Creating Dynamically Updated Allowed Application Rules

You can configure Endpoint Application Control rules and policies to dynamically update "Allowed application" lists based on the applications installed to a test endpoint maintained by your Endpoint Application Control administrator or IT department.

You can authorize IT administrators to intentionally install new applications on a test endpoint that trigger the "Block" action. Through use of the automatically added tags, the IT administrator can then create an "Allow" rule using the Known and dynamic search filter that searches for the policy-action and action-block tags. The agent dynamically updates the "Allow" list and allows all applications with the applied tags.

  1. Prepare a test endpoint on which you want to install applications that you want to allow users to install or execute.
  2. Install the Endpoint Application Control agent on the test endpoint.
  3. Go to Management > Rules.

    The Management > Rules screen appears.

  4. Click Add Rule and select Lockdown.
  5. Type a Name for the rule.
  6. Beside Log-only mode, select Enabled – Allow matched application file access or start and log as allow (exclude list) or block (lockdown) in policy actions with "log-only" tag applied.
  7. Click Save.
  8. Go to Management > Policies.

    The Management > Policies screen appears.

  9. Click Add Policy and select New.
  10. Type a Name for the policy.
  11. In the Users and Endpoints filter criteria, specify the test endpoint.

    For example, select IP address from the drop-down and then type the IP address of the test endpoint.

  12. Click the Rules section.
  13. Click Assign Rule and select the Lockdown rule you just created.
  14. Click the Logging section.
  15. Select the Enable "Policy action" log transfer to monitor applications with the Block action option in the Logging section of the policy screen.
  16. Click Save.
  17. Install a new "Allowed" application on the test endpoint.

    Because the new application is not in the "Allowed applications" list, Endpoint Application Control tags the application with the policy-action and action-block tags.

  18. Go to Management > Rules.

    The Management > Rules screen appears.

  19. Click Add Rule and select Allow.
  20. Type a Name for the rule.
  21. In the Allowed applications section, select to Match using: Known and dynamic search.
  22. Select to Include matches from: Policy Actions.
  23. Add both the action-block "AND" policy-action tags to the filter criteria.
  24. Click Save.
  25. Go to Management > Policies.

    The Management > Policies screen appears.

  26. Click Add Policy and select New.
  27. Type a Name for the policy.
  28. In the Users and Endpoints filter criteria, specify the endpoints to which the dynamic allowed applications list should apply.
  29. Click the Rules section.
  30. Click Assign Rule and select the Allow rule you just created.
  31. Click Save.

    Every time you install a new application on the test endpoint using the Enable "Policy action" log transfer to monitor applications with the Block action option, all endpoints dynamically update the allowed application list with the newly-installed application the next time the agent receives updated policy settings.

Parent topic: About Rules and Policies