4 Replies Latest reply on Jun 14, 2019 7:34 AM by LukaszDziwisz

    Application Blocking with UEM

    LukaszDziwisz Enthusiast

      Hello Everyone,

      I would like to get some guidance about Application Blocking through UEM. What we would like to accomplish is to pack as many applications as we can into the Master Image but then use UEM to block usage of them on all users with the exception of the AD group that should be able to use it. We have many in-house applications that run from the root of the C drive instead of Program Files directories.


      From what I see the first step is to Enable application blocking. After I do that I get the following message:



      So to me it means that only programs from those 2 directories will be able to run. Question 1: Do I set the condition set here to Domain Users?


      Question 2: Then, in order to allow those other applications to run from outside of %Program Files%, can I just simply say to allow C:\* and set it to allow for all, and then specify another rule to block a specific application and set the condition set to whoever is not part of a particular AD group?


      Question 3: Is it working like a firewall, where the more specific rule should be on top and all C:\* should be on the bottom? Or does it not matter?


      As a good example, I would like to put MS Visio on a Master Image because it is a little bit of a pain to maintain it with it being on an appstack and having multiple master images in different pools. Since it is a licensed product, we only want to allow a specific group of people to have access to it.


      Also, I should probably also mention that we use Appvolumes writable profile only and a couple of appstacks.


      Any advice would be much appreciated.

        • 1. Re: Application Blocking with UEM
          DEMdev Master
          VMware Employees

          Hi LukaszDziwisz,


          Whoa, that's a lot of questions, and some of them have "it depends..." answers, but let me give it a shot.


          If you enable application blocking without any additional configuration, only executables from the Windows and Program Files folders are allowed. Everything else will be blocked. Whether you should put a condition on this global configuration setting depends on what exactly you'd like to achieve. If there are power users who should just have access to everything, you might want to use a condition here.


          For your Root of C:\ applications, I would add specific path-based allow rules:

          You can use conditions on such a setting to make sure it's only applied to users who should have access.


          For Visio, it's the other way around, in a sense. As it's installed in Program Files, the application blocking's global configuration grants access by default, so you would need to block it (with the correct path, unlike my example below):

          Condition-wise, you'd need to use something like:

          If you don't use conditions, the setting will apply to everyone, blocking Visio for everyone.


          Whether applications are installed in the base image or coming from an AppStack should not affect UEM's application blocking. The Work with Multiple Types of Application Blocking topic describes how the different application blocking settings interact.

          • 2. Re: Application Blocking with UEM
            LukaszDziwisz Enthusiast

            Thank you DEMdev, I think I understand it now. It looks like it works pretty slick and had to add c:* to allow those odd programs to function. The only problem now we are seeing is that since we are redirecting Desktop, Documents, etc. libraries, it doesn't let me execute from desktop, for example, because to UEM it looks like it is being executed from \\fileshare and I cannot add it to UEM as it only allows absolute paths.

            • 3. Re: Application Blocking with UEM
              DEMdev Master
              VMware Employees

              Hi LukaszDziwisz,


              Happy to hear that it's (mostly) working now! For those redirected folders: have you tried adding their "target locations" in UNC format as allowed paths?

              • 4. Re: Application Blocking with UEM
                LukaszDziwisz Enthusiast

                Hi DEMdev,


                You're right, it appears that I can do like \\server\share\*; not sure what I was thinking that I cannot. For some reason, when I tried it before, it told me that only absolute path is accepted.


                I'll give that a shot and let you know.