AppSense Application Manager Install and Upgrade Guide PDF

Application
Manager
Install and
Upgrade Guide
Version 8 FR7 SP1
APPLICATION MANAGER INSTALL AND UPGRADE GUIDE
AppSense Limited, 2014

All rights reserved. No part of this document may be produced in any form (including
photocopying or storing it in any medium) for any purposes without the written permission of
AppSense Limited, except in accordance with applicable law. Furthermore, no part of this
document may be sold, licensed or distributed. The doing of an unauthorized act in relation
to a copyright work may result in both a civil claim for damages and criminal prosecution.
The information contained in this document is believed to be accurate at the time of printing
and may be subject to change without notice. Any reference to a manufacturer or product
does not constitute an endorsement of, or representation or warranty (whether express,
implied or statutory) in respect of, the manufacturer or product or the use of the product with
any AppSense software.
This document does not grant any right or license to you in respect of any patents, patent
applications, trademarks, copyrights, or other intellectual property rights in or relating to the
subject matter of this document. Where relevant, any AppSense software provided pursuant
to or otherwise related to this document shall only be licensed to you on and subject to the
end user license agreement which shall be displayed and which you shall be required to
accept prior to accessing or using the software.
AppSense is a registered trademark of AppSense Holdings Limited or its affiliated
companies in the United Kingdom, the United States and/or other countries, Microsoft,
Windows and SQL Server are all registered trademarks or Microsoft Corporation in the
United States and/or other countries. The names of actual products and companies
mentioned in this document may be the trademarks of their respective owners.
ii
C O NT E N TS
vi
Welcome
Section 1
About This Document
vii
Terms and Conventions
vii
Feedback
vii
Application Manager
About Application Manager
Key Benefits
Feature Summary
iii
Section 2
Install
Prerequisites
Supported Languages
Supported Operating Systems and Technologies
System Requirements
Required Utilities and Components
Installed Components
Installing AppSense Application Manager

AppSense DesktopNow Installer
10
11
Enterprise Installation
11
Standalone Installation
16
Manual Installation
Section 3
iv
18
Licensing
20
About AppSense DesktopNow Licensing Console
20
Managing Licenses
22
Service Pack Installation
23
Installing Service Packs
23
Rolling Back Service Packs
24
Rolling Back Service Packs Using Windows Control Panel
24
Rolling Back Service Packs Using Management Center 8 FR4
24
Uninstallation
25
Upgrade
26
Upgrade Application Manager
27
Configuration Upgrade
30
Upgrade Configuration Functionality
32
Upgrades and Process Rules
32
Upgrades and Group Management
33
Section 4
Configure Servers
34
Post Installation Checklist
35
Console
36
Configuration
40
Agent
40
Analysis Service
41
Licenses
43
Apache License
43
Appendices
Appendix A
Glossary
44
WELCOME
In this Section:
About This Document on page vii
Terms and Conventions on page vii
Feedback on page vii
WELCOME
About This Document
ABOUT THIS DOCUMENT

This Installation and Upgrade Guide shows how to install and setup the components of
AppSense Application Manager. The guide also provides details on upgrading from previous
versions of AppSense Application Manager.
TERMS AND CONVENTIONS

The following tables shows the textual and formatting conventions used in this document:
Convention
Use
Bold
Highlights items you can select in Windows and the product interface, including nodes,
menus items, dialogs and features.
Code
Used for scripting samples and code strings.
Italic
Highlights values you can enter in console text boxes and titles for other guides and
Helps in the documentation set.
Green + underlined
Indicates a glossary link.
>
Indicates the path of a menu option. For example,

Select File > Open" means "click the File menu, and then click Open."
Information tables - Highlights important points of the main text or provides supplementary
information, additional techniques and help for users. Also used to provides links to further
information which include more detail about the topic, either in the current document or related
sources
Caution/Warning Provides critical information relating to specific tasks or indicates

important considerations or risks.
FEEDBACK
The AppSense Documentation team aim to provide accurate and high quality documentation
to assist you in the installation, configuration and ongoing operation of AppSense products.
We are constantly striving to improve the documentation content and value any contribution
you wish to make based on your experiences with AppSense products.
Please email any comments to: documentation.feedback@appsense.com
vii
1
Application Manager
In this Section:
About Application Manager on page 2
Key Benefits on page 3
Feature Summary on page 3
1 APPLICATION MANAGER
About Application Manager
ABOUT APPLICATION MANAGER

AppSense Application Manager allows you to have control over a user environment whether
delivered through server based computing, virtual or physical desktop. It allows you to make
sure users only receive the applications they require.
Protective measures such as automatically blocking the execution of all unauthorized
applications is provided, eliminating the threat of a user introducing - either intentionally or
unintentionally - an executable file to the network.
Granular control is given so that you can decide at user level, who has the authority to run
specific applications.
Application Manager is part of a closely integrated system of management components and
can be centrally configured and deployed to desktops, servers and Terminal Servers
throughout the enterprise using the AppSense Management Center.
For more information on the Management Center see the AppSense Management Center Product
Guide.
APPLICATION MANAGER
Key Benefits
AppSense Application Manager consists of the following components:
Console on page 36
Configuration on page 40
Agent on page 40
Analysis Service on page 41
KEY BENEFITS
This section provides key benefits of using AppSense Application Manager, they are as
follows:
Protect against malicious code.
Selectively elevate or restrict administrative rights to access or run specific applications

