deviceTRUST 19.2 is now available and includes the new macOS Client and an updated iOS Client. See the release notes for more information.

Application Control with Microsoft AppLocker

deviceTRUST can dynamically configure the Microsoft AppLocker configuration (click here for more details) to allow or deny access to applications, scripts, modern apps or installer packages (.msi) for a user based on the context of the remote endpoint. deviceTRUST can also gracefully terminate applications that should not be running.

Note:

We will guide you step-by-step to enable AppLocker and use it to control access to a business application (for demonstration purposes, we will use Notepad++) depending upon whether the remote device is licensed. We will perform the following steps:

  1. Step 1: Enable Microsoft AppLocker
  2. Step 2: Install the deviceTRUST Console
  3. Step 3: Create a ‘Licensed For Business Application’ Context
  4. Step 4: Test the ‘Licensed For Business Application’ Context
  5. Step 5: Create an ‘Application Control For Business Application’ Action
  6. Step 6: Test the ‘Application Control For Business Application’ Action
  7. Step 7: Gracefully Terminating Business Application on Reconnect
  8. Step 8: Test the Graceful Termination of Business Application on Reconnect

Step 1: Enable Microsoft AppLocker

  • Launch either the Local Policy Editor or edit a Group Policy Object using your Group Policy management tools.
  • Navigate to COMPUTER CONFIGURATION\POLICIES\WINDOWS SETTINGS\APPLICATION CONTROL POLICIES\APPLOCKER (or COMPUTER CONFIGURATION\WINDOWS SETTINGS\APPLICATION CONTROL POLICIES\APPLOCKER when using the Local Policy Editor).
  • Enable and configure the default Microsoft AppLocker rules by right clicking on EXECUTABLE RULES, WINDOWS INSTALLER RULES, SCRIPT RULES and PACKAGED APP RULES nodes and selecting CREATE DEFAULT RULES.
  • Ensure that the APPLICATION IDENTITY service is started.

Step 2: Install the deviceTRUST Console

To configure the deviceTRUST Host using the Local Policy Editor, the deviceTRUST Console must be installed on the same machine as the deviceTRUST Host. Alternatively, configuration can be deployed using a Group Policy Object (GPO) by installing the deviceTRUST Console on the same machine as your Group Policy management tools. Follow the steps in the section Installing the Console to complete the installation.

The deviceTRUST Console is available within the Group Policy management tools at COMPUTER CONFIGURATION\POLICIES\DEVICETRUST CONSOLE (or COMPUTER CONFIGURATION\DEVICETRUST CONSOLE when using the Local Policy Editor).

Step 3: Create a ‘Licensed For Business Application’ Context

We will design a new context named Licensed for Business Application to have the value True whenever the hardware serial number of the remote device matches a predefined list, otherwise it will have the value False.

Within the deviceTRUST Console, click on Context within the navigation bar, and then click on Create new context.

Creating a new context
Creating a new context

Name the context Licensed For Business Application and provide a description.

Naming the `Licensed For Business Application` context
Naming the `Licensed For Business Application` context

Underneath the condition HOST - DEVICETRUST - CONNECTED EQUALS TRUE, click on the + icon. Click on the HARDWARE category of properties.

Adding from the Hardware category of properties
Adding from the Hardware category of properties

Choose BIOS SERIAL NUMBER from the list of available hardware properties.

Select the BIOS Serial Number property
Select the BIOS Serial Number property

Select DEVICE to ensure that the condition is applied against the BIOS serial number of the remote device, and enter the BIOS serial numbers of one or more endpoints.

Note:
  • Comments can be added within condition values by prefixing the comment with the `#` character.
Define the BIOS Serial Number condition
Define the BIOS Serial Number condition

Click on OK to apply the new condition to the context. Next, change the DEFAULT value of the condition to False and set the VALUE to True. The context will become True when all conditions evaluate successfully.

Specify the context values
Specify the context values

Finally, click the Save button on the navigation bar to commit your changes.

Note:
  • When deploying configuration using a Group Policy Object, a call to `gpupdate` will be necessary to apply the new policy.
  • Existing user sessions will not get the updated policy until their next logon.

Step 4: Test the ‘Licensed For Business Application’ Context

Test the Licensed For Business Application context by remoting into a virtual session and viewing the value of the context within the HKEY_CURRENT_USER\SOFTWARE\deviceTRUST\Contexts registry key. Accessing the virtual session from an endpoint with a matching BIOS Serial Number will result in a context value of True. All other machines will have the context value False.

