Application Manager Installation and Upgrade Guide Version 8 FR6
AppSense Limited, 2012. All rights reserved.

No part of this document may be produced in any form (including photocopying or storing it in any medium) for any purposes without the written permission of AppSense Limited, except in accordance with applicable law. Furthermore, no part of this document may be sold, licensed or distributed. The doing of an unauthorized act in relation to a copyright work may result in both a civil claim for damages and criminal prosecution.

The information contained in this document is believed to be accurate at the time of printing and may be subject to change without notice. Any reference to a manufacturer or product does not constitute an endorsement of, or representation or warranty (whether express, implied or statutory) in respect of, the manufacturer or product or the use of the product with any AppSense software.

This document does not grant any right or license to you in respect of any patents, patent applications, trademarks, copyrights, or other intellectual property rights in or relating to the subject matter of this document. Where relevant, any AppSense software provided pursuant to or otherwise related to this document shall only be licensed to you on and subject to the end user license agreement which shall be displayed and which you shall be required to accept prior to accessing or using the software.

AppSense is a registered trademark of AppSense Holdings Limited or its affiliated companies in the United Kingdom, the United States and/or other countries. Microsoft, Windows and SQL Server are all registered trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual products and companies mentioned in this document may be the trademarks of their respective owners.
CONTENTS

Welcome
  About This Document
  Terms and Conventions
  Feedback

Section 1 Introduction
  Product Overview
  Key Benefits
  Feature Summary

Section 2 Installation
  Prerequisites
  Supported Languages
  Supported Operating Systems and Technologies
  Required Utilities and Components
  Installed Components
  Installing AppSense Application Manager
  AppSense DesktopNow Installer
  Enterprise Installation
  Standalone Installation
  Manual Installation
  Licensing
  Uninstallation

Section 3 Upgrading
  Upgrade Application Manager
  Configuration Upgrade
  Upgrading Configuration Functionality
  Upgrades and Process Rules
  Upgrades and Group Management

Section 4 Configuration
  Post Installation Checklist
  Console
  Configuration
  Agent
  Analysis Service

Section 5 Patching
  Patching Introduction
  Patch Distribution
  Patching Terminology
  Installing Patches
  Installing a Patch Using the Management Center
  Installing and Uninstalling a Patch Using the Command Line
  Rolling-back Patches

Appendixes
  Appendix A Licenses
  Apache License
  Appendix B Product Version Naming
  Version Naming
  Support for Releases

Glossary
WELCOME

In this Section:
- About This Document
- Terms and Conventions
- Feedback
ABOUT THIS DOCUMENT

This Installation and Upgrade Guide shows how to install and set up the components of AppSense Application Manager. The guide also provides details on upgrading from previous versions of AppSense Application Manager.

TERMS AND CONVENTIONS

The following table shows the textual and formatting conventions used in this document:

Convention: Use

Bold: Highlights items you can select in Windows and the product interface, including nodes, menu items, dialogs and features.
Code: Used for scripting samples and code strings.
Italic: Highlights values you can enter in console text boxes and titles for other guides and Helps in the documentation set.
Green + underlined: Indicates a glossary link.
>: Indicates the path of a menu option. For example, "Select File > Open" means "click the File menu, and then click Open."
Information tables: Highlight important points of the main text or provide supplementary information, additional techniques and help for users. Also used to provide links to further information which includes more detail about the topic, either in the current document or related sources.
Caution/Warning: Provides critical information relating to specific tasks or indicates important considerations or risks.

FEEDBACK

The AppSense Documentation team aims to provide accurate and high quality documentation to assist you in the installation, configuration and ongoing operation of AppSense products. We are constantly striving to improve the documentation content and value any contribution you wish to make based on your experiences with AppSense products. Please email any comments to: documentation.feedback@appsense.com
1 Introduction

In this Section:
- Product Overview
- Key Benefits
- Feature Summary
PRODUCT OVERVIEW

AppSense Application Manager gives you control over the user environment, whether it is delivered through server-based computing or a virtual or physical desktop. It allows you to make sure users only receive the applications they require.

Protective measures, such as automatically blocking the execution of all unauthorized applications, are provided, eliminating the threat of a user introducing, either intentionally or unintentionally, an executable file to the network. Granular control is given so that you can decide, at user level, who has the authority to run specific applications.

Application Manager is part of a closely integrated system of management components and can be centrally configured and deployed to desktops, servers and Terminal Servers throughout the enterprise using the AppSense Management Center.

For more information on the Management Center, see the AppSense Management Center Product Guide.
AppSense Application Manager consists of the following components:
- Console
- Configuration
- Agent
- Analysis Service

KEY BENEFITS

The key benefits of using AppSense Application Manager are as follows:
- Protect against malicious code.
- Selectively elevate or restrict administrative rights to access or run specific applications or access system settings.
- Protect out of the box against all unauthorized application usage.
- Manage processes at a granular level to control application access to child processes.
- Stop unauthorized device license usage.
- Apply time restrictions on when applications can or cannot be run.
- Control outbound network access at the process level.
- Control network access based on location.

FEATURE SUMMARY

Application Manager provides the following key features for application control:

Group Management

Group Management is a library for compiling reusable groups of files, folders, drives, signatures and network connections which can be associated with rules in the configuration. For example, these groups can be used to manage the licenses for a software suite by compiling all the necessary elements and components into a single group and allowing or restricting access to certain rules.

User Rights Management

User Rights Management allows you to create reusable user rights policies which can be associated with any rules and can elevate or restrict access to files, folders, signatures, application groups and Control Panel components. A more granular level of control allows you to assign specific privileges for debugging or installing software, or to set integrity levels for managing interoperability between different products, such as Microsoft Outlook and Microsoft Word.
The Web Installation feature of User Rights Management allows the elevation to administrative rights for ActiveX installers from a particular domain.

Self-Elevation allows an administrator to specify which applications can be self-elevated, that is, run with administrative rights, to enhance a standard user's ability to perform their role.
Allowing a user to have administrative rights provides them with access to all files, including important system files, and the ability to, for example, delete or rename them. These actions can compromise a system. The Secure Common Dialogs feature prohibits users from manipulating files. The dialog boxes still open and provide access to files, but the files cannot be deleted or renamed.

Application Manager does not restrict access to areas that a user ordinarily has access to.

Trusted Ownership

By default, only application files owned by an administrator or the local System are allowed to execute. Trusted Ownership is determined by reading the NTFS permissions of each file which attempts to run. Application Manager automatically blocks any file where ownership cannot be established, such as files located on non-NTFS drives, removable storage devices, or network locations. These files can optionally be allowed to run either by specifying them as Accessible Items or by configuring a Self-Authorizing User rule. The Trusted Owner list can be configured to suit each environment.

User, Group, Device and Custom Rules

Extend application accessibility by applying rules based on username, group membership, computer or connecting device, and combinations of these. Accessible and Prohibited Items, Trusted Vendors and User Rights can be specified in each rule, and are applied to a user session based on the environment in which the user operates.

Scripted Rules

Scripted Rules allow administrators to apply Accessible Items, Prohibited Items, Trusted Vendors and User Rights Management policies based on the outcome of a Windows PowerShell or VBScript. Scripts can be run for each individual user session or run once per computer.
Trusted Vendors

Allow authentic applications to run which have digital certificates signed by trusted sources, and which are otherwise prohibited by Trusted Ownership checking. Define a list of Trusted Vendor certificates for each User, Group, Device, Custom, Scripted and Process rule in the configuration.

Process Rules

Process rules allow you to manage access for an application to run child processes which might otherwise be managed differently in other rules. You can add Accessible Items, Prohibited Items, Trusted Vendors and User Rights to the rule.

Application Termination

Application Termination allows you to control triggers, behavior and warning messages for terminating applications on managed computers. You can also control the manner in which applications are terminated and how the user is notified.
URL Redirection

URL Redirection is set up using the URL Redirection dialog accessed from the General Features ribbon. It provides the functionality to automatically redirect a user when they attempt to access a sensitive URL from an unsecured location.

Network Connections

Block access to certain applications accessed via IP, UNC or host name. Application Manager has the ability to manage access based on the location of the requester, for example if they are connecting via VPN or directly to the network.

Digital Signatures

SHA-1 signature checks may be applied to any number of application control rules, providing enhanced security where NTFS permissions are weak or non-existent, or for applications on non-NTFS formatted drives. A digital signature wizard allows easy creation and maintenance of large digital signature lists.

Endpoint Analysis

Allows an administrator to browse to any endpoint and retrieve a list of applications that have been installed on that endpoint. Search for any executable files and add them to the configuration. Application Manager records which applications are started and by whom. The recording of data is started and stopped by the administrator.

Endpoint Analysis is on demand and inactive by default.

Auditing

Events are raised by Application Manager according to the default Event Filtering configuration and audited directly to a local file log or the Windows Event Log.

For more information on Events, see the AppSense Application Manager Product Guide and the AppSense Management Center Product Guide.

Windows Scripting Host Validation

The default configuration in Application Manager validates all Windows Scripting Host (WSH) scripts, such as VBS or PowerShell, against configuration rules. This ensures that users can only invoke authorized scripts, eliminating the risk of introducing WSH scripts that contain viruses or malicious code.
The Validation settings can be disabled in the Options dialog available from the General Features ribbon, along with validation of cmd.exe, self-extracting zip files, registry files and Windows installer (MSI) files.
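
The Trusted Ownership, Trusted Vendors and Digital Signatures features described above each evaluate a different property of a file: its NTFS owner, its signing certificate and its SHA-1 hash. The following PowerShell audit is an added example, not AppSense code or part of the original guide; it reports those three properties for the files under a folder so that untrusted-owner files can be reviewed before a configuration is deployed. The trusted owner names, the extension list and the category labels are assumptions made for the example.

```powershell
# Added example (not AppSense code): report the properties that Trusted Ownership,
# Trusted Vendors and Digital Signatures rules are based on for files in a folder.
param(
    [string]$Path = 'C:\Program Files',
    # Assumption: stand-ins for "an administrator or the local System";
    # replace with the Trusted Owner list from your own configuration.
    [string[]]$TrustedOwners = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'),
    # Assumption: file types worth reviewing for this example.
    [string[]]$Extensions = @('.exe', '.dll', '.msi', '.vbs', '.ps1', '.cmd', '.bat')
)

function Get-VolumeInfo {
    # Ownership cannot be established on non-NTFS, removable or network
    # locations, so record what kind of volume the folder lives on.
    param([string]$Root)
    $full = [System.IO.Path]::GetFullPath($Root)
    if ($full.StartsWith('\\')) {
        return [pscustomobject]@{ Kind = 'Network'; Format = $null }
    }
    $drive = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($full))
    [pscustomobject]@{ Kind = $drive.DriveType.ToString(); Format = $drive.DriveFormat }
}

function Get-ExecutionTrustReport {
    param([string]$Root, [string[]]$Owners, [string[]]$Ext)

    $volume = Get-VolumeInfo -Root $Root
    $ownershipUsable = ($volume.Kind -eq 'Fixed') -and ($volume.Format -eq 'NTFS')

    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Ext -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $file = $_.FullName

            # NTFS owner, as used by Trusted Ownership checking.
            $owner = $null
            try { $owner = (Get-Acl -LiteralPath $file -ErrorAction Stop).Owner } catch { }
            $ownerTrusted = [bool]($ownershipUsable -and $owner -and ($Owners -contains $owner))

            # Signing certificate, as used by Trusted Vendors.
            $sig = Get-AuthenticodeSignature -LiteralPath $file -ErrorAction SilentlyContinue
            $signed = [bool]($sig -and ($sig.Status -eq 'Valid'))
            $signer = if ($signed) { $sig.SignerCertificate.Subject } else { $null }

            # SHA-1 hash, as used by Digital Signatures rules.
            $sha1 = $null
            try {
                $sha1 = (Get-FileHash -LiteralPath $file -Algorithm SHA1 -ErrorAction Stop).Hash
            } catch { }

            # Example-only labels for sorting the review list.
            $category = if ($ownerTrusted) {
                'OwnerTrusted'
            } elseif ($signed) {
                'SignedOnly'      # review as a possible Trusted Vendors entry
            } else {
                'Neither'         # review as an Accessible Item or Digital Signature
            }

            [pscustomobject]@{
                Category = $category
                Owner    = $owner
                Signer   = $signer
                Sha1     = $sha1
                Volume   = "$($volume.Kind)/$($volume.Format)"
                Path     = $file
            }
        }
}

# Show only the files that would not be covered by the supplied owner list.
Get-ExecutionTrustReport -Root $Path -Owners $TrustedOwners -Ext $Extensions |
    Where-Object { $_.Category -ne 'OwnerTrusted' } |
    Sort-Object Category, Path |
    Format-Table -AutoSize Category, Owner, Signer, Sha1, Path
```

Files reported as Neither on a removable or network volume are the ones the guide says are blocked by default unless they are explicitly made accessible.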
Rights Discovery Mode

Allows administrators to monitor what users are running and identifies the applications and tasks that use administrative rights. All the data collected by the Analysis Service is stored on the Analysis Server. The Analysis Server is the machine that the Analysis Service is installed on.

Once a scan has completed, details of the applications that have used administrative rights can be viewed in the Rights Discovery Results work areas, accessed from the Rights Discovery Results navigation button.

For more information on Rights Discovery, see the AppSense Application Manager Product Guide.

Enable and Disable Functionality Settings

Enable and disable certain features in Application Manager either when not in use or when troubleshooting issues in your configuration. The functionality which you can manage in this way includes:
- Application Access Control
- Application Network Access Control
- User Rights Management

Functionality settings are all enabled by default. It is recommended to disable any functionality which you do not use in your configuration.

Patching Application Manager Using the AppSense Management Center

Products in AppSense DesktopNow can be patched using a Windows Installer patch (MSP file). A patch is an MSP file which, when installed, updates files and registry keys on an existing MSI.

For more information, see Patching Introduction.
2 Installation

In this Section:
- Prerequisites
- Installing AppSense Application Manager
- Licensing
- Uninstallation
PREREQUISITES

This section provides details on the System Requirements for AppSense Application Manager.

Supported Languages
- English
- German

Supported Operating Systems and Technologies

The Supported Operating Systems and Technologies are detailed in the compatibility matrix available on myappsense. Select Software > Application Manager > Compatibility Matrix

Required Utilities and Components

Console
- Windows Server 2008 R2 (Standard and Enterprise), optional: Service Packs
- Windows Server 2008 (Standard and Enterprise), optional: Service Packs
- Windows Server 2003 R2 (Standard and Enterprise), optional: Service Packs
- Windows Server 2003 (Standard and Enterprise), SP1 minimum
- Windows 7 (Professional, Ultimate and Enterprise), optional: Service Packs
- Windows Vista (Business, Ultimate and Enterprise), optional: Service Packs
- Windows XP Professional, SP2 minimum

Agent
- Windows Server 2008 R2 (Standard and Enterprise), optional: Service Packs
- Windows Server 2008 (Standard and Enterprise), optional: Service Packs
- Windows Server 2003 R2 (Standard and Enterprise), optional: Service Packs
- Windows Server 2003 (Standard and Enterprise), SP1 minimum
- Windows 7 (Professional, Ultimate and Enterprise), optional: Service Packs
- Windows Vista (Business, Ultimate and Enterprise), optional: Service Packs
- Windows XP Professional, SP2 minimum
Installed Components

The following components are installed as part of the AppSense DesktopNow Installer:
- Windows Installer 3.1 Redistributable (v2)
- Microsoft Core XML Services (MSXML) 6.0
- Microsoft .NET Framework 4.0 Full
  When the Microsoft .NET 4.0 Framework is installed and is running on the same machine as the Agent, the user installing it must be a member of your Trusted Owners group.
- Microsoft .NET Framework 3.5 SP1 Redistributable Package
- Microsoft Visual C++ 2010 SP1 Redistributable package (x86) and (x64). Note that for Application Manager x64 both the x86 and x64 Redistributable packages are required.

INSTALLING APPSENSE APPLICATION MANAGER

Application Manager components can be installed using either the AppSense DesktopNow Installer or manually. Application Manager can be installed with the Management Center to create integrated enterprise scale solutions or installed as a standalone product aimed at evaluations.

The AppSense DesktopNow Installer provides a comprehensive process for installing any combination of AppSense products in a single, fully integrated sequence. The installer performs a complete check for system prerequisites and provides you with the option of installing required technologies automatically.

Alternatively, you can install each of the product components manually, by running the product installer packages for each component.

When installing AppSense products manually, you must ensure that all required technologies and AppSense components are added. A list of required technologies and AppSense components is available in the Prerequisites section.
See:
- AppSense DesktopNow Installer
- Manual Installation

Packages

Installer packages for each component in the AppSense Application Manager product set include 32-bit and 64-bit versions as follows:
- ApplicationManagerAgent.msi
- ApplicationManagerConsole.msi
- ApplicationManagerDocumentation.msi
- ApplicationManagerAnalysisService.msi
Additional prerequisite third-party software components are provided with the installation media and can be installed automatically via the DesktopNow Installer or manually by running the relevant packages provided.

AppSense DesktopNow Installer

A quick test to ensure that AppSense Application Manager has installed correctly is to go to the Task Manager and check the running Processes for AMAgent.exe.

Note: On Windows Vista or later you need to select the Show processes from all users option.

This section provides an overview of the installation processes using the DesktopNow Installer as follows:
- Enterprise Installation
- Standalone Installation

Enterprise Installation

Enterprise installation allows you to install the full suite of product consoles together with the AppSense server components. You are prompted to select which server products to install. The Enterprise Suite includes:
- AppSense Application Manager
- AppSense Environment Manager
- AppSense Performance Manager
- AppSense Management Center

Enterprise installation is completed by running the Server Configuration Utility (SCU) for each installed server product. Servers, SQL databases and consoles for each of the products in Enterprise mode installations can be installed either together on one computer or distributed across the network on separate computers.

Enterprise Installation is only available when the AppSense DesktopNow Installer is launched on a Server operating system.

In a distributed environment where product consoles and server components are installed on separate management computers, you need to run the installer again on each computer to install the relevant components.
Enterprise Installation Using the DesktopNow Installer

1. Run the Installer by executing setup.exe on the installation media.
2. In the Welcome screen, click Next.
3. In the User Information screen, provide username and company details.
4. In the License Agreement screen, read the license agreement. If you accept the terms, select and click Next.
5. In the License Validation screen, enter a product license code and activation code or select to use the evaluation license (valid for 21 days).
   For more information about product licenses, see Licensing.
   You manage the licenses for Enterprise mode installations using the Enterprise Licensing view in the AppSense Management Console. See the AppSense Management Center Product Guide for further details.
6. In the Installation Type screen, select Enterprise to install product consoles and server-based products.
   The Application Manager agent is entered into the Management Center database when you run the Management Server Configuration Utility after the installation has completed.
7. In the Product Selection screen, select the products you want to install. In this case the Management Center is selected.
   When installing in Enterprise mode, the Application Manager console is installed with the Management Center and the Application Manager agent is added to the Management Center database ready to be deployed to endpoints.
   To use the Application Manager Rights Discovery feature, select Application Manager Rights Discovery from the list of options. This will install the Analysis Service required to collate the Rights Discovery information to allow you to create Application Manager configurations.
   For further information on deploying agents from the AppSense Management Center, refer to the AppSense Management Center Installation and Upgrade Guide.
8. In the SQL Server Installation screen, if no local Microsoft SQL Server is detected, you are prompted either to install a Microsoft SQL Server or browse to select an existing remote SQL Server.
   If no existing SQL server is selected, the Installer installs Microsoft SQL Server 2005 Express Edition. If you select this option, read the license agreement. If you accept the terms, select and click Next and follow the prompts of the Microsoft SQL Server 2005 Setup to complete the installation.
   You can skip this step and configure remote servers later using the Server Configuration Utility for each of the products.
9. In the Prerequisite Management screen, a list of required components displays, split into Installed, Not Installed and Requires Manual Installation. Select Install next to each Not Installed component or select Install All. Manually install any required software prerequisites which are not already present. Once all components are installed, click Next.
   Some prerequisite components require manual installation. The Installation Media directory includes installer packages for some prerequisite components. Other prerequisite components, such as Internet Information Services (IIS), are part of the operating system and must be installed using the relevant Server configuration options.
10. In the Installation Directory screen, select a location for installing the AppSense product files. The default location is C:\Program Files\AppSense.
    After installing the Management Center, you can browse to the web page at the following link to download the console and documentation installers: http://[servername]/managementserver
11. The Summary screen lists the products you installed, the installation mode, license details, installation directory, and a notification that no reboot is required.
12. When installation is complete, you are prompted to launch the Management Server Configuration Utility to configure each server in turn from the Installer console. Alternatively, you can complete this step later from the product directories in the Start menu.
For further information on the AppSense Management Server Configuration Utility and deploying agents and configurations, refer to the AppSense Management Center documentation.

Standalone Installation

Standalone installation installs the product consoles and agents together on the host computer.

Standalone Installation Using the DesktopNow Installer

1. Run the Installer by executing setup.exe from the installation media.
2. In the Welcome screen, click Next.
3. In the User Information screen, provide username and company details.
4. In the License Agreement screen, read the license agreement. If you accept the terms, select and click Next.
5. In the License Validation screen, enter a product license code and activation code or select to use the evaluation license (valid for 21 days).
   For more information about product licenses, see Licensing.
   You can change license settings later for Standalone installations using the AppSense DesktopNow Licensing console, which you can launch from the following directory: Start > All Programs > AppSense > Licensing
6. In the Installation Type screen, select Standalone to locally install the product console and product agents.
7. In the Product Selection screen, select the products you want to install. In this case, we are only concerned with installing Application Manager.
   A message displays informing you that the installation of Application Manager will require a reboot. Click OK to continue.
8. In the Prerequisite Management screen, a list of required components displays, split into Installed and Not Installed components. Select Install next to each Not Installed component or select Install All to install all missing prerequisites. Once all components are installed, click Next.
9. In the Installation Directory screen, select the location in which to install the AppSense product files. The default location is C:\Program Files\AppSense.
10. The Summary screen lists the products you selected to install, the installation mode, license details, install directory and whether a reboot is required. Click Install.
    When the installation is complete, you are prompted to reboot the computer to complete the installation of the product agents.

Standalone products can be installed on server or desktop computers.
Manual Installation

The table below shows the list of the Windows Installer Packages (MSI) for each of the components in AppSense DesktopNow, which you can run manually on the host computers. The list is organized per product and includes details about which components require a reboot of the host computer after installation.

When installing AppSense products manually, you must ensure that all required technologies and AppSense components are added. A list of required technologies and AppSense components is available in the Prerequisites section.

Application Manager

Installation File: ApplicationManagerConsole32.msi, ApplicationManagerConsole64.msi
  Description: Installs the Application Manager console for creating configurations to deploy to managed computers hosting the agent.
  Reboot: Not required.

Installation File: ApplicationManagerAgent32.msi, ApplicationManagerAgent64.msi
  Description: Installs the Application Manager agent on managed computers. When a configuration is installed, the agent implements the configuration rules.
  Reboot: Installation, uninstallation and upgrades.

Installation File: ApplicationManagerDocumentation32.msi, ApplicationManagerDocumentation64.msi
  Description: Installs the Application Manager Installation and Upgrade Guide, the Application Manager Product Guide and the Application Manager Help.
  Reboot: Not required.

Installation File: ApplicationManagerAnalysisService32.msi, ApplicationManagerAnalysisService64.msi
  Description: Installs the Analysis Service used for Rights Discovery to monitor Applications that use Administrative Rights to run. When installed and configured, the Service collates data and allows you to create configurations based on the Rights Discovery Results report.
  Reboot: Not required.

Management Center

Installation File: ManagementConsole32.msi, ManagementConsole64.msi
  Description: Installs the Management Center console which provides an interface to the Management Server and the other components of the Management Center.
  Reboot: Not required.

Installation File: ManagementServer32.msi, ManagementServer64.msi
  Description: Installs the Management Server which manages data access and storage, security control, network discovery services and software deployment to managed computers, resource management and enterprise auditing. Must be configured using the Management Center Server Configuration Utility.
  Reboot: Not required.

Installation File: ClientCommunicationsAgent32.msi, ClientCommunicationsAgent64.msi
  Description: Installs the Client Communications Agent (CCA) to manage communications between the product agents and the AppSense Management Center.
  Reboot: Installation, uninstallation and upgrades.

Installation File: ManagementCenterDocumentation32.msi, ManagementCenterDocumentation64.msi
  Description: Installs the Management Center Installation and Upgrade Guide, the Management Center Product Guide and the Management Center Help.
  Reboot: Not required.
Licensing

Installation File: LicensingConsole32.msi, LicensingConsole64.msi
  Description: Installs the Licensing console for managing licenses for products installed in Standalone mode.
  Reboot: Not required.

LICENSING

The table below provides a list of AppSense product license types.

License: AppSense DesktopNow
  Description: Full Suite license. Requires activation using the activation code sent from AppSense with the license code.

License: AppSense Application Manager
  Description: Single product license. Requires activation using the activation code sent from AppSense with the license code.

License: Evaluation
  Description: Full Suite or single product licenses. Evaluation licenses are available during the first installation of the product and do not require activation. They are valid for 21 days.
  Requires Activation: No

If AppSense Application Manager was installed in Standalone mode, a quick test to check the product is licensed correctly is to go to the Task Manager and check the running Processes for AMAgentAssist.exe
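
The Manual Installation table and the two Task Manager quick tests (AMAgent.exe for installation, AMAgentAssist.exe for Standalone licensing) can be combined into one scripted check. The following PowerShell is an added example, not AppSense code or part of the original guide; it uses only standard msiexec options, and the media folder, log location and function names are assumptions. Because the agent package requires a reboot on installation, run it once to install and again with -VerifyOnly after the restart.

```powershell
# Added example (not AppSense code). Run from an elevated PowerShell prompt.
param(
    [string]$MediaPath,                 # assumption: folder holding the MSI packages
    [string]$LogPath = (Join-Path $env:TEMP 'ApplicationManagerAgent-install.log'),
    [switch]$VerifyOnly                 # skip installation, only run the quick tests
)

function Install-AmAgent {
    param([string]$Media, [string]$Log)

    # Package names as listed in the Manual Installation table.
    $name = if ([Environment]::Is64BitOperatingSystem) {
        'ApplicationManagerAgent64.msi'
    } else {
        'ApplicationManagerAgent32.msi'
    }
    $msi = Join-Path $Media $name
    if (-not (Test-Path -LiteralPath $msi -PathType Leaf)) {
        throw "Package not found: $msi"
    }

    # Record the package's signature state and SHA-1 hash in the console output
    # so the installed file can be traced later. Whether the package is signed
    # is not stated in the guide, so this only reports and does not block.
    $sig  = Get-AuthenticodeSignature -LiteralPath $msi
    $hash = (Get-FileHash -LiteralPath $msi -Algorithm SHA1).Hash
    Write-Host "Package:   $msi"
    Write-Host "SHA-1:     $hash"
    Write-Host "Signature: $($sig.Status)"

    # Silent install, suppress the automatic restart, write a verbose log.
    $msiArgs = @('/i', "`"$msi`"", '/qn', '/norestart', '/l*v', "`"$Log`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    switch ($proc.ExitCode) {
        0       { return 'Installed' }
        3010    { return 'InstalledRebootRequired' }   # ERROR_SUCCESS_REBOOT_REQUIRED
        1641    { return 'InstalledRebootStarted' }    # ERROR_SUCCESS_REBOOT_INITIATED
        default { throw "msiexec exited with code $($proc.ExitCode); see $Log" }
    }
}

function Test-AmAgentState {
    # Scripted form of the two Task Manager checks in the guide.
    # Get-Process lists processes from all users, so no extra option is needed.
    $agent  = Get-Process -Name 'AMAgent' -ErrorAction SilentlyContinue
    $assist = Get-Process -Name 'AMAgentAssist' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        AgentRunning         = [bool]$agent          # installed correctly
        AgentAssistRunning   = [bool]$assist         # licensed (Standalone mode)
    }
}

if (-not $VerifyOnly) {
    if (-not $MediaPath) { throw 'Specify -MediaPath or use -VerifyOnly.' }
    $result = Install-AmAgent -Media $MediaPath -Log $LogPath
    Write-Host "Install result: $result"
    if ($result -ne 'Installed') {
        Write-Host 'Restart the computer, then rerun with -VerifyOnly.'
        return
    }
}

$state = Test-AmAgentState
$state | Format-List
if (-not $state.AgentRunning) {
    Write-Warning 'AMAgent.exe is not running: the agent is not installed or a reboot is pending.'
}
if (-not $state.AgentAssistRunning) {
    Write-Warning 'AMAgentAssist.exe is not running: check licensing if this is a Standalone installation.'
}
```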
UNINSTALLATION

Uninstall AppSense Application Manager by using the AppSense DesktopNow Installer.

DesktopNow Installer Uninstallation Procedure

1. Run the AppSense DesktopNow Installer by executing setup.exe on the installation media.
2. The Welcome screen displays, where you are provided with three options: Modify, Repair and Uninstall.
3. Select Uninstall and click Next.
4. The Summary screen lists the product selected to uninstall, the installation mode, the installation directory and whether a reboot is required. Click Uninstall.
5. The installed Application Manager agent is uninstalled and the process is complete.

Any user created configurations will not be uninstalled with the product. You must manually delete these.
3 Upgrading

In this Section:
- Upgrade Application Manager
- Configuration Upgrade
- Upgrading Configuration Functionality
UPGRADE APPLICATION MANAGER

To find out the version number of AppSense Application Manager you are currently using, use the About option in the Home ribbon.

Upgrades

Existing AppSense software packages upgrade automatically during the installation process, including database schemas, agents and configurations.

Before proceeding, make sure you back up all existing AppSense databases and save product configuration packages as MSI files to disk from the existing product consoles. If necessary, save earlier versions of the product agent software which you would like to maintain.

For more information about saving configuration files from product consoles, see the Application Manager Product Guide.

Upgrading Application Manager in Enterprise mode

1. Run the Installer by executing setup.exe on the installation media.
2. In the Welcome screen, three options are provided: Modify, Upgrade and Uninstall. Select Upgrade and click Next.
3. In the Prerequisite Management screen, a list of required components displays, split into Installed and Not Installed components. Select Install next to each Not Installed component or select Install All to install all missing prerequisites. Once all components are installed, click Next.
4. The Summary screen lists the products ready to be upgraded, the installation mode, install directory and whether a reboot is required. Click Upgrade.
5. The Upgrade Complete screen displays with the Restart the computer now check box selected. Deselect it if you want to restart manually later. Once the computer has been restarted, the upgrade process is complete.

Upgrading Application Manager in Standalone mode

1. Run the Installer by executing setup.exe on the installation media.
2. In the Welcome screen, click Next.
3. In the User Information screen, provide username and company details.
4. In the License Agreement screen, read the license agreement. If you accept the terms, select and click Next.
5. In the License Validation screen, enter a product license code and activation code or select to use the evaluation license (valid for 21 days). For more information about product licenses, see Licensing.
6. In the Installation Type screen, select Standalone to install the product console and agent.
7. In the Product Selection screen, select the product you want to upgrade and click Next.
8. A message displays informing you that the installation of Application Manager will require a reboot. Click OK to continue.
9. A further message displays informing you that previous versions of Application Manager are already installed and will be upgraded. Click OK to continue with the upgrade.
10. In the Prerequisite Management screen, a list of required components displays, split into Installed and Not Installed components. Select Install next to each Not Installed component or select Install All to install all missing prerequisites. Once all components are installed, click Next.
11. In the Installation Directory screen, select the location in which to install the AppSense product files. The default location is C:\Program Files\AppSense.
12. The Summary screen lists the products you selected to install, the installation mode, install directory and whether a reboot is required. Click Install.

When the installation is complete, you are prompted to reboot the computer to complete the installation of the product agents. The upgrade process is complete.
CONFIGURATION UPGRADE

AppSense product configurations must be upgraded sequentially by major product version. Version numbering is categorized as follows:

Major is n.x.x.x
Minor is x.n.x.x
Build is x.x.n.x
Version is x.x.x.n

You cannot upgrade directly from version 6.x to version 8.x and must proceed from v6.x to version 7.x, and from version 7.x to version 8.x.

It is recommended that the Agents and Configurations belong to the same major and minor version numbers.

Configurations are upgraded by exporting from the source product console to MSI file format and importing the configuration file into the next major version of the product console.

Upgrade Application Manager configurations created with version 6.x and version 7.x product consoles by saving to disk as MSI files using the old console.

Open 7.x configuration MSI files in the version 8.x product console:

v7.x > MSI > v8.x

Open version 6.x configuration MSIs in a version 7.x console and save before repeating these steps and opening again in the version 8.x console:

v6.x > MSI > v7.x > MSI > v8.x

Upgrade the configuration by loading the MSI file into the new console using the Import option in the Application Menu. Once the configuration is upgraded, you can save the configuration to the local computer, a remote computer, to the Management Center or as a file on disk, according to requirements.

As new features and improvements are introduced in Application Manager, new configurations may not always be compatible with older versions of the Agent and Console. It is recommended that you upgrade the Configuration, Agent and Console to ensure compatibility.
Standalone Configuration Upgrade Process v6.0 > v7.0 > v8.0

1. Launch a 6.x or 7.x version of Application Manager and in the Standalone Configuration node, select Export Configuration in the Action menu.
2. In the Export Configuration dialog, save the configuration to disk in MSI format.
3. Completely uninstall the current version of AppSense Application Manager you are upgrading and install the new version.
4. Launch the new Application Manager console and import the saved MSI configuration to perform the upgrade.

   Configuration Import steps

   In Version 7.x, highlight the AppSense Application Manager node and select Import Configuration on the Action menu to import the configuration you saved using the previous version of the product.

   In Version 8.x, click the Application button, select Import & Export > Import configuration from MSI and import the configuration MSI file.

5. Save and close the configuration to complete the upgrade.

Standalone Configuration Upgrade Process Version 8.x to AM8 FRx

Since the introduction of support for Patching, a new naming convention is being used. For details see Product Version Naming.

To upgrade a configuration from version 8.x to version AM8 FRx you must Open and Save the configuration in the AM8 FRx console. Once the configuration has been saved in this console it will be compatible and therefore ready to be deployed using a deployment mechanism.

AppSense Management Center Configuration Upgrade Process Version 8.x to AM8 FRx

To upgrade a configuration from version 8.x to AM8 FRx you must Open the configuration and use the Save As command. All other Save commands are disabled. This will ensure that the configuration version is correct.

When you open and upgrade an 8.x configuration in the Management Center, the configuration is initially locked. The Save As command releases the lock on the file.
UPGRADING CONFIGURATION FUNCTIONALITY

If you are upgrading configurations used in previous versions of Application Manager, the introduction of the Process Rules and Group Management functionality may render the following parts of the configuration redundant:

- Trusted Applications - see Upgrades and Process Rules
- Signature Groups - see Upgrades and Group Management
- Network Connection Groups - see Upgrades and Group Management

Upgrades and Process Rules

If the Application Manager configuration contains Trusted Application rules, the upgrade will preserve the Trusted Applications feature's behavior, although some functionality regarding the three Trusted Applications options may be lost.

The table below shows how the various Trusted Application states will be converted to Process rules during a configuration upgrade.

Trusted Application State: Off - Disable Trusted Applications Checking
Process Rules: No Process rules added.

Trusted Application State: Only when blocked by Trusted Ownership
Process Rules: No Process rules added.

Trusted Application State: Always
Process Rules: For each Trusted Application defined:
- A new Process rule is created with the name Upgraded Trusted Application Rule (*), where * represents a number automatically incremented from 1 to the number of Trusted Application rules present in the configuration being upgraded.
- A new Process Identifier is added to the newly created Process rule. If the Trusted Application rule was defined using a full file path then the process identifier list has one file name entry with the exact same text. If the Trusted Application rule was defined using a digital signature then the process identifier has one digital signature entry with the same digital signature. Any file name information is preserved.
- For each of the trusted content entries for the Trusted Application rule, a new Accessible Item is added. The Trusted Ownership setting is set to Off for all added entries.
Upgrades and Group Management

If the Application Manager configuration contains Signature Groups and Network Connection Groups, the upgrade directly converts them to Group Management and renames them Groups. The name of the Signature or Network Connection Group remains the same and the contents of the Signature or Network Connection Group remain the same.

To avoid problems if the upgrade produces duplicate names, each upgraded Group is suffixed with its origin and the fact that it was upgraded.

Example

A version 8.0 configuration with a Signature Group called A becomes a Group called A - Upgraded Signature Group.

A version 8.0 configuration with a Network Connection Group called B becomes a Group called B - Upgraded Network Connection Group.
4 Configuration

In this Section:

Post Installation Checklist
Console
Configuration
Agent
POST INSTALLATION CHECKLIST

Once you have installed AppSense Application Manager using the AppSense DesktopNow Installer, check you have the following:

Enterprise

Console: Go to the Start menu and check AppSense Application Manager Console is present.

Agent: Run the Management Center Server Configuration Utility to create the database and upload the 32-bit and 64-bit agents. To check the agents are present, go to the Management Center console and check they are listed under Packages.
Note: For details on deploying the agent to endpoints refer to the AppSense Management Center Installation and Upgrade Guide.

Configuration: Open the Application Manager console and select the Application menu button. You must save the blank configuration to implement the Application Manager default rules. Select Save As > Configuration in the Management Center.
Note: For details of Application Manager default rules refer to the Application Manager Product Guide.

Analysis Service: Open a browser and enter the following: http://<localhost>/AMAnalysisQueryDataService
Note: <Localhost> would be replaced with the name of the machine that the Service resides on. If the service is installed correctly, a Service website will be displayed.

Standalone

Console: Go to the Start menu and check AppSense Application Manager Console is present.

Agent: Go to Task Manager and check AMAgent.exe is listed in the Running Processes.
Note: On Windows Vista or later you need to select the Show processes from all users option.

Configuration: Open the Application Manager console as an Administrator (if UAC is enabled) and select the Application Menu button. You must save the blank configuration to implement the Application Manager default rules. Select Save As > Live Configuration on this computer.
Note: For details of Application Manager default rules refer to the Application Manager Product Guide.

Analysis Service: Go to Task Manager and check AMAnalysisService.exe is listed in the Running Processes.
Note: On Windows Vista or later you need to select the Show processes from all users option.
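The checklist items that can be verified without the console, scripted as an added example (not AppSense tooling). The process names and the AMAnalysisQueryDataService path come from the checklist above; the function names, parameters and the Start menu shortcut search are assumptions.

```powershell
# Added example: scripted version of the post-installation checks above.
# AMAgent.exe, AMAnalysisService.exe and the AMAnalysisQueryDataService path are
# from the guide; names, parameters and the shortcut search are assumptions.
[CmdletBinding()]
param(
    # Machine the Analysis Service resides on (the <localhost> placeholder in the guide).
    [string]$AnalysisHost = 'localhost',
    [int]$TimeoutSec = 10
)

function New-CheckResult {
    param([string]$Check, [bool]$Passed, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

function Test-ConsoleShortcut {
    # Assumption: the console shortcut is in the all-users Start menu and its
    # file name contains "Application Manager".
    $root = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
    $links = @(Get-ChildItem -Path $root -Recurse -Filter '*.lnk' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*Application Manager*' })
    $detail = if ($links.Count) { $links[0].FullName } else { "no matching shortcut under $root" }
    New-CheckResult 'Console present in Start menu' ($links.Count -gt 0) $detail
}

function Test-AmProcess {
    param([Parameter(Mandatory = $true)][string]$Name)
    # Get-Process takes the name without ".exe" and lists processes from all
    # sessions, like Task Manager with "Show processes from all users" selected.
    $procs = @(Get-Process -Name $Name -ErrorAction SilentlyContinue)
    $detail = if ($procs.Count) { 'PID(s): ' + (($procs | ForEach-Object { $_.Id }) -join ', ') }
              else { 'not running' }
    New-CheckResult "$Name.exe running" ($procs.Count -gt 0) $detail
}

function Test-AnalysisEndpoint {
    param([string]$HostName, [int]$TimeoutSec)
    $uri = "http://$HostName/AMAnalysisQueryDataService"
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -UseDefaultCredentials `
            -TimeoutSec $TimeoutSec -ErrorAction Stop
        New-CheckResult "Analysis Service answers at $uri" ($resp.StatusCode -eq 200) "HTTP $($resp.StatusCode)"
    } catch {
        # Connection refused, name resolution failure and HTTP errors all land here.
        New-CheckResult "Analysis Service answers at $uri" $false $_.Exception.Message
    }
}

$results = @(
    Test-ConsoleShortcut
    Test-AmProcess -Name 'AMAgent'
    Test-AmProcess -Name 'AMAnalysisService'
    Test-AnalysisEndpoint -HostName $AnalysisHost -TimeoutSec $TimeoutSec
)
$results | Format-Table -AutoSize -Wrap

# A non-zero exit code lets a deployment job flag the endpoint for follow-up.
if (@($results | Where-Object { -not $_.Passed }).Count) { exit 1 }
```

Saving the blank configuration to apply the default rules still has to be done in the console; the script only reports whether the installed components are present and responding.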
CONSOLE

The Application Manager console launches when the link is selected in the Start > All Programs > AppSense menu.

Application Menu

The Application menu provides options for managing configurations including create new, open existing, save, and import and export configurations.

Application Menu Options

Option: New
Description: Creates a new default configuration which is locked for editing.

Option: Open
Description: Opens an existing configuration from one of the following locations:
- Live configuration on this computer.
- Configuration from the Management Center.
- Configuration file on a local or network drive: Application Manager Package Files format (aamp).
- Open a configuration from the System Center Configuration Manager.
Note: A live configuration is located on a computer which has an Application Manager agent installed and running.

Option: Save
Description: Saves the configuration in one of the following states:
- Save and continue editing - save the configuration and keep it locked and open for editing. You will not be able to deploy the configuration while it is locked.
- Save and unlock - save the configuration and unlock it ready for deployment. The current configuration closes and a new default configuration opens.
- Unlock without saving - unlock the configuration without saving changes. The current configuration closes and a new default configuration opens.
Option: Save As
Description: Saves the configuration with a new name to one of the following locations:
- Live configuration on this computer
- Configuration in the Management Center
- Configuration file on a local or network drive: Application Manager Package Files format (aamp).
- Configuration in System Center Configuration Manager
Note: A live configuration is located on a computer which has an Application Manager agent installed and running.
Warning: If using a Microsoft Windows operating system with UAC enabled you must ensure that you open the console with administrator privileges.

Option: Import & Export
Description: Imports a configuration from MSI format, usually legacy configurations which have been exported and saved from legacy consoles. Exports a configuration to MSI format.

Option: Exit
Description: Closes the console. You are prompted to save any changes you have made to the current configuration.

Option: Preferences
Description: Launches the Console Preferences dialog box, which includes: Show splash screen on startup
Quick Access Toolbar

The Quick Access toolbar provides quick functionality for managing the configuration setup, such as Save, Save and Unlock, Undo, Redo, and navigation to previously and next displayed views.

Quick Access Toolbar Options

Option: Save
Description: Saves changes to the configuration. The configuration will remain locked if opened from the AppSense Management Center.

Option: Save and unlock
Description: Saves changes and unlocks the configuration. These changes can now be deployed from the Management Center.

Option: Undo
Description: Clears the action history. Up to 20 previous actions are listed. Select the point at which you want to clear the actions. The action selected and all proceeding actions are undone.

Option: Redo
Description: Re-applies the cleared action history. Up to 20 cleared actions are listed. Select the point at which you want to redo the actions. The action selected and all subsequent actions are redone.

Option: Back
Description: Navigates back through the views visited in this session.

Option: Forward
Description: Navigates forward through the views visited in this session.

Ribbons

Ribbon pages include buttons for performing common actions, arranged in ribbon groups according to the area of the console to which the actions relate. For example, the Home ribbon includes all common tasks, such as About, Cut, Paste and Copy, Help, AppSense website and Support links.

You can find the version number of AppSense Application Manager you are using by selecting the About option in the Home ribbon.

Split ribbon buttons contain multiple options and are indicated by an arrow just below the button. Click the arrow to display and select the list of options, or simply click the button for the default action.

Double-click a ribbon to show and hide the ribbon pages.
Help

The Home ribbon includes a Help button which launches the Help for the product and displays the topic relating to the current area of the console in view. A smaller icon for launching the Help displays at the far right of the console, level with the ribbons, for convenience when the Home ribbon is not in view. You can also press F1 to launch the Help topic for the current view.

Navigation Pane

The Navigation pane consists of the navigation tree and navigation buttons. The navigation tree is the area for managing nodes of the configuration. The navigation buttons allow you to view the different areas of the console.

Work Area

The Work area provides the main area for managing the settings of the configuration and product. The contents of the work area vary according to the selected nodes in the navigation tree and the selected navigation buttons. Sometimes the work area is split into two panes. For example, one pane can provide a summary of the settings in the other pane.

Additional Console Features

- Shortcut Menu - right-click shortcuts are available in the navigation tree and some areas of the console.
- Drag and Drop - this feature is available in some nodes of the navigation tree. For further drag and drop details on specific functionality see the Application Manager Help.
- Cut/Copy/Paste - these actions can be performed using the buttons in the Home ribbon page, shortcut menu options and also using keyboard shortcuts.
- Recommended screen resolution for the console is 1024 x 768 pixels.

CONFIGURATION

Application Manager configuration files contain the rule settings for securing your system. The agent checks the configuration rules to determine the action to take when intercepting file execution requests.

Configurations are stored locally in the All Users profile and are protected by NTFS security.

In Standalone mode, configuration changes are saved in the custom.aamp format (AppSense Application Manager Package) and read by the agent. In Enterprise mode, configurations are stored in the AppSense Management Center database and set up for deployment using the AppSense Management console.

A default configuration loads when you run the console and can be used for immediate protection on all client computers to which the configuration is deployed. For details on the default configuration settings and the immediate protection you receive, refer to the AppSense Application Manager Product Guide.
Configurations can also be exported and imported to and from MSI file format using the Application Manager console, which is useful for creating templates or distributing configurations using third-party deployment systems.

After creating or modifying a configuration, you must save the configuration with the latest settings to ensure that they are implemented.

The Application Manager console must be run as an administrator to be able to save any changes.

AGENT

Application Manager is installed and run on endpoints using a lightweight agent. The agent is deployed to managed computers to implement the configuration rules.

In Standalone mode, the agent is installed directly onto the local computer. In Enterprise mode, configurations are stored centrally and deployed remotely across a network to multiple controlled computers using the AppSense Management Center.

Agents are constructed as Windows Installer MSI packages, which allows them to be distributed using any third-party deployment system which supports the MSI format.

For more information about deploying AppSense Application Manager, see the AppSense Management Center Product Guide.

ANALYSIS SERVICE

The Analysis Service is installed on any selected machine as part of the Application Manager installation. It is a lightweight component that does not require typical server tools such as IIS or SQL Server.

In Standalone mode, the service is installed on any selected machine. To install the Service as part of the Enterprise mode, the Application Rights Discovery option must be selected.

For more information about the Analysis Service, see the AppSense Management Center Product Guide.
5 Patching

In this Section:

Patching Introduction
Installing Patches
PATCHING INTRODUCTION

Products in AppSense DesktopNow can be patched using a Windows Installer patch (MSP file). A patch is an MSP file which, when installed, updates files and registry keys on an existing MSI.

Support for installing MSP files lessens the impact of installing an MSI: it reduces the need to reboot your systems, and the MSP file contains only the files changed since the original MSI. As a result, network bandwidth is saved.

When a patch is installed, you can view the name of the patch that has been applied to the installed console by clicking About from the Help & Support ribbon in each of the DesktopNow products. As you can install agents of different versions to a product console, the version displayed may not be related.

Details of a patch can also be found in Programs > Control Panel > Programs > Programs and Features and Programs > Control Panel > Programs > Programs and Features > View installed updates.

Patch Distribution

- Service Packs - will be distributed as an MSP
- Private Hotfixes - will be distributed as an MSP

Patching Terminology

Service Packs

Service Packs are issued at regular intervals. They will contain all the fixes from the last Private Hotfix and any previous Service Packs, plus any fixes that have been found internally for which a Private Hotfix was not issued. New Private Hotfixes are only issued for the latest Service Pack.

Private Hotfix

Issued at the discretion of the AppSense Support team in response to a reported problem. This may be an existing Private Hotfix for a known issue or a new Hotfix to resolve a new problem. Private Hotfixes are cumulative in nature, in that they contain all previous Private Hotfixes.
INSTALLING PATCHES

A patch can be installed using the following:

- Management Center
- Command Line

The sections that follow document the processes required to install and deploy patches.

Installing a Patch Using the Management Center

Installing a patch on an endpoint using the Management Center is achieved using the following two-part process:

Step 1: Upload the MSI and MSP files
Step 2: Deploy the patch to your endpoints

To demonstrate the procedures required to install a patch, an Environment Manager 32-bit patch will be deployed to a group called DocsGroup.

UPLOADING THE MSI AND MSP FILES

1. Select Package Library > Environment Manager. The updates will be automatically defined if it has been previously installed. If the Update is not installed, upload the Update before adding the patch.
2. From the Actions menu, select Add Package. The Browse for Package dialog displays.
3. Browse for the MSP associated with the applied MSI. If the patch is called AppSense Environment Manager Agent 8 FR4 HF1, the Update must be the same version and feature release, in this case AppSense Environment Manager Agent 8 FR4.
4. Select the MSP file and click Open. The Package Upload wizard is displayed.
5. On the Details page, check the information is correct. If required, enter a description of the package.
6. Click Next.
7. When the Patch has finished uploading, click Finish. If an MSI is being uploaded, a Prerequisites page will be displayed. Use this page to install any prerequisites and click Next.
You are returned to the Package Library work area and the patch icon is displayed in the list.

DEPLOYING THE PATCH TO YOUR ENDPOINTS

1. Select Overview > Deployment Groups tab > Deployment Groups > DocsGroup > Settings > Assigned Packages. The Assigned Packages work area displays a list of all the AppSense products and their associated packages.
2. Highlight the Environment Manager 32-bit package and click Change Agent Version from the Action menu. The Assign Packages wizard displays.
3. From the drop-down, select Environment Manager 8 FR4.
4. Highlight Agent 8 FR4 HF1.
5. Click Finish. Assigning a patch automatically installs the Update file.
6. When all the packages have been assigned, click Review and Submit. The Submit Changes dialog displays, listing all the packages for you to review.
7. Check the details are correct and click Submit. To remove a package, click Undo next to the package to be removed.
8. Click Submit. The patch is installed based on the deployment group Installation Schedule.

Installing and Uninstalling a Patch Using the Command Line

As well as installing a patch using the AppSense Management Center, patches can also be installed from the command line.

It is recommended that logging is switched on when using the following commands. To enable logging, add /l*vx Patch.log immediately after the /i or /p. For example:

    msiexec.exe /i /l*vx Patch.log Agent.msi

Installing

To install or upgrade an MSI:

    msiexec.exe /i Agent.msi

To silently install or upgrade an MSI:

    msiexec.exe /qn /i Agent.msi

To install an MSP:

Do not use /update when installing the MSP file as this will remove all existing features.

    msiexec.exe /p Agent.msp

To install an MSI and MSP in a single operation:

    msiexec.exe /i Agent.msi PATCH=C:\FullPath\Agent.msp
Uninstalling

To uninstall an MSI:

    msiexec.exe /x Agent.msi

This will also uninstall all associated MSP files.

To remove an MSP:

    msiexec.exe /i Agent.msi MSIPATCHREMOVE=C:\FullPath\Agent.msp

Rolling-back Patches

Using the Management Center to install patches provides additional advantages, such as the facility to downgrade newer versions of MSI files as well as removing MSP files to apply previous versions.

To roll back to an older patch, just reapply the older version to your deployment group.
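The command-line forms from Installing and Uninstalling a Patch Using the Command Line, wrapped in one function with logging always on and the msiexec exit code interpreted, as an added example (not AppSense tooling). The function name, parameter names and default log location are assumptions; the logging switch is placed after the package path, the form used in Microsoft's msiexec documentation.

```powershell
# Added example: wrapper for the msiexec forms in this section.
# Function and parameter names are assumptions, not part of the product.
function Invoke-AgentMsiexec {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('InstallMsi', 'InstallPatch', 'InstallMsiWithPatch', 'RemovePatch', 'UninstallMsi')]
        [string]$Operation,
        [string]$MsiPath,
        [string]$MspPath,
        [string]$LogPath = (Join-Path $env:TEMP 'Patch.log'),
        [switch]$Silent
    )

    # PATCH= and MSIPATCHREMOVE= need full paths, so resolve everything up front
    # and fail before msiexec runs if a required file is missing.
    function Resolve-Required([string]$Path, [string]$Kind) {
        if (-not $Path) { throw "$Operation needs a $Kind path." }
        (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
    }
    $msi = if ($Operation -ne 'InstallPatch') { Resolve-Required $MsiPath 'MSI' }
    $msp = if (@('InstallPatch', 'InstallMsiWithPatch', 'RemovePatch') -contains $Operation) {
        Resolve-Required $MspPath 'MSP'
    }

    # Action and package first, then options, then public properties.
    # /update is never generated: the guide warns it removes existing features.
    $action = switch ($Operation) {
        'InstallPatch' { "/p `"$msp`"" }
        'UninstallMsi' { "/x `"$msi`"" }
        default        { "/i `"$msi`"" }
    }
    $property = switch ($Operation) {
        'InstallMsiWithPatch' { " PATCH=`"$msp`"" }
        'RemovePatch'         { " MSIPATCHREMOVE=`"$msp`"" }
        default               { '' }
    }
    $quiet = if ($Silent) { ' /qn' } else { '' }
    $argList = "$action$quiet /l*vx `"$LogPath`"$property"

    # -WhatIf shows the exact command line without running it.
    if (-not $PSCmdlet.ShouldProcess("msiexec.exe $argList", $Operation)) { return }

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList -Wait -PassThru

    # Standard Windows Installer exit codes worth distinguishing in a rollout.
    $meaning = @{
        0    = 'Success'
        1602 = 'User cancelled the installation'
        1603 = 'Fatal error during installation'
        1618 = 'Another installation is already in progress'
        1619 = 'Package could not be opened'
        1641 = 'Success, reboot initiated'
        3010 = 'Success, reboot required'
    }
    $text = $meaning[$proc.ExitCode]
    if (-not $text) { $text = 'See the log for details' }

    [pscustomobject]@{
        Operation    = $Operation
        CommandLine  = "msiexec.exe $argList"
        ExitCode     = $proc.ExitCode
        Succeeded    = (@(0, 1641, 3010) -contains $proc.ExitCode)
        RebootNeeded = (@(1641, 3010) -contains $proc.ExitCode)
        Meaning      = $text
        LogPath      = $LogPath
    }
}

# Dry run (Agent.msp is the guide's placeholder file name):
#   Invoke-AgentMsiexec -Operation InstallPatch -MspPath .\Agent.msp -Silent -WhatIf
```

Run it from an elevated session; treating 3010 and 1641 as success with a pending reboot avoids reporting a patched endpoint as failed.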
APPENDIXES

In these Appendixes:

Licenses
Product Version Naming
A Licenses

APACHE LICENSE

Copyright 2012 AppSense Ltd

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/license-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
B Product Version Naming

All of the products in AppSense DesktopNow Suite explicitly state if they are a Service Pack Release or a Feature Release.
VERSION NAMING

AppSense patching now makes a clear distinction between product releases that contain fixes and product releases that include new features and changes in the behavior of an AppSense DesktopNow product.

Most bug fixes will be dealt with as Private Hotfixes and Service Packs (SP).

Feature Releases (FR) will contain new features, fixes to bugs that cause a change in behavior and those fixes which cannot be incorporated into a Service Pack due to the technical limitations of MSPs.

Hotfixes (HF) can also be distributed at the discretion of the AppSense Support team in response to a reported problem. This may be an existing Private Hotfix for a known issue or a new Hotfix to resolve a new problem.

For example, version naming will appear as Application Manager 8 Feature Release 5 or FR5, rather than Application Manager 8.5. Service Packs are named Service Pack or SP, and Hotfixes will be referred to as HF. For example:

- Management Center 8 FR4
- Environment Manager 8 FR4 SP2
- Application Manager 8 FR5 SP2 HF2

The actual build numbers only appear in the product consoles' About box and in Add or Remove Programs.
Support for Releases

The following diagram provides a visual explanation of the support provided for releases. For the purpose of this example the Management Center (AMC) 8 FR5 is to be used.

When AMC 8 FR5 is released, AMC 8 FR5, AMC 8 FR4 SP1 and AMC 8 FR3 SP2 will be serviceable. However, AMC 8 FR3, AMC 8 FR3 SP1 and AMC 8 FR4 will be classed as Not Serviceable.

The information that follows explains the terminology used:

Supported - All major N-1 products will receive support in terms of technical assistance from our Support department and this in no way affects your current terms and conditions.

Serviceable - Only the tips of the Feature Release branches will be serviceable by product development in terms of providing new Hotfixes and Service Packs. You might need to upgrade to the latest Service Pack to resolve a technical problem or if a new Hotfix needs to be issued.
GLOSSARY

Accessible Items, Agent, Analysis Service, Application Limit, Application Termination, Audit Only, CCA, Configuration, Configuration File, Configuration Profiler, Console, Deploy, Digital Signature, Event, Group Management, Node, OU, Prohibited Items, Process Rule, Rights Discovery, Security Identifier, Security Level, Self-Authorizing User, Server Configuration Utility, SID, Time Limits, Trusted Ownership, Trusted Vendors, User Rights Management, Wildcards

Accessible Items
Accessible Items are files, folders, drives or digitally signed files or groups of files in an Application Manager configuration Rights Discovery which are allowed to run when file execution requests are matched with the rule security settings and would otherwise be prohibited by other configuration settings.
See also: Prohibited Items, Trusted Vendors, User Rights Management

Agent
A proactive software component which implements the product configuration rules. For example, the Application Manager Agent is software that runs as a Windows service to validate execute requests according to the rules in the configuration installed on a computer.

Analysis Service
The Analysis Service is installed on any machine and is used to collect the data from the Rights Discovery.

Application Limit
Application Limits specify the number of instances of an application a user can run. An application limit can be applied to an item in the Accessible Items node.

Application Termination
Application Termination allows you to set triggers, behavior and warning messages for terminating applications on managed computers. You can also control the manner in which applications are terminated and how the user is notified.

Audit Only
Security Level assigned to users, groups or devices in an Application Manager Rights Discovery which audits events according to the Auditing Configuration without applying the rule. Used for passive monitoring in evaluations to assess application usage on the host environment.

CCA
Client Communications Agent. Installed on computers operating in an Enterprise installation to provide a link between the product agent running on a managed computer and the AppSense Management Center. The CCA sends event data generated by the product agents to the Management Server and also polls the Management Server to manage the download and installation for software configuration, agent and package updates. The CCA can be downloaded and installed directly on managed machines from the Management Server website.
APPLICATION MANAGER INSTALLATION AND UPGRADE GUIDE GLOSSARY CONFIGURATION Event 49 Configuration The Application Manager configuration consists of lists of files/folders that you have decided should be Accessible Items, Prohibited Items and Trusted Vendors. The configuration also contains optional settings and text to be displayed to the user. A configuration is created and managed using the Application Manager Console and used by the Application Manager Agent and is saved in Application Manager Package Files (*.aamp). The agent uses the configuration settings to determine whether or not an execute request is to be denied. Configuration File An Application Manager configuration exported from the Console and saved to Windows Installer MSI file format. The file can be installed on any computer and the configurations rules applied when an Application Manager Agent is present and running as a service on the computer. Configuration Profiler Generates reports detailing the current settings in the Configuration. Filtering options allow you to query settings affecting specific users or groups, devices, and files or folders. Console AppSense Application Manager software interface. Deploy To deliver a configuration or AppSense software component to one or more computers, which can include the local machine. Digital Signature Application Manager uses the SHA-1 algorithm for applying a digital signature to uniquely identify files. The signature can be used as a security measure when adding files as Accessible Items, Prohibited Items and Trusted Vendors. Signatures can also be used for allowing applications on non-ntfs formatted drives to run, which Application Manager would otherwise block by default. Add the digital signatures to the Accessible Items list and disable trusted ownership checking for the individual files. Signature Group Management provides easier administration for large groups of signatures. 
Accessible Items with digital signatures can be used to verify that the file which the user is attempting to run is actually the file permitted by the administrator. Prohibited Items with digital signatures can be used to ensure the file is always prevented from executing, even when the user renames the file.

Event
An Event is generated by Application Manager to report file execution requests, overwrites or renames and Self-Authorizing User decisions. The event number indicates the outcome of the request. Events are logged according to the method set up in the Auditing node.
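The Digital Signature entry above says a signature identifies a file by its contents, so it survives a rename and fails when different content sits at an approved path. The following is an added example, not part of the guide or of AppSense code; the file names, list names and helper functions are hypothetical and the file bytes are constructed.

```python
import hashlib
import os
import tempfile

def sha1_signature(path, chunk_size=65536):
    """SHA-1 of the file's contents, read in chunks; the file name plays no part."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def signature_in(path, signatures):
    """True when the file's content signature is in the given signature list."""
    return sha1_signature(path) in signatures

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as folder:
        # Constructed sample files; the bytes stand in for real executables.
        approved = os.path.join(folder, "approved_tool.exe")
        banned = os.path.join(folder, "banned_tool.exe")
        with open(approved, "wb") as fh:
            fh.write(b"constructed bytes: approved build")
        with open(banned, "wb") as fh:
            fh.write(b"constructed bytes: banned build")
        accessible = {sha1_signature(approved)}  # hypothetical Accessible Items signatures
        prohibited = {sha1_signature(banned)}    # hypothetical Prohibited Items signatures

        # Prohibited item renamed: contents unchanged, so the signature still matches.
        renamed = os.path.join(folder, "notepad.exe")
        os.rename(banned, renamed)
        results["renamed_still_prohibited"] = signature_in(renamed, prohibited)

        # Different content at the approved path: the name matches, the signature does not.
        with open(approved, "wb") as fh:
            fh.write(b"constructed bytes: something else")
        results["swapped_file_accessible"] = signature_in(approved, accessible)
    return results

if __name__ == "__main__":
    print(demo())
```

The same property means a legitimately updated file needs its signature captured again before it matches an Accessible Items entry.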
Group Management
Group Management is a library for compiling reusable groups of files, folders, drives, signatures and network connections which can be associated with rules in the configuration. For example, Groups can be used to manage licenses for a suite of software or common sets of applications for assigning to certain user groups.

Network Connection Item
Network Connection identify.

Node
A node is a term used in the Application Manager Console to represent a branch in the navigation tree.

OU
Organizational Unit. A Microsoft Active Directory container that includes users and computers.

Prohibited Items
Prohibited items are files, folders, drives or digitally signed files or groups of files specified in an Application Manager Rights Discovery which are not allowed to run when file execution requests are matched with the rule security settings and would otherwise be allowed by other Configuration settings. See also: Accessible Items and Trusted Vendors.

Process Rule
Process rules allow you to manage access for a parent process to run child processes which might be managed differently in other rules. Process rules include settings for adding Prohibited Items, Accessible Items, Trusted Vendors and User Rights Management.

Rights Discovery
Rights Discovery allows you to monitor which users are running applications that use Administrative Rights and generates reports based on the results.

Rule
A Configuration rule assigns a Security Level to the specified users or groups, devices and combinations of these and contains control lists for Accessible Items, Prohibited Items, Trusted Vendors and Process Rule. The Application Manager agent intercepts kernel level file execution requests and matches these with the configuration rules to implement security controls.

Security Identifier (SID)
A data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account's SID rather than the account's user or group name. Likewise, Application Manager also refers to a user or group SID unless the SID could not be found when added to the configuration.

Security Level
Application Manager configuration Rights Discovery settings include security levels which specify how to manage requests to run unauthorized applications by the users, groups or devices which a rule matches.
  Restricted: Only authorized applications can run. These include files owned by members of the Trusted Owners list and files listed in Accessible Items, Trusted Vendors and Trusted Ownership.
  Self-Authorizing: Users are prompted for decisions about blocking or running unauthorized files on the host device.
  Audit only: All actions are permitted but events are logged and audited, for monitoring purposes.
  Unrestricted: All actions are permitted without event logging or auditing.

Self-Authorizing User
User, group or device granted control to choose whether to block or run an unauthorized application on the host computer. The Self-Authorizing Security Level can be assigned in an Application Manager Rights Discovery to match a file execute request for users, groups or devices.

Server Configuration Utility
Utility to configure and maintain AppSense server products.

SID
See Security Identifier.

Time Limits
Settings applied to entries in the Accessible Items and Prohibited Items nodes of an Application Manager Rights Discovery which determine day and time ranges when the controls apply. For example, an entry in the Prohibited Items node of a rule can restrict use of the local web browser to users except between the hours of 12pm and 2pm on specific days of the week.

Trusted Ownership
Trusted Ownership checking is a secure method Application Manager uses to prevent users running unauthorized applications.
On NTFS formatted drives, files have owners, and Application Manager is configured by default to allow files to be executed only if the file owner is a member of the Trusted Owners list. If a user tries to run a file that is not owned by a trusted owner, the execute request is denied and a message notifies the user. Any files downloaded from the internet or received in email are owned by the user, so those files are not permitted to run unless ownership is held by members of the Trusted Owners list.
By default, Application Manager blocks execution requests for all applications on non-NTFS formatted drives.

Trusted Vendors
Trusted Vendors are digital certificates signed by trusted sources. Trusted Vendor checking allows applications which fail Trusted Ownership checking to match digital certificates with the Trusted Vendors list. A list of Trusted Vendors can be defined for each User, Group, Device, Custom, Scripted, and Process rule of the configuration. Application Manager queries each file execution which fails Trusted Ownership checking to detect the presence of a digital certificate. If the file has a digital certificate which is signed by a certificate authority matching a valid entry in the Trusted Vendor list, the file is allowed to run. Trusted Vendor matching takes place when a file is prohibited by failing Trusted Ownership checking and Trusted Application checking.

User Rights Management
User Rights Management provides a granular approach to delegating administrative rights to users and applications by assigning rights according to merit. This level of control can be deployed to elevate or restrict privileges on a case by case basis according to the preferred approach taken in the environment.

Wildcards
Both the asterisk (*) and question mark (?) characters can be used in a file or folder path in the Application Manager console. The asterisk represents one or more characters, excluding the backslash (\) character, whilst the question mark wildcard represents one character, excluding the forward slash (/) character. Both of the wildcard characters can be used in any part of a file path, including the drive letter for local paths. For example, c:\sample path\test?\*.exe matches all files with the .exe extension that exist in the folders c:\sample path\test1, c:\sample path\test2, ... c:\sample path\test(n), etc.
But since the question mark can only replace one character, it does not match c:\sample path\test100. The only limitation imposed by Application Manager on the use of wildcards is that the asterisk cannot be used to match more than one subdirectory.
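To review what a path rule covers before deploying it, the wildcard rules in this entry can be modelled as a small matcher. This is an added example, not part of the guide or of AppSense code: it follows the glossary wording only, the function names and sample paths are constructed, and case-insensitive comparison is an assumption.

```python
import re

def compile_console_pattern(pattern):
    """Translate a console-style path pattern into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r"[^\\]+")  # one or more characters, never a backslash
        elif ch == "?":
            parts.append(r"[^/]")    # exactly one character, never a forward slash
        else:
            parts.append(re.escape(ch))
    # Assumption: paths compare case-insensitively, as on Windows file systems.
    return re.compile("".join(parts), re.IGNORECASE)

def matches(pattern, path):
    """True when the whole path is covered by the pattern."""
    return compile_console_pattern(pattern).fullmatch(path) is not None

def audit_pattern(pattern, paths):
    """Return (covered, not_covered) so a rule can be reviewed before deployment."""
    regex = compile_console_pattern(pattern)
    covered = [p for p in paths if regex.fullmatch(p)]
    not_covered = [p for p in paths if not regex.fullmatch(p)]
    return covered, not_covered

# Constructed sample paths for illustration.
SAMPLE_PATHS = [
    r"c:\sample path\test1\app.exe",
    r"C:\Sample Path\test2\Setup.EXE",
    r"c:\sample path\test100\app.exe",    # '?' replaces only one character
    r"c:\sample path\test1\sub\app.exe",  # '*' does not span a subdirectory
    r"c:\sample path\test1\readme.txt",
]

if __name__ == "__main__":
    covered, not_covered = audit_pattern(r"c:\sample path\test?\*.exe", SAMPLE_PATHS)
    for p in covered:
        print("covered    ", p)
    for p in not_covered:
        print("not covered", p)
```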