Device policy: Application Control settings
You can use application control for Windows and Linux devices to restrict changes to executables on CylancePROTECT Desktop devices. Only the applications that are present on a device before application control is enabled are allowed to execute. Typically, application control is used for fixed-function devices that are not changed after they are set up (for example, point-of-sale devices). After you enable application control, any attempts to add applications or make changes to existing applications on devices are denied. Applications cannot be downloaded from browsers or copied from another device (for example, an external or shared drive). The main objectives of application control are to deny the execution of executable files from remote or external drives, to deny the creation of new executables on the local drive, and to deny changes to existing files on the local drive.
You can view application control activity in the device details in the management console.
Consider the following before you enable application control:
- If application control is enabled, the CylancePROTECT Desktop and CylanceOPTICS agent update process is disabled on devices that are assigned the policy.
- If application control is enabled, you cannot remove the CylancePROTECT Desktop or CylanceOPTICS agents from devices that are assigned the policy.
- It is not recommended to run CylanceOPTICS on systems that use application control. When application control is enabled, CylanceOPTICS does not function properly due to the restrictive nature of application control.
- To prevent production outages or excessive network activity, application control does not monitor file transfers to remote or external drives.
- On Linux devices:
  - Application control folder exclusions are not supported.
  - When application control is enabled, an inventory of all executable files on the local file system is generated. File execution is restricted to the files in the inventory.
  - Executable files can be added to the device after application control is enabled, but the executables cannot run. Only applications that are in the inventory when application control is enabled are allowed to run.
  - Allowing an update when application control is enabled may cause issues.
Setting | Description |
---|---|
Application control | Enables application control. If you enable application control and save the device policy, the following policy settings are changed automatically (regardless of previous configuration). You can change these settings by editing the device policy, but they are recommended for use with application control. |
Change window | When enabled, application control is turned off, allowing for new applications to be installed or for changes to be made to applications on the device (including agent updates). After performing the necessary changes, turn off this setting to close the change window and enable application control again. When you use this setting to temporarily disable application control, changes such as folder exclusions are retained. If you disable the Application control setting, all settings are reset to the defaults. |
Exclude folders: Add Exclusion | You can specify the absolute path of folders that are exempt from application control (for example, C:\Program Files\Microsoft SQL Server). Application control folder exclusions are supported for Windows devices only. Folder exclusions are available only for local internal drives. Exclusions for removable or remote drives are not supported. |
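The behaviour described above (an inventory taken when application control is enabled, denial of new or modified executables and of execution from remote or external drives, folder exclusions on local drives, and the change window) is modelled in the following added Python example. It is not CylancePROTECT code; the `ExecutableImage` type, the use of a SHA-256 content hash to detect a modified file, and the sample paths are assumptions made to illustrate the semantics.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecutableImage:
    """An executable as seen at execution time (constructed for this model)."""
    path: str             # absolute path, e.g. C:\POS\register.exe
    content: bytes        # constructed file bytes; hashed to detect changes
    remote: bool = False  # True for removable media or network shares


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AppControlModel:
    """Toy model of the enable-time inventory allowlist described on the page.

    Assumption: a file counts as changed when its content hash differs from
    the hash recorded at the moment application control was enabled.
    """

    def __init__(self, exclusions=()):
        # Folder exclusions apply to local drives only (Windows); paths are
        # compared case-insensitively, as Windows does.
        self.exclusions = tuple(e.rstrip("\\").lower() for e in exclusions)
        self.inventory = {}  # lower-cased path -> sha256 recorded at enable time

    def enable(self, present_files):
        """Snapshot every executable present on local drives right now."""
        self.inventory = {f.path.lower(): digest(f.content)
                          for f in present_files if not f.remote}

    def _excluded(self, path: str) -> bool:
        p = path.lower()
        return any(p.startswith(e + "\\") for e in self.exclusions)

    def decide(self, image: ExecutableImage, change_window: bool = False):
        """Return (allowed, reason) for an execution attempt."""
        if change_window:
            return True, "change window open: application control suspended"
        if image.remote:
            return False, "execution from remote or external drive"
        if self._excluded(image.path):
            return True, "path inside an excluded folder"
        recorded = self.inventory.get(image.path.lower())
        if recorded is None:
            return False, "not in inventory"
        if recorded != digest(image.content):
            return False, "inventory file modified"
        return True, "unchanged inventory file"
```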