8 Replies Latest reply on Dec 2, 2019 7:42 AM by cbaptiste

    Disable Application Blocking

    cbaptiste Enthusiast

      Hi,

       

      Do you know of a way to disable Application blocking completely for a pool while have it enabled for another. Currently I am using conditions but it seems like when Application Blocking is enable it is enabled for everything. With conditions I can simply tell it what to allow or prohibit.

       

      For example I say if this condition is met, allow C:\ so now anything that is on the local drive C is allowed. However, network paths are still blocked. I have to explicitly allow them.

       

      Anyway to just disable it completely. Even through registry would do just fine.

        • 1. Re: Disable Application Blocking
          DEMdev Master
          VMware Employees

          Hi cbaptiste,

           

          Once you enable application blocking through the Global Configuration button, it's on and only applications from the Windows folder, C:\Program Files, and C:\Program Files (x86) are allowed to run.

           

          Having said that, that global configuration has its own conditions support, so you can have it behave differently for different pools.

          1 person found this helpful
          • 2. Re: Disable Application Blocking
            cbaptiste Enthusiast

            Right. So can I then use the Global Configuration to tell it to only apply to a specific pool or pools.

             

            Example: Horizon Client Property - Property "Pool Name" is equal to "Pool-1"

             

            So then Pool-2 will not have it enabled?

             

            I only really need application blocking for two specific environment out of my 20 plus environments.

            • 3. Re: Disable Application Blocking
              DEMdev Master
              VMware Employees

              Hi cbaptiste,

               

              Correct, by putting pool-specific conditions on the global setting you can control which pools have application blocking enabled (further controlled by specific application blocking config files, if you wish) and which pools don't.

              2 people found this helpful
              • 4. Re: Disable Application Blocking
                cbaptiste Enthusiast

                Last question. Can I use conditions to enable application blocking on specific pools while still being able to block application specific other pools that does not match that condition?

                 

                For example: I want to enable Application Blocking for pool-1 through Global Configuration. So I set condition if pool match Pool-1. But I also want to prevent users from launch notepad.exe on Pool-2. Only notepad. How can I do that? Is that even possible. That's actually my use cases. I didn't realize on those pools where I don't wish to block everything i am however blocking three applications.

                 

                BTW: I never noticed Application Blocking had a condition option. I am glad it was moved on newer versions. I am currently running 9.4.0. There is no condition tab. But it is on the body of the window which is not the typical location for conditions.

                • 5. Re: Disable Application Blocking
                  DEMdev Master
                  VMware Employees

                  Hi cbaptiste,

                  I want to enable Application Blocking for pool-1 through Global Configuration. So I set condition if pool match Pool-1. But I also want to prevent users from launch notepad.exe on Pool-2. Only notepad. How can I do that? Is that even possible.

                  Sure. As you want to have application blocking enabled on both pools, you wouldn't be using conditions on the global configuration, but on the individual config files.

                   

                  For Pool-2 you'd configure a path-based allow for C:\*, and a few path-based blocks for the various notepad.exe's in the Windows folder.

                  • 6. Re: Disable Application Blocking
                    cbaptiste Enthusiast

                    Lol that is what I have currently. I have Global config without any conditions. I create specific policies to allow/prohibit applications. But then I can not find a way to allow all network paths. In one environment I want to manage what is allowed and/or prohibited. In another environment I simply want to block three applications and that is it. The users can launch anything from anywhere other than these three apps. That is my problem. And it doesn't seem like there is a way to do that.

                     

                     

                    If this is not something that is currently possible. Can it be added in future release.

                    • 7. Re: Disable Application Blocking
                      DEMdev Master
                      VMware Employees

                      Ah, I see. No, there's no way right now to configure allow-everything-including-all-network-locations-but-block-these-specific-executables. I'll keep it in mind as a potential future enhancement, thanks!

                      1 person found this helpful
                      • 8. Re: Disable Application Blocking
                        cbaptiste Enthusiast

                        Thank you sir. I believe that would be helpful. I realized I asked the question wrong so I will mark your first answer as right since it does answer the original post