or access system settings.
Protect out of the box against all unauthorized application usage.
Manage processes at a granular level to control application access to child processes.
Stop unauthorized device license usage.
Apply time restrictions on when applications can or cannot be run.
Control outbound network access at the process level.
Control network access based on location.
FEATURE SUMMARY
Application Manager provides the following key features for application control:
Group Management
Group Management is a library for compiling reusable groups of files, folders, drives,
signatures and network connections which can be associated with rules in the configuration.
For example, these groups can be used to manage the licenses for a software suite by
compiling all the necessary elements and components into a single group and allowing or
restricting access to certain rules.
User Rights Management
User Rights Management allows you to create reusable user rights policies which can be
associated with any rules and can elevate or restrict access to files, folders, signatures,
application groups and Control Panel components. A more granular level of control allows
you to assign specific privileges for debugging or installing software, or to set integrity levels
for managing interoperability between different products, such as Microsoft Outlook and
Microsoft Word.
The Web Installation feature of User Rights Management allows the elevation to
administrative rights for ActiveX installers from a particular domain.
Self-Elevation allows an administrator to specify which applications can be self-elevated,
that is, run with administrative rights, to enhance a standard users ability to perform their
role.
APPLICATION MANAGER
Feature Summary
Allowing a user to have administrative rights provides them with access to all files, including
important system files, and the ability to, for example, delete or rename them. These actions
can compromise a system. The Secure Common Dialogs feature prohibits users from
manipulating files. The dialog boxes still open and provide access to files but the files cannot
be deleted or renamed.
Application Manager does not restrict access to areas that a user ordinarily has access to.
Trusted Ownership
By default, only application files owned by an administrator or the local System are allowed
to execute. Trusted Ownership is determined by reading the NTFS permissions of each file
which attempts to run. Application Manager automatically blocks any file where ownership
cannot be established, such as files located on non-NTFS drives, removable storage
devices, or network locations. These files can optionally be allowed to run either by
specifying them as Accessible Items or by configuring a Self-Authorizing User rule. The
Trusted Owner list can be configured to suit each environment.
User, Group, Device and Custom Rules
Extend application accessibility by applying rules based on username, group membership,
computer or connecting device, and combinations of these. Accessible and Prohibited Items,
Trusted Vendors and User Rights can be specified in each rule, and are applied to a user
session based on the environment in which the user operates.
Scripted Rules
Scripted Rules allow administrators to apply Accessible Items, Prohibited Items, Trusted
Vendors and User Rights Management policies based on the outcome of a Windows
PowerShell or VBScript. Scripts can be run for each individual user session or run once per
computer.
Trusted Vendors
Allow authentic applications to run which have digital certificates signed by trusted sources,
and which are otherwise prohibited by Trusted Ownership checking. Define a list of Trusted
Vendor certificates for each User, Group, Device, Custom, Scripted and Process rule in the
configuration.
Process Rules
Process rules allow you to manage access for an application to run child processes which
might otherwise be managed differently in other rules. You can add Accessible Items,
Prohibited Items, Trusted Vendors and User Rights to the rule.
Application Termination
Application Termination allows you to control triggers, behavior and warning messages for
terminating applications on managed computers. You can also control the manner in which
applications are terminated and how the user is notified.
APPLICATION MANAGER
Feature Summary
URL Redirection
URL Redirection is setup using the URL Redirection dialog accessed from the General
Features ribbon. It provides the functionality to automatically redirect a user when they
attempt to access a sensitive URL from an unsecured location.
Network Connections
Block access to certain applications accessed via IP, UNC or host name. Application
Manager has the ability to manage access based on the location of the requester, for
example if they are connecting via VPN or directly to the network.
Digital Signatures
SHA-1 signature checks may be applied to any number of application control rules, providing
enhanced security where NTFS permissions are weak or non-existent, or for applications on
non-NTFS formatted drives. A digital signature wizard allows easy creation and maintenance
of large digital signature lists.
Endpoint Analysis
Allows an administrator to browse to any endpoint and retrieve a list of applications that have
been installed on that endpoint. Search for any executable files and add them to the
configuration.
Application Manager records which applications are started and by whom. The recording of
data is started and stopped by the administrator.
Endpoint Analysis is on demand and inactive by default.
Auditing
Events are raised by Application Manager according to the default Event Filtering
configuration and audited directly to a local file log or the Windows Event Log.
For more information on Events, see the AppSense Application Manager Product Guide and the
AppSense Management Center Product Guide.
Windows Scripting Host Validation

The default configuration in Application Manager validates all Windows Scripting Host
(WSH) scripts, such as VBS or PowerShell, against configuration rules. This ensures that
users can only invoke authorized scripts, eliminating the risk of introducing WSH scripts that
contain viruses or malicious code.
The Validation settings can be disabled in the Options dialog available from the General
Features ribbon, along with validation of cmd.exe, self-extracting ZIP files, registry files and
Windows installer (MSI) files.
Only self-extracting EXEs formatted using the ZIP specification are supported. For additional
information, see ZIP Specifications.
APPLICATION MANAGER
Feature Summary
Rights Discovery Mode

Allows administrators to monitor what users are running and will identify the applications and
tasks that use administrative rights. All the data collected by the Analysis Service is stored
on the Analysis Server.
The Analysis Server is the machine that the Analysis Service is installed on.
Once a scan has completed details of the applications that have used administrative rights
can be viewed in the Rights Discovery Results work areas accessed from Rights Discovery
Results navigation button.
For more information on Rights Discovery, see the AppSense Application Manager Product Guide.
Enable and Disable Functionality Settings

Enable and disable certain features in Application Manager either when not in use or when
troubleshooting issues in your configuration. The functionality which you can manage in this
way includes:
Application Access Control
Application Network Access Control

Functionality settings are all enabled by default. It is recommended to disable any functionality
which you do not use in your configuration.
Service Pack Installation Using the AppSense Management Center

Products in the AppSense DesktopNow can be patched, using a Windows Installer patch
(MSP file). A patch is an MSP file which, when installed, updates files and registry keys on
an existing MSI.
2
Install
In this Section:
Prerequisites on page 8
Installing AppSense Application Manager on page 10
Licensing on page 20
Service Pack Installation on page 23
Uninstallation on page 25
2 INSTALL
Prerequisites
PREREQUISITES
This section provides details on the System Requirements for AppSense Application
Manager.
Supported Languages
English
German
Supported Operating Systems and Technologies

The Supported Operating Systems and Technologies are detailed in the compatibility matrix
available on myAppSense.
Select Software > DesktopNow > Application Manager > AM Compatibility Matrix
System Requirements
The table below contains the minimum and recommended hardware requirements for
running Application Manager.
Component
Requirement
Application Manager
Agent
See Microsoft system requirements for the specific Windows version.
Application Manager
Console
Processor
Minimum speed: 1 GHz (x86) or 1.4 GHz (x64)

Recommended speed: 2 GHz or faster
Minimum # of CPUs: 1
Recommended # CPUs: 2 or greater
Refer to Windows editions documentation on support for
more than 4 CPUs
Memory
Minimum: 2 GB RAM
Recommended: 4 GB RAM or greater
Refer to Windows editions documentation on support for
more than 4 GB RAM (x86) and 32 GB RAM (x64)
Available Disk Space
Minimum: 1 GB
2 INSTALL
Prerequisites
Required Utilities and Components

Console
Windows Server 2008 R2 (Standard and Enterprise) optional: Service Packs
Windows Server 2008 (Standard and Enterprise) optional: Service Packs
Windows Server 2003 (Standard and Enterprise) SP1 minimum
Windows 7 (Professional, Ultimate and Enterprise) optional: Service Packs
Windows Vista (Business, Ultimate and Enterprise) optional: Service Packs
Windows XP Professional SP2 minimum
Windows 8 (Professional and Enterprise)
Agent
Windows Server 2008 (Standard and Enterprise) optional: Service Packs
Windows Server 2003 (Standard and Enterprise) SP1 minimum
Windows 7 (Professional, Ultimate and Enterprise) optional: Service Packs
Windows Vista (Business, Ultimate and Enterprise) optional: Service Packs
Windows XP Professional SP2 minimum
Windows 8 (Professional and Enterprise)
Installed Components
The following components are installed as part of the AppSense DesktopNow Installer:
Windows Installer 3.1 Redistributable (v2)
Microsoft Core XML Services (MSXML) 6.0
Microsoft .NET Framework 4.0 Full

When the Microsoft.NET 4.0 Framework is installed and is running on the same machine as the
Agent, the user installing it, must be a member of your Trusted Owners group.
Microsoft .NET Framework 3.5 SP1 Redistributable Package
Microsoft Visual C++ 2010 SP1 Redistributable package (x86) and (x64). Note that for
Application Manager x64 both the x86 and x64 Redistributable packages are required.
2 INSTALL
INSTALLING APPSENSE APPLICATION MANAGER

