Application Control - Using AppLocker
Application Control or AppLocker is a feature available since Windows 7 (new Windows 10 MDM API) that advances the features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny applications from running based on unique identities of files and to specify which users or groups can run those applications.
Using AppLocker, you can:
- Control the following types of applications: executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.msi and .msp), DLL files (.dll and .ocx), and packaged apps (.appx).
- Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file.
- Assign a rule to a security group or an individual user.
- Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run except Registry Editor (Regedit.exe).
- Use audit-only mode to deploy the policy and understand its impact before enforcing it.
- Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, all criteria in the existing policy are overwritten.
AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of help desk calls that result from users running unapproved applications.
In Windows 10, AirWatch leverages the Application Control profile to send down the AppLocker configuration to devices. We will learn how to create the AppLocker configuration file to import into AirWatch.
1. Creating the AppLocker Configuration File
- Click on the Windows logo
- Enter "group policy"
- Click Edit group policy
1.1. AppLocker GPO
- Expand Windows Settings
- Expand Security Settings
- Expand Application Control Policies
- Expand AppLocker
- Click Configure rule enforcement
1.2. Enforce Packaged App Rules
In this example we will block the Xbox application (.appx). If you wanted to block RegEdit then you would configure the Executable rules.
- Check Configured under Package app Rules; Enforce rules option is default, if you want to test the rules before applying them, then you could run them in Audit mode first.
- Click Apply
- Click OK
1.3. Create Default Rules
- Click Packaged app Rules, to start configuring the rules.
- Right click in the white space to the right of the window
- Select Create Default Rules
1.4. Edit Default Rule
For blacklisting only a few apps, I suggest starting with an Allow rule and add your blacklisting exceptions. If you want to only allow a few apps then convert the default to a Block and whitelist your exceptions.
- Right click on the default rule
- Click Properties
1.5. Exceptions
- Click Exceptions
- Click Add...
1.6. Packaged App Reference
- Select Use an installed packaged as a reference
- Click Select...
1.7. Select Packaged Application
- Using the scroll bar, scroll to the bottom
- Check the Xbox app with Package Name of Microsoft.XboxApp
- Click OK
1.8. Package Name
All of the package's information is pre-populated. You can block the Xbox app based on the specific version, package name, or by the publisher. We want to block any version of the Xbox application.
- Raise the lever from Package version to Package name
- Click OK
1.9. Confirm Exceptions
- Click Apply
- Click OK
1.10. Export AppLocker Policy
- Right click AppLocker
- Click Export Policy...
1.11. Save Policy XML
- Select the Downloads directory, if needed
- Enter "BlockXbox" in the File name field
- Click Save
1.12. Export Confirmation
- Click OK
1.13. Clear Policy
Now that we have exported our policy, we want to remove it from our test device.
- Right click AppLocker
- Click Clear Policy
1.14. Clear Policy Confirmation
- Click Yes
1.15. Removed Policy Confirmation
- Click OK
1.16. Close Group Policy Editor
- Click the X to close the Group Policy Editor window
2. Creating the Application Control Profile
- Back in the AirWatch console, click ADD
- Click Profile
2.1. Windows Platform
- Click Windows
2.2. Windows Desktop Device Type
- Click Windows Desktop
2.3. General Profile Settings
- Enter "Block Xbox" into the Name field
- Select your "All Devices" smart group for the Assigned Groups
2.4. Application Control
- Using the scroll bar, scroll all the way to the bottom
- Click Application Control
- Click Configure
2.5. Enable Application Control
- Check the Import Sample Device Configuration box
- Click Upload
2.6. Upload AppLocker Configuration XML
- Click Browse...
- Ensure you are at the Downloads directory
- Click BlockXbox
- Click Open
2.7. Save AppLocker XML
- Click Save
2.8. Save & Publish
- Click Save & Publish
2.9. Device Assignment
- Click Publish
2.10. Verify Profile
You should now see your Block Xbox Application Control (AppLocker) profile. In this workshop, we did a simple blocking of one application. There are many resources which you can use to create your perfect AppLocker policy.