LukaszDziwisz
Hot Shot
Hot Shot

Application Blocking with UEM

Hello Everyone,

I would like to get some guidance about Application Blocking through UEM. What we would like to accomplish is to pack as many applications as we can into Master Image but then use UEM to block usage of them on all users with the exception of the AD group that should be able to use it. We have many in-house  applications that run from the root of C drive instead of Program Files directories.

From what I see the first step is to Enable application blocking. After I do that I get the following message:

pastedImage_0.png

So to me it means that only programs from those 2 directories will be able to run.  Question 1: do I set the condition set here to Domain Users?

Question 2:Then, in order to allow those other applications to run from outside of %Program FIles% can I just simply say  to allow C:\* and set it to allow for all and then specify another rule to block a specific application and set the condition set to whoever who is not part of a particular AD group?

Question 3: Is it working like firewall where more specific rule should be on top and all all C:\* should be on the bottom? Or does it not matter?

As a good example I would like to put MS Visio on a  Master Image because it is a little bit of a pain to maintain it with it being on appstack and having multiple master images in different pools. Since it is a licensed product we only want to allow specific group of people to have access to it.

Also, I should probably also mention that we use Appvolumes writable profile only and couple of appstacks

Any advice would be much appreciated

4 Replies
DEMdev
VMware Employee
VMware Employee

Hi LukaszDziwisz,

Whoa, that's a lot of questions Smiley Happy, and some of them have "it depends..." answers, but let me give it a shot.

If you enable application blocking without any additional configuration, only executables from the Windows and Program Files folders are allowed. Everything else will be blocked. Whether you should put a condition on this global configuration setting depends on what exactly you'd like to achieve. If there are power users who should just have access to everything, you might want to use a condition here.

For your Root of C:\ applications, I would add specific path-based allow rules:

pastedImage_6.png

You can use conditions on such a setting to make sure it's only applied to user who should have access.

For Visio, it's the other way around, in a sense. As it's installed in Program Files, the application blocking's global configuration grants access by default, so you would need to block it (with the correct path, unlike my example below Smiley Happy):

pastedImage_9.png

Condition-wise, you'd need to use something like:

pastedImage_10.png

If you don't use conditions, the setting will apply to everyone, blocking Visio for everyone.

Whether applications are installed in the base image or coming from an AppStack should not affect UEM's application blocking. The Work with Multiple Types of Application Blocking topic describes how the different application blocking settings interact.

0 Kudos
LukaszDziwisz
Hot Shot
Hot Shot

Thank you UEMdev​ I think I understand it now. It looks like it works pretty slick and had to add c:* to allow those odd programs to function. The only problem now we are seeing is that since we are redirecting Desktop, DOcuments, etc libraries it doesn't let me execute from desktop for example because to uem it looks like it is being executed from \\fileshare and I cannot add it to UEM as it only allows absolute paths

0 Kudos
DEMdev
VMware Employee
VMware Employee

Hi LukaszDziwisz,

Happy to hear that it's (mostly) working now! For those redirected folders: have you tried adding their "target locations" in UNC format as allowed paths?

0 Kudos
LukaszDziwisz
Hot Shot
Hot Shot

Hi UEMdev​,

you're right it appears that I can do like \\server\share\* not sure what I was thinking that I cannot. FOr some reason when I tried it before it told me that only absolute path is accepted.

I'll give that a shot and let you know