Certificate-based Application Security

Authorized Certificates can only be used if Managed Application Security is enabled at Security > Applications > Managed Applications > Settings tab.

To globally enable File Certificate Security, in the Workspace Control Console, go to Security > Authorized Certificates, Settings tab. This can also be enabled for specific Workspace Containers. File Certificate Security is also called Certificate-based Application Security.

When this security setting is enabled and the option Use globally authorized certificates for this application is configured (at Composition > Applications, on the application's Security > Authorized Files tab), the certificate of each executable file is checked against the list of authorized certificates before the file is allowed to run. With this option enabled at application level, users can only start applications in their Workspace Control session if the file certificate is authorized.

Only when this option is enabled is an application that has been allowed as an Authorized File also checked against File Certificate Security. If the option is not selected, users can start the application as soon as they are allowed to start it as an Authorized File, without Workspace Control checking the executable's certificate.

File certificates can be added in three ways:

  • Manually - on the Authorized Certificates tab (at Security > Authorized Certificates), click New on the command bar or select New from the context menu.

  • Bulk import - Create an XML file with the file certificates and import that file with the command line option %respfdir%\pwrtech.exe /importfilesecurity=<filepath>

  • Workspace Control Application Whitelist Monitor - Discover and import file certificates with the Application Whitelist Monitor. This is a service that runs in the background on one or more machines in your Workspace Control environment. At a specified interval (default: every 30 minutes), it will scan a list of one or more designated directories containing executables and installers authorized to run in your environment. When scanning, the Application Whitelist Monitor will extract any embedded certificates used to verify the application publisher. Once the file certificates have been discovered, they are uploaded to the Workspace Control Datastore and can be managed in the Workspace Control Console at Security > Authorized Certificates.
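The discovery step the Application Whitelist Monitor performs (scan designated directories, pull the embedded publisher certificate out of each executable) can be reproduced for review purposes with the standard Authenticode cmdlets. This is an added example, not code from Workspace Control; the directory paths are placeholders, and its output is a plain listing, not the XML layout that pwrtech.exe /importfilesecurity expects.

```powershell
# Added example (not Workspace Control's own code): scan placeholder directories
# for executables and installers, extract the Authenticode signer certificate
# embedded in each, and list the distinct publisher certificates found.
$ScanDirs   = @('C:\Program Files\ExampleApp', 'D:\Installers')   # placeholder paths
$Extensions = @('*.exe', '*.msi', '*.dll')

$found = foreach ($dir in $ScanDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Recurse -Include $Extensions -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Only files carrying an embedded signature have a certificate to extract
            if ($null -ne $sig.SignerCertificate) {
                [pscustomobject]@{
                    File       = $_.FullName
                    Status     = $sig.Status            # Valid, HashMismatch, NotTrusted, ...
                    Publisher  = $sig.SignerCertificate.Subject
                    Issuer     = $sig.SignerCertificate.Issuer
                    Thumbprint = $sig.SignerCertificate.Thumbprint
                    NotAfter   = $sig.SignerCertificate.NotAfter
                }
            }
        }
}

# Distinct publisher certificates discovered; this is the set an administrator
# would review before authorizing anything.
$found | Sort-Object Thumbprint -Unique |
    Select-Object Publisher, Issuer, Thumbprint, NotAfter |
    Format-Table -AutoSize

# Signed files whose signature does not verify (tampered, hash mismatch, untrusted
# chain): these should be investigated rather than authorized by certificate.
$found | Where-Object { $_.Status -ne 'Valid' } |
    Select-Object File, Status, Publisher |
    Format-Table -AutoSize
```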

On the Authorized Certificates tab, the list of authorized files with authorized certificates is displayed.

When enabled, if an executable is started for which no Authorized File or Authorized Certificate is configured, it is blocked and reported in the Workspace Control Console at Security > Applications > Managed Applications, on the Log tab, and at Security > Authorized Certificates, on the Log tab. Only executables that have a certificate appear in the Authorized Certificates security log, and the reported action will be Certificate not allowed. In both logs, executables can be authorized via the context menu.

An application is authorized when an allow rule is found for one of the configured security options. Once authorized, the application will no longer appear in the logs. The log is cleaned up automatically at an interval which can be configured at Setup > Advanced Settings, with the option # days to keep log files.

When there is an Authorized Certificate that is using Mode: Deny, and no other security rules are configured, the executable will be listed on the Authorized Certificates security log with the action Certificate is denied and in the Managed Applications security log with the action CERT DENIED.

Certificate-based allow rules are available for Windows Agents only. They are not compatible with the Linux and macOS Workspace Control Agents.

Once Managed Application Security is set to Enabled, Learning Mode can be configured only for Authorized Certificates using a registry setting. For more details, see CertSecLearning.