Application Manager components can be installed using either the AppSense DesktopNow
Installer or manually.
Application Manager can be installed with the Management Center to create integrated
enterprise scale solutions or installed as a standalone product aimed at evaluations.
The AppSense DesktopNow Installer provides a comprehensive process for installing any
combination of AppSense products in a single, fully integrated sequence. The installer
performs a complete check for system prerequisites and provides you with the option of
installing required technologies automatically.
Alternatively, you can install each of the product components manually, by running the
product installer packages for each component.
When installing AppSense products manually, you must ensure that all required
technologies and AppSense components are added. A list of required technologies and
AppSense components is available in the Prerequisites section.
AppSense DesktopNow Installer on page 11
Manual Installation on page 18
Packages
Installer packages for each component in the AppSense Application Manager product set
include 32-bit and 64-bit versions as follows:
ApplicationManagerAgent.msi
ApplicationManagerConsole.msi
ApplicationManagerDocumentation.msi
ApplicationManagerAnalysisService.msi
Additional prerequisite third-party software components are provided with the installation
media and can be installed automatically via the DesktopNow Installer or manually by
running the relevant packages provided.
A quick test to ensure that AppSense Application Manager has installed correctly is to go to the
Task Manager and check the running Processes for AMAgent.exe.
Note: On Windows Vista or later you need to select the Show processes from all users option.
10
2 INSTALL
AppSense DesktopNow Installer

This section provides an overview of the installation processes using the DesktopNow
Installer as follows:
Enterprise Installation on page 11
Standalone Installation on page 16
Enterprise Installation
Enterprise installation allows you to install the full suite of product consoles together with the
AppSense server components. You are prompted to select which server products to install.
The Enterprise Suite includes:
AppSense Application Manager
AppSense Environment Manager
AppSense Performance Manager
AppSense Management Center
Enterprise installation is completed by running the Server Configuration Utility (SCU) for
each installed server product.
Servers, SQL databases and consoles for each of the products in Enterprise mode
installations can be installed either together on one computer or distributed across the
network on separate computers.
Enterprise Installation is only available when the AppSense DesktopNow Installer is launched on
a Server operating system.
In a distributed environment where product consoles and server components are installed on
separate management computers, you need to run the installer again on each computer to install
the relevant components.
Enterprise Installation Using the DesktopNow Installer

1. Run the Installer by executing setup.exe, on the installation media.
2. In the Welcome screen, click Next.
3. In the User Information screen, provide username and company details.
4. In the License Agreement screen, read the license agreement, if you accept the terms,
select and click Next.
5. In the License Validation screen, enter a product license code and activation code or
select to use the evaluation license (valid for 21 days).
For more information about product licenses, see Service Pack Installation on page 23
You manage the licenses for Enterprise mode installations using the Enterprise Licensing
view in the AppSense Management Console. See the AppSense Management Center
Product Guide for further details
11
2 INSTALL
6. In the Installation Type screen, select Enterprise to install product consoles and
server-based products.
The Application Manager agent is entered into the Management Center database when you run
the Management Server Configuration Utility after the installation has completed.
12
2 INSTALL
7. In the Product Selection screen, select the products you want to install. In this case the
Management Center is selected.
When installing in Enterprise mode, the Application Manager console is installed with the
Management Center and the Application Manager agent is added to the Management Center
database ready to be deployed to endpoints.
To use the Application Manager Rights Discovery feature, select Application Manager Rights
Discovery from the list of options. This will install the Analysis Service required to collate the
Rights Discovery information to allow you to create Application Manager configurations.
For further information on deploying agents from the AppSense Management Center refer to
the AppSense Management Center Installation and Upgrade Guide.
8. In the SQL Server Installation screen, if no local Microsoft SQL Server is detected, you
are prompted either to install a Microsoft SQL Server or browse to select an existing
remote SQL Server.
If no existing SQL server is selected, the Installer installs Microsoft SQL Server 2005
Express Edition. If you select this option, read the license agreement, if you accept the
terms, select and click Next and follow the prompts of the Microsoft SQL Server 2005
Setup to complete the installation.
You can skip this step and configure remote servers later using the Server Configuration Utility
for each of the products.
13
2 INSTALL
9. In the Prerequisite Management screen, a list of required components displays, split into
Installed, Not Installed and Requires Manual Installation.
Select Install next to each Not Installed component or select Install All.
Manually Install any required software prerequisites which are not already present.
10. Once all components are installed click Next
Some prerequisite components require manual installation. The Installation Media directory
includes installer packages for some prerequisite components.
Other prerequisite components, such as Internet Information Services (IIS), are part of the
operating system and must be installed using the relevant Server configuration options
11. In the Installation Directory screen, select a location for installing the AppSense product
files.
The default location is C:\Program Files\AppSense.
After installing the Management Center, you can browse to the web page at the following link to
download the console and documentation installers:
http://[servername]/ManagementServer
14
2 INSTALL
12. The Summary screen lists the products you installed, the installation mode, license
details, installation directory, and a notification that no reboot is required.
13. When installation is complete, you are prompted to launch the Management Server
Configuration Utility to configure each server in turn from the Installer console.
Alternatively, you can complete this step later from the product directories in the Start
menu.
For further information on the AppSense Management Server Configuration Utility and deploying
agents and configurations refer to the AppSense Management Center documentation.
15
2 INSTALL
Standalone Installation
Standalone installation installs the product consoles and agents together on the host
computer.
Standalone Installation using the DesktopNow Installer
1. Run the Installer by executing setup.exe from the installation media.
For more information about product licenses, see Service Pack Installation on page 23
You can change license settings later for Standalone installations using the AppSense
DesktopNow Licensing console which you can launch from the following directory:
Start > All Programs > AppSense > Licensing
6. In the Installation Type screen, select Standalone to locally install product console and
product agents.
16
2 INSTALL
7. In the Product Selection screen, select the products you want to install. In this case, we
are only concerned with installing Application Manager.
A message displays informing you the installation of Application Manager will require a reboot.
Click OK to continue.
8. In the Prerequisite Management screen, a list of required components displays split into
Installed and Not Installed components.
9. Select Install next to each Not Installed component or select Install All to install all
missing prerequisites.
17
2 INSTALL
10. Once all components are installed click Next.
11. In the Installation Directory screen, select the location in which to install the AppSense
product files.
12. The Summary screen lists the products you selected to install, the installation mode,
license details, install directory and whether a reboot is required. Click Install.
When the installation is complete, you are prompted to reboot the computer to complete the
installation of the product agents.
Standalone products can be installed on server or desktop computers.
Manual Installation
The table below, shows the list of the Windows Installer Packages (MSI) for each of the
components in the AppSense DesktopNow suite, which you can run manually on the host
computers. The list is organized per product and includes details about which components
require a reboot of the host computer after installation.
When installing AppSense products manually, you must ensure that all required technologies and
AppSense components are added. A list of required technologies and AppSense components is
available in the Prerequisites section.
18
Installation File
Description
2 INSTALL
Reboot
Application Manager
ApplicationManagerConsole32.msi
ApplicationManagerConsole64.msi
Installs the Application Manager console for

creating configurations to deploy to managed
computers hosting the agent.
Not required.
ApplicationManagerAgent32.msi
ApplicationManagerAgent64.msi
Installs the Application Manager agent on

managed computers. When a configuration is
installed, the agent implements the
configuration rules.
Installation, uninstallation and upgrades.
ApplicationManagerDocumentation32.msi
ApplicationManagerDocumentation64.msi
Installs the Application Manager Installation

and Upgrade Guide, the Application Manager
Product Guide and the Application Manager
Help.
Not required.
ApplicationManagerAnalysisService32.msi
ApplicationManagerAnalysisService64.msi
Installs the Analysis Service used for Rights

