Applications security modes: disabled, learning, enabled
Managed Application Security can be configured at the global level or for an individual application.
Global level
At the global level, there are three modes for the security restrictions on applications:
- In Disabled mode, users can start applications and executables that are not managed by Workspace Control, and nothing is logged.
- In Learning mode, attempts to start unauthorized applications and executables are not blocked, but can be logged. This helps you identify and authorize executables that are started by authorized applications. When you have fine-tuned your environment sufficiently in Learning mode, you can set Application security to Enabled mode.
- In Enabled mode, only authorized applications and executables can be started. This prevents users from accessing any unauthorized file, folder, or executable.
Under the Security > Applications > Managed Applications > Settings tab, configure the security mode for Workspace Control managed applications using the Managed Application Security option.
- If you select the option Log security events, security events are logged when Application security is in Enabled or Learning mode.
- If you select the option Notify users about security events, users are notified when Application security is in Enabled or Learning mode.
- File hashes can only be discovered for Workspace Containers, and Managed Application Security must then be set to Enabled or Learning for that Workspace Container. In Learning mode, all discovered file hashes are displayed in the log. In Enabled mode, the file hashes of blocked processes and files are not displayed. See the Workspace Control Help for more information.
Application level
If you add a new application, it is not necessary to set Application security to Learning mode at the global level; doing so would weaken the existing security of the user workspace for every application. Instead, it is sufficient to set only the new application to Learning mode. The workspace remains secured, because only executables launched by that application are allowed through. Because these executables can be logged as security events, you can use the log to create application-specific exceptions.
If Applications security is enabled, the authorized files configured for a specific application will, by default, be enforced. You can configure authorized files for an application at Managed Applications on the application's Security > Authorized Files tab. See Authorize files and folders.
Note that authorizing an application does not authorize what it launches. If a user is allowed to run cmd, attempts to start other executables from it (for example ping) are still blocked unless those executables are authorized. If necessary, you can authorize additional executables at the application level.
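The Learning-mode workflow above (log what an application launches, then turn the log into per-application authorized files) is easy to get wrong by authorizing everything that was observed. The following script, added here as an example and not part of Workspace Control or its documentation, aggregates security events into per-application candidate lists, keeps the discovered hashes, and flags entries that deserve a second look before they become authorized files. The event-line format, the field names, the sample users and paths and the hash values are all constructed for this example; the real product log format is not described on this page, so treat the parser as an assumption to adapt.

```python
import re
from collections import defaultdict

# Constructed sample events for this example (not real product output). The
# line format is an ASSUMPTION made here, not Workspace Control's log format.
SAMPLE_EVENTS = r"""
2024-05-01T09:00:01 mode=Learning app="Build Tools" user=alice exe="C:\Windows\System32\cmd.exe" hash=1a2b3c action=logged
2024-05-01T09:00:02 mode=Learning app="Build Tools" user=alice exe="C:\Windows\System32\PING.EXE" hash=4d5e6f action=logged
2024-05-01T09:00:03 mode=Learning app="Build Tools" user=bob exe="C:\Windows\System32\ping.exe" hash=4d5e6f action=logged
2024-05-01T09:00:30 mode=Learning app="Build Tools" user=bob exe="C:\Windows\System32\cmd.exe" hash=9z9z9z action=logged
2024-05-01T09:01:00 mode=Learning app="Build Tools" user=bob exe="C:\Temp\dropper.exe" hash=deadbeef action=logged
2024-05-01T09:02:00 mode=Enabled app="Office" user=carol exe="C:\Windows\System32\cmd.exe" hash=- action=blocked
2024-05-01T09:02:01 mode=Learning app="Office" user=carol exe="C:\Windows\System32\PING.EXE" hash=4d5e6f action=logged
"""

EVENT_RE = re.compile(
    r'^(?P<time>\S+) mode=(?P<mode>\w+) app="(?P<app>[^"]*)" user=(?P<user>\S+) '
    r'exe="(?P<exe>[^"]*)" hash=(?P<hash>\S+) action=(?P<action>\w+)$'
)


def parse_events(text):
    """Parse event lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def normalize_path(path):
    # Windows paths are case-insensitive: fold case so PING.EXE and ping.exe merge.
    return path.casefold()


def candidate_authorized_files(events):
    """Group Learning-mode, logged executables per managed application.

    Returns {app: {path: {"hashes": set, "users": set, "count": int}}}.
    Enabled-mode blocks are ignored here because they carry no hash.
    """
    cands = defaultdict(dict)
    for ev in events:
        if ev["mode"] != "Learning" or ev["action"] != "logged" or ev["hash"] == "-":
            continue
        entry = cands[ev["app"]].setdefault(
            normalize_path(ev["exe"]), {"hashes": set(), "users": set(), "count": 0}
        )
        entry["hashes"].add(ev["hash"])
        entry["users"].add(ev["user"])
        entry["count"] += 1
    return dict(cands)


def blocked_without_hash(events):
    """Enabled-mode blocks: launches that already fail, so no hash was recorded."""
    return [ev for ev in events if ev["mode"] == "Enabled" and ev["action"] == "blocked"]


def flag_for_review(cands, min_users=2):
    """Do not authorize blindly: flag entries seen by fewer than min_users distinct
    users, or whose path was observed with more than one hash (the file changed,
    or something else was dropped under the same name)."""
    flagged = []
    for app, files in cands.items():
        for path, entry in files.items():
            reasons = []
            if len(entry["users"]) < min_users:
                reasons.append("seen by %d user(s)" % len(entry["users"]))
            if len(entry["hashes"]) > 1:
                reasons.append("multiple hashes: %s" % ", ".join(sorted(entry["hashes"])))
            if reasons:
                flagged.append((app, path, "; ".join(reasons)))
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    cands = candidate_authorized_files(evs)
    for app, files in sorted(cands.items()):
        print("Candidate authorized files for %s:" % app)
        for path, entry in sorted(files.items()):
            print("  %s  hash=%s  users=%d" % (path, ",".join(sorted(entry["hashes"])), len(entry["users"])))
    print("Needs review before authorizing:")
    for app, path, why in flag_for_review(cands):
        print("  [%s] %s (%s)" % (app, path, why))
    print("Blocked in Enabled mode (no hash available):")
    for ev in blocked_without_hash(evs):
        print("  [%s] %s by %s" % (ev["app"], ev["exe"], ev["user"]))
```

Two points the script makes that the procedure alone does not: a path observed with more than one hash during learning should not be authorized by path until you know why it changed, and an executable seen from only one user (here the constructed `C:\Temp\dropper.exe`) is exactly the kind of entry that Learning mode will happily record and that you should not carry into the application's Authorized Files. Enabled-mode blocks are listed separately because, as noted above, they carry no hash and show you which launches would break once enforcement is turned on.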