App Locker

The App Locker feature in SureMDM enables IT administrators to control application execution on managed Windows devices. By allowing or denying execution of .exe, .msi, and script files, App Locker ensures only approved applications and scripts run on devices, enhancing security and preventing unauthorized usage.

  • Block or allow applications that are not explicitly added to the profile.
  • Specify folders or user groups where unlisted applications can run.
  • Simplify app discovery and inclusion in profiles using the App Inventory Tool.

Configuration Steps

  1. Navigate to the SureMDM Web Console > Profiles > Windows > Add > App Locker > Blocklist Apps or Allowlist Apps.
  2. Enter a Profile Name and click Add.
  3. Configure the App Locker settings and click Add > Save.

App Configuration

1. Store Apps

Option and description:

  • Allow all other signed store apps not added in this profile
    • Allow: Permits unlisted signed store apps to run.
    • Deny: Blocks all unlisted signed store apps.

2. EXE Apps

Option and description:

  • Allow all other .exe apps not added in this profile: Define whether to allow or deny execution of .exe files that are not explicitly listed.
    • Allow: Permits unlisted .exe files to run.
    • Deny: Blocks all unlisted .exe files.
  • Allow all other .exe apps in these folders: Specify folder paths where unlisted .exe files are permitted to run.
    • Default paths:
      • C:\Program Files
      • C:\Windows\System32
    • Note: Removing default folders may block critical system processes and render the device unusable.
  • Allow all other .exe apps for Accounts in these User Groups: Define user groups where unlisted .exe apps are allowed to run.
    • Use Security Identifiers (SIDs) to add user groups.
    • Default SID: S-1-5-32-544 (Administrators group).

3. MSI Apps

Option and description:

  • Allow all other .msi apps not added in this profile: Define whether to allow or deny execution of .msi files that are not explicitly listed.
    • Allow: Permits unlisted .msi files to run.
    • Deny: Blocks all unlisted .msi files.
  • Allow all other .msi apps in these folders: Specify folder paths where unlisted .msi files are permitted to run.
    • Default paths:
      • C:\Program Files
      • C:\Windows\System32
  • Allow all other .msi apps for Accounts in these User Groups: Define user groups where unlisted .msi apps are allowed to run.
    • Use SIDs to specify groups.
    • Default SID: S-1-5-32-544 (Administrators group).

4. Scripts

Option and description:

  • Allow all other scripts in these folders: Specify folders where unlisted scripts are allowed to run.
    • Default paths:
      • C:\Program Files
      • C:\Windows\System32
  • Allow all other scripts for Accounts in these User Groups: Define user groups for which unlisted script files can run.
    • Use SIDs to add groups.
    • Default SID: S-1-5-32-544 (Administrators group).
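The "User Groups" fields in the EXE, MSI and Scripts sections above take SIDs rather than group names. The following PowerShell, added here as an example and not part of SureMDM's documentation or tooling, resolves a group name to its SID and, in the other direction, confirms what a SID already in a profile refers to. The domain group name CONTOSO\App Packagers is an assumed placeholder.

```powershell
# Added example (not SureMDM code): translate between group names and the SIDs
# that the App Locker "Accounts in these User Groups" fields expect.

function Get-GroupSid {
    param([Parameter(Mandatory)][string]$GroupName)
    try {
        $account = [System.Security.Principal.NTAccount]::new($GroupName)
        $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Warning "Group '$GroupName' could not be resolved on this machine/domain."
    }
}

function Get-SidAccountName {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $sidObject = [System.Security.Principal.SecurityIdentifier]::new($Sid)
        $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Warning "SID '$Sid' does not map to a known account."
    }
}

# The page's default SID, S-1-5-32-544, is the built-in Administrators group.
Get-GroupSid 'BUILTIN\Administrators'        # S-1-5-32-544
Get-SidAccountName 'S-1-5-32-544'            # BUILTIN\Administrators

# A domain group (placeholder name; assumed to exist) yields a domain-specific SID
# that can be pasted into the profile instead of the Administrators default.
Get-GroupSid 'CONTOSO\App Packagers'
```

Resolving a domain group requires the device to be joined to, and able to reach, that domain.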

Add Apps

Option and description:

  • Application List: Select applications from the SureMDM app inventory.
  • Custom App: Add a custom application.
    • AppType: Select the type of custom app to be added.
    • Condition:
      1. Path/Package Name: Full file path or publisher of the app/script.
      2. Package Name: Package name of the application/script.
      3. Binary Name: Binary name of the application/script.
  • Customer Managed App Inventory: Select from a list of apps populated by administrators using the Customer Managed AppLocker Inventory Tool.
  • Action:
    • Allow: Permit the app or script to run.
    • Deny: Block the app or script.

App Inventory Tool

The App Inventory Tool simplifies the discovery and management of applications installed on devices.

Purpose

  • The AppLocker App Inventory Tool is a utility used to help administrators manage and maintain the application inventory of portable .exe apps.
  • Install the tool to report a list of portable .exe files/apps.

Steps to Use the Tool

  1. Download and Run the App Inventory Tool on the desired device.
  2. Enter Username, Password, Customer ID, API Key, and Endpoint URL.
    • Username: The same username used to log in to the SureMDM console.
    • Password: The password associated with the Username.
    • Customer ID or Account ID: The identification number of the SureMDM account.
      • The Customer ID can be copied from the SureMDM Console (Settings > Account ID).
    • API Key: Copied from Account Settings in the SureMDM Console (Settings > Account Management).
      • Note: The SureMDM administrator requires the appropriate RBAC permissions to access it.
    • Endpoint URL: The URL used to log in to the SureMDM console.
  3. Once done, click Next.
  4. Once successfully configured, the AppLocker Inventory home screen will appear.
  5. Click on Back to details to go back and edit the account settings configuration.
  6. Click on Add App to add .exe applications to the inventory. Alternatively, drag and drop the .exe file into the tool to add applications.
  7. Click on Send Apps to send the applications to the console. Apps added to the inventory appear in the App Locker payload of the Windows profile (Profiles > Windows > App Locker > Add Apps > Add > Customer Managed App Inventory).
  8. Click on Remove App to remove an app from the App Inventory Tool so that it is no longer reported to the console.

Once saved, the newly created profile is listed in the Profiles section. To apply it to devices:

  1. Go back to the Home tab and select the Windows device(s) or group(s).
  2. Click Apply to launch the Apply Job/Profile To Device prompt.
  3. Select the profile under All Jobs/Profiles.
  4. Click Apply in the Apply Job/Profile To Device prompt.

Notes and Best Practices

  1. Avoid Removing Default Folders:
    • Paths like C:\Program Files and C:\Windows\System32 contain critical system files. Removing them may disrupt system functionality.
  2. Leverage App Inventory Tool:
    • Regularly scan devices using the tool to ensure no critical apps are inadvertently blocked.
  3. Granular User Group Control:
    • Use Security Identifiers (SIDs) to differentiate app permissions for administrators and standard users.
  4. Test Before Deployment:
    • Always test the App Locker configuration on a few devices before deploying it organization-wide.
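To support the "Test Before Deployment" and "Leverage App Inventory Tool" practices, the PowerShell below, added here as an example and not part of SureMDM or its App Inventory Tool, lists the executables currently running on a test device that sit outside the profile's two default folders. With "Allow all other .exe apps not added in this profile" set to Deny, these are the programs that would need an explicit Allow entry, or an additional folder, to keep running. Note that the defaults cover C:\Program Files but not C:\Program Files (x86), which the prefix check below treats as a separate folder.

```powershell
# Added example (not SureMDM code): find running executables that the page's
# default folder allowances would not cover.
$allowedFolders = @('C:\Program Files', 'C:\Windows\System32')   # defaults from the profile

function Test-InAllowedFolder {
    param([string]$Path, [string[]]$Folders)
    foreach ($folder in $Folders) {
        # Match on a trailing separator so 'C:\Program Files (x86)\...' does not
        # count as being under 'C:\Program Files'.
        $prefix = $folder.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Processes without a Path (protected or system processes when not elevated) are skipped;
# run from an elevated prompt for a complete picture.
Get-Process |
    Where-Object { $_.Path } |
    Select-Object -ExpandProperty Path -Unique |
    Where-Object { -not (Test-InAllowedFolder -Path $_ -Folders $allowedFolders) } |
    ForEach-Object {
        # Publisher information helps decide whether a Path or Publisher condition is the better Allow entry.
        $sig = Get-AuthenticodeSignature -FilePath $_
        [pscustomobject]@{
            Path      = $_
            Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            Signature = $sig.Status
        }
    } |
    Format-Table -AutoSize
```

Review the output against the profile before deploying it organization-wide; an unsigned executable in a user-writable folder is a candidate for removal or an explicit rule, not for widening the default folder list.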