Advanced Features

Configure Application Blocking

This feature, which is also called application authorization, enables administrators to build blacklists and whitelists of applications to control application and license sprawl. You can also create condition settings to control the circumstances under which an application can be used. For example, you can create a condition that allows a user access to company-specific applications only when the user is on the internal corporate network.

The following Configure Application Blocking section provides a brief overview of the application-blocking feature.
(Approximate read time: 2 minutes)

For the purposes of this Quick-Start Tutorial, we recommend that you limit this feature to endpoint devices used for testing purposes. After you are comfortable with the way the feature works, and have the appropriate application-blocking rules defined, you can expand to using devices in your production environment.

Prerequisites for Using Application Blocking

To perform this exercise, you need the following:

  • Credentials for the virtual or physical machine where you installed and performed the initial configuration of the User Environment Manager Management Console, as described in Configure the User Environment Manager Management Console.
  • End-user credentials for the virtual or physical endpoint machine where you installed the User Environment Manager Agent, as described in Install the User Environment Manager Agent (FlexEngine) on the Desktop or RDSH Server.
  • One or more executable files with which to test application blocking. We recommend downloading the following executables for testing:
  • To complete all exercises, we recommend creating the following file structure on a file-share server.
    • \\<fileshare>\software
      Copy Putty.exe to the software folder.
    • \\<fileshare>\software\installers
      Copy Notepad++ to the installers folder.

The Domain Users group, or whichever group you selected in Profile Archives Share Prerequisites, must have read and execute permissions to this file share.

Note: Throughout this exercise you will frequently change between your Windows end-point device, where the User Environment Manager agent (FlexEngine) is installed, and the physical or virtual machine where the Management Console is installed. It is recommended that you simply minimize the unused screen to streamline the testing process.

1. Log In to the Desktop as an End User to Verify That Putty Can Run

Log in to your Windows end-point device where the User Environment Manager agent is installed.

For the example in this exercise, we used a Windows 10 instant-clone VM, accessed through the VMware Horizon Client.


1.1. Run Putty

From the Windows endpoint, browse to the file share and run Putty.exe.

1.2. Close Putty

Select Cancel to close Putty.

Remain logged in to the Windows endpoint device, but minimize the window before continuing to the next step.

2. Select Global Application Blocking in the Management Console

  1. On the physical or virtual machine where the Management Console is installed, open the Management Console.
    From the Start screen, select the Management Console shortcut in the VMware UEM folder.
  2. Select the User Environment tab.
  3. Select Application Blocking.
  4. Select Global Configuration.

3. Enable and Configure Application Blocking

  1. Select Enable Application Blocking.
  2. Select Add.

3.1. Specify the Path to the Windows Explorer Application

Browse to or enter the path to explorer.exe. Windows Explorer is considered a parent application, which means it is used to start other applications.

3.2. Complete the Configuration

Select OK to continue.

The Message title, Message text, and Hide after text boxes are automatically populated. These fields define the notification that the end user receives when the user attempts to start an application that is blocked by User Environment Manager.

Although this notification is not required, we recommend that you leave this default configuration in place while testing the application-blocking feature.

3.3. Confirm Application Blocking

Review the disclaimer and select OK to continue. Application blocking is now enabled. If you use Windows Explorer to start an application whose executable file does not reside in C:\Program Files or C:\Program Files (x86), you will see the notification you configured in the previous step, and the application will not start.

4. Refresh Settings and Verify That Application Blocking Is Enabled

  1. Maximize the virtual desktop window or reconnect to your Windows endpoint device.
  2. Open a command-prompt window and run the following command to force FlexEngine to check for updated application-blocking policies.
    "C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe" -UemRefreshApplicationBlocking

Application-blocking policy settings are read when a user logs in to Windows or when a triggered task occurs to refresh the policy settings. You can manually refresh the application-blocking policy settings on an endpoint device by running FlexEngine.exe at the command line with the appropriate argument.

There are a number of arguments that can be passed to FlexEngine.exe, as described in the following section. (Approximate read time: 2 minutes)

4.1. Verify That Running Putty from the File Share Is Blocked

From the Windows endpoint, browse to the file share and double-click the Putty.exe file.

This time, Putty is blocked by User Environment Manager. If the default settings were chosen when you enabled application blocking, a notification is displayed for ten seconds.

4.2. Verify That Running Putty from the Desktop Is Blocked

  1. Copy Putty.exe from the file share to the virtual desktop.
  2. Double-click Putty.exe and notice that again it is blocked from running.

4.3. Verify That Putty Runs from the Permitted Location

  1. Copy Putty.exe to C:\Program Files.
    Note: You may need to elevate permissions to copy the executable to this location.
  2. Double-click Putty.exe and notice the executable runs normally. This is because C:\Program Files is one of the default whitelisted folders for application blocking.

Remain logged in to the Windows endpoint, but minimize the window before continuing to the next step.

5. Create a Hash-Based Rule for Application Blocking

  1. In the Management Console, select the User Environment tab.
  2. Select Application Blocking.
  3. Select Create to create a new Allow rule for application blocking.

User Environment Manager provides several types of application-blocking rules. After you select the rule type, you can create settings to allow or block applications. In this exercise, you will create a hash-based rule and a path-based rule.

The following section summarizes the rule types and the steps for creating application rules.
(Approximate read time: 1 minute)

5.1. Specify the Name and Type for a Hash-Based Rule

  1. In the Application Blocking dialog box that appeared after you completed the previous step, enter a name for this application-blocking rule.
  2. Select Hash-based from the Type drop-down list.
  3. In the Allow section, select Add to browse to an executable.

5.2. Select the Application Executable

Browse to the file share where Putty.exe is stored and select Putty.exe.

Note that User Environment Manager computes a hash of the selected executable; the rule matches on that hash rather than on the file name or location.

5.3. Save the Hash-Based Rule

Select Save to commit the new application-blocking rule.

5.4. Refresh Application-Blocking Policies on the Virtual Desktop

  1. Maximize the virtual desktop window or reconnect to your Windows endpoint device.
  2. Open a command-prompt window and run the following command to force FlexEngine to check for updated application-blocking policies.
    "C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe" -UemRefreshApplicationBlocking

5.5. Verify That Putty Can Start from Any Location

  1. Verify that Putty.exe runs from the Desktop.
  2. Verify that Putty.exe runs from the file share.

With the application-blocking Allow rule in place, Putty.exe can now run from any location.

5.6. Verify That Putty Runs After You Rename the Executable

  1. Rename Putty.exe to myapp.exe.
  2. Double-click myapp.exe and notice the executable still runs.

One of the advantages of hash-based application-blocking rules is that they work even if the end user renames the executable.

6. Create an Approved Software Repository Using a Path-Based Rule for Application Blocking

  1. In the Management Console, select the User Environment tab.
  2. Select Application Blocking.
  3. Select Create to create a new Allow rule for application blocking.

Enterprises often need to prevent end users from running executables located outside of an IT-approved repository. Because the contents of the repository might change over time, a path-based Allow rule is well-suited for this task.

6.1. Specify the Name and Type for a Path-Based Rule

  1. Enter a name for this application-blocking rule.
  2. Select Path-based from the Type drop-down list.
  3. In the Allow section, select Add to browse to a folder.

6.2. Enter the Path to the Software Repository

Enter the path to the folder you want to use as a software repository.

This path should use the file structure you created as specified in Prerequisites for Using Application Blocking. For the example in this exercise, we use \\file\software\installers.

6.3. Save the Path-Based Rule

Select Save to commit the new application-blocking rule.

Notice that an asterisk is automatically appended to the folder path. This wildcard character indicates that all executables in this folder will inherit the Allow rule.

6.4. Refresh Application-Blocking Policies on the Virtual Desktop

  1. Maximize the virtual desktop window or reconnect to your Windows endpoint device.
  2. Open a command-prompt window and run the following command to force FlexEngine to check for updated application-blocking policies.
    "C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe" -UemRefreshApplicationBlocking

6.5. Verify That You Can Start an Application in the Software Repository

Navigate to \\<fileshare>\software\installers and double-click the Notepad++ executable.

You can copy additional executables to this folder location and verify that application blocking allows them to run from this approved software repository.
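The checks in sections 4 through 6 follow one decision sequence: a launch through the configured parent application (explorer.exe) is allowed if the executable's hash matches a hash-based Allow rule, or if its path falls under a default whitelisted folder or a path-based Allow rule whose folder path carries the appended asterisk; otherwise it is blocked. The following Python model is an added example, not VMware code, and reproduces that sequence offline so the expected outcome of each test step can be reasoned about before you run it on an endpoint. SHA-256 as the hash algorithm, the file paths, and the byte strings standing in for the executables are constructed assumptions; the product's actual hash algorithm is not stated in this tutorial.

```python
"""Model of the application-blocking decisions demonstrated in this exercise.

Added example, not VMware code. It mirrors the behaviour the tutorial shows:
default allowed folders, a hash-based Allow rule that survives renaming, and a
path-based Allow rule with the trailing '*' wildcard. The hash algorithm
(SHA-256) and all paths and byte strings are constructed assumptions.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List

# Folders the tutorial lists as whitelisted by default once blocking is enabled.
DEFAULT_ALLOWED_FOLDERS = [r"C:\Program Files\*", r"C:\Program Files (x86)\*"]


def sha256_hex(data: bytes) -> str:
    """Hash the executable's contents (assumed algorithm; see lead-in)."""
    return hashlib.sha256(data).hexdigest()


def path_matches(rule_path: str, exe_path: str) -> bool:
    """Case-insensitive match; a trailing '*' covers everything under the folder."""
    rule, exe = rule_path.lower(), exe_path.lower()
    if rule.endswith("*"):
        return exe.startswith(rule[:-1])
    return exe == rule


@dataclass
class BlockingPolicy:
    enabled: bool = True
    allowed_hashes: List[str] = field(default_factory=list)
    allowed_paths: List[str] = field(default_factory=lambda: list(DEFAULT_ALLOWED_FOLDERS))

    def allow_hash(self, exe_bytes: bytes) -> None:
        """Hash-based Allow rule (section 5): the console hashes the chosen file."""
        self.allowed_hashes.append(sha256_hex(exe_bytes))

    def allow_path(self, folder: str) -> None:
        """Path-based Allow rule (section 6): the console appends '*' to the folder."""
        self.allowed_paths.append(folder.rstrip("\\") + "\\*")

    def decide(self, exe_path: str, exe_bytes: bytes, parent: str = "explorer.exe") -> str:
        """Return 'allow' or 'block' for a launch from the given parent application."""
        if not self.enabled or parent.lower() != "explorer.exe":
            return "allow"  # only launches via the configured parent are checked here
        if sha256_hex(exe_bytes) in self.allowed_hashes:
            return "allow"  # hash rule: file name and location are irrelevant
        if any(path_matches(p, exe_path) for p in self.allowed_paths):
            return "allow"
        return "block"


PUTTY_BYTES = b"constructed stand-in for the contents of Putty.exe"  # not a real binary


def walkthrough() -> dict:
    """Reproduce the tutorial's checks (sections 4 to 6) and return each outcome."""
    policy = BlockingPolicy()
    results = {}
    results["share_before_rule"] = policy.decide(r"\\file\software\Putty.exe", PUTTY_BYTES)
    results["desktop_before_rule"] = policy.decide(r"C:\Users\alice\Desktop\Putty.exe", PUTTY_BYTES)
    results["program_files"] = policy.decide(r"C:\Program Files\Putty.exe", PUTTY_BYTES)
    policy.allow_hash(PUTTY_BYTES)  # section 5: hash-based Allow rule for Putty
    results["renamed_after_hash_rule"] = policy.decide(r"C:\Users\alice\Desktop\myapp.exe", PUTTY_BYTES)
    policy.allow_path(r"\\file\software\installers")  # section 6: approved repository
    results["repo_exe"] = policy.decide(r"\\file\software\installers\npp.exe", b"constructed notepad++")
    results["outside_repo"] = policy.decide(r"\\file\software\other\tool.exe", b"constructed other tool")
    return results


if __name__ == "__main__":
    for check, outcome in walkthrough().items():
        print(f"{check}: {outcome}")
```

Running the script prints block for the first two launches, allow for C:\Program Files, allow for the renamed copy once the hash rule exists, allow for the repository executable, and block for an executable one folder outside the repository, which is exactly the order of results the exercise asks you to observe.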

7. Disable Application Blocking Before Proceeding to Other Exercises

  1. In the Management Console, select the User Environment tab.
  2. Select Application Blocking.
  3. Select Global Configuration.

Important: Disabling application blocking is strongly recommended at this point to avoid having the feature interfere with other exercises.

8. De-select the Enable Application Blocking Check Box

  1. Clear the Enable Application Blocking check box to disable the feature.
  2. Select OK to commit the change.

The following App Blocking video provides a detailed demonstration of the steps for enabling application blocking. If you need additional detail, you can find it here. This video is 5 minutes.

Configure Privilege Elevation for Installing an Application

With privilege elevation, administrators can allow end users to run certain applications as administrators, as well as install their own applications if they meet the specified criteria. IT administrators can create rules that elevate privileges based on a file hash, a software publisher, or a path to a file or folder.

The following Configure Privilege Elevation section provides a brief overview of this feature.
(Approximate read time: 2 minutes)

Prerequisites for Using Privilege Elevation

To perform this exercise, you need the following:

Important: The end-user credentials must have Local User privileges to the endpoint device, rather than Local Administrator privileges. The privilege elevation feature elevates privileges on specific executables, without requiring Local Administrator privileges.

  • One or more executable files with which to test privilege elevation. We recommend downloading Wireshark for testing. Starting this file requires Local Administrator privileges.
  • To complete all exercises, we recommend creating the following file structure on a file-share server.
    • \\<fileshare>\software\installers
      Copy the Wireshark file to the installers folder.

Important: The Domain Users group, or whichever group you selected in Profile Archives Share Prerequisites, must have read and execute permissions to this file share.

Note: Throughout this exercise, you will frequently change between your Windows end-point device, where the User Environment Manager agent (FlexEngine) is installed, and the physical or virtual machine where the Management Console is installed. It is recommended that you simply minimize the unused screen to streamline the testing process.

1. Verify Local User Privileges

Log in to your Windows end-point device, where the User Environment Manager agent is installed.

For the example in this exercise, we used a Windows 10 instant-clone VM, accessed through the VMware Horizon Client.

To properly demonstrate privilege elevation, you will verify that privileges for the end-user credentials are insufficient to run the Wireshark installer.


1.1. Attempt to Start Wireshark as an End User on the Virtual Desktop

  1. Browse to the file share you created. For the example in this exercise, the path is \\file\software\installers.
  2. Double-click the Wireshark installer.

1.2. Verify That You Are Prompted for Administrator Credentials

Note that Windows User Account Control prompts you for administrator credentials because the end-user credentials lack the privileges required to run this installer.

Remain logged in to the Windows endpoint device, but minimize the window before continuing to the next step.

2. Select Global Privilege Elevation in the Management Console

  1. On the physical or virtual machine where the Management Console is installed, open the Management Console.
    From the Start screen, select the Management Console shortcut in the VMware UEM folder.
  2. Select the User Environment tab.
  3. Select Privilege Elevation.
  4. Select Global Configuration.

2.1. Enable and Configure Privilege Elevation

  1. Select Enable Privilege Elevation.
  2. Select Also elevate all child processes.
    This is an optional, global setting that applies only to the case where you enable end users to install applications. This setting is not required to complete this exercise.
  3. Select Ask user to elevate.
  4. Enter text for Message title and Message text. This notification is displayed to the end user when the privilege elevation feature is invoked.

After you select OK, a confirmation box appears.

2.2. Confirm Privilege Elevation

Review the disclaimer and select OK to continue. Privilege elevation is now enabled.

3. Create a Rule for Privilege Elevation

  1. On the User Environment tab, select Privilege Elevation.
  2. Select Create in the toolbar.

Privilege elevation operates as a whitelist. In addition to enabling the feature, you must create privilege elevation rules and specify files or folders to elevate.

3.1. Specify the Name and Type for the Privilege Elevation Rule

  1. Enter a Name for this privilege elevation rule.
  2. Select Path-based elevated application from the Type drop-down list.
  3. Select Add to browse to a folder.


3.2. Select the Directory Path to Elevate

Browse to or type the path to the file share. For the example in this exercise, all executables in the \\file\software\installers folder will be elevated.

3.3. Save the Privilege Elevation Rule

  1. Select Also elevate child processes.
  2. Select Save to commit the new privilege elevation rule.
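Sections 3.2 and 3.3 together define what the rule grants: every executable under the chosen folder is started with an elevated token (after the user accepts the prompt, because Ask user to elevate is enabled), and the rule's Also elevate child processes setting decides whether helper processes spawned by that installer run elevated as well. The following Python model is an added example, not VMware code, that walks a small process tree through those decisions so a tester can see which setting produces which outcome. The folder, file names, and the exact inheritance semantics are constructed assumptions for illustration.

```python
"""Model of the privilege elevation decisions described in this exercise.

Added example, not VMware code. It applies a path-based elevated-application
rule to an installer started from the elevated folder and shows how the rule's
'Also elevate child processes' setting decides whether processes the installer
spawns inherit the elevated token. Paths and process names are constructed; the
inheritance semantics are an assumption for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ElevationRule:
    folder: str             # path-based rule: every executable under it is elevated
    elevate_children: bool  # the rule's 'Also elevate child processes' check box


@dataclass
class Process:
    image: str
    parent: Optional["Process"] = None
    elevated: bool = False
    rule: Optional[ElevationRule] = None  # rule that granted the elevated token, if any


def under_folder(folder: str, image: str) -> bool:
    """Case-insensitive check that image lives below folder (the appended '*')."""
    return image.lower().startswith(folder.lower().rstrip("\\") + "\\")


def launch(rules: List[ElevationRule], image: str,
           parent: Optional[Process] = None, user_accepts: bool = True) -> Process:
    """Decide the token for a new process: direct rule match, inherited, or standard user."""
    proc = Process(image=image, parent=parent)
    for rule in rules:
        if under_folder(rule.folder, image):
            # 'Ask user to elevate' is enabled, so the user can still decline the prompt.
            if user_accepts:
                proc.elevated, proc.rule = True, rule
            return proc
    # No direct match: inherit only if the parent was elevated by a rule that allows it.
    if parent is not None and parent.elevated and parent.rule and parent.rule.elevate_children:
        proc.elevated, proc.rule = True, parent.rule
    return proc


REPO = r"\\file\software\installers"                      # folder from section 3.2
INSTALLER = REPO + r"\Wireshark-setup.exe"                # constructed file name
CHILD = r"C:\Windows\Temp\constructed-child-setup.exe"    # helper the installer spawns
OTHER = r"\\file\software\other\tool.exe"                 # outside any rule


def walkthrough() -> dict:
    """Return, by name, whether each constructed launch ends up elevated."""
    with_children = [ElevationRule(REPO, elevate_children=True)]
    without_children = [ElevationRule(REPO, elevate_children=False)]
    results = {}
    installer = launch(with_children, INSTALLER)
    results["installer_from_repo"] = installer.elevated
    results["child_with_inheritance"] = launch(with_children, CHILD, parent=installer).elevated
    installer2 = launch(without_children, INSTALLER)
    results["child_without_inheritance"] = launch(without_children, CHILD, parent=installer2).elevated
    results["user_declined"] = launch(with_children, INSTALLER, user_accepts=False).elevated
    results["outside_repo"] = launch(with_children, OTHER).elevated
    return results


if __name__ == "__main__":
    for check, outcome in walkthrough().items():
        print(f"{check}: {'elevated' if outcome else 'standard user'}")
```

The two installer runs differ only in the child-process setting: with it cleared, the installer itself still starts elevated but a helper it launches from outside the rule folder runs with the standard user token, which is the case to look for when an installer appears to start correctly and then fails part-way through.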

4. Refresh Privilege Elevation Rules on the Virtual Desktop

  1. Maximize the virtual desktop window or reconnect to your Windows endpoint device.
  2. Open a command-prompt window and run the following command to force FlexEngine to check for updated privilege elevation policies.
    "C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe" -UemRefreshPrivilegeElevation

Privilege elevation policy settings are read when a user logs in to Windows or when a triggered task occurs to refresh the policy settings. You can manually refresh the privilege elevation policy settings by running FlexEngine.exe at the command line with the appropriate argument.

There are a number of arguments that can be passed to FlexEngine.exe, as described in the following section. (Approximate read time: 2 minutes)

5. Start the Wireshark Installer

  1. Browse to the file share you created. In this case, the path is \\file\software\installers.
  2. Double-click the Wireshark installer.
    A notification is displayed with the text you entered when configuring the privilege elevation feature.
  3. Select Yes to elevate the installer.

6. Verify That the Installer Runs Without Prompting for Administrator Credentials

Notice that the setup wizard starts. This time, the Wireshark installer runs without the Windows User Account Control prompt for alternate credentials.

The following Privilege Elevation video provides a detailed demonstration of the steps outlined in this exercise. If you need additional detail, you can find it here. This video is 2 minutes.

Additional Information and Use Cases for Privilege Elevation

In this exercise, you created a single, path-based privilege elevation rule. User Environment Manager provides several types of privilege elevation rules, including the ability to elevate executables for applications that have already been installed but that require local administrator privileges to run.

The following User Environment Manager 9.2 - Privilege Elevation Demo video provides demos of several use cases, as well as a brief technical discussion of the way privilege elevation uses Access Tokens in Windows. This video is 8 minutes.