Monday, 2 February 2015

Application Manager 8.9 System Controls

Application Manager 8.9 will introduce, among other things, the ability for Administrators to elevate or restrict access to a number of System Controls. These system controls include:
  • Uninstall Controls
  • Service Controls
  • Event Log Controls
In a nutshell, this means that using AppSense Environment Manager, an Administrator can now control exactly which applications, services and event logs a user (or perhaps a site-level administrator) can interact with, without that user having to be granted local administrator rights.

This feature will appear as a new tab, called System Controls, on the User Rights item within a rule.

The first thing you will notice is that AppSense have implemented an "Add AppSense Components and Dependencies" button, which by default will add the AppSense rules seen in the screenshot above. This prevents users from tampering with the AppSense components to open their system up.

Uninstall Controls

Uninstall controls allow or prevent users from uninstalling certain applications within the Add or Remove Programs dialogue.

In this example I want my end users to be able to uninstall Notepad++ should the need arise. To do this, the Administrator simply opens the existing Application Manager configuration and browses to the System Controls section.

Right-click anywhere in the item pane and select Uninstall Control Item. The Administrator is then presented with a dialogue box in which to enter details of the application whose uninstallation is to be allowed.

If the details are not known, the Administrator can simply click the browse button [...] and choose from the list of applications installed on the local machine, or alternatively connect to a remote machine to get the applications list from there.

In the example I have chosen to allow the uninstallation of Notepad++. By default the newly added item will be assigned the Builtin Restrict policy, which will prevent the user from uninstalling that application. This should be switched to Builtin Elevate to allow the uninstallation to complete successfully.

Once the configuration is deployed, attempt to uninstall Notepad++.

The operation will be allowed as though my user had Administrator rights.

Service Controls

Service controls, as the name implies, allow Administrators to specify which services users (or a local IT bod) can start, stop, etc.

The tasks required to set up a service control item are the same as those for configuring an uninstall control, the only exception being that a Service Control Item is selected from the right-click menu.

In the example below, the Print Spooler has been configured with the Builtin Elevate policy so that users can restart it; the AppSense services, however, have been configured with the Builtin Restrict policy to prevent local interaction:

Print Spooler

Using the services.msc snap-in, the user has access to the Start, Stop, etc. controls that are available to any administrator on the system.

When attempting to stop the service using net.exe the user is allowed to stop the print spooler. 

AppSense Application Manager

Using the Services.msc snap-in, the Start, Stop, Pause and Resume controls are disabled, as are the corresponding right-click options on the service name.

Using net.exe to stop the service, the user will receive an Access is Denied message.
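
A post-deployment check for the two service control cases above, as an added example that is not part of the original post or of AppSense tooling: it repeats the net.exe test for each service and compares the outcome with the policy assigned to it. The AppSense service name is a placeholder, and the function and variable names are illustrative.

```powershell
# Added example, not AppSense code. Run in the standard (non-admin) user's
# session after the configuration has been deployed.
# The second service name is a placeholder: substitute the AppSense agent's
# service name as shown in services.msc on your build.
$expectations = @(
    @{ Service = 'Spooler';                 Policy = 'Elevate'  },
    @{ Service = '<AppSense-service-name>'; Policy = 'Restrict' }
)

function Test-ServiceControl {
    param([string]$Service, [string]$Policy)

    $result = [ordered]@{ Service = $Service; Policy = $Policy; Outcome = ''; Pass = $false }

    $svc = Get-Service -Name $Service -ErrorAction SilentlyContinue
    if (-not $svc) {
        $result.Outcome = 'service not found'
    }
    elseif ($svc.Status -ne 'Running') {
        # net.exe stop fails on a stopped service whatever the policy, so the
        # result would say nothing about the control.
        $result.Outcome = "skipped, service is $($svc.Status)"
    }
    else {
        # Same command the post uses. /y answers the dependent-services prompt;
        # dependants that get stopped are not restarted by this script.
        $output  = (& net.exe stop $Service /y 2>&1 | Out-String).Trim()
        $stopped = ($LASTEXITCODE -eq 0)
        if ($stopped) {
            & net.exe start $Service | Out-Null   # put the service back
        }
        $result.Outcome = if ($stopped) { 'stop allowed' } else { "stop refused: $output" }
        # Elevate must allow the stop; Restrict must refuse it.
        $result.Pass = ($stopped -eq ($Policy -eq 'Elevate'))
    }
    [pscustomobject]$result
}

$report = foreach ($e in $expectations) { Test-ServiceControl @e }
$report | Format-Table -AutoSize -Wrap
if ($report.Pass -contains $false) { exit 1 }
```

A non-zero exit code means at least one service did not behave as its policy requires, which makes the script usable as a gate after each configuration change.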

Event Log Controls

Similar to the Uninstall and Service controls, event log controls can be used to allow or prevent an end user from accessing an event log. 

The most common use case for this functionality is allowing users (or local on-site support staff) access to specific event viewer logs in order to support a workstation, etc.