Application Blocking

Application blocking lets you allow or block applications from launching. Also called application authorization, this feature enables administrators to build blacklists and whitelists of applications to control application and license sprawl. You can also create condition settings to control the circumstances under which an application can be used. For example, you can create a condition that allows a user access to company-specific applications only when the user is on the internal corporate network.

By default, once you enable application blocking, only applications from the Windows folder, C:\Program Files, and C:\Program Files (x86) are allowed to run. To fine-tune application blocking, you can further specify applications to allow or block based on path, hash, or publisher.

You can configure the following types of application blocking:

  • Path-based. You can specify a path to a folder. Or, you can specify a fully qualified file name (the configured path includes the full path and file name of the executable).
  • Hash-based. You can specify to allow or block based on a hash that matches a particular executable.
  • Publisher-based. You can specify a publisher to allow, and executables associated with that publisher can launch. You cannot block applications by publisher.

Note: If you configure multiple types of application blocking, it is important to understand the order in which they are evaluated.
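Before choosing a rule type, it helps to collect the attributes each type matches on for the executable in question. The following PowerShell is an added example, not part of the original lab or of the product; the function name `Get-AppBlockingRuleData` is hypothetical, SHA-256 is an assumed hash algorithm, and the certificate subject is shown only as an approximation of the publisher value the console displays.

```powershell
# Added example: gather the path, hash and publisher of one executable,
# i.e. the attributes that path-, hash- and publisher-based rules match on.
function Get-AppBlockingRuleData {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Folders the page lists as allowed by default once blocking is enabled.
    $defaultAllowed = @(
        $env:windir,
        $env:ProgramFiles,
        ${env:ProgramFiles(x86)}
    ) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    $inDefault = $false
    foreach ($root in $defaultAllowed) {
        if ($file.FullName.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inDefault = $true
        }
    }

    # Assumption: SHA-256. Use whichever algorithm your console expects.
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256

    # Unsigned files have no signer certificate, so no publisher rule applies.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    [pscustomobject]@{
        Path                   = $file.FullName
        InDefaultAllowedFolder = $inDefault
        SHA256                 = $hash.Hash
        SignatureStatus        = $sig.Status
        Publisher              = $publisher
    }
}

# The executable this lab blocks by path in the steps below.
Get-AppBlockingRuleData -Path 'C:\Windows\System32\cmd.exe' | Format-List
```

A hash value identifies one exact build of a file, so a hash-based rule has to be refreshed whenever the executable is updated.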

Enable and Configure Application Blocking

Application blocking is disabled by default. You must enable it manually, configure conditions to control the users eligible for application blocking, and define a custom message.

Launch User Environment Manager

Open the UEM Management Console from the Main Console desktop by double-clicking the UEM Management Console icon on the desktop.

If UEM is still open from the previous lesson, you can continue to the next step.

Bring up Application Blocking

  1. Click on User Environment
  2. Click on Application Blocking
  3. Click on Global Configuration

Global Configuration of Application Blocking

You will notice that Application Blocking is turned off by default.

  1. Select the check box to enable Application Blocking
  2. Click OK

Click OK

  1. Click OK to enable Application Blocking
  2. Minimize the UEM Management Console

Horizon HTML Access

  1. Open Chrome Browser
  2. Select the VMware Horizon bookmark
  3. Select VMware Horizon HTML Access

Log in to VMware Horizon

Log in to Horizon HTML Access:

  1. Change username to: user2mod1 (please make sure to change default user)
  2. Password: VMware1!
  3. Click Login

 

Launch the Instant Clone Desktop

Double-click the Instant Clone Pool to launch the desktop. It will automatically log the user2mod1 user into the desktop.

Copy / Paste Message

Click OK on the Copy and Paste message that pops up.

Launch Run from Desktop

  1. Right-click the Windows logo in the bottom left corner
  2. Open Run.

Run the command prompt

  1. Type C:\windows\system32\cmd.exe in the Open: prompt for Run (you can also use click & drag)
  2. Click OK

Command Prompt Launches Successfully

Note that the Command Prompt application opens successfully.

We will specifically block this app in the next steps.

Lock the Desktop

  1. Click on the Windows logo in the bottom left corner
  2. Click on the Person icon
  3. Click Lock
  4. Minimize Chrome

We will be using this desktop more in a minute. We set a Triggered Task earlier so that the UEM Application Blocking settings are refreshed when the desktop is unlocked. We did this so that we don't have to wait for the Instant Clone Desktop to be provisioned after a disconnect.

Open up the UEM Management Console

If it is not already open, click on the Production Environment on the taskbar to reopen the UEM Management Console.

Allow and Block Applications

  1. Under the User Environment Tab
  2. Click on Application Blocking
  3. Click on Create

Application Blocking Settings

We are going to block the Command application from launching.

  1. Under Settings, type the Name: Command Blocking and the Label: CMD
  2. Under Block, Click on Add

Select path to block

  1. Either type the path C:\Windows\System32\cmd.exe in the field above, or click on Select File... and navigate to the file. (Use Click & Drag)
  2. Click OK

Save Application Blocking

Click on Save to save the Application Blocking settings.

Confirm Application Blocking

You should now see that Application Blocking is enabled and that the Command Blocking setting lists the blocked application.

Now we will see that this is blocked when we try to run it as a user.

Minimize the UEM Management Console.

Unlock the Horizon HTML Access Desktop

  1. Open the Desktop back up by clicking on the Chrome Browser tab for the Horizon HTML Access
  2. Click on the pull out
  3. Select the Ctrl-alt-delete icon to open the password prompt
  4. Enter password: VMware1! and hit return.
  5. Click on the pull out to close it.

Launch Run from Desktop

  1. Right Click the Windows logo in the bottom left corner
  2. Click on Run

Run the command prompt

  1. Type c:\windows\system32\cmd.exe in the Open box of Run.
  2. Click OK

Does the cmd prompt launch?

A message is displayed saying that the command was blocked.

Click Close to continue. This is expected, since you just blocked that application.

Sign out of the Desktop

  1. Click on the Windows logo in the bottom left corner
  2. Click on the Person icon
  3. Click Sign Out
  4. Close the Chrome Browser by clicking the X in the top right

Disable Application Blocking

In the UEM Management Console, be sure to disable Application Blocking, as some of the next steps in this lab may be impacted.

  1. Select the UEM Management Console from the taskbar
  2. Click on the User Environment tab at the top
  3. Click on Application Blocking
  4. Click on Global Configuration
  5. Uncheck the box for Enable Application Blocking in order to disable it
  6. Click OK
  7. Close the UEM Management Console by clicking the X in the top right

This is the conclusion of this exercise. We have gone over how to use Application Blocking in UEM.