Discovery to monitor Applications that use
Administrative Rights to run. When installed
and configured, the Service collates data and
allows you to create configurations based on
the Rights Discovery Results report.
Not Required.
ManagementConsole32.msi
ManagementConsole64.msi
Installs the Management Center console

which provides an interface to the
Management Server and the other
components of the Management Center.
Not required.
ManagementServer32.msi
ManagementServer64.msi
Installs the Management Server which

manages data access and storage, security
control, network discovery services and
software deployment to managed computers,
resource management and enterprise
auditing.
Must be configured using the Management
Center Server Configuration Utility.
Not required.
ClientCommunicationsAgent32.msi
ClientCommunicationsAgent64.msi
Installs the Client Communications Agent

(CCA) to manage communications between
the product agents and the AppSense
Management Center.
Installation, uninstallation and upgrades.
ManagementCenterDocumentation32.msi
ManagementCenterDocumentation64.msi
Installs the Management Center Installation

and Upgrade Guide, the Management Center
Product Guide and the Management Center
Help.
Not required.
Installs the Licensing console for managing

licenses for products installed in Standalone
mode.
Not required.
Management Center
Licensing
LicensingConsole32.msi
LicensingConsole64.msi
19
INSTALL
Licensing
LICENSING
The AppSense License Manager allows you to add and manage AppSense product
licenses.
This section provides details about using the console and describes the following processes:
Add a License on page 22
Import a License File on page 22
Export a License File on page 22
ABOUT APPSENSE DESKTOPNOW LICENSING CONSOLE

Use AppSense DesktopNow Licensing Console to manage individual AppSense product
licenses, DesktopNow licenses and evaluation licenses for computers operating in
Standalone mode.
For information about Enterprise license management and deployment, see the AppSense
Management Center Product Guide.
The AppSense DesktopNow Licensing Console allows you to:
Manage licenses for DesktopNow products or Evaluation licenses.
Export license packages to MSI file format for saving to the AppSense Management
Center or other computers which can be remotely accessed.
It is recommended to use the Management Center Enterprise Licensing for Enterprise
installations.
Import and manage licenses from MSI file format.
20
2 INSTALL
About AppSense DesktopNow Licensing Console
When the Licensing Console is launched, all the current licenses display.
The installation of AppSense Application Manager requires one of the following licenses:
License
Description
AppSense DesktopNow
Application Manager
Evaluation
Full Suite license.

May require activation using an activation code sent from AppSense. with
the license code.
Single product license.
May require activation using an activation code sent from AppSense with
the license code.
Full Suite or single product licenses.
Evaluation licenses are available during the first installation of the product
and do not require activation.
21
2 INSTALL
Managing Licenses
MANAGING LICENSES
The following procedures describe how to add and activate a new license, import and export
licenses to Microsoft Windows Installer files (*.msi) or to backup a set of licenses.
ADD A LICENSE
1. Click Add.
The Add License Key dialog displays.
2. Enter the license key and click Add.
You can manually enter each digit or copy and paste the license in to the entry box.
When a license entry is highlighted, a description displays in the bottom section of the
console and includes the following details:
License ID
License State
Issue Date
Expiry Date
Customer Name
Description The type of license, the product and version it relates to.
3. Some license types may need activating. Click Activate, enter the activation code and
click Enter.
Once a license is active, the icon changes to indicate the current license state.
4. Close the Licensing console. The settings are automatically saved.
IMPORT A LICENSE FILE
1. Click Import.
The Open dialog displays.
2. Select the required license MSI file.
3. Click Open.
The license file is loaded in to the DesktopNow Licensing Console.
EXPORT A LICENSE FILE
1. Click Export.
The Save As dialog displays.
2. Browse to the required location, provide a name for the file and click Save to save the
file.
You can copy this file to any network location and load the file in Application Manager or in
Management Center Enterprise Licensing.
22
2 INSTALL
SERVICE PACK INSTALLATION

AppSense Service Packs are self contained packages or patches that are used to update
specific files within a DesktopNow application without reinstalling the full application. Service
packs can be applied more often and reduce the need for system restarts on your endpoints.
Service packs are delivered as a Windows Installer patch (MSP) file and are often referred to
as patch files.
To view previously installed patches, navigate to Control Panel > Programs > Programs
and Features > Installed Updates.
Installing Service Packs

Service Packs can be installed or deployed using the same technology and techniques used
when installing MSIs. Both Microsoft System Center and the AppSense Management Center
8 FR4 can deploy MSPs. If neither of these products are available, service packs can be
installed using the command line interface.
For example, the command:
msiexec.exe /p ApplicationManagerAgent64.msp
installs any files that have been amended as part of the patch for just Application Manager
64 bit agent.
The following command installs the base version of the Application Manager Agent (MSI)
and the Application Manager patch file (MSP) simultaneously:
msiexec.exe /i ApplicationManagerAgent64.msi
PATCH=c:\fullpath\ApplicationManagerAgent64.msp
A base version must be installed before the patch file can be applied.
If the patch file contains driver or hook files that are currently in use on the machine the
patch is being applied to, you are informed that a reboot is required. If you chose to continue,
the system is restarted when the patch has been applied.
For information on installing and upgrading service packs using Management Center 8 FR4, see the
AppSense Management Center Install and Upgrade Guide.
Installation Order and Dependencies

It is recommended that all components of a service pack are installed.
23
2 INSTALL
Rolling Back Service Packs

There are two ways to roll back, or uninstall AppSense Service Packs:
Using the Windows Control Panel
Using Management Center 8 FR4

If a service pack is uninstalled the installation reverts to the previous latest build, whether a service
pack or base version.
All agent and console service pack components can be uninstalled.
Rolling Back Service Packs Using Windows Control Panel

The procedure used to roll back service packs varies depending on the Operating System:
For Windows 7
1. Navigate to Control Panel > Programs > Programs and Features > Installed
Updates.
2. Highlight the selected patch and click Uninstall.
When using Windows XP
1. Navigate to Start > Control Panel > Add or Remove Programs > Change or Remove
Programs.
2. Select Show updates.
3. Highlight the selected patch and click Remove.
Rolling Back Service Packs Using Management Center 8 FR4

1. In the Management Center console, select Overview > Deployment Groups tab >
Deployment Groups.
2. Highlight the Deployment Group and select Settings > Assigned Packages.
The Assigned Packages work area displays a list of all the AppSense products and their
associated packages.
3. Highlight the required Application Manager service pack and click Unassign from the
Actions menu.
4. Click Review and Submit.
The Submit Changes dialog displays.
5. Check the details are correct and click Submit.
The patch is unassigned based on the deployment group Installation Schedule.
24
2 INSTALL
Uninstallation
UNINSTALLATION
Uninstall AppSense Application Manager by using the AppSense DesktopNow Installer.
DesktopNow Uninstallation Procedure
1. Run the AppSense DesktopNow Installer by executing setup.exe on the installation
media.
2. The Welcome screen displays where you are provided with three options, Modify, Repair
and Uninstall.
3. Select Uninstall and click Next.

