Creating a Custom Blocked Application
The steps below outline how to configure Application Blocking.
Important: This only applies if you are going to block applications on every device in your system or use different configurations for your groups. If you anticipate needing to separate systems and block applications only on some devices or need to block different applications for different groups, please skip to “Blocking Applications Using Custom Groups.”
- Click on Tools | Security and Compliance | Patch and Compliance
- Change the type to Blocked Applications
- Under Blocked Applications (All items) right-click the Block folder and select Add File.
- Enter the file name that you would like to block, enter a Title, and enter any other desired information in the other sections.
Important: Blocked applications will block any executable with the name you enter. Creating a file with the name "setup.exe" with the intent of blocking a specific install will block any install that uses the name "setup.exe".
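Because blocking is keyed on the file name alone, it is worth checking a proposed block list against an inventory of executables before adding it. The following is an added example, not part of the original article or of the product: the inventory rows, device names and function names are constructed for illustration, and case-insensitive name matching is an assumption.

```python
from pathlib import PureWindowsPath

# Constructed sample inventory: (device, full path, product). Not real data.
INVENTORY = [
    ("PC-001", r"C:\Installers\GameX\setup.exe", "GameX"),
    ("PC-001", r"C:\Deploy\OfficeSuite\Setup.EXE", "OfficeSuite"),
    ("PC-002", r"D:\Drivers\Printer\setup.exe", "Printer driver"),
    ("PC-002", r"C:\Program Files\Windows Media Player\wmplayer.exe",
     "Windows Media Player"),
    ("PC-003", r"C:\Tools\gamex_launcher.exe", "GameX"),
]


def block_impact(block_names, inventory):
    """Map each proposed blocked file name to the products and devices it hits.

    Matching uses the file name only and ignores the directory, which is the
    behaviour the note above describes. Case-insensitive comparison is an
    assumption made for this example.
    """
    wanted = {name.lower() for name in block_names}
    impact = {name: {"products": set(), "devices": set()} for name in wanted}
    for device, path, product in inventory:
        file_name = PureWindowsPath(path).name.lower()
        if file_name in wanted:
            impact[file_name]["products"].add(product)
            impact[file_name]["devices"].add(device)
    return impact


def overbroad(block_names, inventory):
    """Return names that match more than one product (collateral blocking)."""
    impact = block_impact(block_names, inventory)
    return sorted(n for n, hit in impact.items() if len(hit["products"]) > 1)


if __name__ == "__main__":
    proposed = ["setup.exe", "wmplayer.exe"]
    for name, hit in sorted(block_impact(proposed, INVENTORY).items()):
        print(f"{name}: products={sorted(hit['products'])} "
              f"devices={sorted(hit['devices'])}")
    print("Too generic to block by name:", overbroad(proposed, INVENTORY))
```

A name reported by `overbroad` would stop unrelated installers or tools as well as the intended one.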
Ensure that the Vulnerability Scanner includes the Blocked Applications type
Make sure that the Distribution and Patch Settings have the Blocked Applications definition type selected.
- Open the Security and Compliance tool group
- Select the Agent Settings tool
- Double-click the Distribution and Patch setting that you would like to edit.
- Under Patch-Only settings and Scan Options ensure that under Type you have the check mark next to Blocked Applications checked.
This will cause the Security and Compliance scanner to include Blocked Applications in the type of content that it will scan for.
Blocking applications using Custom Groups
There are times when blocking the application for everyone in your environment may not be desired. For example, some Administrators choose to block Windows Media Player from the majority of their production users but choose to allow other employees in the company to have access to the Windows Media Player. The steps below will outline the process of blocking an application or group of applications for a particular client computer or group of computers, but still allow the other devices in the network to run those same applications without having to change the agent configuration.
- Click on Tools | Security and Compliance | Patch and Compliance
- Change the type to Blocked Applications
- Create the applications you need to be blocked, or use the pre-defined list that comes down in LANDESK Content when downloading definitions in the Windows | Security | Applications to Block group within the Download Updates tool.
Create and populate Custom Group(s)
- Within the left-hand pane of the Patch and Compliance tool, expand the tree to show Groups | Custom Groups | My Custom Groups or Public Custom Groups
- Right-click My Custom Groups or Public Custom Groups and select New Group
- Give the new group a descriptive name and press Enter
- At this point, you can create sub-folders under this newly created group. Reasons for this may vary. One reason may be that you want to set the Distribution and Patch settings for distinct folders of Blocked Applications restrictions.
- Locate the applications that you wish to block in the Block folder under Blocked Applications (All Items) at the top of the left-hand pane.
If the application you are trying to block is not in the Block folder it will not be blocked. The application may exist in the Do Not Block or Unassigned folder. If the application does exist in one of those folders, drag it to the Block folder in order for it to be blocked. If the application does not exist in any of the folders you can right-click the Block folder and select the Add File option.
Configure Distribution and Patch Settings to include the Blocked Applications type and focus on your custom group
If necessary, you can create a new Distribution and Patch setting that includes scanning for and enforcing the Blocked Applications type.
- Open the Security and Compliance tool group
- Select the Agent Settings tool
- Under My Agent Settings or Public Agent Settings right-click the Distribution and Patch setting group and select New.
- Under Patch-Only settings and Scan Options ensure that under Type you have the check mark next to Blocked Applications checked.
- Then you can select either All Blocked Apps or Only Apps in Group and browse to your custom group.
This will cause the Security and Compliance scanner to include Blocked Applications in the type of content that it will scan for and in the group you have created.
Unblocking an Application Using Custom Groups
Once a scan has been run on a client to block an application, that application will continue to be blocked until another scan is run on the client that does not have that application listed as an application that should be blocked. This applies to a scheduled push or a policy. If the task was scheduled as a push you will have to reschedule the task after you have removed the definition from the group folder or the blocked folder. If the task was scheduled as a policy and you want to stop blocking the application for everyone in that group simply remove the definition and the next time the policy syncs it will not be blocked. Deleting the policy will still leave the applications blocked.
Scheduling the Security Scan to Block Applications
- Go back to Patch and Compliance and click on the Create task (Calendar with clock) icon and select Security scan from the drop-down menu.
- Select the option to Create a scheduled task.
- Give the task an appropriate name.
- Under the Agent Settings section in the left-hand pane, select the Distribution and Patch setting you just created.
- Select any other options you wish to select in these dialogs.
- Click Save to save the task. At this point, the Scheduled Tasks tool will open.
- Locate the devices that you wish to block the application on and drag them to the task.
- Start the task.
Helpful Tip: Create a query for the group of computers you would like to have the application blocked for and schedule it as a policy. As you add computers they will get the blocked apps and when you add apps they will get updated on the next policy sync. Also if your target machine already has blocked applications and you set it to scan against a different set, the new set will remove all of the old settings.