Application Manager


What precisely does Application Manager do? It is, in my opinion, one of the most underrated products in the AppSense portfolio. I often refer to the application management part of it as "AppLocker on steroids": a highly granular application whitelisting solution that lets you tailor your application control to cover a huge range of eventualities. This ties in with the excellent User Rights Management piece, which allows users to elevate or de-elevate their privileges and rights on the fly, so they can perform tasks that would normally be outside their scope or would otherwise require secondary accounts and RunAs commands. Add to this the potential for device control, software inventory and licensing management it provides, and you have a product that delivers a massive amount of value across a whole breadth of situations.

Aggregated below are the posts detailing what you can do with Application Manager, and how to deal with problems you may find when using it.

Using AppSense Application Manager to override traditional AV?
Managing licensing using AppSense Application Manager device control
Setting application time limits using Application Manager
Working with the Terminal Services %temp% variable in Application Manager
How to replace your antivirus with AppSense Application Manager greylisting
Problems with non-English Adobe Reader X and Application Manager
AppSense Application Manager Rules Analyzer
Self-Elevation of Start Menu Pinned Items
Using Application Manager Process Rules
Using Application Manager Device Rules to restrict locally-installed apps
User Rights Management and Web Installations
Using AppSense Application Manager to de-elevate administrative rights
Using AppSense Application Manager to allow non-admin users to install software
Deploying AppSense Application Manager configurations into Active Directory Group Policy
Mitigating against CryptoLocker using AppSense Application Manager

33 comments:

  1. Hi James,

    I am very new to AppSense.
    What is the difference between Application Manager, Environment Manager and Profile Manager?

    1. Hi Vijay

      The tabs at the top for the three main DesktopNow areas (EM, AM and PM) should give you some useful information.

  2. Hi James,

    I have a requirement for users to modify the content of a published application folder with non-admin privileges. I have granted them shared folder access with Modify control. However, whenever a non-admin user modifies the application package with a new version and then tries to launch the published application from the Citrix portal, they get the error "user is not authorized to execute the application.exe". I thought this was a trusted ownership issue and added the shared folder to the allowed list for the Everyone group, but this issue is still not resolved.
    The shared folder is a hidden share with a $ symbol. Does this cause any issue with trusted ownership not applying?

  3. Did you set the Allow item to "run this file even if not owned by a trusted owner"? Network locations are disallowed by default, even with trusted ownership.

    If it still persists, try using the Rules Analyzer to see which rule is blocking it.

    Cheers,


    JR

  4. Hi James,

    We have implemented an AppSense AM policy to not allow local installs of the Google Chrome and Mozilla Firefox browsers. The install is allowed only for administrators. But we found certain users who have admin access to the machines are installing these browsers. I would like to block any installs of these browsers and thereby allow the local installs only if the user is a member of "Allow-Chrome"; though if he is an administrator, AM should allow an admin to install local Chrome if he is a member of the "Allow-Chrome" group. Let me know your view. I have added chromeinstall to the blocked list. Do we have to include any other exe's in the block list, as we have App-V for browser delivery?

    1. The problem you have here is "admin trumps all". Even if you disallow the install for admins and allow it for the Allow-Chrome group, the administrator has the rights to stop the AM service and simply do it anyway. Admin is God - there's no way around this. Best you can do is try and work out a way of removing those local administrator rights!

    2. But it would be difficult, as the users are not the same: we have developers and engineers. I would say the administrator (end user) wouldn't know that AppSense is behind the blocking, so considering that the end user is not aware of the service, is there a way to block local installs?

    3. Yes, you could disallow the installation for Administrators and then allow it for a specific group, that would work as intended. However you would have to switch the Administrators group into "Restricted" mode, which might cause problems for your actual real "admin users" when they come to do things to the machines. It could also potentially affect things like software deployment and other system processes.

      Cheers,


      JR

  5. Great, thanks James. Final question, and it looks a bit silly: I have listed the Chrome install exe's which I think need to be blocked. Do you have any link or list of exe's/MSIs which need to be added for Chrome or Firefox blocking, so that no matter whether the file is renamed/moved/copied etc. the installer will not work? I have done this for certain exe's using the signature method, but am really interested in Chrome.

    1. I don't really know if there is a comprehensive list of possible Chrome installers out there; blocking by signature is obviously much more desirable in this case. Are your admins also Trusted Owners? If so, then there is even more of a problem, as if they rename a file, the "change a file's ownership when it is overwritten or renamed" option will not do you any good, because the new owner will be allowed to execute it anyway.

      The old adage of "if your user is an administrator, the device doesn't belong to you any more" will ring true here - all you are going to do is plug some of the more obvious gaps for them to slip through.

      I was possibly wondering whether it would be easier to use Browsium Catalyst rather than AppSense to mitigate against this, but then again there is a cost attached. Catalyst can redirect the browser to a different one, so you could let them install Chrome/Firefox, they just wouldn't be able to use it to browse any websites. But again, they could just unload the add-on or uninstall the software - so you're back to the "admin problem" again.

      Surely it would be better to use AppSense Application Manager's privilege elevation to give non-admins access to the admin tasks they require? Then, you could just block Chrome normally and everything would be cool.

      Cheers,



      JR

  6. Hi - can Appsense Application Manager control execution of DLL's or SYS Driver Files which operate as Drivers for specific USB Devices?

    1. Depends entirely on how you want to control this. If you want to allow specific USB devices to be allowed to execute, that's going to be tough. Is that the level of control you are after?

  7. Hi there,

    I would like to setup an AM config, where users do not have the rights to launch any application (whether it requires admin rights or not) except if these applications are allowed. Could you tell me how to achieve this please? Thank you :)

    1. What you're describing is essentially whitelisting, rather than greylisting which AM does by default. This means that NO application (even those installed by an admin) will be launched UNLESS it appears in the Allowed Items for the user/group/device/etc.

      To do this you will need to turn off Trusted Ownership checking, which is found in the console under Global Settings | Trusted Owners.

      You will also need to switch the Administrators group to Restricted if you also wish to apply these settings to local administrators.

      Once you've done that, allow your whitelist of executables as required in the Allowed Items section and then deploy the configuration. I would suggest that you do a FULL audit of your allowed software first as this config will block EVERYTHING from being able to execute that isn't specifically allowed in the configuration.

      Cheers,



      JR

  8. I have the need to let users write to a folder in Program Files. I cannot see where anything is being denied in the Rules Analyzer. The application reports back that the user does not have permission to write to the needed location. Any ideas on how to give the users access to write to the specified location?

    1. Can you open up the NTFS permissions on the folder? The %PROGRAMFILES% location is restricted to Admins by default, for obvious reasons.

      Cheers,


      JR

    2. I would prefer to make it happen inside of Application Manager. I had to use the NTFS permissions this morning to get the users back up and operational. This is a PC hooked to a high-capacity scanner. The software checks to make sure that the logged-in user has access to %PROGRAMFILES% for the data to be written. The PC support team has tried to redirect the output file with no luck. They turned to me yesterday to make this work. The program was originally written for XP and made to work in Windows 7. Any ideas would be greatly appreciated.

    3. OK, so what you are talking about is rights elevation. Does the application have a particular process? If so, can you use the Builtin Elevate to elevate the rights of this specific process so that users can then write to %PROGRAMFILES%?

  9. Hi James, can I use Application Manager to block access to a published desktop based on client IP? We are able to block .exe's.

    1. Hi

      A published desktop isn't an executable, per se. It's more a session.

      However, if you're talking Citrix XenApp, you can restrict the desktop to specific IP ranges, if I remember correctly. It probably depends on the XenApp version how you would achieve that.

      If it's RDSH you're talking, then it's also probably possible in some way.

      Cheers,



      JR

  10. OK, we are on XA 6.5. I would love to restrict this using AM or EM. In XenApp we have the option to restrict with a load evaluator.

    1. In EM, you could run a Process Started Action to terminate the session using logoff.exe if the client IP address matches the given range - but that's a bit kludgey.

      Will have a think!

    2. How about if you had a Condition of Published Application Name, together with a Condition of Client IP Range, and if the IP Range did not match, pop up a message box using VBscript and then initiate Logoff.exe?

      You can email me for details of the VBscript if you want.

      Cheers,



      JR

    3. Hi James, I was thinking the same. Appreciate your response. Have a good day

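The "check the client IP range, pop up a message, then run logoff.exe" flow discussed in the thread above, written in PowerShell as an added example; it is not the VBScript the author offers and is not part of the original post. It assumes it runs inside the RDSH/XenApp session as an EM custom action, that the session's client address is reported through the WTS API (WTSQuerySessionInformation with WTSClientAddress), and that the permitted range 10.20.0.0 to 10.20.255.255 is a constructed placeholder; where EM's own Client IP Range condition already does the matching, only the last block (message box and logoff) is needed.

```powershell
# Added example, not from the blog: log off a session whose client IP is outside
# the permitted range. Assumes an RDSH/XenApp session; the range is a placeholder.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class WtsClient {
    [DllImport("wtsapi32.dll")]
    static extern bool WTSQuerySessionInformation(IntPtr hServer, int sessionId,
        int infoClass, out IntPtr buffer, out int bytesReturned);
    [DllImport("wtsapi32.dll")]
    static extern void WTSFreeMemory(IntPtr buffer);
    // WTS_CLIENT_ADDRESS is DWORD AddressFamily + BYTE Address[20]; for AF_INET (2)
    // the IPv4 octets are at Address[2..5], i.e. offset 6 from the struct start.
    public static string GetClientIPv4() {
        IntPtr buf; int len;
        if (!WTSQuerySessionInformation(IntPtr.Zero, -1, 14, out buf, out len)) return null;
        try {
            if (Marshal.ReadInt32(buf) != 2) return null;   // console or non-IPv4 session
            byte[] o = new byte[4];
            Marshal.Copy(IntPtr.Add(buf, 6), o, 0, 4);
            return string.Format("{0}.{1}.{2}.{3}", o[0], o[1], o[2], o[3]);
        } finally { WTSFreeMemory(buf); }
    }
}
"@

function ConvertTo-IPv4Int([string]$Address) {
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($b)                        # network order -> host-order UInt32
    [BitConverter]::ToUInt32($b, 0)
}
function Test-IPv4InRange([string]$Address, [string]$Start, [string]$End) {
    $v = ConvertTo-IPv4Int $Address
    ($v -ge (ConvertTo-IPv4Int $Start)) -and ($v -le (ConvertTo-IPv4Int $End))
}

$clientIp = [WtsClient]::GetClientIPv4()
if ($null -eq $clientIp) {
    # No client address (console logon): do nothing rather than log off the console user.
    return
}
if (-not (Test-IPv4InRange $clientIp '10.20.0.0' '10.20.255.255')) {
    # Same flow as the thread: tell the user why, then end the session with logoff.exe.
    $shell = New-Object -ComObject WScript.Shell
    $shell.Popup("Client address $clientIp is not permitted to use this desktop.", 15, 'Access restricted', 48) | Out-Null
    & "$env:SystemRoot\System32\logoff.exe"
}
```

Pair this with a Published Application Name condition in EM so it only fires for the restricted desktop, and test it from a client inside the range first, since a wrong range logs everyone off.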
  11. Hi James, is it possible to restrict access to certain websites using AM?

    1. Not as far as I am aware, you would need a proper web filtering product for that.

  12. OK. I thought adding a site as a Hostname type in Network Connection and adding it to the Prohibited Items would do this.

    1. I suppose you could, but not really what it's designed for.

    2. I even tried the example given in the console itself, like www.google.com. Still I couldn't make it work.

    3. Sorry I accidentally deleted your last comment :-( perils of mobile devices. I will have a look at this tomorrow and see what is what.

  13. Sure, no problem. I was testing the URL redirection option, but it is a global setting: it gets applied to all users and it is only for IE.

    1. Sorry I accidentally deleted your comment, please repost and I will publish. Damn mobile!

    2. We have to enable "Enable Application Network Access Control" in General Feature->Option section to control network related access.
