AppLocker is Microsoft's successor to Software Restriction Policies. It requires Windows Server 2008 R2 Active Directory Group Policy to enable and configure, and lets you build whitelists and blacklists that allow or deny executables, installers and scripts.
In my SCCM 2012 environment I have configured App-V 5 packages to be deployed to User Collections that are populated via a query. The query is simply, ‘is the user a member of a particular AD group’. Therefore I can publish, for example, MS Visio 2010 App-V to members of the MS Visio AD user group.
If I'm not a member of the AD group the package will not be published; however, with enough knowledge and access I can publish the package using PowerShell and therefore consume a licence for the application.
AppLocker allows me to restrict access to the App-V package using certain criteria; in this instance I will allow the package to be run only by members of the AD group.
Enable the Application Identity service
AppLocker requires the Application Identity service to be running on devices. If not enabled by default, this can be enabled by GPO.
In a GPO navigate to Computer Configuration\Policies\Windows Settings\System Services and set the Application Identity service to Automatic startup.
Create AppLocker Allow Rule
To configure an AppLocker policy, open the Group Policy Management Console and navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker\Executable Rules.
Right click and choose Create New Rule.
Ensure that the Action is set to Allow and then click Select.
Choose the relevant App-V AD group to allow access to – in this instance the Visio group. Click Ok. Click Next.
At the conditions window choose Path. This will allow you to choose a folder path to where the App-V package resides on the device. Click Next.
All App-V packages are installed by default to the C:\ProgramData\App-V folder. Below this folder the hierarchy is \PackageID\VersionID.
To determine the PackageID and VersionID for a package, open PowerShell on a device where the package resides and run the command Get-AppvClientPackage.
How the path is then entered in to the rule depends on how granular you want to be with your AppLocker rule.
App-V packages retain the same PackageID when updated, but the VersionID changes. You may decide to allow MS Visio, including all its version changes, to all Visio users. If so, enter the path to allow as C:\ProgramData\App-V\PackageID\*.
You may instead be publishing different versions of the same package to specific users, again controlled by AD group. In that case you would need to allow the path C:\ProgramData\App-V\PackageID\VersionID\* and create separate rules per AD group/VersionID.
At the Path window click Browse Folders.
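As an added example that is not part of the original post, the following PowerShell builds both forms of the path condition (per package and per version) from Get-AppvClientPackage output, so the GUIDs do not have to be copied by hand from the console. It assumes PowerShell 3.0 or later and that the App-V 5 client cmdlets are available on the device; when they are not, it falls back to a constructed sample package (the Visio PackageID quoted in this post with a placeholder VersionID) so the function can still be exercised. The function name Get-AppVAppLockerPath is my own, not an App-V or AppLocker cmdlet.

```powershell
# Added example (not from the original post): derive AppLocker path conditions
# for App-V 5 packages from Get-AppvClientPackage output.
# Assumption: the App-V 5 client PowerShell module is present; otherwise a
# constructed sample package is used so the function can still be exercised.

function Get-AppVAppLockerPath {
    param(
        [Parameter(Mandatory = $true)] $Package,   # object exposing PackageId and VersionId
        [ValidateSet('Package', 'Version')] [string] $Granularity = 'Package'
    )
    # App-V 5 stores packages below %ProgramData%\App-V\<PackageId>\<VersionId>
    $root = Join-Path $env:ProgramData 'App-V'
    switch ($Granularity) {
        # One rule per package: survives in-place updates, which keep the PackageId
        'Package' { "$root\$($Package.PackageId)\*" }
        # One rule per package version: needed when different AD groups get different versions
        'Version' { "$root\$($Package.PackageId)\$($Package.VersionId)\*" }
    }
}

# Collect packages from the client if the cmdlet exists; otherwise use a constructed sample.
if (Get-Command Get-AppvClientPackage -ErrorAction SilentlyContinue) {
    $packages = Get-AppvClientPackage -All
} else {
    $packages = @([pscustomobject]@{
        Name      = 'MS Visio 2010 (constructed sample)'
        PackageId = [guid]'a7258538-b18f-4b52-bffa-7f0c9f50f9fd'   # PackageID quoted in the post
        VersionId = [guid]'00000000-0000-0000-0000-000000000000'   # placeholder, not a real VersionID
    })
}

# Emit a table of rule paths and whether each version folder is already present on this device.
$packages | ForEach-Object {
    $versionPath = Get-AppVAppLockerPath -Package $_ -Granularity Version
    [pscustomobject]@{
        Name        = $_.Name
        PackageRule = Get-AppVAppLockerPath -Package $_ -Granularity Package
        VersionRule = $versionPath
        FolderFound = Test-Path ($versionPath.TrimEnd('*'))
    }
} | Format-Table -AutoSize -Wrap
```

The PackageRule column is what you paste into the Path condition when one rule per package is enough; the VersionRule column is the value for the per-version rules. Note that when you create the rule in the GUI, AppLocker stores the path using its own %OSDRIVE% variable rather than a literal C:\, so an exported policy will show %OSDRIVE%\ProgramData\App-V\... for the same rule.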
Drill down to the App-V folder for your package. In the PowerShell screenshot above the PackageID for Visio is a7258538-b18f-4b52-bffa-7f0c9f50f9fd, therefore the full path to allow is C:\ProgramData\App-V\PackageID\a7258538-b18f-4b52-bffa-7f0c9f50f9fd. Click Ok.
In this instance no Exceptions are required (for an understanding of an exception see here). Click Next.
Enter a name for the rule and click Create.
The new rule will appear in the AppLocker policy.
Note that if this is the first time you are creating an AppLocker rule you will be prompted to create the default rule set. You should click ‘Yes’ to this.
This will allow .exe files to be run for Everyone under %PROGRAMFILES%\* (Program Files and Program Files (x86)) and under %WINDIR%\*, the Windows directory.
Testing the Rules
For anyone who is not allowed access to the application, the following error will appear on the desktop.
Users allowed the application will be able to launch as normal.
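To check the result without waiting for a user to report the pop-up, here is an added PowerShell example (mine, not from the original post) that verifies the three things the rule depends on from the client side: that the Application Identity service is running, what the effective AppLocker policy decides for a given user on every .exe in the package folder, and what the AppLocker event log has recorded. It assumes it is run elevated on a device that has received the GPO; $VisioFolder is the PackageID folder from this post and $TestUser is a placeholder for the account you want to evaluate.

```powershell
# Added example (not from the original post): verify an AppLocker App-V rule from the client.
# Assumptions: run elevated on a device that received the GPO; $TestUser is a placeholder.
Import-Module AppLocker

$VisioFolder = 'C:\ProgramData\App-V\a7258538-b18f-4b52-bffa-7f0c9f50f9fd'   # PackageID folder from the post
$TestUser    = 'DOMAIN\someuser'                                             # placeholder account to evaluate

# 1. AppLocker enforces nothing unless the Application Identity service (AppIDSvc) is running.
$svc = Get-WmiObject Win32_Service -Filter "Name='AppIDSvc'"
"AppIDSvc state: $($svc.State), start mode: $($svc.StartMode)"
if ($svc.State -ne 'Running') { Write-Warning 'AppIDSvc is not running; AppLocker rules will not be enforced.' }

# 2. Export the effective (merged) policy and evaluate every .exe in the package folder for the user.
$policyFile = Join-Path $env:TEMP 'applocker-effective.xml'
Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath $policyFile -Encoding Unicode

if (Test-Path $VisioFolder) {
    Get-ChildItem -Path $VisioFolder -Recurse -Filter '*.exe' |
        ForEach-Object { $_.FullName } |
        Test-AppLockerPolicy -XmlPolicy $policyFile -User $TestUser |
        Select-Object FilePath, PolicyDecision, MatchingRule |
        Format-Table -AutoSize -Wrap
} else {
    Write-Warning "Package folder $VisioFolder not found on this device (package not added yet?)."
}

# 3. Recent AppLocker decisions: 8004 = blocked (enforce), 8003 = would be blocked (audit only), 8002 = allowed.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8002, 8003, 8004
} -MaxEvents 20 -ErrorAction SilentlyContinue

$events | Select-Object TimeCreated, Id,
    @{ Name = 'User';    Expression = { $_.UserId } },
    @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Run it once with $TestUser set to a member of the Visio AD group and once with a non-member: the PolicyDecision column should read Allowed with the new rule as the MatchingRule for the member, and Denied (or DeniedByDefault, when no rule matches at all) for the non-member. The 8004 events in the third section are the server-side trace of the desktop error shown above, so they are what to alert on if you want to see denied launches without a user telling you.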