4. The Summary screen lists the product selected to uninstall, the installation mode, the
installation directory and whether a reboot is required. Click Uninstall.
5. The installed Application Manager agent is uninstalled and the process is complete.
Any user created configurations will not be uninstalled with the product. You must manually
delete these.
25
3
Upgrade
In this Section:
Upgrade Application Manager on page 27
Configuration Upgrade on page 30
Upgrade Configuration Functionality on page 32
3 UPGRADE
UPGRADE APPLICATION MANAGER

To find out the version number of AppSense Application Manager you are currently using, use the
About option in the Home ribbon.
Upgrades
Existing AppSense software packages upgrade automatically during the installation process,
including database schemas, agents and configurations. Before proceeding, make sure you
backup all existing AppSense databases and save product configuration packages as MSI
files to disk from the existing product consoles. If necessary, save earlier versions of the
product agent software which you would like to maintain.
For more information about saving configuration files from product consoles, see the Application
Manager Product Guide.
Upgrading Application Manager in Enterprise mode

2. In the Welcome screen, three options are provided, Modify, Upgrade and Uninstall.
Select Upgrade and click Next.
Select Install next to each Not Installed component or select Install All to install all
Once all components are installed click Next.
27
3 UPGRADE
4. The Summary screen lists the products ready to be upgraded, the installation mode,
install directory and whether a reboot is required. Click Upgrade.
5. The Upgrade Complete screen displays, the Restart the computer now check box is
selected, deselect if you want to manually restart later. Once the computer has been
restarted the upgrade process is complete.
Upgrading Application Manager in Standalone mode
6. In the Installation Type screen, select Standalone to install the product console and
agent.
7. In the Product Selection screen, select the product you want to upgrade and Click Next.
8. A message displays informing you the installation of Application Manager will require a
reboot. Click OK to continue.
9. A further message displays informing you that there are already previous versions of
Application Manager installed and they will be upgraded. Click OK to continue with the
upgrade.
28
3 UPGRADE
Select Install next to each Not Installed component or select Install All to install all
Once all components are installed click Next.
11. In the Installation Directory screen, select the location in which to install the AppSense
product files.
12. The Summary screen lists the products you selected to install, the installation mode,
install directory and whether a reboot is required. Click Install.
When the installation is complete, you are prompted to reboot the computer to complete the
installation of the product agents. The upgrade process is complete.
29
3 UPGRADE
CONFIGURATION UPGRADE
AppSense product configurations must be upgraded sequentially by major product version.
Version numbering is categorized as follows:
Major is n.x.x.x
Minor is x.n.x.x
Build is x.x.n.x
Version is x.x.x.n
You cannot upgrade directly from version 6.x to version 8.x and must proceed from v6.x to
version 7.x, and from version 7.x to version 8.x. It is recommended that the Agents and
Configurations belong to the same major and minor version numbers.
Configurations are upgraded by exporting from the source product console to MSI file format
and importing the configuration file into the next major version of the product console.
Upgrade Application Manager configurations created with version 6.x and version 7.x
product consoles by saving to disk as MSI files using the old console.
Open 7.x configuration MSI files in the version 8.x product console:
v7.x
MSI
v8.x
Open version 6.x configuration MSIs in a version 7.x console and save before repeating
these steps and open again in the version 8.x console:
v6.x MSI
v7.x
MSI
v8.x
Upgrade the configuration by loading the MSI file into the new console using the Import
option in the Application Menu.
Once the configuration is upgraded, you can save the configuration to the local computer, a
remote computer, to the Management Center or as a file on disk, according to requirements.
As new features and improvements are introduced in Application Manager, new configurations may
not always be compatible with older versions of the Agent and Console. It is recommended that you
upgrade the Configuration, Agent and Console to ensure compatibility.
30
3 UPGRADE
Standalone Configuration Upgrade Process v6.0 > v7.0 > v8.0

1. Launch a 6.x or 7.x version of Application Manager and in the Standalone Configuration
node, select Export Configuration in the Action menu.
2. In the Export Configuration dialog, save the configuration to disk in MSI format.
3. Completely uninstall the current version of AppSense Application Manager you are
upgrading and install the new version.
4. Launch the new Application Manager console and import the saved MSI configuration to
perform the upgrade.
Configuration Import steps
In Version 7.x, highlight the AppSense Application Manager node and select Import
Configuration on the Action menu to import the configuration you saved using the
previous version of the product.
In Version 8.x, click the Application button, select Import & Export > Import
configuration from MSI and import the configuration MSI file.
5. Save and close the configuration to complete the upgrade.

Standalone Configuration Upgrade Process Version 8.x to AM8 FRx
To upgrade a configuration from version 8.x to version AM8 FRx you must Open and Save
the configuration in the AM8 FRx console. Once the configuration has been saved in this
console it will be compatible and therefore ready to be deployed using a deployment
mechanism.
AppSense Management Center Configuration Upgrade Process Version 8.x to AM8
FRx
To upgrade a configuration from version 8.x to AM8 FRx you must Open the configuration
and use the Save As command. All other Save commands are disabled. This will ensure
that the configuration version is correct.
When you open and upgrade a 8.x configuration in the Management Center the
configuration is initially locked. The Save As command releases the lock on the file.
31
3 UPGRADE
UPGRADE CONFIGURATION FUNCTIONALITY

If you are upgrading configurations used in previous versions of Application Manager the
introduction of the Process Rules and Group Management functionality may render the
following parts of the configuration redundant:
Trusted Applications see Upgrades and Process Rules on page 32
Signature Groups see Upgrades and Group Management on page 33
Network Connection Groups see Upgrades and Group Management on page 33
Upgrades and Process Rules

If the Application Manager configuration contains Trusted Application rules, the upgrade will
preserve the Trusted Applications features behavior although some functionality regarding
the three Trusted Applications options may be lost.
The table below shows how the various Trusted Application states will be converted to
Process rules during a configuration upgrade.
Trusted Application
State
Process Rules
Off
No Process rules added.
Disable Trusted
Applications Checking
No Process rules added.
Only when blocked by

Trusted Ownership
Always
For each Trusted Application defined:

