Environment
- App Control Server: All Supported Versions
- App Control Agent: All Supported Versions
Question
What is the App Control Policy Enforcement level?
Answer
Enforcement level is the protection applied on a computer running the App Control Agent, the following table describes each enforcement level:
| Enforcement Level | Use When |
|---|---|
| High (Block Unapproved Files) | For the highest protection level, and when it is practical to pre-approve the applications you need and want to run on computers in the policy, use High enforcement. High enforcement permits only explicitly approved files to run. Computers on which the application configuration seldom changes – servers or single-purpose systems, for example – are good candidates for High enforcement. For computers with more dynamic application configurations, High enforcement might be usable if you also pre-approve files via trusted directories, trusted users, approved publishers, enabled updaters, or reputation approvals. Except for files already identified and banned on the App Control Server, all files that exist on computers before you install the App Control Agent are locally approved and permitted to run on that computer under High enforcement. High enforcement is available to policies in Control mode. |
| Medium (Prompt Unapproved) | To operate in a condition that prevents unchallenged execution of unapproved files but does not completely block them, use Medium enforcement. Medium enforcement blocks all Unapproved files from executing but displays a dialog on client computers that lets the user decide whether to run the file. If the user allows the file to run, it is locally approved on that computer and always permitted to run. If an Unapproved file is run remotely from a network share or removable device and allowed by the user, it is temporarily approved to run (the approval remains for 14 days). NOTE: Some removable or network drives are not recognized by App Control, especially on non-Windows systems. Files run from these drives are treated like local files. |
| Low (Monitor Unapproved Files) | When you are not concerned about unknown files and only need to block files that you have specifically banned, use Low enforcement. Low enforcement blocks banned files while allowing users to install software that are Approved or Unapproved (neither banned nor approved). Although Unapproved files are permitted to execute, you can monitor them and respond with emergency lockdown if necessary. Low enforcement is available to policies in Control mode. |
| None (Visibility) | To track file activity without blocking it, set the Enforcement Level to None (Visibility). Visibility mode tracks executable file activity on your computers through App Control’s reporting and asset management features (drift reports, event reports, file inventory, etc.), but enforces no rules. It can be a first step on the way to implementing a more controlled environment. Click Visibility in the Mode line to choose this level. |
| None (Disabled) | To stop all enforcement and tracking activities, choose None (Disabled) mode. You might do this if:
Click Disabled in the Mode line to choose this level. NOTE: An agent in None (Disabled) mode continues to monitor (but not report to the server) certain operations to avoid gaps in file and process information if the agent is later brought back into an active mode. This normally requires a very minimal amount of resources on the agent computer, although if an extremely large number of writes are performed, the impact may be noticeable. |
Additional Notes
The following are the effects of a Policy by Enforcement Level it is configured for:
This is a article attached imageRelated Content
Thank you for your feedback.
Your feedback has been submitted and will be reviewed.