TestDrive

Enforcement Level Activity Overview

This activity covers Enforcement Levels and how the assigned level affects running unapproved applications. For background on Enforcement Levels, see Section 4 of this guide.

1. Changing the Enforcement Level

Device Name

This activity involves changing the Enforcement Level for your VDI endpoint. To find your endpoint name, right-click the Windows icon in the lower left and select 'System' from the menu. Your device name should follow the format cb-##-ac.

2. Select Computers

  • Log in to the App Control console. For information on accessing the console, see Section 1.2.
  • From the top menu, hover over 'Assets' to display the menu options, then click 'Computers'

3. Computer View

  • Confirm that the selected view is 'Active Computers'

4. Move computers to Policy Action

  • Find your device name (for help finding your device name, see the beginning of this section) and select its checkbox

Note: From this view you can also confirm which Enforcement Level the device is currently in, under the 'Connected Enforcement' and 'Unconnected Enforcement' columns.

  • Click the 'Action' button to display menu items
  • From here, you can move the device into the desired policy. For convenience, three policies have been created for this lab: TD_Low_Enforcement, TD_Medium_Enforcement, and TD_High_Enforcement, each set to the Enforcement Level in its name

5. Running Unapproved File

Files Menu Option

On the Desktop of your device is the application Steam, a digital distribution platform often used for gaming. This file is unapproved in the environment. Let's run Steam in the three different Enforcement Levels to see how each affects unapproved files.

Before beginning, we can first confirm what file state Steam is in.

  • In the console, click the 'Tools' tab on the top menu to expand the options, then click 'Find Files'

6. Filters

Let's search for Steam using the Find Files tool. On this page you can easily find files by name or by any number of other attributes App Control collects (ex: publisher, OS hash, etc.)

  • Type 'steam' into the text box
  • Select the 'contains' option when it is displayed

Steam File Search

The list is now filtered down to files containing 'steam'. To filter further, you can also search for steam.exe specifically. Scrolling through, you should see 'unapproved' for both the local and global state.

8. Medium Enforcement

Medium Enforcement Prompt

Low Enforcement:

Confirm your device is in Low Enforcement (policy TD_Low_Enforcement). For information on changing the Enforcement Level, see Section 6.1.1. If it is not in Low Enforcement, switch to the Low Enforcement policy.

  • On your endpoint's Desktop, click to run the 'Steam' application
  • Note that while unapproved, Steam runs without prompt or issue

In Low Enforcement, unapproved files are allowed to run without user or admin action. If Steam were banned, it would not be allowed to run even in Low Enforcement.

Medium Enforcement:

You will now switch your device to Medium Enforcement (policy TD_Medium_Enforcement).

  • On your endpoint's Desktop, click to run the 'Steam' application
  • A prompt will appear from App Control, with details and the options to Block and Allow
  • Do not click 'Allow': this will locally approve Steam on your device. We want Steam to remain unapproved for the final activity (running in High Enforcement)
  • Click 'Block' to deny execution of the unapproved app; selecting 'Block' makes no change to Steam's file state of unapproved

In Medium Enforcement, unapproved files are blocked or allowed to run based on the user's response to the App Control prompt. If the file is allowed, it is granted the locally approved state.

9. High Enforcement

High Enforcement Block

High Enforcement:

You will now switch your device to High Enforcement (policy TD_High_Enforcement).

  • On your endpoint's Desktop, click to run the 'Steam' application
  • A prompt will appear from App Control informing the user that the application is unapproved and blocked from running
  • Close the notification when finished viewing

In High Enforcement, unapproved files are blocked from executing. This is the most secure Enforcement Level, with a 'default deny' approach.

Try It Yourself! Want to run more Enforcement Level tests? Create a .bat file on your device. The newly created .bat file will be unapproved. Play around with file states by approving the file in Medium Enforcement, then try running it in High Enforcement. As an example, you can create a very simple .bat file with the command echo "WORDS_HERE"