Testing the 'Licensed For Business Application' context
Testing the 'Licensed For Business Application' context

Step 5: Create an ‘Application Control For Business Application’ Action

We will build a new action which denies access to the business application (for demonstration purposes, we will use Notepad++) when the Licensed For Business Application context is False.

Within the deviceTRUST Console, click on ACTION within the navigation bar, and then click on CREATE NEW ACTION.

Creating a new action
Creating a new action

Name the action Application Control For Business Application and provide a description.

Naming the 'Application Control For Business Application' action
Naming the 'Application Control For Business Application' action

Triggers occur at specific times within the user logon session, or whenever the value of a context changes. Click ADD A NEW TRIGGER and select CONTEXT CHANGED to handle a change in the value of a context.

Adding a new Context Changed trigger
Adding a new Context Changed trigger

Select the LICENSED FOR BUSINESS APPLICATION context within the dropdown, and check FALSE to take action when the context becomes this value. Click OK to add this new trigger to the context.

Select the context and values that will trigger the sequence of tasks
Select the context and values that will trigger the sequence of tasks

We are now able to launch tasks whenever the value of the context becomes FALSE. Click on ADD NEW TASK and select APPLOCKER to create a Microsoft AppLocker rule.

Creating an AppLocker task
Creating an AppLocker task

Choose DENY ACCESS TO AN APPLICATION and click NEXT.

Defining the AppLocker task
Defining the AppLocker task

The AppLocker task requires a full path to the application to be specified. Using the support for wildcards, enter the path of *\notepad++.exe and ensure that EXECUTABLE is selected from the dropdown.

Customizing the AppLocker task
Customizing the AppLocker task

Click on OK to add the task to the sequence of tasks that will execute when the LICENSED FOR BUSINESS APPLICATION context becomes FALSE.

The 'Application Control For Business Application' action
The 'Application Control For Business Application' action

Finally, click the SAVE button on the navigation bar to commit your changes.

Note:
  • When deploying configuration using a Group Policy Object, a call to `gpupdate` will be necessary to apply the new policy.
  • Existing user sessions will not get the updated policy until their next logon.

Step 6: Test the ‘Application Control For Business Application’ Action

Test the Application Control For Business Application context by remoting into a virtual session and attempting to launch the business application. Accessing the virtual session from an endpoint with a BIOS Serial Number that matches those defined in the Licensed For Business Application context will allow the business application to execute. Accessing the virtual session from any other endpoint will result in an error message.

Attempting to launch the business application from an unlicensed device
Attempting to launch the business application from an unlicensed device

Step 7: Gracefully Terminating Business Application on Reconnect

Our current action will now successfully prevent the launching of our business application from unlicensed endpoints. However, the business application can still be launched from a licensed endpoint, and then used following a reconnection from an unlicensed endpoint. To solve this, we can use the TERMINATE APP task to gracefully terminate.

Underneath the APPLOCKER - DENY EXECUTABLE task, click ADD NEW TASK and select TERMINATE APP.

Creating a Terminate App task
Creating a Terminate App task

Click on IDENTIFY APPLICATIONS BY APPLOCKER POLICIES to use the current AppLocker policies to identify the applications to terminate. Provide a suitable TITLE and MESSAGE to display to the logged on user.

Customizing the Terminate App task
Customizing the Terminate App task

Click on OK to add the task to the sequence of tasks that will execute when the LICENSED FOR BUSINESS APPLICATION context becomes FALSE.

The final 'Application Control For Business Application' action
The final 'Application Control For Business Application' action

Finally, click the SAVE button on the navigation bar to commit your changes.

Note:
  • When deploying configuration using a Group Policy Object, a call to `gpupdate` will be necessary to apply the new policy.
  • Existing user sessions will not get the updated policy until their next logon.

Step 8: Test the Graceful Termination of Business Application on Reconnect

Test the updated Application Control For Business Application context by remoting into a virtual session from a licensed endpoint. Launch the business application and leave running whilst reconnecting from an unlicensed endpoint. deviceTRUST will gracefully terminate the application.

Graceful Termination of the Business Application after switching to unlicensed endpoint
Graceful Termination of the Business Application after switching to unlicensed endpoint

After the timeout period defined within the Terminate App configuration, the business application will be terminated.