# Application Control: Policy Deployment

## Table of contents

- [Associating Application Groups](https://www.manageengine.com/products/desktop-central/help/application-control/ac-policy-deployment.html#associate)
- [Flexibility Regulator](https://www.manageengine.com/products/desktop-central/help/application-control/ac-policy-deployment.html#flexibility)
- [User Notification Settings](https://www.manageengine.com/products/desktop-central/help/application-control/ac-policy-deployment.html#notifi)
- [Revoking Application Policy](https://www.manageengine.com/products/desktop-central/help/application-control/ac-policy-deployment.html#revoke)
- [Policy Precedence](https://www.manageengine.com/products/desktop-central/help/application-control/ac-policy-deployment.html#precede)

## Associating Application Groups

Users with similar roles often need similar apps. You can assign applications to each device based on their requirements, or create custom groups of machines with specific application allowlists to satisfy their needs using relevant policies. Endpoint Central's application allowlisting feature lets you associate multiple allowlists with a custom group and vice versa.

### How to associate applications with custom groups?

- Log in to the **Endpoint Central** web console with administrative privileges and navigate to **Application Control -> Application Groups** to create an **Allowlist** or **Blocklist**. To know more about the creation of application groups, refer to [this page](https://www.manageengine.com/products/desktop-central/help/application-control/configure-app-groups.html).
- Under Deployment, go to **Deploy Policy** and create a custom group or select an already existing custom group.
- Select the already existing application group that needs to be associated with the custom group.
- If required, enable the option to [Associate Privileged Application List](https://www.manageengine.com/products/desktop-central/help/endpoint-privilege-management/epm-policy-deployment.html#associate).
- Select the required option to run the applications in either [Audit mode](https://www.manageengine.com/products/desktop-central/help/application-control/ac-policy-deployment.html#audit) or [Strict mode](https://www.manageengine.com/products/desktop-central/help/application-control/ac-policy-deployment.html#strict).
- While running in Strict mode, unmanaged applications can be requested if the option is enabled. Learn more about unmanaged application requests [here](https://www.manageengine.com/products/desktop-central/help/application-control/unmanaged-application-request.html).
- Enable [Custom notifications and Alert messages](https://www.manageengine.com/products/desktop-central/help/application-control/ac-policy-deployment.html#alert) according to your preference.
- Click **Deploy** or **Deploy immediately**.

[![Associate App Group](https://cdn.manageengine.com/sites/meweb/images/desktop-central/help/application-control/ac-associate-group.png)](https://www.manageengine.com/sites/meweb/images/desktop-central/help/application-control/ac-associate-group.png)

You have successfully associated applications with custom groups in Endpoint Central. This simplifies management, access control, and reporting. You can now define policies, permissions, and restrictions at the group level, providing granular control over the applications used within your organization.

## Flexibility Regulator

Different enterprises have diverse application control needs. Traditional application control solutions might not satisfy the needs of all enterprises alike.
Endpoint Central offers various modes to satisfy the levels of flexibility preferred by different enterprises, including:

### Audit Mode

Enterprise IT admins who have just begun their application control process can leverage Audit Mode to get a clear picture of how they should build their application control framework. At the outset, the admin might not know which applications users in their organization need, so the best option is to enable high-flexibility functioning. All allowlisted and unmanaged applications will run in this mode, so it is not a secure model. Event collection is enabled to help admins identify apps to add to the allowlist, depending on the frequency and legitimacy of their use.

[![Audit Mode](https://cdn.manageengine.com/sites/meweb/images/desktop-central/help/application-control/ac-audit-mode.png)](https://www.manageengine.com/sites/meweb/images/desktop-central/help/application-control/ac-audit-mode.png)

### Strict Mode

Strict Mode enforces a zero-trust security model. In this mode, unmanaged applications are blocked. Only applications that are part of the allowlist can execute. If a user tries to access an unmanaged application, they are immediately notified that the use of this particular application is prohibited.

[![Strict Mode](https://cdn.manageengine.com/sites/meweb/images/desktop-central/help/application-control/ac-strict-mode.png)](https://www.manageengine.com/sites/meweb/images/desktop-central/help/application-control/ac-strict-mode.png)

**Note:** In Audit mode, all running applications are logged and blocklisted ones are prevented from executing; however, this mode does not provide complete protection. Strict mode provides a higher level of security by enforcing a zero-trust model.

## User Notification Settings

User notification settings allow administrators to display a customized alert message to end users when an application is blocked, ensuring clear communication of enforcement.
The notification message can be tailored as needed and configured to appear for all blocked applications or for all applications excluding Microsoft Store apps. When this option is enabled, a notification containing the defined custom message will be shown on the user's device whenever an application is blocked by the policy.

[![Alert Settings](https://cdn.manageengine.com/sites/meweb/images/desktop-central/help/application-control/ac-alert-settings.png)](https://www.manageengine.com/sites/meweb/images/desktop-central/help/application-control/ac-alert-settings.png)

## Revoking Application Policy

The deployed policies can be revoked either by deleting the policy or by removing the target machine from its associated custom group. Any policy changes, deletions, group modifications, or updates to unmanaged applications are synchronized with agent machines during their refresh cycles. In environments with a Distribution Server, policies and configurations are first replicated to the server and then synchronized with agent machines as part of the standard 90-minute refresh cycle.

[![Delete Application Group](https://www.manageengine.com/products/desktop-central/help/images/ac-delete-policy.png)](https://www.manageengine.com/products/desktop-central/help/images/ac-delete-policy.png)

## Policy Precedence

Policy precedence can be configured under **Settings -> General Settings** to determine how conflicts are resolved when both allowlist and blocklist policies are applied. In scenarios where an application matches rules from both policies, this setting lets administrators define which policy takes priority, ensuring consistent and predictable enforcement across managed endpoints.

[![Policy Precedence Settings](https://cdn.manageengine.com/sites/meweb/images/desktop-central/help/application-control/ac-policy-precedence.png)](https://www.manageengine.com/sites/meweb/images/desktop-central/help/application-control/ac-policy-precedence.png)

If you have any further questions, please refer to our [Frequently Asked Questions](https://www.manageengine.com/products/desktop-central/help/application-control/ac-faq.html#deployfaq) section for more information.
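
The Audit/Strict behaviour and the precedence setting described above can be modelled to preview what a switch from Audit to Strict mode would block. This is an added example, not Endpoint Central code: the event tuples, list contents and function names are constructed assumptions, and the model applies precedence the same way in both modes.

```python
from collections import Counter

# Constructed sample of audit-mode execution events as (host, application).
# The layout is an assumption for this sketch, not the product's export format.
AUDIT_EVENTS = [
    ("pc-01", "winword.exe"), ("pc-01", "7zfm.exe"), ("pc-02", "7zfm.exe"),
    ("pc-02", "putty.exe"), ("pc-03", "7zfm.exe"), ("pc-03", "teamviewer.exe"),
    ("pc-01", "chrome.exe"),
]
ALLOWLIST = {"winword.exe", "chrome.exe", "teamviewer.exe"}
BLOCKLIST = {"teamviewer.exe"}  # also allowlisted: a precedence conflict


def verdict(app, mode, precedence):
    """Return 'allow' or 'block' for one application.

    mode is 'audit' or 'strict'; precedence is 'allowlist' or 'blocklist',
    naming the list that wins when an application matches both.
    """
    in_allow, in_block = app in ALLOWLIST, app in BLOCKLIST
    if in_allow and in_block:
        return "allow" if precedence == "allowlist" else "block"
    if in_block:
        return "block"
    if in_allow:
        return "allow"
    # Unmanaged application: runs in Audit mode, blocked in Strict mode.
    return "allow" if mode == "audit" else "block"


def conflicts():
    """Applications whose outcome depends on the precedence setting."""
    return sorted(ALLOWLIST & BLOCKLIST)


def strict_mode_impact(events, precedence):
    """Apps that run under Audit but would be blocked under Strict,
    most frequently used first, with the hosts that ran them."""
    counts, hosts = Counter(), {}
    for host, app in events:
        if (verdict(app, "audit", precedence) == "allow"
                and verdict(app, "strict", precedence) == "block"):
            counts[app] += 1
            hosts.setdefault(app, set()).add(host)
    return [(app, n, sorted(hosts[app])) for app, n in counts.most_common()]


if __name__ == "__main__":
    print("precedence-dependent:", conflicts())
    for app, n, used_on in strict_mode_impact(AUDIT_EVENTS, "blocklist"):
        print(f"{app}: {n} runs on {used_on}")
```

The impact list is the review queue before enabling Strict mode: each entry is either added to an allowlist after its legitimacy is confirmed or left to be blocked.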