Application Control via PAM360

PAM360's Application Control, powered by ManageEngine's Application Control Plus, empowers administrators with advanced privilege elevation and delegation management. This functionality allows for effective oversight of applications on organizational endpoints. Using a set of crafted rules, administrators can effortlessly identify and manage applications across PAM360 resources and tailor allowlists and blocklists to control application usage. Additionally, at break-glass scenarios, administrators can temporarily authorize applications on the blocklist. Overall, this operation streamlines the process of allocating application access to users, enhancing security and efficiency within the PAM360 environment across all resources.

  1. If you are already leveraging the Application Control module through Application Control Plus/Endpoint Central, proceed with the help documentation to configure Application Control in PAM360 seamlessly.
  2. If you are new to Application Control, download Application Control Plus now to access free application management for up to 25 resources.

1. Prerequisites

  1. To control applications at endpoints via PAM360, you should have the Application Control Plus application powered by ManageEngine.

    Note: Please note that if you are already using ManageEngine's Endpoint Central, you can take advantage of it by ensuring that you have the Application Control Plus module enabled.

  2. The possessed version of Application Control Plus should not be less than 11.3.2404.1.
  3. The user responsible for configuration should hold administrative privileges in both the Application Control Plus application and PAM360.
  4. In order to leverage Application Control within PAM360 effectively, it is crucial that the user currently logged into PAM360 exists within Application Control Plus with an identical username. If the user is authenticated via Active Directory, their corresponding account in Application Control Plus should align with the same domain name. This synchronization ensures seamless integration and functionality across both platforms.
  5. The HTTPS port of Application Control Plus is required to configure Application Control in PAM360.

2. Role - Manage Application Control

By default, users assigned the Privileged Administrator and Administrator roles can configure and manage Application Control in PAM360. Alternatively, you can grant these same responsibilities to users by creating a custom role with the Manage Application Control privilege enabled. Users assigned this custom role will be able to configure and manage Application Control via PAM360.

3. Generating Authentication Token

To enable the Application Control functionality, it is necessary to generate an authentication token from Application Control Plus. To generate the authentication token, perform the steps that follow:

  1. Log in to Application Control Plus.
  2. Go to Admin, then Integration, and select API Explorer.
  3. On the page that opens, under API List, choose Authentication, then Login.
  4. Opt for the required authentication and input your Application Control Plus' User Name, Password, and/or Domain.
  5. Click Execute to generate the required authentication token for establishing communication with PAM360.
  6. Copy the authentication token for configuring Application Control in PAM360.


4. Configuring Application Control in PAM360

To ensure the expected functionality and perform endpoint privilege management capabilities via the PAM360 environment, configuring Application Control in PAM360 is necessary. To do so:

  1. Login to the PAM360 user account.
  2. Go to Admin, then Privilege Elevation, and select Application Control. Click Configure.
  3. In the dialogue box that opens,
    1. Input the server name where the Application Control Plus is installed (e.g., in-qaauto-92dt).
    2. Enter the HTTPS port number configured for Application Control Plus (default is 8383).
  4. Click Enable to establish communication and complete the setup process.

    Note: Once configured, you can also edit the above details using the Edit Configuration button present at the top pane of the left Application Control column.

5. Application Control in PAM360

Once communication is established between PAM360 and Application Control Plus, the Application Control window will load for further application management. Here, you can create allowlists and blocklists for endpoints across PAM360, and you can perform the following further application management actions directly from the PAM360 interface:

  1. Manage Windows systems
  2. Application Allowlist/Blocklist
  3. Custom Group Creation
  4. Endpoint Privilege Management

6. Configuration and Management Failure Scenarios

Encountering difficulties while configuring or managing Application Control in PAM360 can result from various factors. It is essential to address these issues to ensure effective and efficient utilization of the Application Control feature.

a. Mismatched Privileged Roles

If a user attempts to manage Application Control via PAM360 but lacks a corresponding privileged role in Application Control Plus, issues may arise. Users should possess similar privileged roles in both platforms to access and manage Application Control seamlessly.

b. Module Absence in Endpoint Central

In cases where the Application Control module is not enabled in Endpoint Central, attempts to configure or manage Application Control will fail. It is crucial to ensure that the Application Control module is activated within Endpoint Central for proper functionality.

c. Unauthorized Access and Privileges

Configuration or management of Application Control without the appropriate privileges can lead to unauthorized access attempts. Users should be granted the necessary privileges to avoid encountering issues while configuring or managing Application Control within PAM360.

d. Authentication Token Update Requirement

Changing the login password of the responsible user in Application Control Plus disrupts the functionality of the Application Control module in PAM360. This is because the previously generated authentication token becomes invalid after the password change. To ensure smooth operation, it is essential to update the Application Control configuration with the newly generated authentication token.

e. Username Discrepancy

If a user attempting to access Application Control does not have the same username as in PAM360, issues may arise. Consistency in usernames across platforms is necessary to facilitate seamless access and utilization of Application Control functionalities.

Addressing these potential failure scenarios comprehensively ensures the effective and efficient deployment and usage of Application Control within PAM360, enhancing overall security management capabilities.