A new Process rule is created with the name Upgraded Trusted Application
Rule (*).Where * represents a number automatically incremented from 1 to
the number of Trusted Application rules present in the configuration being
upgraded.
A new Process Identifier is added to the newly created Process rule.
If the Trusted Application rule was defined using a full file path then the
process identifier list has one file name entry with the exact same text.
If the Trusted Application rule was defined using a digital signature then the
process identifier has one digital signature entry with the same digital
signature. Any file name information is preserved.
For each of the trusted content entries for the Trusted Application rule, a new
Accessible Item is added. The Trusted Ownership setting is set to Off, for all
added entries.
32
3 UPGRADE
Upgrades and Group Management

If the Application Manager configuration contains Signature Groups and Network Connection
Groups, the upgrade directly converts them to Group Management and renames them
Groups. The name of the Signature or Network Connection Group remains the same and the
contents of the Signature or Network Connection Group remain the same.
To avoid any problems that may be encountered if the upgrade produces any duplicate
names each upgraded Group will be suffixed with its origin and that it was an upgrade.
Example
A version 8.0 configuration with a Signature Group called A, becomes a Group called A Upgraded Signature Group.
A version 8.0 configuration with a Network Connection Group called B, becomes a

Group called B - Upgraded Network Connection Group.
33
4
Configure Servers
In this Section:
Post Installation Checklist on page 35
Console on page 36
Configuration on page 40
Agent on page 40
4 CONFIGURE SERVERS
Post Installation Checklist
POST INSTALLATION CHECKLIST

Once you have installed AppSense Application Manager using the AppSense DesktopNow
Installer check you have the following:
Enterprise
Standalone
Console
Go to the Start menu and check

AppSense Application Manager
Console is present.
Go to the Start menu and check AppSense

Application Manager Console is present.
Agent
Run the Management Center Server

Configuration Utility to create the
database and upload the 32-bit and 64-bit
agents.
To check the agents are present go to the
Management Center console and check
they are listed under Packages.
Note For details on deploying the agent
to endpoints refer to the AppSense
Management Center Installation and
Upgrade Guide.
Go to Task Manager and check AMAgent.exe is

listed in the Running Processes.
Note On Windows Vista or later you need to
select the Show processes from all users
option.
Configuration
Open the Application Manager console

and select the Application menu button.
You must save the blank configuration to
implement the Application Manager
default rules.
Select Save As > Configuration in the
Management Center.
Note For details of Application Manager
default rules refer to the Application
Manager Product Guide.
Open the Application Manager console as an

Administrator (if UAC is enabled) and select the
Application Menu button. You must save the
blank configuration to implement the Application
Manager default rules.
Select Save As > Live Configuration on this
computer.
Note For details of Application Manager
default rules refer to the Application Manager
Product Guide.
Analysis
Service
Open a browser and enter the following:

http://<localhost>/AMAnalysisService
Note: <Localhost> would be replaced
with the name of the machine that the
Service resides on.
If the service is installed correctly a
Service website will be displayed.
Go to Task Manager and check

AMAnalysisService.exe is listed in the Running
Processes.
Note On Windows Vista or later you need to
select the Show processes from all users
option.
35
CONFIGURE SERVERS
Console
CONSOLE
The Application Manager console launches when the link is selected in the Start > All
Programs > AppSense menu.
36
CONFIGURE SERVERS
Console
File Menu
The File menu provides options for managing configurations including create new, open
existing, save, and import and export configurations.
File Menu Options
Option
Description
New
Creates a new default configuration which is locked for editing.
Open
Opens an existing configuration from one of the following locations:

Live configuration on this computer.
Configuration from the Management Center.
Configuration file on a local or network drive: Application Manager Package Files
format (aamp).
Open a configuration from the System Center Configuration Manager.
Note A live configuration is located on a computer which has an Application Manager
agent installed and running.
Save
Saves the configuration in one of the following states:

Save and continue editing - save the configuration and keep it locked and open for
editing, you will not be able to deploy the configuration while it is locked.
Save and unlock - save the configuration and unlock it ready for deployment. The
current configuration closes and a new default configuration opens.
Unlock without saving - unlock the configuration without saving changes. The current
configuration closes and a new default configuration opens.
Save As
Saves the configuration with a new name to one of the following locations:
Live configuration on this computer
Configuration in the Management Center
Configuration in System Center Configuration Manager
Configuration in Group Policy
Configuration file on a local or network drive: Application Manager Package Files
format (aamp).
Note A live configuration is located on a computer which has a Application Manager
agent installed and running.
Warning If using a Microsoft Windows operating system with UAC enabled you must
ensure that you open the console with administrator privileges.
Import & Export
Exit
Preferences
Imports a configuration from MSI format, usually legacy configurations which have
been exported and saved from legacy consoles.
Exports a configuration to MSI format.
Closes the console.

You are prompted to save any changes you have made to the current configuration.
Launches the Console Preferences dialog box which include:
Show splash screen on startup
Quick Access Toolbar

The Quick Access toolbar provides quick functionality for managing the configuration setup,
such as Save, Save and Unlock, Undo, Redo, and navigation to previously and next
displayed views.
37
CONFIGURE SERVERS
Console
Quick Access Toolbar Options

