Application Control Best Practices

Every enterprise has their own set of requirements and approach techniques when it comes to application control. It is impossible to construct a guide that will work for all enterprises alike. Application Control Plus recommends the following steps as best practices, however they can be customized to fit the unique needs of your enterprise.

Step 1: Create Custom Groups

What are custom groups?

Computers belonging to users who require similar groups of applications can be clustered together to form Custom Groups. This grouping process can be based on roles, departments or any other criteria of your preference.

How to create custom groups?

To create a custom group, follow the steps below:

  1. Select the Admin tab
  2. Click the Custom Groups link available under the Global Settings. This will list all the Custom Groups that have been created.
  3. Click the Create New Group button and specify the following values
    • Specify a name for the custom group. This should be unique.
    • Select the Domain or the Workgroup from the list.
    • Select the Group Type as Computers. This will list the available computers in the selected domain.
    • Note: By default, the computers will be displayed in Tree View. Use List View link to view computers as a list. Manual entry of users is possible using Manual Input option
    • Select the computers and move them to the Added list.
  4. Click Submit to create the group

Refer Custom Group Creation to learn more about this process.

Step 2 : Create Application Groups

What are application groups?

All the applications that are clustered together to build either a allowlist or a blocklist, will be considered as an application group. These groups will be automatically built based on the rules you set for each of them.

How to create application groups?

  1. Select the Application Groups tab.
  2. Click Create Allowlist or Create Blocklist, based on the type of application group you wish to build.
  3. Once inside this module, give the application group an apt name and description, if required.
  5. Initially all the running applications discovered in the systems with agents will be displayed to you, as the Product Name rule will be selected by default.
  7. To view the running applications and EXEs specific to the custom groups created in the previous step, click on Filters.Specify the Custom Group. All the running applications or EXEs running in the users or systems present in that custom group will then be displayed to you based on the rule chosen. You can further filter this list by specifying the required criteria.
  8. Next, you need to set the rules for the application group. All the discovered applications will be checked to see if they comply with the rules set and will be added to the application group based on this. The different rules that can be set are based on the vendors, product names, executables with valid certificates and the hash value of the EXE(s). Click on the drop down button near 'Product Name', if you wish to specify any other rule.
  10. If you have chosen, say the vendor rule, all the vendors of the discovered applications will be displayed to you. You can choose the vendors you wish to add to the allowlist/blocklist from this. All applications that belong to these vendors will automatically be added to the application group you are building. This will be the same case for all other rules as well.
  11. Once you have specified all the necessary rules to add your required applications, you can proceed to click Create.

Now that the custom groups and application groups have been created, the next step is to deploy the set policies to the chosen group of users.

Step 3: Application Control Policy Deployment

How are application control policies deployed?

A policy can be created and deployed by associating the application groups with custom groups that contain the systems that require these policies. Here are the steps to be followed in order to deploy an application control policy:

  1. Navigate to the Policy Deployment tab. Click on Associate Groups, once that window is open, specify the Custom Group containing the computers of the users to whom you want to deploy the control policies to. You can also create a new custom group at this step.
  2. Proceed to choose the Application Groups with the allowlists/blocklists meant for that particular Custom Group. You can specify multiple application groups at this step. New groups can also be created by clicking on Add.
  3. Next, proceed to choose the preferred mode of flexibility. You can either implement the policies set in Audit Mode or Strict Mode. Unmanaged applications are those that aren't a part of both the allowlist and the blocklist. They will be allowed to run in the audit mode and will be blocked in the strict mode. Active log collection will occur every time a unmanaged application is run. Once the preferred mode is specified you can deploy the policies. 

Initially, when Application Control Plus is run for the first time it is advised to create a tentative allowlist and deploy policies in the Audit Mode. You can monitor and resolve the unmanaged applications, to properly define your allowlist before switching to the Strict Mode, as only allowlisted applications will run in this mode.

How to resolve unmanaged applications?

First you will have to go through the logs to understand which unmanaged applications have been run in the Audit Mode.

  1. In order to view this, navigate to the Policy Deployment tab and click the custom group for which you want to view the list of unmanaged applications. 
  2. Once inside this window, you will be able to view all the unmanaged applications. Based on the legitimacy and instances of their usage you can determine if they are truly necessary for your network. 
  3. Once you have arrived at this decision you can select them and either move them to a new allowlist or blocklist by clicking on Move to Allowlist or Move to Blocklist. They will immediately get associated with that particular custom group. You can also move them to an existing application group by clicking on Move to Existing Application Group and specifying the name of that particular application group.

Once unmanaged applications have been resolved to the extent you prefer, you can either continue to run it in the Audit Mode or you can switch to the Strict Mode where only allowlisted applications will work. By switching to the Strict Mode you can ensure that you have 100% control over all the applications that run in your network.

Before deploying the association policies, another option to either Associate the Privilged Application List or not will be made available to you. Enabling this would allow you to do Endpoint Privilege Management.


What is Endpoint Privilege Management?

Endpoint Privilege Management is the process of allocating application-specific privileged access to users based on their requirements. You can easily adopt the principle of least privilege through out your network, without it affecting your productivity using this feature. It enables privileged access to applications without compromising the privileged credentials or any unnecessary privilege elevation.

How does Endpoint Privilege Management work?

  1. First you will have to create a Privileged Application List. Navigate to the Privilege Management tab and create a list of applications that need administrator level access to run.
  2. After this list creation is done, you can navigate to the Policy Deployment tab and choose the Custom Group with the user-devices that require privileged access to those applications. Once you have done this, you can click yes to Associate the Privileged Application List to the chosen custom group.
  3. The user-devices in the associated custom group can attain privileged access to those applications by right clicking on the application's exe and choosing 'Run as ManageEngine'.

Note: The presence of an application in a allowlist or blocklist associated with the same custom group will not affect its functioning when 'Run as ManageEngine'.

After making all of these choices, you can go ahead and deploy the control policies.


How to modify or delete an existing application control policy?

  1. Navigate to the Policy Deployment tab and identify the custom group to which the application control policy has been applied.
  2. Once the policy has been spotted, hover over actions. Options to either modify or delete the policy would be available, you can then proceed to choose the action of your preference.