Wednesday, 17 April 2013

Building an AppSense Application Manager whitelist configuration

A number of people have asked me about building an AppSense Application Manager whitelist configuration where they can control, to an extremely granular level, what applications a user can and cannot run. 

This post will describe the steps required to build a configuration which can achieve this. Please ensure you read the entire document before attempting to configure Application Manager Whitelisting.

The following pre-requisites should exist:
  • A desktop, laptop or virtual machine configured using your base image with all applications installed.
  • The above-mentioned device must be joined to the corporate domain to ensure all computer and user policies are applied to the device.
  • Application Manager Agent must be installed on the above-mentioned device.
  • AppSense Management Center must be installed and configured, with auditing of denied applications enabled.

The first step is to configure auditing of event ID 9000 (the denied execution event). This can be done in two places:

1. Within the AppSense Management Center

2. Within the Application Manager Configuration (Home > Auditing)

Once you've configured auditing, create a group rule for your pilot users and switch that group rule to "Audit Only" mode.

Note: This can be done against the Everyone group if the configuration is being deployed to targeted users only.

Once this is set up, add a Prohibited Items rule for *.exe within the same group rule that is in Audit Only mode. Nothing is actually blocked while the rule is in Audit Only mode, but every executable launched by those users now raises a 9000 event, which is what gives you a complete record of what they run.

Next, analyse the enterprise auditing list in the Management Center (or the event log file on the device) and create an Accessible Items (allow) rule for each application flagged by a 9000 event. Once every item listed in the logs is covered by the configuration, clear the auditing data and event logs so that only newly discovered items show up on the next pass.

When a pass produces no new items in the log file, you're ready to switch the group rule to "Restricted".
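Working through the denied-execution log is the tedious part of the procedure above. As an added example (not code from the original post or from AppSense), here is a small Python script that takes an exported list of audit events, keeps only the 9000 entries, groups them by executable path, counts how many users and machines hit each one, and flags paths under user-writable locations (user profiles, AppData, Temp) for review rather than for a blanket path-based allow rule. The export column layout and the sample rows are constructed for this example and are not the real Management Center export format.

```python
"""Summarise Application Manager 9000 (denied execution) audit events into
candidate Accessible Items to review before switching a group rule to Restricted."""
import csv
import io
import ntpath
import re

DENIED_EXECUTION_EVENT = "9000"

# Constructed sample export. The column layout is an assumption for this example,
# not the real Management Center export format. The 9001 row is a non-9000 event
# included only to show that it is filtered out.
SAMPLE_EXPORT = r"""Time,Computer,User,EventID,Path
2013-04-10 09:01:12,PC001,CORP\alice,9000,C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
2013-04-10 09:03:40,PC002,CORP\bob,9000,C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
2013-04-10 09:05:02,PC001,CORP\alice,9000,C:\Windows\System32\notepad.exe
2013-04-10 09:07:55,PC003,CORP\carol,9000,C:\Users\carol\AppData\Local\Temp\setup.exe
2013-04-10 09:08:30,PC002,CORP\bob,9001,C:\Windows\System32\calc.exe
2013-04-10 09:10:11,PC003,CORP\carol,9000,c:\program files\microsoft office\office14\winword.exe
"""

# Locations an ordinary user can write to. A path-only allow rule there is only as
# strong as the user's ability to drop a renamed binary into that folder, so such
# paths are flagged for review instead of being allowed as seen.
USER_WRITABLE_PATTERNS = [
    re.compile(r"^[a-z]:\\users\\", re.I),
    re.compile(r"^[a-z]:\\documents and settings\\", re.I),
    re.compile(r"\\appdata\\", re.I),
    re.compile(r"^[a-z]:\\windows\\temp\\", re.I),
    re.compile(r"^[a-z]:\\temp\\", re.I),
]


def parse_denied_events(export_text):
    """Return only the rows whose EventID is 9000, with whitespace stripped."""
    reader = csv.DictReader(io.StringIO(export_text))
    return [
        {k: v.strip() for k, v in row.items()}
        for row in reader
        if row["EventID"].strip() == DENIED_EXECUTION_EVENT
    ]


def is_user_writable(path):
    """True if the path sits somewhere a standard user can normally write."""
    return any(p.search(path) for p in USER_WRITABLE_PATTERNS)


def summarise(events):
    """Group denied events by path (case-insensitively, as NTFS is),
    remembering how often, by whom and on which machines each was seen."""
    summary = {}
    for ev in events:
        key = ntpath.normcase(ev["Path"])
        entry = summary.setdefault(
            key, {"path": ev["Path"], "count": 0, "users": set(), "computers": set()}
        )
        entry["count"] += 1
        entry["users"].add(ev["User"])
        entry["computers"].add(ev["Computer"])
    return summary


def candidate_rules(summary):
    """Turn the summary into (path, hits, distinct users, action) tuples,
    most frequently seen first."""
    rules = []
    for entry in summary.values():
        action = "review" if is_user_writable(entry["path"]) else "allow"
        rules.append((entry["path"], entry["count"], len(entry["users"]), action))
    rules.sort(key=lambda r: (-r[1], r[0].lower()))
    return rules


def build_candidates(export_text):
    """Full pipeline: export text in, candidate Accessible Items out."""
    return candidate_rules(summarise(parse_denied_events(export_text)))


if __name__ == "__main__":
    for path, hits, users, action in build_candidates(SAMPLE_EXPORT):
        print(f"{action:6} {hits:3} hits / {users} users  {path}")
```

Run it against the real export once per pass; after each pass, add the "allow" entries as Accessible Items, decide case by case what to do with the "review" entries (a rule that checks the file itself rather than only its location is the safer choice for anything launched from a user-writable folder), clear the logs, and repeat until the script prints nothing new.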

A few more things:

There are no shortcuts for this... you will need to deploy the configuration and agent to a pilot user base. These users need to run with this configuration in Audit Only mode for several weeks, and during that time the configuration should be updated to cover as many different eventualities as possible. 

Test, test and test... then when you think you're done give it another test. Switching the configuration to Restricted will cause disruption if your configuration is not complete.