Application Manager


What precisely does Application Manager do? It is, in my opinion, one of the most underrated products in the AppSense portfolio. The application management part of this is often referred to by myself as "AppLocker on steroids", providing a highly granular application whitelisting solution that allows you to customize your application control to cover huge amounts of eventualities. But this also ties in with the excellent User Rights Management piece that allows users to elevate or de-elevate their privileges and rights on-the-fly, allowing them to perform tasks that would normally be outside of their scope or necessitate use of secondary accounts and RunAs commands. Add to this the potential for device control, software inventory and licensing management it provides, and you have a product that delivers a massive amount of value across a whole breadth of situations.

Aggregated below are the posts detailing what you can do with Application Manager, and how to deal with problems you may find when using it.

Using AppSense Application Manager to override traditional AV?
Managing licensing using AppSense Application Manager device control
Setting application time limits using Application Manager
Working with the Terminal Services %temp% variable in Application Manager
How to replace your antivirus with AppSense Application Manager greylisting
Problems with non-English Adobe Reader X and Application Manager
AppSense Application Manager Rules Analyzer
Self-Elevation of Start Menu Pinned Items
Using Application Manager Process Rules
Using Application Manager Device Rules to restrict locally-installed apps
User Rights Management and Web Installations 
Using AppSense Application Manager to de-elevate administrative rights 
Using AppSense Application Manager to allow non-admin users to install software
Deploying AppSense Application Manager configurations into Active Directory Group Policy
Mitigating against CryptoLocker using AppSense Application Manager

10 comments:

  1. Hi James,

    I am very new to appsense,
    What is the difference between application manager, environment manager and profile manager. ?

    ReplyDelete
    Replies
    1. Hi Vijay

      The tabs at the top for the three main DesktopNow areas (EM, AM and PM) should give you some useful information.

      Delete
  2. Hi James,

    I have a requirement for users to modify the content of published application folder with non admin privilege. I have granted them shared folder access with modify control. However whenever a non admin user modifies the application package with new version & then try to launch the published application from the citrix portal they get the error " user is not authorized to execute the application.exe" I thought this is trusted ownership issue & added the shared folder in the allowed list for everyone group. But still this issue is not resolved.
    Shared folder is a hidden share with a $ symbol. Does this cause any issue for the trusted ownership not to apply?

    ReplyDelete
  3. Did you set the Allow item to "run this file even if not owned by a trusted owner"? Network locations are disallowed by default, even with trusted ownership.

    If it still persists, try using the Rules Analyzer to see which rule is blocking it.

    Cheers,


    JR

    ReplyDelete
  4. Hi James,

    We have implemented appsense AM policy for not to allow local installs of google chrome and mozilla firefox browser. The install is allowed only for administrator. But we found certain users who have admin access to the machines are installing these browsers. I would like to block any installs of these browsers and there by allowing the local installs if the user is member of "Allow-Chrome", Though if he is an administrator, the AM should allow an admin to install local chrome if he is member of "Allow-Chrome"group. Let me know your view. I have added chromeinstall to blocked list. do we have to include any other exe's for the block list? as we have app-v for browser delivery.

    ReplyDelete
    Replies
    1. The problem you have here is "admin trumps all". Even if you disallow the install for admins and allow it for the Allow-Chrome group, the administrator has the rights to stop the AM service and simply do it anyway. Admin is God - there's no way around this. Best you can do is try and work out a way of removing those local administrator rights!

      Delete
    2. But it would be difficult as the users are not the same as we have developers and engineers, I would say administrator ( end user) wouldn't know that Appsense is behind the blocking, so considering that the end user is not aware of the service , is there a way to block local installs?

      Delete
    3. Yes, you could disallow the installation for Administrators and then allow it for a specific group, that would work as intended. However you would have to switch the Administrators group into "Restricted" mode, which might cause problems for your actual real "admin users" when they come to do things to the machines. It could also potentially affect things like software deployment and other system processes.

      Cheers,


      JR

      Delete
  5. Great, Thanks James, Final question, looks bit silly, I have listed the chrome install exe's which i think needs to be blocked, do you have any link or exe's,MSI which needs to be added for chrome or firefox blocking, no matter the file is renamed/moved/copied etc the installed should not work. I have done this for certain exe's using signature method, but really interested in Chrome

    ReplyDelete
    Replies
    1. I don't really know if there is a comprehensive list of possible Chrome installers out there, blocking by signature is obviously much more desirable in this case. Are your admins also Trusted Owners? In this case, then there is even more of a problem, as if they rename a file the "change a file's ownership when it is overwritten or renamed " will not do you any good, because the new owner will be allowed to execute it anyway.

      The old adage of "if your user is an administrator, the device doesn't belong to you any more" will ring true here - all you are going to do is plug some of the more obvious gaps for them to slip through.

      I was possibly wondering whether it would be easier to use Browsium Catalyst rather than AppSense to mitigate against this, but then again there is a cost attached. Catalyst can redirect the browser to a different one, so you could let them install Chrome/Firefox, they just wouldn't be able to use it to browse any websites. But again, they could just unload the add-on or uninstall the software - again, you're back to the "admin problem" again.

      Surely it would be better to use AppSense Application Manager's privilege elevation to give non-admins access to the admin tasks they require? Then, you could just block Chrome normally and everything would be cool.

      Cheers,



      JR

      Delete