App Control Enforcement Levels Overview


This section provides optional background related to the VMware Carbon Black App Control solution. If you have experience or background knowledge on the App Control solution this section may be skipped.

1. What is an Enforcement Level?

An enforcement level controls whether unapproved files (files that have been neither approved nor banned) are allowed to execute. An enforcement level is chosen for each policy to suit the security and user requirements of the group of computers associated with that policy. If a file has been banned, it is blocked at every enforcement level at which agent prevention is enabled, regardless of how strict that level is.

Administrators can define separate enforcement levels for when a computer is connected to the server and when it is disconnected. If stricter enforcement is desired while a computer is disconnected (for example, because the server cannot push new approvals to it), this can be configured in the policy.

2. What are the Enforcement Levels?

(Figure: Medium Enforcement Prompt)

Five enforcement levels are available:

  • High
  • Medium
  • Low
  • None (Visibility)
  • None (Disabled)

High enforcement is the strictest enforcement level. Under high enforcement only approved files are allowed to execute; unapproved files are blocked. App Control administrators should work towards high enforcement for the strongest security posture; however, starting in high enforcement is not recommended, because the inventory of approved files is usually incomplete until activity has been observed at a less strict level.

Medium enforcement prompts the user when an unapproved file attempts to execute. A notification dialog is displayed, and the user decides whether to allow or block the execution. If the user chooses to allow, that file is locally approved on that computer and will always be allowed to run there, even if the policy is later moved to high enforcement.

3. Enforcement Level Effect Reference

(Figure: Enforcement Level Reference)

Low enforcement allows both approved and unapproved files to execute without any user prompt. Although the files are allowed to run, their activity is still monitored by App Control. Because low enforcement provides this visibility while avoiding unwanted blocks, it is recommended as a starting enforcement level when ban (blocking) rules should still be enforced.

None (Visibility) enforcement tracks file activity without blocking anything; no rules are enforced, so even banned files are allowed to run. Because of the visibility it provides, None (Visibility) is recommended as a starting enforcement level for gathering file activity before any enforcement is turned on.

None (Disabled) enforcement stops all enforcement and all tracking of file activity.
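The interaction between the file state (approved, banned, unapproved), the five enforcement levels, the connected/disconnected policy levels and the local approval created by a Medium prompt is easier to see as a small decision model. The following is an added example written for this page; it is not Carbon Black code and does not use the App Control API. The class and method names (Policy, Endpoint, execute) are assumptions for illustration, as is the modelling choice that High, Medium and Low are the levels with agent prevention enabled.

```python
from dataclasses import dataclass, field
from enum import Enum


class Level(Enum):
    HIGH = "High"
    MEDIUM = "Medium"
    LOW = "Low"
    NONE_VISIBILITY = "None (Visibility)"
    NONE_DISABLED = "None (Disabled)"


# Assumption for this model: these are the levels at which agent prevention is
# enabled, so bans are honoured. None (Visibility) only tracks; None (Disabled)
# neither tracks nor enforces.
ENFORCING_LEVELS = {Level.HIGH, Level.MEDIUM, Level.LOW}


class FileState(Enum):
    APPROVED = "approved"
    BANNED = "banned"
    UNAPPROVED = "unapproved"   # neither approved nor banned


@dataclass
class Policy:
    """Hypothetical policy: one level while connected, another while disconnected."""
    connected_level: Level
    disconnected_level: Level

    def level(self, connected: bool) -> Level:
        return self.connected_level if connected else self.disconnected_level


@dataclass
class Endpoint:
    """Hypothetical endpoint that evaluates executions against its policy."""
    policy: Policy
    connected: bool = True
    # Hashes the local user allowed at a Medium prompt. A local approval is
    # persistent on this computer, so it survives later changes of level.
    local_approvals: set = field(default_factory=set)

    def execute(self, file_hash: str, state: FileState, user_allows: bool = False) -> str:
        level = self.policy.level(self.connected)
        if level is Level.NONE_DISABLED:
            return "allowed (not tracked)"
        # A ban wins over everything else wherever prevention is enabled.
        if state is FileState.BANNED:
            return "blocked (banned)" if level in ENFORCING_LEVELS else "allowed (tracked only)"
        if state is FileState.APPROVED or file_hash in self.local_approvals:
            return "allowed"
        # Unapproved file: the outcome depends on the level in force right now.
        if level is Level.HIGH:
            return "blocked (unapproved)"
        if level is Level.MEDIUM:
            if user_allows:
                self.local_approvals.add(file_hash)
                return "allowed (locally approved)"
            return "blocked (user declined)"
        # Low and None (Visibility): runs, but the activity is recorded.
        return "allowed (tracked)"


def walkthrough() -> list:
    """Medium while connected, High while disconnected; returns (step, outcome) pairs."""
    ep = Endpoint(Policy(connected_level=Level.MEDIUM, disconnected_level=Level.HIGH))
    steps = []
    # Constructed sample hashes, not real file hashes.
    steps.append(("tool.exe prompted, user allows",
                  ep.execute("sha256:tool", FileState.UNAPPROVED, user_allows=True)))
    ep.connected = False   # laptop leaves the network; High now applies
    steps.append(("tool.exe again while disconnected",
                  ep.execute("sha256:tool", FileState.UNAPPROVED)))
    steps.append(("other.exe, never allowed, while disconnected",
                  ep.execute("sha256:other", FileState.UNAPPROVED)))
    steps.append(("banned.exe while disconnected",
                  ep.execute("sha256:banned", FileState.BANNED)))
    return steps


if __name__ == "__main__":
    for step, outcome in walkthrough():
        print(f"{step:50} -> {outcome}")
```

The walkthrough shows why the local approval matters operationally: a file the user allowed under Medium keeps running once the disconnected High level takes over, while a previously unseen unapproved file is blocked and a banned file is blocked at both levels.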