When a user starts an application, the application usually needs to access other files and executables to function properly. Access to certain files and folders can be blocked on a global level at Security > Data > Files and Folders. If a certain application needs a file or folder that is blocked on a global level, you could authorize these files and executables on a global level, but this may be undesirable. The alternative approach is to authorize the necessary files and folders for the specific application only. This approach provides the best protection of the user workspace.
- Global authorized files are configured at Security > Global Authorized Files.
- Application authorized files are configured at Managed Applications on the application's Security tab.
- To add, edit or remove authorized files and folders for a specific application, open the application at Managed Applications and go to Security > Authorized Files.
- Select Run this application in learning mode if all access to files and folders by this application should be allowed but also logged. Run an application in learning mode for a while to find out which files and executables should be authorized for the application.
- To ensure that a user can only start the application in his Workspace Control session, select Only Workspace Control is allowed to launch this application. This ensures that a user can only use his Start Menu or desktop to start the application, and not e.g. a command prompt or Windows Explorer. This is useful if you want to force license compliance in your organization, because it allows Workspace Control to determine the actual number of application licenses in use. This setting is also useful if certain settings for the application are indispensable (e.g. registry settings). In the following situations, this setting is selected automatically and grayed out:
- The default value for the setting If running application is no longer authorized is configured at Security > Applications. You can change the behavior of the current application so that it does not follow the default anymore.
- You can authorize files and executables by adding a file or executable to the list of authorized files, but you can also authorize a file or executable directly from the log:
  - Click the Log tab. This shows an overview of security events that were caused by the application.
  - Select the file or executable that caused the security event and click Authorize selected incident. This will open the Authorize file window. The Authorized File field will be populated with the values of the incident that you selected.
- Authorized file security can be enhanced by checking the executable's file hash. To check file hashes, the global option Only allow authorized file hashes (at Security > Applications > Managed Applications, on the Settings tab) must be enabled and allowed/denied file hashes must be configured.
- Changes on the Authorized Files tab will not take effect until you click OK and close the Edit application window.
- You can easily move authorized files from one application to another; from an application to the global Authorized Files node; and from the global Authorized Files node to a specific application. To do so, right-click one or more selected authorized files and choose Move.
- On the Applications List tab of the Managed Applications node, the column Learning mode shows whether an application is set to learning mode or not.
The availability of an application can be authorized based on a Zone. Once an application is running in a Workspace Control session, it can remain active if the user shuts down the computer without logging off from the session. Then, if the user logs on from another computer outside of the Zone that authorized the application, the application may still remain active despite its lack of authorization.
This breach of authorization can be prevented with the setting If running application is no longer authorized, [terminate application].
If this is not necessary, Workspace Control can also be configured with If running application is no longer authorized, [do nothing].
The default for this setting is configured at Security > Applications. Different behavior can be set for individual applications by opening the application at Composition > Applications and changing the setting at Security > Authorized Files.