Option
Description
Save
Saves changes to the configuration. The configuration will remain locked if opened from the
AppSense Management Center.
Save and unlock
Saves changes and unlocks the configuration. These changes can now be deployed from the
Management Center.
Undo
Clears the action history. Up to 20 previous actions are listed. Select the point at which you want to
clear the actions. The action selected and all proceeding actions are undone.
Redo
Re-applies the cleared action history. Up to 20 cleared actions are listed. Select the point at which
you want to redo the actions. The action selected and all subsequent actions are redone.
Back
Navigates back through the views visited in this session.
Forward
Navigate forward through the views visited this session.
Ribbons
Ribbons page include buttons for performing common actions arranged in ribbon groups
according to the area of the console to which the actions relate. For example, the Home
ribbon includes all common tasks, such as About, Cut, Paste and Copy, Help, AppSense
website and Support links.
You can find the version number of AppSense Application Manager you are using, by selecting the
About option in the Home ribbon.
Split ribbon buttons contain multiple options and are indicated by an arrow just below the
button. Click the arrow to display and select the list of options, or simply click the button for
the default action.
Double-click a ribbon to show and hide the ribbon pages.
Help
The Home ribbon includes a Help button which launches the Help for the product and
displays the topic relating to the current area of the console in view. A smaller icon for
launching the Help displays at the far right of the console, level with the ribbons, for
convenience when the Home ribbon is not in view. You can also click F1 to launch the Help
topic for the current view.
38
CONFIGURE SERVERS
Console
Navigation Pane
The Navigation pane consists of the navigation tree and navigation buttons. The navigation
tree is the area for managing nodes of the configuration. The navigation buttons allow you to
view the different areas of the console.
Work Area
The Work area provides the main area for managing the settings of the configuration and
product. The contents of the work area vary according to the selected nodes in the
navigation tree and the selected navigation buttons. Sometimes the work area is split into
two panes. For example, one pane can provide a summary of the settings in the other pane.
Additional Console Features
Shortcut Menu right-click shortcuts are available in the navigation tree and some
areas of the console.
Drag and Drop this feature is available in some nodes of the navigation tree.
For further drag and drop details on specific functionality see the Application Manager Help.
Cut/Copy/Paste these actions can be performed using the buttons in the Home
ribbon page, shortcut menu options and also using keyboard shortcuts.
Recommended screen resolution for the console is 1024 x 768 pixels.
39
CONFIGURE SERVERS
Configuration
CONFIGURATION
Application Manager configuration files contain the rule settings for securing your system.
The agent checks the configuration rules to determine the action to take when intercepting
file execution requests.
Configurations are stored locally in the All Users profile and are protected by NTFS security.
In Standalone mode, configuration changes are saved in the custom .aamp format
(AppSense Application Manager Package) and read by the agent. In Enterprise mode,
configurations are stored in the AppSense Management Center database, and setup for
deployment using the AppSense Management console.
A default configuration loads when you run the console and can be used for immediate protection
on all client computers to which the configuration is deployed.
For details on the default configuration settings and immediate protection you receive refer to the
AppSense Application Manager Product Guide.
Configurations can also be exported and imported to and from MSI file format using the
Application Manager console, which is useful for creating templates or distributing
configurations using third-party deployment systems.
After creating or modifying a configuration, you must save the configuration with the latest
settings to ensure that they are implemented.
The Application Manager console must be run as an administrator to be able to save any changes.
AGENT
Application Manager is installed and run on endpoints using a lightweight agent. The agent is
deployed to managed computers to implement the configuration rules. In Standalone mode,
the agent is installed directly onto the local computer. In Enterprise mode, configurations are
stored centrally and deployed remotely across a network to multiple controlled computers
using the AppSense Management Center.
Agents are constructed as Windows Installer MSI packages which allows them to be
distributed using any third-party deployment system which supports the MSI format.
For more information about deploying AppSense Application Manager, see the AppSense
Management Center Product Guide.
40
CONFIGURE SERVERS
Analysis Service
ANALYSIS SERVICE
The Analysis Service is installed on any selected machine as part of the Application
Manager installation. It is a lightweight component that does not require typical server tools
such as IIS or SQL Server. In the standalone mode, the service is installed on any selected
machine. To install the Service as part of the Enterprise mode, the Application Rights
Discovery option must be selected.
For more information about Analysis Service, see the AppSense Application Manager Product
Guide.
41
APPENDICES
In this Appendix:
Licenses
A
Licenses
APACHE LICENSE
Copyright 2014 AppSense Ltd
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the
License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
OF ANY KIND, either express or implied. See the License for the specific language
governing permissions and limitations under the License.
GLOSSARY
Accessible Items
Agent
Analysis Service
Application Limit
Audit Only
CCA
Configuration
Configuration File
Configuration Profiler
Console
Deploy
Digital Signature
Event
Group Management
Node
OU
Prohibited Items
Process Rule
Rights Discovery
Security Identifier
Security Level
Self-Authorizing User
Server Configuration Utility
SID
Time Limits
Trusted Ownership
Trusted Vendors
Wildcards
GLOSSARY
ACCESSIBLE ITEMS
CCA
Accessible Items
Accessible Items are files, folders, drives or digitally signed files or groups of files in an
Application Manager configuration Rights Discovery which are allowed to run when file
execution requests are matched with the rule security settings and would otherwise be
prohibited by other configuration settings.
See also: Prohibited Items, Trusted Vendors, User Rights Management
Agent
A proactive software component which implements the product configuration rules. For
example, the Application Manager Agent is software that runs as a Windows service to
validate execute requests according to the rules in the configuration installed on a computer
Analysis Service
The Analysis Service is installed on any machine and is used to collect the data from the
Rights Discovery.
Application Limit
Application Limits specify the number of instances of an application a user can run. An
application limit can be applied to an item in the Accessible Items node.
Application Termination allows you to set triggers, behavior and warning messages for
terminating applications on managed computers. You can also control the manner in which
applications are terminated and how the user is notified.
Audit Only
Security Level assigned to users, groups or devices in an Application Manager Rights
Discovery which audits events according to the Auditing Configuration without applying the
rule. Used for passive monitoring in evaluations to assess application usage on the host
environment.
CCA
Client Communications Agent. Installed on computers operating in an Enterprise
installation to provide a link between the product agent running on a managed computer and
the AppSense Management Center.
The CCA sends event data generated by the product agents to the Management Server and
also polls the Management Server to manage the download and installation for software
configuration, agent and package updates.
The CCA can be downloaded and installed directly on managed machines from the
Management Server website.
45
GLOSSARY
CONFIGURATION
Event
Configuration
The Application Manager configuration consists of lists of files/folders that you have decided
should be Accessible Items, Prohibited Items and Trusted Vendors. The configuration also
contains optional settings and text to be displayed to the user. A configuration is created and
managed using the Application Manager Console and used by the Application Manager
Agent and is saved in Application Manager Package Files (*.aamp). The agent uses the
configuration settings to determine whether or not an execute request is to be denied.
Configuration File
An Application Manager configuration exported from the Console and saved to Windows
Installer MSI file format. The file can be installed on any computer and the configurations
rules applied when an Application Manager Agent is present and running as a service on the
computer.
Configuration Profiler
Generates reports detailing the current settings in the Configuration. Filtering options allow
you to query settings affecting specific users or groups, devices, and files or folders.
Console
AppSense Application Manager software interface.
Deploy
To deliver a configuration or AppSense software component to one or more computers,
which can include the local machine.
Digital Signature
Application Manager uses the SHA-1 algorithm for applying a digital signature to uniquely
identify files.
The signature can be used as a security measure when adding files as Accessible Items,
Prohibited Items and Trusted Vendors.
Signatures can also be used for allowing applications on non-NTFS formatted drives to run,
which Application Manager would otherwise block by default. Add the digital signatures to
the Accessible Items list and disable trusted ownership checking for the individual files.
Signature Group Management provides easier administration for large groups of signatures.
Accessible Items with digital signatures can be used to verify that the file which the user is
attempting to run is actually the file permitted by the administrator.
Prohibited Items with digital signatures can be used to ensure the file is always prevented
from executing, even when the user renames the file.
Event
An Event is generated by Application Manager to report file execution requests, overwrites
or renames and Self-Authorizing User decisions. The event number indicates the outcome of
the request. Events are logged according to the method set up in the Auditing node.
46
GLOSSARY
GROUP MANAGEMENT
Security Identifier
Group Management
Group Management is a library for compiling reusable groups of files, folders, drives,
signatures and network connections which can be associated with rules in the configuration.
For example, Groups can be used to manage licenses for a suite of software or common
sets of applications for assigning to certain user groups.
Network Connection Item
Network Connection identify.
Node
A node is a term used in the Application Manager Console to represent a branch in the
navigation tree.
OU
Organizational Unit. A Microsoft Active Directory container that includes users and
computers.
Prohibited Items
Prohibited items are files, folders, drives or digitally signed files or groups of files specified in
an Application Manager Rights Discovery which are not allowed to run when file execution
requests are matched with the rule security settings and would otherwise be allowed by
other Configuration settings.
See also: Accessible Items and Trusted Vendors
Process Rule
Process rules allow you to manage access for a parent process to run child processes which
might be managed differently in other rules. Process rules include settings for adding
Prohibited Items, Accessible Items, Trusted Vendors and User Rights Management.
Rights Discovery
Rights Discovery allows you to monitor what users are running applications that use
Administrative Rights and generates reports based on the results.
Rule
A Configuration rule assigns a Security Level to the specified users or groups, devices and
combinations of these and contains control lists for Accessible Items, Prohibited Items,
Trusted Vendors and Process Rule. The Application Manager agent intercepts kernel level
file execution requests and matches these with the configuration rules to implement security
controls.
Security Identifier
(SID). A data structure of variable length that identifies user, group, and computer accounts.
Every account on a network is issued a unique SID when the account is first created. Internal
processes in Windows refer to an accounts SID rather than the accounts user or group
47
GLOSSARY
SECURITY LEVEL
Trusted Ownership
name. Likewise Application Manager also refers to a user or group SID unless the SID could
not be found when added to the configuration.
Security Level
Application Manager configuration Rights Discovery settings include security levels which
specify how to manage requests to run unauthorized applications by the users, groups or
devices which a rule matches.
Restricted Only authorized applications can run. These include files owned by members
of the Trusted Owners list and files listed in Accessible Items, Trusted Vendors and Trusted
Ownership.
Self-Authorizing Users are prompted for decisions about blocking or running unauthorized
files on the host device.
Audit only All actions are permitted but events are logged and audited, for monitoring
purposes.
Unrestricted All actions are permitted without event logging or auditing.
Self-Authorizing User
User, group or device granted control to choose whether to block or run an unauthorized
application on the host computer. The Self-Authorizing Security Level can be assigned in an
Application Manager Rights Discovery to match a file execute request for users, groups or
devices.
Server Configuration Utility
Utility to configure and maintain AppSense server products.
SID
See Security Identifier.
Time Limits
Settings applied to entries in the Accessible Items and Prohibited Items nodes of an
Application Manager Rights Discovery which determine day and time ranges when the
controls apply.
For example, an entry in the Prohibited Items node of a rule can restrict use of the local web
browser to users except between the hours of 12pm and 2pm on specific days of the week.
Trusted Ownership
Trusted Ownership checking is a secure method Application Manager uses to prevent users
running unauthorized applications. On NTFS formatted drives, files have owners and
Application Manager is configured by default, to only allow files to be executed if the file
owner is a member of the Trusted Owners list. If a user tries to run a file that is not owned
by a trusted owner, the execute request is denied and a message notifies the user. Any files
downloaded from the internet or received in email are owned by the user, so those files are
not permitted to run unless ownership is held by members of the trusted owner list.
48
GLOSSARY
TRUSTED VENDORS
Wildcards
By default, Application Manager blocks execution requests for all applications on non-NTFS
formatted drives.
Trusted Vendors
Trusted Vendors are digital certificates signed by trusted sources. Trusted Vendor checking
allows applications which fail Trusted Ownership checking to match digital certificates with
the Trusted Vendors list.
A list of Trusted Vendors can be defined for each User, Group, Device, Custom, Scripted,
and Process rule of the configuration.
Application Manager queries each file execution which fails Trusted Ownership checking to
detect the presence of a digital certificate. If the file has a digital certificate which is signed by
a certificate authority matching a valid entry in the Trusted Vendor list, the file is allowed to
run.
Trusted Vendor matching takes place when a file is prohibited by failing Trusted Ownership
checking and Trusted Application checking.
User Rights Management provides a granular approach to delegating administrative rights to
users and applications by assigning rights according to merit. This level of control can be
deployed to elevate or restrict privileges on a case by case basis according to the preferred
approach taken in the environment.
Wildcards
Both the asterisk (*) and question mark (?) characters can be used in a file or folder path in
the Application Manager console. The asterisk represents one or more characters, excluding
the back slash (\) character, whilst the question mark wildcard represents one character,
excluding the forward slash (/) character. Both of the wildcard characters can be used in any
part of a file path, including the drive letter for local paths.
For example, c:\sample path\test?\*.exe, matches all files with the .exe extension that
existed in the folders c:\sample path\test1, c:\sample path\test2, ... c:\sample path\test(n),
etc. But since the question mark can only replace one character, it does not match c:\sample
path\test100. The only limitation imposed by Application Manager on the use of wildcards is
that the asterisk cannot be used to match more than one subdirectory.
49

