IBM Security MaaS360


Achieving Advanced Application Compliance for Windows 10 with IBM MaaS360 with Watson

By Prasad Balasubramanian posted Tue September 24, 2019 09:19 AM


In the modern enterprise, application distribution is, needless to say, essential. What is even more critical is adequate control over the applications that run on laptops, desktops, and other devices. The last thing you want to hear is that a malicious program ran on a device and is now spreading to other devices in your environment at lightning speed.

Advanced App Compliance available from IBM MaaS360 with Watson is here to reverse those fears, giving you the power to prevent such incidents within your organization.

The Advanced App Compliance feature, released along with new Windows policies in May 2019, helps Infrastructure & Operations (I&O) managers define and efficiently manage & control the apps installed through or outside of MaaS360.

A modernized blacklist & whitelist approach, together with support for universal & traditional apps on Windows desktops/laptops/tablets, forms the core of this capability. Read on to learn the ins and outs of this feature, plus an explanation of why you need to migrate your desktop app compliance rules from the ‘App Compliance’ tab to this new tab.

As the screenshot below shows, the new Advanced App Compliance tab sits directly below Application Compliance under Device settings in the Windows policy.

image_1.jpg

It supports both Universal Apps (.appx, .appxbundle, deployed from the App Store or side-loaded) & traditional desktop apps (MSI, EXE, Scripts).

Universal Apps: Let me explain Universal Apps as shown in the right-side pane. There is an option for blacklisting any native universal apps that are part of the Windows 10 OS (Alarms, Skype App, Windows Photos, Bing News, Windows Sound Recorder, etc.). If you prefer not to enable these apps for your enterprise, simply disable them (Note: disabling native apps might affect the basic functioning of the device).

image_2.jpg

The next section is for managing app compliance rules for other LOB universal apps:

image_3.jpg

Each entry you create is a single blacklist or whitelist keyed to a specific publisher or app. You can create multiple lists for different publishers and apps, which keeps them easy to organize and remember. Specifying only the publisher name ensures that every app by that publisher is included in the list. You can also create multiple exceptions to exclude particular apps from a publisher-level blacklist/whitelist, so that mandatory apps are still installed even though a compliance restriction applies at the publisher level.

image_4.jpg

Desktop Apps: The new capability also supports traditional MSI, EXE and Script apps, which have their own section in the right-side pane. Here you can disable any native desktop apps that ship with the OS. The app compliance section for desktop apps closely resembles the one for universal apps, with a few changes: three new parameters give you fine-grained control, namely App Type and the File Path and File Hash options under Based On.

image_5.jpg


App Type indicates whether the list is for MSI, EXE or Scripts.

Based On can be Publisher, File Path, or File Hash.

File Hash is a new parameter introduced to make the compliance rule harder to break. Matching on File Hash ensures that the rule still applies even if the executable has been renamed, a tactic that many offenders use to escape name-based blacklist rules.
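As an added example (not code from the original post or from IBM MaaS360), this PowerShell script gathers the values an administrator needs for a desktop-app rule (App Type, Publisher, File Path, File Hash) and shows why a renamed executable still matches a File Hash rule but no longer matches a File Path rule. It assumes the rule's hash field accepts SHA-256 and uses placeholder paths you replace with a real binary.

```powershell
# Added example, not MaaS360 product code. Assumption: the File Hash field
# takes SHA-256, which is the Get-FileHash default. Paths below are placeholders.

function Get-AppComplianceRuleValues {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

    # Publisher comes from the Authenticode signer subject; empty if unsigned
    # or if the signature does not validate, in which case a publisher-based
    # rule cannot be relied on and a path or hash rule is the fallback.
    $publisher = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { '' }

    # App Type mirrors the three choices the tab offers: MSI, EXE or Scripts.
    $appType = switch ($file.Extension.ToLowerInvariant()) {
        '.msi'  { 'MSI' }
        '.exe'  { 'EXE' }
        default { 'Scripts' }
    }

    [pscustomobject]@{
        AppType   = $appType
        Publisher = $publisher
        FilePath  = $file.FullName
        FileHash  = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
}

# Placeholder target: replace with the binary you intend to blacklist.
$original = 'C:\Temp\example-tool.exe'
$renamed  = 'C:\Temp\renamed-tool.exe'

$before = Get-AppComplianceRuleValues -Path $original

# Reproduce the evasion the post describes: the blocked EXE is renamed.
Copy-Item -LiteralPath $original -Destination $renamed
$after = Get-AppComplianceRuleValues -Path $renamed

# A File Path rule keyed on the original location stops matching after the
# rename, while the SHA-256 hash is a property of the file's bytes and so a
# File Hash rule keeps matching.
"Path rule still matches: " + ($after.FilePath -eq $before.FilePath)
"Hash rule still matches: " + ($after.FileHash -eq $before.FileHash)

# Values to enter in the Advanced App Compliance rule for this app.
$before | Format-List
```

A hash rule pins one exact build, so every update to the app produces a new hash and the rule must be refreshed; for frequently updated software, pair a File Hash rule with a Publisher rule.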

What distinguishes the Advanced App Compliance and App Compliance sections?

The App Compliance tab had blacklist and whitelist flows for both phones and desktops. As Windows Phone usage is declining following Microsoft's end-of-life (EOL) announcement, we are deprecating the desktop/laptop section under the original App Compliance tab and moving it under the Advanced App Compliance tab. Because Windows Phones will remain supported for some time after the December 2019 EOL date, the original App Compliance tab will be restricted to Silverlight app management.


image_6.jpg

Migrating compliance rules from App Compliance to Advanced App Compliance

Since the deprecation will take effect soon, you should move your existing desktop/laptop blacklists/whitelists from the App Compliance tab to the Advanced App Compliance tab. Here are the high-level steps for moving them:

  • Go to the old App Compliance tab
  • Open Application Compliance for Universal Apps and take a note of the different blacklist and whitelist entries
  • Similarly, take a note of the traditional desktop apps blacklist/whitelist entries
  • Uncheck Configure Restricted Universal Applications (App Blacklist) and Configure Allowed Universal Applications (App Whitelist)
  • Unchecking removes all the desktop/laptop blacklists & whitelists from the App Compliance part of the policy
  • Open the Advanced App Compliance tab
  • Create the same blacklist/whitelist entries for the Universal apps and desktop/laptop apps by entering the publisher name, app name or file path
  • The blacklist/whitelist name is a new parameter, so give each list a meaningful name
  • Feel free to configure File Hash as well, making your app compliance policies harder to evade


Due to this deprecation, keeping desktop app blacklists/whitelists in both the App Compliance and Advanced App Compliance tabs will no longer be permitted (you will receive an error message). For this reason, we suggest that you move and build all your desktop app compliance rules under the Advanced App Compliance tab.

This new app compliance capability makes it easy to keep your organization secure from malware attacks and unwanted apps. MaaS360, a UEM industry leader, will continue to deliver new capabilities that help I&O managers give users the highest flexibility while keeping their devices secure. Try out the new Advanced App Compliance capability today!





#MaaS360