Home » Policy Deployment

Application Control: Policy Deployment

Table of contents

Associating Application Groups

Users with similar roles often need similar apps. You can assign applications to each device based on their requirements, or create custom groups of machines with specific application allowlists to satisfy their needs using relevant policies. Endpoint Central's application allowlisting feature lets you associate multiple allowlists with a custom group and vice versa.

How to associate applications with custom groups?

  • Log in to the Endpoint Central web console with administrative privileges and navigate to Application Control -> Application Groups to create an Allowlist or Blocklist. To know more about the creation of application groups, refer to this page.
  • Under Deployment, go to Deploy Policy and create a custom group or select an already existing custom group.
  • Select the already existing application group that needs to be associated with the custom group.
  • If required, enable the option to Associate Privileged Application List.
  • Select the required option to run the applications either on Audit mode or Strict mode.
  • While running in Strict mode, the unmanaged applications can be requested if the option is enabled.
  • Enable Custom notifications and Alert messages according to your preference.

  • Click Deploy or Deploy immediately.
     

    Associate App Group

You have successfully associated applications with custom groups in Endpoint Central. This simplifies management, access control, and reporting. You can now define policies, permissions, and restrictions at the group level, providing granular control over the applications used within your organization.

Flexibility Regulator

Different enterprises have diverse application control needs. Traditional application control solutions might not satisfy the needs of all the enterprises alike. Endpoint Central offers various modes to satisfy various levels of flexibility preferred by different enterprises, including:

Audit Mode

Enterprise IT admins that have just begun their application control process can leverage Audit Mode to get a clear picture of how they should build their application control framework. In the beginning as the admin might not know what applications users in their organization need, the best option is to enable high flexibility functioning.

All allowlisted and unmanaged applications will run in this mode and so it is not a secure model. Event collection is enabled to help admins identify apps to add to the allowlist, depending on the frequency and legitimacy of their use.

Audit Mode

Strict Mode

Strict Mode enforces a zero-trust security model. By choosing this mode, the unmanaged applications will be blocked. Only applications that are a part of the allowlist can execute. In case the user tries to access an unmanaged application, they will be immediately notified that the use of this particular application is prohibited.

Strict Mode

Note: In Audit mode, all running applications are logged and blocklisted ones are prevented from executing; however, this mode does not provide complete protection. Strict mode provides a higher level of security and enforcing a zero-trust model.

User Notification Settings

User notification settings allow administrators to display a customized alert message to end users when an application is blocked, ensuring clear communication of enforcement. The notification message can be tailored as needed and configured to appear for all blocked applications or for all applications excluding Microsoft Store apps.

When this option is enabled, a notification containing the defined custom message will be shown on the user’s device whenever an application is blocked by the policy.

Alert Settings

Revoking Application Policy

The deployed policies can be revoked either by deleting the policy or by removing the target machine from its associated custom group. Any policy changes, deletions, group modifications, or updates to unmanaged applications are synchronized with agent machines during their refresh cycles. In environments with a Distribution Server, policies and configurations are first replicated to the server and then synchronized with agent machines as part of the standard 90-minute refresh cycle.

Delete Application Group

Application Access Events

The Access Events view provides a comprehensive record of application access attempts made by users on a managed endpoint. This includes both applications that were successfully launched and applications that were blocked based on the application control policies. To view the events:

  1. Navigate to Systems and select the required machine.
  2. Open the Events tab and select Access Events from the left panel.

Administrators can use this view to monitor user activity, verify policy enforcement, and investigate unauthorized application access attempts. Each event displays key details such as the application name, user, rule type (Product, Vendor, etc.), event type (Allowed or Blocked), event time, remarks, and the associated application group or policy. Click Update Now on the right top corner to refresh and display the latest events from the endpoint.

Application Access Events

Note:Elevation Events can also be viewed.

Policy Precedence

Policy precedence can be configured under Settings -> General Settings to determine how conflicts are resolved when both allowlist and blocklist policies of the same filter rule are applied. In scenarios where an application matches rules from both policies, this setting lets administrators define which policy takes priority, ensuring consistent and predictable enforcement across managed endpoints.

Scenario:If an application is blocked using the vendor rule and allowed using the product name rule, changing the policy precedence will not have any effect.

Policy Precedence Settings

If you have any further questions, please refer to our Frequently Asked Questions section for more information.

Vertraut von