AppSense Application Manager Install and Upgrade Guide PDF

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

AppSense Application Manager Install and Upgrade Guide PDF

Încărcat de

Drepturi de autor:

Formate disponibile

Application

Version 8 FR7 SP1

APPLICATION MANAGER INSTALL AND UPGRADE GUIDE

AppSense Limited, 2014

About This Document

Terms and Conventions

About Application Manager

APPLICATION MANAGER INSTALL AND UPGRADE GUIDE

Supported Operating Systems and Technologies

Required Utilities and Components

Installing AppSense Application Manager

About AppSense DesktopNow Licensing Console

Service Pack Installation

Installing Service Packs

Rolling Back Service Packs

Rolling Back Service Packs Using Windows Control Panel

Rolling Back Service Packs Using Management Center 8 FR4

Upgrade Application Manager

Upgrade Configuration Functionality

Upgrades and Process Rules

Upgrades and Group Management

APPLICATION MANAGER INSTALL AND UPGRADE GUIDE

Post Installation Checklist

About This Document on page vii

Terms and Conventions on page vii

Feedback on page vii

APPLICATION MANAGER INSTALL AND UPGRADE GUIDE

ABOUT THIS DOCUMENT

TERMS AND CONVENTIONS

Used for scripting samples and code strings.

Indicates a glossary link.

Indicates the path of a menu option. For example,

Caution/Warning Provides critical information relating to specific tasks or indicates

About Application Manager on page 2

Key Benefits on page 3

Feature Summary on page 3

APPLICATION MANAGER INSTALL AND UPGRADE GUIDE

ABOUT APPLICATION MANAGER

APPLICATION MANAGER INSTALL AND UPGRADE GUIDE

AppSense Application Manager consists of the following components:

Analysis Service on page 41

Protect against malicious code.

Selectively elevate or restrict administrative rights to access or run specific applications

Protect out of the box against all unauthorized application usage.

Manage processes at a granular level to control application access to child processes.

Stop unauthorized device license usage.

Apply time restrictions on when applications can or cannot be run.

Control outbound network access at the process level.

Control network access based on location.

APPLICATION MANAGER INSTALL AND UPGRADE GUIDE

APPLICATION MANAGER INSTALL AND UPGRADE GUIDE

Windows Scripting Host Validation

APPLICATION MANAGER INSTALL AND UPGRADE GUIDE

Rights Discovery Mode

Enable and Disable Functionality Settings

Application Access Control

Application Network Access Control

User Rights Management

Service Pack Installation Using the AppSense Management Center

Installing AppSense Application Manager on page 10

Service Pack Installation on page 23

APPLICATION MANAGER INSTALL AND UPGRADE GUIDE