A rule contains the application(s) to allow or block on a client, while a policy is where the rules are added or created.
Policies are deployed to a target client based on the matching criteria, not on the assigned rules. A client that matches any of the available policies is called a Compliant Target.
Here are some considerations for creating a rule and deploying a policy:
- Identify the type of application to inspect and group the applications to Allow and Block.
  Block Rules should have a larger scope than the Allow Rules.
  Below are some sample rules when inspecting the Web Browser Add-ons:

  Block Rule:
  Block All Web Browser Toolbars and Plugins

  Allow Rules:
  Allow Adobe Flash Player
  Allow Java Runtime Environment
  Allow Microsoft Silverlight

  It is advisable to create one (1) rule per allowed application so that it can easily be reused on other policies that require that specific rule.
- Group the target clients and identify which applications each group is allowed to install.
  For example, both Windows Servers and Workstations can install Adobe Flash Player and Microsoft Silverlight, but only Windows Servers can also install the Java Runtime Environment. However, if the logon user is Server Admin, there should be no restrictions.
  The groups can be similar to the following:

  Allowed Applications on Workstations: Adobe Flash Player and Microsoft Silverlight
  Allowed Applications on Servers: Adobe Flash Player, Microsoft Silverlight, and Java Runtime Environment
  Allowed Applications on Windows w/ Server Admin: Adobe Flash Player, Microsoft Silverlight, and Java Runtime Environment
- Create a policy based on the predefined applications in the rules and the targets.
  - Use the Filter Criteria to assign the Target Clients and Logon User(s).
  - Create the ruleset via the Rules tab.
  - Make sure that the names of the policies denote the target applications and clients.
  From the previous samples, you can create three (3) possible policies similar to the following:

  - Allowed Web Browser Plugins on Windows Servers
    Filter Criteria: Windows 2000/2003/2008/2012
    Rules:
    Allow Adobe Flash Player
    Allow Java Runtime Environment
    Allow Microsoft Silverlight
    Block All Web Browser Toolbars and Plugins
  - Allowed Web Browser Plugins on Windows Workstations
    Filter Criteria: Windows XP/Vista/7/8
    Rules:
    Allow Adobe Flash Player
    Allow Microsoft Silverlight
    Block All Web Browser Toolbars and Plugins
  - Allowed Web Browser Plugins w/ user Server Admin
    Filter Criteria: Server Admin, Windows XP/Vista/7/8/2000/2003/2008/2012
    Rules:
    Allow Adobe Flash Player
    Allow Java Runtime Environment
    Allow Microsoft Silverlight
    Block All Web Browser Toolbars and Plugins
  The ruleset always places the Block Rule below the Allow Rules, because rules are processed in the following order, which ensures that applications with no matching Allow Rule are blocked:

  Allowed > Blocked > Lockdown Mode

  Lockdown Mode prevents new applications from being installed on a client, but the existing applications will still run. In addition, Windows System Applications, including Windows Updates, are allowed by default.
- Arrange the policies by priority.
  A policy with more specific criteria should have a higher priority. On the other hand, a policy with a wider range of targets should have a lower priority.
  In this case, "Allowed Web Browser Plugins w/ user Server Admin" is the most specific of the three policies because of the user Server Admin, and it should be assigned the first priority. The policies can be ordered like this:

  - Priority 1: Allowed Web Browser Plugins w/ user Server Admin
  - Priority 2: Allowed Web Browser Plugins on Windows Workstations
  - Priority 3: Allowed Web Browser Plugins on Windows Servers

  When you have a Deny Policy, make sure that it is assigned the lowest priority. Policies are processed from top to bottom, so the permitted applications are identified first before a client falls under the Blocked Policies.
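The following is an added Python model of the evaluation described above (it is not the product's own code): a client is matched to the first policy whose Filter Criteria fit, in priority order, and that policy's rules are then applied in the order Allowed > Blocked > Lockdown Mode. The OS version strings, the `jdoe` logon user and the `Windows Update` system application name are constructed values for illustration.

```python
from dataclasses import dataclass, field

# Constructed Filter Criteria values and application names taken from the sample policies.
SERVER_OS = {"2000", "2003", "2008", "2012"}
WORKSTATION_OS = {"XP", "Vista", "7", "8"}
ALL_PLUGINS = {"Adobe Flash Player", "Microsoft Silverlight", "Java Runtime Environment"}
WINDOWS_SYSTEM_APPS = {"Windows Update"}  # allowed by default under Lockdown Mode (constructed name)

@dataclass
class Policy:
    name: str
    os_targets: set                                # Filter Criteria: target client OS versions
    logon_users: set = field(default_factory=set)  # Filter Criteria: empty means any logon user
    allow_rules: set = field(default_factory=set)  # one Allow Rule per application
    block_rule: bool = True                        # "Block All Web Browser Toolbars and Plugins"

# The three sample policies, listed in priority order (Priority 1 first).
POLICIES = [
    Policy("Allowed Web Browser Plugins w/ user Server Admin",
           SERVER_OS | WORKSTATION_OS, {"Server Admin"}, ALL_PLUGINS),
    Policy("Allowed Web Browser Plugins on Windows Workstations",
           WORKSTATION_OS, set(), {"Adobe Flash Player", "Microsoft Silverlight"}),
    Policy("Allowed Web Browser Plugins on Windows Servers",
           SERVER_OS, set(), ALL_PLUGINS),
]

def match_policy(policies, os_version, logon_user):
    """Return the highest-priority policy whose Filter Criteria match the client, or None."""
    for policy in policies:
        if os_version in policy.os_targets and (not policy.logon_users or logon_user in policy.logon_users):
            return policy
    return None  # the client is not a Compliant Target of any policy

def decide(policies, os_version, logon_user, application):
    """Evaluate the matched policy's rules in the order Allowed > Blocked > Lockdown Mode."""
    policy = match_policy(policies, os_version, logon_user)
    if policy is None:
        return "no policy"
    if application in policy.allow_rules:
        return "allowed"
    if policy.block_rule:
        return "blocked"
    # No rule matched: Lockdown Mode prevents new installs, except Windows System Applications.
    return "allowed" if application in WINDOWS_SYSTEM_APPS else "lockdown"

if __name__ == "__main__":
    print(decide(POLICIES, "7", "jdoe", "Java Runtime Environment"))          # blocked
    print(decide(POLICIES, "7", "Server Admin", "Java Runtime Environment"))  # allowed
    misordered = POLICIES[1:] + POLICIES[:1]  # Server Admin policy demoted to lowest priority
    print(decide(misordered, "7", "Server Admin", "Java Runtime Environment"))  # blocked
```

The last call shows why priority matters: with the Server Admin policy demoted, the broader Workstation policy matches first and blocks Java for the admin.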