Manager
Install and
Upgrade Guide
CONTENTS
Welcome
  Feedback
Section 1 Application Manager
  Key Benefits
  Feature Summary
Section 2 Install
  Prerequisites
    Supported Languages
    System Requirements
    Installed Components
  Enterprise Installation
  Standalone Installation
  Manual Installation
  Licensing
  Managing Licenses
  Uninstallation
Section 3 Upgrade
  Configuration Upgrade
Section 4 Configure Servers
  Console
  Configuration
  Agent
  Analysis Service
Appendices
  Appendix A Licenses
    Apache License
  Glossary
WELCOME
In this Section:
About This Document
Use
Bold
Highlights items you can select in Windows and the product interface, including nodes,
menu items, dialogs and features.
Code
Italic
Highlights values you can enter in console text boxes and titles for other guides and
Helps in the documentation set.
Green + underlined
Information tables - Highlights important points of the main text or provides supplementary
information, additional techniques and help for users. Also used to provide links to further
information which includes more detail about the topic, either in the current document or related
sources.
FEEDBACK
The AppSense Documentation team aim to provide accurate and high quality documentation
to assist you in the installation, configuration and ongoing operation of AppSense products.
We are constantly striving to improve the documentation content and value any contribution
you wish to make based on your experiences with AppSense products.
Please email any comments to: documentation.feedback@appsense.com
1
Application Manager
In this Section:
1 APPLICATION MANAGER
About Application Manager
KEY BENEFITS
This section provides the key benefits of using AppSense Application Manager. They are as
follows:
FEATURE SUMMARY
Application Manager provides the following key features for application control:
Group Management
Group Management is a library for compiling reusable groups of files, folders, drives,
signatures and network connections which can be associated with rules in the configuration.
For example, these groups can be used to manage the licenses for a software suite by
compiling all the necessary elements and components into a single group and allowing or
restricting access to certain rules.
User Rights Management
User Rights Management allows you to create reusable user rights policies which can be
associated with any rules and can elevate or restrict access to files, folders, signatures,
application groups and Control Panel components. A more granular level of control allows
you to assign specific privileges for debugging or installing software, or to set integrity levels
for managing interoperability between different products, such as Microsoft Outlook and
Microsoft Word.
The Web Installation feature of User Rights Management allows the elevation to
administrative rights for ActiveX installers from a particular domain.
Self-Elevation allows an administrator to specify which applications can be self-elevated,
that is, run with administrative rights, to enhance a standard user's ability to perform their
role.
Allowing a user to have administrative rights provides them with access to all files, including
important system files, and the ability to, for example, delete or rename them. These actions
can compromise a system. The Secure Common Dialogs feature prohibits users from
manipulating files. The dialog boxes still open and provide access to files but the files cannot
be deleted or renamed.
Application Manager does not restrict access to areas that a user ordinarily has access to.
Trusted Ownership
By default, only application files owned by an administrator or the local System are allowed
to execute. Trusted Ownership is determined by reading the NTFS permissions of each file
which attempts to run. Application Manager automatically blocks any file where ownership
cannot be established, such as files located on non-NTFS drives, removable storage
devices, or network locations. These files can optionally be allowed to run either by
specifying them as Accessible Items or by configuring a Self-Authorizing User rule. The
Trusted Owner list can be configured to suit each environment.
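An added example, not AppSense code: a PowerShell audit that lists the executable files under a folder which default Trusted Ownership checking, as described above, would be expected to block. The trusted SIDs (SYSTEM and BUILTIN\Administrators), the extension list and the function name Get-UntrustedOwnerFile are assumptions made for this sketch; adjust them to match your configured Trusted Owner list.

```powershell
# Added example, not AppSense code.
# Assumption: the default trusted owners correspond to these well-known SIDs.
$TrustedOwnerSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'    # BUILTIN\Administrators
)

function Get-UntrustedOwnerFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$TrustedSids = $TrustedOwnerSids,
        # Assumption: file types treated as executable content for this audit.
        [string[]]$Extensions = @('.exe', '.dll', '.msi', '.bat', '.cmd', '.vbs', '.ps1')
    )

    $root     = (Resolve-Path -LiteralPath $Path).ProviderPath
    $pathRoot = [System.IO.Path]::GetPathRoot($root)

    # Ownership cannot be established on network locations, removable
    # storage or non-NTFS volumes, so every file there is reported.
    $volumeReason = $null
    if ($pathRoot.StartsWith('\\')) {
        $volumeReason = 'Network location (UNC path)'
    } else {
        $drive = New-Object System.IO.DriveInfo($pathRoot)
        $type  = $drive.DriveType.ToString()
        if ($type -eq 'Network' -or $type -eq 'Removable') {
            $volumeReason = "$type drive"
        } elseif ($drive.DriveFormat -ne 'NTFS') {
            $volumeReason = "Non-NTFS volume ($($drive.DriveFormat))"
        }
    }

    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $file = $_   # keep the file; $_ is replaced inside catch

            if ($volumeReason) {
                [pscustomobject]@{ Path = $file.FullName; Owner = $null; Reason = $volumeReason }
                return
            }

            try {
                $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
                $sid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                [pscustomobject]@{
                    Path   = $file.FullName
                    Owner  = $null
                    Reason = "Owner could not be read: $($_.Exception.Message)"
                }
                return
            }

            if ($TrustedSids -notcontains $sid) {
                [pscustomobject]@{
                    Path   = $file.FullName
                    Owner  = $acl.Owner
                    Reason = 'Owner is not in the trusted owner list'
                }
            }
        }
}

# Usage (the path is a placeholder):
#   Get-UntrustedOwnerFile -Path 'C:\Users' | Format-Table -AutoSize
```

Files reported here are candidates for an Accessible Item, a Trusted Vendor entry or an ownership correction before the configuration is deployed.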
User, Group, Device and Custom Rules
Extend application accessibility by applying rules based on username, group membership,
computer or connecting device, and combinations of these. Accessible and Prohibited Items,
Trusted Vendors and User Rights can be specified in each rule, and are applied to a user
session based on the environment in which the user operates.
Scripted Rules
Scripted Rules allow administrators to apply Accessible Items, Prohibited Items, Trusted
Vendors and User Rights Management policies based on the outcome of a Windows
PowerShell or VBScript. Scripts can be run for each individual user session or run once per
computer.
Trusted Vendors
Allow authentic applications to run which have digital certificates signed by trusted sources,
and which are otherwise prohibited by Trusted Ownership checking. Define a list of Trusted
Vendor certificates for each User, Group, Device, Custom, Scripted and Process rule in the
configuration.
Process Rules
Process rules allow you to manage access for an application to run child processes which
might otherwise be managed differently in other rules. You can add Accessible Items,
Prohibited Items, Trusted Vendors and User Rights to the rule.
Application Termination
Application Termination allows you to control triggers, behavior and warning messages for
terminating applications on managed computers. You can also control the manner in which
applications are terminated and how the user is notified.
URL Redirection
URL Redirection is set up using the URL Redirection dialog accessed from the General
Features ribbon. It provides the functionality to automatically redirect a user when they
attempt to access a sensitive URL from an unsecured location.
Network Connections
Block access to certain applications accessed via IP, UNC or host name. Application
Manager has the ability to manage access based on the location of the requester, for
example if they are connecting via VPN or directly to the network.
Digital Signatures
SHA-1 signature checks may be applied to any number of application control rules, providing
enhanced security where NTFS permissions are weak or non-existent, or for applications on
non-NTFS formatted drives. A digital signature wizard allows easy creation and maintenance
of large digital signature lists.
Endpoint Analysis
Allows an administrator to browse to any endpoint and retrieve a list of applications that have
been installed on that endpoint. Search for any executable files and add them to the
configuration.
Application Manager records which applications are started and by whom. The recording of
data is started and stopped by the administrator.
Endpoint Analysis is on demand and inactive by default.
Auditing
Events are raised by Application Manager according to the default Event Filtering
configuration and audited directly to a local file log or the Windows Event Log.
For more information on Events, see the AppSense Application Manager Product Guide and the
AppSense Management Center Product Guide.
Once a scan has completed, details of the applications that have used administrative rights
can be viewed in the Rights Discovery Results work areas accessed from the Rights Discovery
Results navigation button.
For more information on Rights Discovery, see the AppSense Application Manager Product Guide.
2
Install
In this Section:
Prerequisites on page 8
Licensing on page 20
Uninstallation on page 25
2 INSTALL
Prerequisites
PREREQUISITES
This section provides details on the System Requirements for AppSense Application
Manager.
Supported Languages
English
German
System Requirements
The table below contains the minimum and recommended hardware requirements for
running Application Manager.
Component
Requirement
Application Manager
Agent
Application Manager
Console
Processor
Memory
Minimum: 2 GB RAM
Recommended: 4 GB RAM or greater
Refer to Windows editions documentation on support for
more than 4 GB RAM (x86) and 32 GB RAM (x64)
Minimum: 1 GB
Agent
Installed Components
The following components are installed as part of the AppSense DesktopNow Installer:
Microsoft Visual C++ 2010 SP1 Redistributable package (x86) and (x64). Note that for
Application Manager x64 both the x86 and x64 Redistributable packages are required.
Installing AppSense Application Manager
Packages
Installer packages for each component in the AppSense Application Manager product set
include 32-bit and 64-bit versions as follows:
ApplicationManagerAgent.msi
ApplicationManagerConsole.msi
ApplicationManagerDocumentation.msi
ApplicationManagerAnalysisService.msi
Additional prerequisite third-party software components are provided with the installation
media and can be installed automatically via the DesktopNow Installer or manually by
running the relevant packages provided.
A quick test to ensure that AppSense Application Manager has installed correctly is to go to the
Task Manager and check the running Processes for AMAgent.exe.
Note: On Windows Vista or later you need to select the Show processes from all users option.
Enterprise Installation
Enterprise installation allows you to install the full suite of product consoles together with the
AppSense server components. You are prompted to select which server products to install.
The Enterprise Suite includes:
Enterprise installation is completed by running the Server Configuration Utility (SCU) for
each installed server product.
Servers, SQL databases and consoles for each of the products in Enterprise mode
installations can be installed either together on one computer or distributed across the
network on separate computers.
Enterprise Installation is only available when the AppSense DesktopNow Installer is launched on
a Server operating system.
In a distributed environment where product consoles and server components are installed on
separate management computers, you need to run the installer again on each computer to install
the relevant components.
For more information about product licenses, see Service Pack Installation on page 23
You manage the licenses for Enterprise mode installations using the Enterprise Licensing
view in the AppSense Management Console. See the AppSense Management Center
Product Guide for further details.
6. In the Installation Type screen, select Enterprise to install product consoles and
server-based products.
The Application Manager agent is entered into the Management Center database when you run
the Management Server Configuration Utility after the installation has completed.
7. In the Product Selection screen, select the products you want to install. In this case the
Management Center is selected.
When installing in Enterprise mode, the Application Manager console is installed with the
Management Center and the Application Manager agent is added to the Management Center
database ready to be deployed to endpoints.
To use the Application Manager Rights Discovery feature, select Application Manager Rights
Discovery from the list of options. This will install the Analysis Service required to collate the
Rights Discovery information to allow you to create Application Manager configurations.
For further information on deploying agents from the AppSense Management Center refer to
the AppSense Management Center Installation and Upgrade Guide.
8. In the SQL Server Installation screen, if no local Microsoft SQL Server is detected, you
are prompted either to install a Microsoft SQL Server or browse to select an existing
remote SQL Server.
If no existing SQL server is selected, the Installer installs Microsoft SQL Server 2005
Express Edition. If you select this option, read the license agreement, if you accept the
terms, select and click Next and follow the prompts of the Microsoft SQL Server 2005
Setup to complete the installation.
You can skip this step and configure remote servers later using the Server Configuration Utility
for each of the products.
9. In the Prerequisite Management screen, a list of required components displays, split into
Installed, Not Installed and Requires Manual Installation.
Select Install next to each Not Installed component or select Install All.
Manually install any required software prerequisites which are not already present.
10. Once all components are installed, click Next.
Some prerequisite components require manual installation. The Installation Media directory
includes installer packages for some prerequisite components.
Other prerequisite components, such as Internet Information Services (IIS), are part of the
operating system and must be installed using the relevant Server configuration options.
11. In the Installation Directory screen, select a location for installing the AppSense product
files.
The default location is C:\Program Files\AppSense.
After installing the Management Center, you can browse to the web page at the following link to
download the console and documentation installers:
http://[servername]/ManagementServer
12. The Summary screen lists the products you installed, the installation mode, license
details, installation directory, and a notification that no reboot is required.
13. When installation is complete, you are prompted to launch the Management Server
Configuration Utility to configure each server in turn from the Installer console.
Alternatively, you can complete this step later from the product directories in the Start
menu.
For further information on the AppSense Management Server Configuration Utility and deploying
agents and configurations refer to the AppSense Management Center documentation.
Standalone Installation
Standalone installation installs the product consoles and agents together on the host
computer.
Standalone Installation using the DesktopNow Installer
1. Run the Installer by executing setup.exe from the installation media.
2. In the Welcome screen, click Next.
3. In the User Information screen, provide username and company details.
4. In the License Agreement screen, read the license agreement, if you accept the terms,
select and click Next.
5. In the License Validation screen, enter a product license code and activation code or
select to use the evaluation license (valid for 21 days).
For more information about product licenses, see Service Pack Installation on page 23
You can change license settings later for Standalone installations using the AppSense
DesktopNow Licensing console which you can launch from the following directory:
6. In the Installation Type screen, select Standalone to locally install product console and
product agents.
7. In the Product Selection screen, select the products you want to install. In this case, we
are only concerned with installing Application Manager.
A message displays informing you the installation of Application Manager will require a reboot.
Click OK to continue.
8. In the Prerequisite Management screen, a list of required components displays split into
Installed and Not Installed components.
9. Select Install next to each Not Installed component or select Install All to install all
missing prerequisites.
11. In the Installation Directory screen, select the location in which to install the AppSense
product files.
The default location is C:\Program Files\AppSense.
12. The Summary screen lists the products you selected to install, the installation mode,
license details, install directory and whether a reboot is required. Click Install.
When the installation is complete, you are prompted to reboot the computer to complete the
installation of the product agents.
Standalone products can be installed on server or desktop computers.
Manual Installation
The table below shows the list of the Windows Installer Packages (MSI) for each of the
components in the AppSense DesktopNow suite, which you can run manually on the host
computers. The list is organized per product and includes details about which components
require a reboot of the host computer after installation.
When installing AppSense products manually, you must ensure that all required technologies and
AppSense components are added. A list of required technologies and AppSense components is
available in the Prerequisites section.
Installation File
Description
Reboot
Application Manager
ApplicationManagerConsole32.msi
ApplicationManagerConsole64.msi
Not required.
ApplicationManagerAgent32.msi
ApplicationManagerAgent64.msi
ApplicationManagerDocumentation32.msi
ApplicationManagerDocumentation64.msi
Not required.
ApplicationManagerAnalysisService32.msi
ApplicationManagerAnalysisService64.msi
Not Required.
ManagementConsole32.msi
ManagementConsole64.msi
Not required.
ManagementServer32.msi
ManagementServer64.msi
Not required.
ClientCommunicationsAgent32.msi
ClientCommunicationsAgent64.msi
ManagementCenterDocumentation32.msi
ManagementCenterDocumentation64.msi
Not required.
Not required.
Management Center
Licensing
LicensingConsole32.msi
LicensingConsole64.msi
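An added example, not part of the AppSense documentation or installer: a PowerShell wrapper for installing one of the packages listed above with msiexec, checking the Authenticode signature first and then confirming that AMAgent.exe is running. The function names, the media path and the optional expected-signer string are hypothetical; the package base names come from the table above.

```powershell
# Added example, not AppSense code. Function names are hypothetical.
function Install-AmPackage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$MediaPath,   # folder holding the MSI files
        [Parameter(Mandatory)][string]$BaseName,    # e.g. 'ApplicationManagerAgent'
        [string]$ExpectedSigner,                    # optional substring of the signer subject
        [string]$LogDirectory = $env:TEMP
    )

    # Pick the 32-bit or 64-bit package to match the operating system.
    $bits = if ([Environment]::Is64BitOperatingSystem) { '64' } else { '32' }
    $msi  = Join-Path $MediaPath "$BaseName$bits.msi"
    if (-not (Test-Path -LiteralPath $msi -PathType Leaf)) {
        throw "Package not found: $msi"
    }

    # Refuse to install a package whose signature does not validate.
    $sig = Get-AuthenticodeSignature -LiteralPath $msi
    if ($sig.Status -ne 'Valid') {
        throw "Signature status of $msi is '$($sig.Status)'; not installing."
    }
    if ($ExpectedSigner -and $sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # Silent install, no automatic restart, verbose log for later review.
    $log     = Join-Path $LogDirectory "$BaseName$bits-install.log"
    $msiArgs = @('/i', "`"$msi`"", '/qn', '/norestart', '/l*v', "`"$log`"")
    $proc    = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # 0 = success, 3010 = success but a reboot is required.
    if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) {
        throw "msiexec failed with exit code $($proc.ExitCode); see $log"
    }

    [pscustomobject]@{
        Package        = $msi
        Signer         = $sig.SignerCertificate.Subject
        ExitCode       = $proc.ExitCode
        RebootRequired = ($proc.ExitCode -eq 3010)
        Log            = $log
    }
}

function Test-AmAgentRunning {
    # The quick test from this guide: look for AMAgent.exe among running processes.
    [bool](Get-Process -Name 'AMAgent' -ErrorAction SilentlyContinue)
}

# Usage from an elevated session (D:\Media is a placeholder path):
#   $result = Install-AmPackage -MediaPath 'D:\Media' -BaseName 'ApplicationManagerAgent'
#   if ($result.RebootRequired) { 'Reboot before checking the agent.' }
#   else { "AMAgent running: $(Test-AmAgentRunning)" }
```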
LICENSING
The AppSense License Manager allows you to add and manage AppSense product
licenses.
This section provides details about using the console and describes the following processes:
Export license packages to MSI file format for saving to the AppSense Management
Center or other computers which can be remotely accessed.
It is recommended to use the Management Center Enterprise Licensing for Enterprise
installations.
About AppSense DesktopNow Licensing Console
When the Licensing Console is launched, all the current licenses display.
The installation of AppSense Application Manager requires one of the following licenses:
License
Description
AppSense DesktopNow
Application Manager
Evaluation
MANAGING LICENSES
The following procedures describe how to add and activate a new license, and how to import and
export licenses to Microsoft Windows Installer files (*.msi) or to back up a set of licenses.
ADD A LICENSE
1. Click Add.
The Add License Key dialog displays.
2. Enter the license key and click Add.
You can manually enter each digit or copy and paste the license into the entry box.
When a license entry is highlighted, a description displays in the bottom section of the
console and includes the following details:
License ID
License State
Issue Date
Expiry Date
Customer Name
Description: The type of license, the product and version it relates to.
3. Some license types may need activating. Click Activate, enter the activation code and
click Enter.
Once a license is active, the icon changes to indicate the current license state.
4. Close the Licensing console. The settings are automatically saved.
1. Click Import.
The Open dialog displays.
2. Select the required license MSI file.
3. Click Open.
The license file is loaded into the DesktopNow Licensing Console.
1. Click Export.
The Save As dialog displays.
2. Browse to the required location, provide a name for the file and click Save to save the
file.
You can copy this file to any network location and load the file in Application Manager or in
Management Center Enterprise Licensing.
Service Pack Installation
UNINSTALLATION
Uninstall AppSense Application Manager by using the AppSense DesktopNow Installer.
DesktopNow Uninstallation Procedure
1. Run the AppSense DesktopNow Installer by executing setup.exe on the installation
media.
2. The Welcome screen displays where you are provided with three options, Modify, Repair
and Uninstall.
3
Upgrade
In this Section:
3 UPGRADE
Upgrade Application Manager
Upgrades
Existing AppSense software packages upgrade automatically during the installation process,
including database schemas, agents and configurations. Before proceeding, make sure you
back up all existing AppSense databases and save product configuration packages as MSI
files to disk from the existing product consoles. If necessary, save earlier versions of the
product agent software which you would like to maintain.
For more information about saving configuration files from product consoles, see the Application
Manager Product Guide.
3. In the Prerequisite Management screen, a list of required components displays split into
Installed and Not Installed components.
Select Install next to each Not Installed component or select Install All to install all
missing prerequisites.
Once all components are installed click Next.
4. The Summary screen lists the products ready to be upgraded, the installation mode,
install directory and whether a reboot is required. Click Upgrade.
5. The Upgrade Complete screen displays with the Restart the computer now check box
selected. Deselect it if you want to restart manually later. Once the computer has been
restarted, the upgrade process is complete.
Upgrading Application Manager in Standalone mode
1. Run the Installer by executing setup.exe on the installation media.
2. In the Welcome screen, click Next.
3. In the User Information screen, provide username and company details.
4. In the License Agreement screen, read the license agreement, if you accept the terms,
select and click Next.
5. In the License Validation screen, enter a product license code and activation code or
select to use the evaluation license (valid for 21 days).
6. In the Installation Type screen, select Standalone to install the product console and
agent.
7. In the Product Selection screen, select the product you want to upgrade and click Next.
8. A message displays informing you the installation of Application Manager will require a
reboot. Click OK to continue.
9. A further message displays informing you that there are already previous versions of
Application Manager installed and they will be upgraded. Click OK to continue with the
upgrade.
10. In the Prerequisite Management screen, a list of required components displays split into
Installed and Not Installed components.
Select Install next to each Not Installed component or select Install All to install all
missing prerequisites.
Once all components are installed click Next.
11. In the Installation Directory screen, select the location in which to install the AppSense
product files.
The default location is C:\Program Files\AppSense.
12. The Summary screen lists the products you selected to install, the installation mode,
install directory and whether a reboot is required. Click Install.
When the installation is complete, you are prompted to reboot the computer to complete the
installation of the product agents. The upgrade process is complete.
CONFIGURATION UPGRADE
AppSense product configurations must be upgraded sequentially by major product version.
Version numbering is categorized as follows:
Major is n.x.x.x
Minor is x.n.x.x
Build is x.x.n.x
Version is x.x.x.n
You cannot upgrade directly from version 6.x to version 8.x and must proceed from v6.x to
version 7.x, and from version 7.x to version 8.x. It is recommended that the Agents and
Configurations belong to the same major and minor version numbers.
Configurations are upgraded by exporting from the source product console to MSI file format
and importing the configuration file into the next major version of the product console.
Upgrade Application Manager configurations created with version 6.x and version 7.x
product consoles by saving to disk as MSI files using the old console.
Open 7.x configuration MSI files in the version 8.x product console:
v7.x -> MSI -> v8.x
Open version 6.x configuration MSIs in a version 7.x console and save before repeating
these steps and open again in the version 8.x console:
v6.x -> MSI -> v7.x -> MSI -> v8.x
Upgrade the configuration by loading the MSI file into the new console using the Import
option in the Application Menu.
Once the configuration is upgraded, you can save the configuration to the local computer, a
remote computer, to the Management Center or as a file on disk, according to requirements.
As new features and improvements are introduced in Application Manager, new configurations may
not always be compatible with older versions of the Agent and Console. It is recommended that you
upgrade the Configuration, Agent and Console to ensure compatibility.
In Version 7.x, highlight the AppSense Application Manager node and select Import
Configuration on the Action menu to import the configuration you saved using the
previous version of the product.
In Version 8.x, click the Application button, select Import & Export > Import
configuration from MSI and import the configuration MSI file.
Upgrade Configuration Functionality
Process Rules
Off
Disable Trusted
Applications Checking
A version 8.0 configuration with a Signature Group called A, becomes a Group called A Upgraded Signature Group.
4
Configure Servers
In this Section:
Console on page 36
Configuration on page 40
Agent on page 40
4 CONFIGURE SERVERS
Post Installation Checklist
Standalone
Console
Agent
Configuration
Analysis
Service
CONSOLE
The Application Manager console launches when the link is selected in the Start > All
Programs > AppSense menu.
File Menu
The File menu provides options for managing configurations including create new, open
existing, save, and import and export configurations.
File Menu Options
Option
Description
New
Open
Save
Save As
Saves the configuration with a new name to one of the following locations:
Live configuration on this computer
Configuration in the Management Center
Configuration in System Center Configuration Manager
Configuration in Group Policy
Configuration file on a local or network drive: Application Manager Package Files
format (aamp).
Note: A live configuration is located on a computer which has an Application Manager
agent installed and running.
Warning: If using a Microsoft Windows operating system with UAC enabled, you must
ensure that you open the console with administrator privileges.
Exit
Preferences
Imports a configuration from MSI format, usually legacy configurations which have
been exported and saved from legacy consoles.
Exports a configuration to MSI format.
Description
Save
Saves changes to the configuration. The configuration will remain locked if opened from the
AppSense Management Center.
Save and unlock
Saves changes and unlocks the configuration. These changes can now be deployed from the
Management Center.
Undo
Clears the action history. Up to 20 previous actions are listed. Select the point at which you want to
clear the actions. The action selected and all proceeding actions are undone.
Redo
Re-applies the cleared action history. Up to 20 cleared actions are listed. Select the point at which
you want to redo the actions. The action selected and all subsequent actions are redone.
Back
Navigates back through the views visited in this session.
Forward
Navigates forward through the views visited in this session.
Ribbons
Ribbon pages include buttons for performing common actions arranged in ribbon groups
according to the area of the console to which the actions relate. For example, the Home
ribbon includes all common tasks, such as About, Cut, Paste and Copy, Help, AppSense
website and Support links.
You can find the version number of AppSense Application Manager you are using, by selecting the
About option in the Home ribbon.
Split ribbon buttons contain multiple options and are indicated by an arrow just below the
button. Click the arrow to display and select the list of options, or simply click the button for
the default action.
Double-click a ribbon to show and hide the ribbon pages.
Help
The Home ribbon includes a Help button which launches the Help for the product and
displays the topic relating to the current area of the console in view. A smaller icon for
launching the Help displays at the far right of the console, level with the ribbons, for
convenience when the Home ribbon is not in view. You can also press F1 to launch the Help
topic for the current view.
Navigation Pane
The Navigation pane consists of the navigation tree and navigation buttons. The navigation
tree is the area for managing nodes of the configuration. The navigation buttons allow you to
view the different areas of the console.
Work Area
The Work area provides the main area for managing the settings of the configuration and
product. The contents of the work area vary according to the selected nodes in the
navigation tree and the selected navigation buttons. Sometimes the work area is split into
two panes. For example, one pane can provide a summary of the settings in the other pane.
Additional Console Features
Shortcut Menu: right-click shortcuts are available in the navigation tree and some
areas of the console.
Drag and Drop: this feature is available in some nodes of the navigation tree.
For further drag and drop details on specific functionality see the Application Manager Help.
Cut/Copy/Paste: these actions can be performed using the buttons in the Home
ribbon page, shortcut menu options and also using keyboard shortcuts.
CONFIGURATION
Application Manager configuration files contain the rule settings for securing your system.
The agent checks the configuration rules to determine the action to take when intercepting
file execution requests.
Configurations are stored locally in the All Users profile and are protected by NTFS security.
In Standalone mode, configuration changes are saved in the custom .aamp format
(AppSense Application Manager Package) and read by the agent. In Enterprise mode,
configurations are stored in the AppSense Management Center database, and set up for
deployment using the AppSense Management console.
A default configuration loads when you run the console and can be used for immediate protection
on all client computers to which the configuration is deployed.
For details on the default configuration settings and immediate protection you receive refer to the
AppSense Application Manager Product Guide.
Configurations can also be exported and imported to and from MSI file format using the
Application Manager console, which is useful for creating templates or distributing
configurations using third-party deployment systems.
After creating or modifying a configuration, you must save the configuration with the latest
settings to ensure that they are implemented.
The Application Manager console must be run as an administrator to be able to save any changes.
AGENT
Application Manager is installed and run on endpoints using a lightweight agent. The agent is
deployed to managed computers to implement the configuration rules. In Standalone mode,
the agent is installed directly onto the local computer. In Enterprise mode, configurations are
stored centrally and deployed remotely across a network to multiple controlled computers
using the AppSense Management Center.
Agents are constructed as Windows Installer MSI packages, which allows them to be
distributed using any third-party deployment system that supports the MSI format.
For more information about deploying AppSense Application Manager, see the AppSense
Management Center Product Guide.
ANALYSIS SERVICE
The Analysis Service is installed on any selected machine as part of the Application
Manager installation. It is a lightweight component that does not require typical server tools
such as IIS or SQL Server. In the standalone mode, the service is installed on any selected
machine. To install the Service as part of the Enterprise mode, the Application Rights
Discovery option must be selected.
For more information about Analysis Service, see the AppSense Application Manager Product
Guide.
APPENDICES
Appendix A
Licenses
APACHE LICENSE
Copyright 2014 AppSense Ltd
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the
License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
OF ANY KIND, either express or implied. See the License for the specific language
governing permissions and limitations under the License.
GLOSSARY
Accessible Items
Agent
Analysis Service
Application Limit
Application Termination
Audit Only
CCA
Configuration
Configuration File
Configuration Profiler
Console
Deploy
Digital Signature
Event
Group Management
Node
OU
Prohibited Items
Process Rule
Rights Discovery
Security Identifier
Security Level
Self-Authorizing User
SID
Time Limits
Trusted Ownership
Trusted Vendors
Wildcards
Accessible Items
Accessible Items are files, folders, drives or digitally signed files or groups of files in an
Application Manager configuration Rights Discovery which are allowed to run when file
execution requests are matched with the rule security settings and would otherwise be
prohibited by other configuration settings.
See also: Prohibited Items, Trusted Vendors, User Rights Management
Agent
A proactive software component which implements the product configuration rules. For
example, the Application Manager Agent is software that runs as a Windows service to
validate execute requests according to the rules in the configuration installed on a computer.
Analysis Service
The Analysis Service is installed on any machine and is used to collect the data from the
Rights Discovery.
Application Limit
Application Limits specify the number of instances of an application a user can run. An
application limit can be applied to an item in the Accessible Items node.
Application Termination
Application Termination allows you to set triggers, behavior and warning messages for
terminating applications on managed computers. You can also control the manner in which
applications are terminated and how the user is notified.
Audit Only
Security Level assigned to users, groups or devices in an Application Manager Rights
Discovery which audits events according to the Auditing Configuration without applying the
rule. Used for passive monitoring in evaluations to assess application usage on the host
environment.
CCA
Client Communications Agent. Installed on computers operating in an Enterprise
installation to provide a link between the product agent running on a managed computer and
the AppSense Management Center.
The CCA sends event data generated by the product agents to the Management Server and
also polls the Management Server to manage the download and installation for software
configuration, agent and package updates.
The CCA can be downloaded and installed directly on managed machines from the
Management Server website.
Configuration
The Application Manager configuration consists of lists of files/folders that you have decided
should be Accessible Items, Prohibited Items and Trusted Vendors. The configuration also
contains optional settings and text to be displayed to the user. A configuration is created and
managed using the Application Manager Console and used by the Application Manager
Agent and is saved in Application Manager Package Files (*.aamp). The agent uses the
configuration settings to determine whether or not an execute request is to be denied.
Configuration File
An Application Manager configuration exported from the Console and saved to Windows
Installer MSI file format. The file can be installed on any computer and the configuration
rules are applied when an Application Manager Agent is present and running as a service on the
computer.
Configuration Profiler
Generates reports detailing the current settings in the Configuration. Filtering options allow
you to query settings affecting specific users or groups, devices, and files or folders.
Console
AppSense Application Manager software interface.
Deploy
To deliver a configuration or AppSense software component to one or more computers,
which can include the local machine.
Digital Signature
Application Manager uses the SHA-1 algorithm for applying a digital signature to uniquely
identify files.
The signature can be used as a security measure when adding files as Accessible Items,
Prohibited Items and Trusted Vendors.
Signatures can also be used for allowing applications on non-NTFS formatted drives to run,
which Application Manager would otherwise block by default. Add the digital signatures to
the Accessible Items list and disable trusted ownership checking for the individual files.
Signature Group Management provides easier administration for large groups of signatures.
Accessible Items with digital signatures can be used to verify that the file which the user is
attempting to run is actually the file permitted by the administrator.
Prohibited Items with digital signatures can be used to ensure the file is always prevented
from executing, even when the user renames the file.
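The two uses of signatures described above (a Prohibited Item that survives a rename, and an Accessible Item that confirms the file is the one the administrator approved) can be illustrated with content hashing. This is an added example, not AppSense code: the function names, the name-to-digest mapping and the sample files are assumptions constructed for the illustration.

```python
import hashlib
import os
import shutil
import tempfile

def sha1_of(path):
    """Return the SHA-1 hex digest of a file's contents (the name is never hashed)."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def is_prohibited(path, prohibited_digests):
    """True when the content matches a prohibited signature, whatever the file name."""
    return sha1_of(path) in prohibited_digests

def is_permitted_file(path, accessible):
    """True only when the content matches the signature recorded for that file name."""
    expected = accessible.get(os.path.basename(path).lower())
    return expected is not None and sha1_of(path) == expected

def demo():
    """Create constructed sample files in a temp folder and evaluate both lists."""
    workdir = tempfile.mkdtemp()
    try:
        blocked = os.path.join(workdir, "blocked_tool.exe")
        approved = os.path.join(workdir, "approved_app.exe")
        with open(blocked, "wb") as handle:
            handle.write(b"constructed sample: prohibited content")
        with open(approved, "wb") as handle:
            handle.write(b"constructed sample: approved content")
        prohibited = {sha1_of(blocked)}
        accessible = {"approved_app.exe": sha1_of(approved)}

        renamed = os.path.join(workdir, "harmless_name.exe")
        shutil.copyfile(blocked, renamed)  # same bytes under a new name
        results = {
            "renamed_still_prohibited": is_prohibited(renamed, prohibited),
            "original_permitted": is_permitted_file(approved, accessible),
        }
        with open(approved, "wb") as handle:  # same name, different bytes
            handle.write(b"constructed sample: swapped content")
        results["swapped_permitted"] = is_permitted_file(approved, accessible)
        return results
    finally:
        shutil.rmtree(workdir)

if __name__ == "__main__":
    print(demo())
```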
Event
An Event is generated by Application Manager to report file execution requests, overwrites
or renames and Self-Authorizing User decisions. The event number indicates the outcome of
the request. Events are logged according to the method set up in the Auditing node.
Group Management
Group Management is a library for compiling reusable groups of files, folders, drives,
signatures and network connections which can be associated with rules in the configuration.
For example, Groups can be used to manage licenses for a suite of software or common
sets of applications for assigning to certain user groups.
Network Connection Item
Network Connection identify.
Node
A node is a term used in the Application Manager Console to represent a branch in the
navigation tree.
OU
Organizational Unit. A Microsoft Active Directory container that includes users and
computers.
Prohibited Items
Prohibited items are files, folders, drives or digitally signed files or groups of files specified in
an Application Manager Rights Discovery which are not allowed to run when file execution
requests are matched with the rule security settings and would otherwise be allowed by
other Configuration settings.
See also: Accessible Items and Trusted Vendors
Process Rule
Process rules allow you to manage access for a parent process to run child processes which
might be managed differently in other rules. Process rules include settings for adding
Prohibited Items, Accessible Items, Trusted Vendors and User Rights Management.
Rights Discovery
Rights Discovery allows you to monitor which users are running applications that use
Administrative Rights and generates reports based on the results.
Rule
A Configuration rule assigns a Security Level to the specified users or groups, devices and
combinations of these and contains control lists for Accessible Items, Prohibited Items,
Trusted Vendors and Process Rule. The Application Manager agent intercepts kernel level
file execution requests and matches these with the configuration rules to implement security
controls.
Security Identifier
(SID). A data structure of variable length that identifies user, group, and computer accounts.
Every account on a network is issued a unique SID when the account is first created. Internal
processes in Windows refer to an account's SID rather than the account's user or group
name. Likewise, Application Manager also refers to a user or group SID unless the SID could
not be found when added to the configuration.
Security Level
Application Manager configuration Rights Discovery settings include security levels which
specify how to manage requests to run unauthorized applications by the users, groups or
devices which a rule matches.
Restricted: Only authorized applications can run. These include files owned by members
of the Trusted Owners list and files listed in Accessible Items, Trusted Vendors and Trusted
Ownership.
Self-Authorizing: Users are prompted for decisions about blocking or running unauthorized
files on the host device.
Audit only: All actions are permitted but events are logged and audited, for monitoring
purposes.
Unrestricted: All actions are permitted without event logging or auditing.
Self-Authorizing User
User, group or device granted control to choose whether to block or run an unauthorized
application on the host computer. The Self-Authorizing Security Level can be assigned in an
Application Manager Rights Discovery to match a file execute request for users, groups or
devices.
Server Configuration Utility
Utility to configure and maintain AppSense server products.
SID
See Security Identifier.
Time Limits
Settings applied to entries in the Accessible Items and Prohibited Items nodes of an
Application Manager Rights Discovery which determine day and time ranges when the
controls apply.
For example, an entry in the Prohibited Items node of a rule can restrict use of the local web
browser to users except between the hours of 12pm and 2pm on specific days of the week.
Trusted Ownership
Trusted Ownership checking is a secure method Application Manager uses to prevent users
running unauthorized applications. On NTFS formatted drives, files have owners and
Application Manager is configured, by default, to only allow files to be executed if the file
owner is a member of the Trusted Owners list. If a user tries to run a file that is not owned
by a trusted owner, the execute request is denied and a message notifies the user. Any files
downloaded from the internet or received in email are owned by the user, so those files are
not permitted to run unless ownership is held by members of the trusted owner list.
By default, Application Manager blocks execution requests for all applications on non-NTFS
formatted drives.
Trusted Vendors
Trusted Vendors are digital certificates signed by trusted sources. Trusted Vendor checking
allows applications which fail Trusted Ownership checking to match digital certificates with
the Trusted Vendors list.
A list of Trusted Vendors can be defined for each User, Group, Device, Custom, Scripted,
and Process rule of the configuration.
Application Manager queries each file execution which fails Trusted Ownership checking to
detect the presence of a digital certificate. If the file has a digital certificate which is signed by
a certificate authority matching a valid entry in the Trusted Vendor list, the file is allowed to
run.
Trusted Vendor matching takes place when a file is prohibited by failing Trusted Ownership
checking and Trusted Application checking.
User Rights Management
User Rights Management provides a granular approach to delegating administrative rights to
users and applications by assigning rights according to merit. This level of control can be
deployed to elevate or restrict privileges on a case by case basis according to the preferred
approach taken in the environment.
Wildcards
Both the asterisk (*) and question mark (?) characters can be used in a file or folder path in
the Application Manager console. The asterisk represents one or more characters, excluding
the backslash (\) character, whilst the question mark wildcard represents one character,
excluding the forward slash (/) character. Both of the wildcard characters can be used in any
part of a file path, including the drive letter for local paths.
For example, c:\sample path\test?\*.exe matches all files with the .exe extension that
exist in the folders c:\sample path\test1, c:\sample path\test2, ... c:\sample path\test(n),
etc. But since the question mark can only replace one character, it does not match c:\sample
path\test100. The only limitation imposed by Application Manager on the use of wildcards is
that the asterisk cannot be used to match more than one subdirectory.
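When reviewing how far a wildcard rule reaches, the matching rules above can be modelled as a small matcher and run over an inventory of paths. This is an added example, not AppSense code: the function names and the sample paths are constructed, and two behaviours are assumptions (case-insensitive comparison, and the question mark excluding both path separators).

```python
import re

def wildcard_to_regex(pattern):
    """Translate a console-style wildcard path into a compiled regular expression."""
    parts = []
    for char in pattern:
        if char == "*":
            parts.append(r"[^\\]+")   # one or more characters, never a backslash
        elif char == "?":
            parts.append(r"[^\\/]")   # exactly one character (assumption: no separator)
        else:
            parts.append(re.escape(char))
    # Assumption: Windows paths are compared case-insensitively.
    return re.compile("".join(parts), re.IGNORECASE)

def rule_matches(pattern, path):
    """True when the whole path is covered by the wildcard pattern."""
    return wildcard_to_regex(pattern).fullmatch(path) is not None

def covered_paths(pattern, paths):
    """Return the subset of paths a rule would cover, for reviewing its reach."""
    regex = wildcard_to_regex(pattern)
    return [path for path in paths if regex.fullmatch(path)]

# Constructed sample inventory, not taken from any real system.
SAMPLE_PATHS = [
    r"c:\sample path\test1\app.exe",      # covered
    r"c:\sample path\test2\Setup.EXE",    # covered (case-insensitive)
    r"c:\sample path\test100\app.exe",    # "?" replaces only one character
    r"c:\sample path\test1\sub\app.exe",  # "*" does not cross a subdirectory
    r"c:\sample path\test1\.exe",         # "*" needs at least one character
    r"d:\sample path\test3\app.exe",      # different drive letter
]

if __name__ == "__main__":
    for hit in covered_paths(r"c:\sample path\test?\*.exe", SAMPLE_PATHS):
        print(hit)
```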