Application Control - Using AppLocker
AppLocker, exposed in the AirWatch console as Application Control, is a feature available since Windows 7 (and, in Windows 10, configurable through a new MDM API) that builds on Software Restriction Policies. AppLocker adds the ability to create rules that allow or deny applications based on unique identities of files, and to specify which users or groups can run those applications.
Using AppLocker, you can:
- Control the following types of applications: executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.msi and .msp), DLL files (.dll and .ocx), and packaged apps (.appx).
- Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file.
- Assign a rule to a security group or an individual user.
- Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run except Registry Editor (Regedit.exe).
- Use audit-only mode to deploy the policy and understand its impact before enforcing it.
- Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, all criteria in the existing policy are overwritten.
AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of help desk calls that result from users running unapproved applications.
In Windows 10, AirWatch leverages the Application Control profile to send down the AppLocker configuration to devices. We will learn how to create the AppLocker configuration file to import into AirWatch.
1. Creating the AppLocker Configuration File
- Click on the Windows logo
- Enter "group policy"
- Click Edit group policy
1.1. AppLocker GPO
- Expand Windows Settings
- Expand Security Settings
- Expand Application Control Policies
- Expand AppLocker
- Click Configure rule enforcement
1.2. Enforce Packaged App Rules
In this example we will block the Xbox application (.appx). If you wanted to block RegEdit then you would configure the Executable rules.
- Check Configured under Packaged app Rules. Enforce rules is the default; if you want to test the rules before applying them, run them in Audit only mode first.
- Click Apply
- Click OK
1.3. Create Default Rules
- Click Packaged app Rules to start configuring the rules.
- Right-click in the white space on the right side of the window
- Select Create Default Rules
1.4. Edit Default Rule
1.7. Select Packaged Application
1.8. Package Name
1.11. Save Policy XML
1.13. Clear Policy
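The same policy XML that the steps above export from the Group Policy editor can be built with the AppLocker PowerShell module. The script below is an added example, not part of this workshop or of AirWatch's own tooling. It assumes the Xbox app is installed for the current user under the package name Microsoft.XboxApp (confirm with Get-AppxPackage -Name "*Xbox*"), that the module's FileInformation objects expose the signing identity through their Publisher property, and that the output path is a placeholder you will change.

```powershell
# Added example (not from the workshop or AirWatch): build the "Block Xbox"
# packaged-app AppLocker policy and save it as the XML that section 2 uploads.
# Assumptions: package name "Microsoft.XboxApp"; output path is a placeholder.
Import-Module AppLocker

$PackageName = "Microsoft.XboxApp"                 # assumed; confirm with Get-AppxPackage -Name "*Xbox*"
$OutFile     = "C:\Temp\BlockXbox-AppLocker.xml"   # placeholder path
$Mode        = "Enabled"                           # use "AuditOnly" to test first (step 1.2)

# Read the package's signing identity instead of typing the CN=... string by hand.
$pkg = Get-AppxPackage -Name $PackageName
if (-not $pkg) { throw "Package '$PackageName' not found; check with Get-AppxPackage -Name '*Xbox*'" }
$info = $pkg | Get-AppLockerFileInformation
$pub  = $info.Publisher      # assumed shape: PublisherName, ProductName, BinaryName, BinaryVersion

function ConvertTo-XmlSafe([string]$s) { [System.Security.SecurityElement]::Escape($s) }

# Two rules in the Appx collection: the default "all signed packaged apps" allow
# rule (what "Create Default Rules" in step 1.3 produces) plus a Deny for the
# package. A Deny always wins over an Allow, so only the Xbox app is affected.
# UserOrGroupSid S-1-1-0 is the well-known SID for Everyone.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="$Mode">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="(Default Rule) All signed packaged apps" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Block Xbox" Description="Deny the Xbox app for Everyone" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$(ConvertTo-XmlSafe $pub.PublisherName)" ProductName="$(ConvertTo-XmlSafe $pub.ProductName)" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# Fail here, not on the MDM side, if the XML is malformed.
$null = [xml]$policyXml
$policyXml | Set-Content -Path $OutFile -Encoding UTF8

# Dry-run the file against the installed packages: only the Xbox package should
# come back as anything other than Allowed.
Get-AppxPackage | Test-AppLockerPolicy -XmlPolicy $OutFile |
    Where-Object { $_.PolicyDecision -ne "Allowed" } |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

The script never calls Set-AppLockerPolicy, so nothing is applied to the local machine and there is no local policy to clear afterwards (the equivalent of step 1.13); the file is only written for upload in section 2.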
2. Creating the Application Control Profile
- Back in the AirWatch console, click ADD
- Click Profile
2.3. General Profile Settings
- Enter "Block Xbox" into the Name field
- Select your "All Devices" smart group for the Assigned Groups
2.4. Application Control
2.6. Upload AppLocker Configuration XML
2.8. Save & Publish
- Click Save & Publish
2.9. Device Assignment
- Click Publish
2.10. Verify Profile
You should now see your Block Xbox Application Control (AppLocker) profile. In this workshop, we blocked a single application. There are many resources that you can use to build the AppLocker policy that fits your environment.
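Seeing the profile in the console confirms it was published, not that the device applied it. The functions below are an added example, not part of the workshop or AirWatch, for checking on a managed Windows 10 device that the deny rule is in the effective policy and that AppLocker is logging the outcome. They assume an elevated PowerShell session on the device and that the deny rule is named "Block Xbox" as in step 2.3; the event IDs are the documented ones for the Packaged app-Execution log.

```powershell
# Added example (not from the workshop or AirWatch): verify on the device that
# the AirWatch-delivered AppLocker policy is in effect. Assumes an elevated
# session; rule name "Block Xbox" as chosen in step 2.3.
Import-Module AppLocker

function Get-AppxDenyRules {
    # The effective policy merges rules delivered by MDM and by Group Policy.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $appx = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq "Appx" }
    if (-not $appx) {
        Write-Warning "No packaged-app rule collection is in effect yet; the profile may not have been applied"
        return
    }
    Write-Host "Packaged app enforcement mode: $($appx.EnforcementMode)"   # Enabled or AuditOnly
    $appx.FilePublisherRule | Where-Object { $_.Action -eq "Deny" } |
        Select-Object Name, UserOrGroupSid,
            @{ n = "Product"; e = { $_.Conditions.FilePublisherCondition.ProductName } }
}

function Get-AppxBlockEvents {
    param([int]$Hours = 24)
    # Packaged app-Execution log: 8020 = allowed, 8021 = would have been blocked
    # (audit mode), 8022 = blocked. Audit mode (step 1.2) shows up as 8021 only.
    $filter = @{
        LogName   = "Microsoft-Windows-AppLocker/Packaged app-Execution"
        Id        = 8021, 8022
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent errors when no events match.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ n = "Outcome"; e = { if ($_.Id -eq 8022) { "Blocked" } else { "Audited" } } },
            @{ n = "Detail";  e = { ($_.Message -split "`n")[0] } }
}

# Usage: list deny rules in force, then any blocked/audited launches in the last 2 hours.
Get-AppxDenyRules | Format-Table -AutoSize
Get-AppxBlockEvents -Hours 2 | Format-Table -AutoSize
```

If Get-AppxDenyRules reports no "Block Xbox" rule, the profile has not reached the device yet; if the rule is present with EnforcementMode AuditOnly, launches will appear as 8021 events without being stopped, which is the state to use while validating a policy before enforcing it.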