AppLocker is Microsoft’s latest release of Software Restriction Policies.  It requires Server 2008 R2 Active Directory policies to enable and configure and allows you to configure white and black lists to allow/disallow executables, installers and scripts.

In my SCCM 2012 environment I have configured App-V 5 packages to be deployed to User Collections that are populated via a query. The query is simply, ‘is the user a member of a particular AD group’. Therefore I can publish, for example,  MS Visio 2010 App-V to members of the MS Visio AD user group.

If I’m not a member of the AD group the package will not be published, however, with enough knowledge and access I can publish the package using PowerShell and therefore consume a licence for the application.

AppLocker allows me to restrict the access to the App-V package using certain criteria, in this instance I will allow the package to be run only by members of the AD group.

Enable the Application Identity service

AppLocker requires the Application Identity service to be running on devices. If not enabled by default, this can be enabled by GPO.

In a GPO navigate to Computer Configuration\Policies\Windows Settings\System Services and set the Application Identity server to Automatic startup.

AppLock01

Create AppLocker Allow Rule

To configure an AppLocker policy, open the Group Policy Management Console, navigate to Computer Configuration\ Policies\Windows Settings\Security Settings \Application Control Policies\AppLocker\Executable Rules

Right click and choose Create New Rule.

AppLock02

Click Next.

AppLock03

Ensure that the Action is set to Allow and then click Select.

AppLock04

Choose the relevant App-V AD group to allow access to – in this instance the Visio group. Click Ok. Click Next.

AppLock05

At the conditions window choose Path. This will allow you to choose a folder path to where the App-V package resides on the device. Click Next.

AppLock06

All App-V packages by default to the C:\ProgramData\App-V folder. Below this folder the hierarchy is\PackageID\VersionID.

To determine the PackageID\VersionID for a package, load up Powershell on a device where the package resides and type in the command Get-AppvClientPackage.

AppLock07

How the path is then entered in to the rule depends on how granular you want to be with your AppLocker rule.

App-V packages when updated retain the same PackageID, however the VersionID changes. You may decide that you will allow MS Visio and all its version changes to all Visio users. If this is the case then you can enter the path to allow as C:\ProgramData\App-V\PackageID\*.

You may be publishing different versions of the same package to specific users, again controlled by AD group, therefore you would need to allow the path C:\ProgramData\App-V\PackageID\VersionID\* and create seperate rules per AD group/Version ID.

At the Path window click Browse Folders

AppLock08

Drill down to the App-V folder for your package. In the PowerShell screenshot above the PackageID for Visio is a7258538-b18f-4b52-bffa-7f0c9f50f9fd, therefore the full path to allow is C:\ProgramData\App-V\PackageID\a7258538-b18f-4b52-bffa-7f0c9f50f9fd. Click Ok.

AppLock09

Click Next.

AppLock10

In this instance no Exceptions are required (for an understanding of an exception see here). Click Next.

AppLock11

Enter a name for the rule and click Create.

AppLock12

The new rule will appear in the AppLocker policy.

AppLock13

Note that if this is the first time you are creating an AppLocker rule you will be prompted to create the default rule set. You should click ‘Yes’ to this.

This will allow .exe files to be run for Everyone under the %PROGRAMFILES%\* folders (Program Files and Program Files (x86)) and anything under %WINDIR%\* – the Windows directory.

AppLock14

Testing the Rules

For anyone who is not allowed access to the application the following error will appear on the desktop.

AppLock15

Users allowed the application will be able to launch as normal.

AppLock16

 

 

 

Advertisements