Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

What's covered

Create an Environment Variable Action

Create a Blank Application Control Policy

Test the New Policy

 

Using Application Control Solution you can override UAC prompts for end-users. You can create custom messages that require users to submit a reason for requesting administrator rights, which replace UAC prompts for credentials.

You can create three types of custom messages: (For details on how to create this custom message, go to

  1. Self-Elevation Without Adding Administrator Rights will capture the reason and close the application. (For details on how to create this custom message, go to [READY] to Self-Elevation Without Adding Administrator Rights.) 
  2. Self-Elevation will capture the reason and allow end users to automatically have administrator rights. (For details on how to create this custom message, go to [READY] Self-Elevationelevation.)
  3. Request Elevation will capture the reason and go through an approval process with the help desk. (For details on how to create this custom message, go to [READY] Request Elevationelevation.)

 

Overriding UAC prompts is a three-step process:

  1. Create an There is an out-of-the-box Environment Variable Filter called User Access Control Consent Dialog Detected.
  2. Create an Environment Variable Action. this action is used There is an out-of-the-box Environment Variable Action called Suppress User Account Control Consent Dialog, which you'll use to prevent the UAC prompt from showingappearing.
  3. Create a Blank Application Control Policy.
  4. Test the New Policy 

To create an Environment Variable Filter, do the following steps:

...

Anchor
Policy
Policy
Create a Blank Application Control Policy

Next, create a Blank Application Control Policy by doing the following steps:

  1. In the file library in the left pane, navigate to to Policies > Arellia Thycotic Solutions > Application Control > Actions > Environment VariablesPolicies. 
  2. Right-click Environmental Variables and Policies and click New > Set Environment Variable Action.
    Image Removed Blank Application ControlPolicy. 
     Image Added
  3. In the Create Item dialog, enter a Name and Description
    Image Removed
     
  4. Set the Environmental Variable Name to __APPINFO_RUNADMIN
  5. Leave the Value field empty. 
  6. Click Save.
    Image Removed

 

Next, create a Blank Application Control Policy by doing the following steps:

  1. In the file library in the left pane, navigate toNavigate to Policies > Arellia Solutions > Application Control > Policies. 
  2. Right-click Policies and click New > Blank Application Control Policy. 
    Image Removed 
  3. Set the application target to the new UAC detected filter from step 2
  4.  

    Image Added
     
  5. In the right pane under the Applications to Control, click the Applications link and choose the new Environment Variable Filter. (Optionally you can change this so only certain applications or certain users will have see the UAC overridden UAC prompt overridden.)
  6. Image Removed
  7. Under Exclude conditions add Under Conditions (optional), click the Exclude any and add the Administrators filter to stop child processes (which inherit elevation) from triggering this policy.
    Image Added
  8. Click on the Application Actions tab and set the action to the Clear UAC dialog action from step 6
  9. Also set the action to include one of the following:
  10. Add Administrator Rights, and .
  11. To the right of Applications, select Application action and then click the Select link.
  12. In the Select Items dialog box, select the following:
  13. The Environment Variable Action you created previously.
    1. Add Administrator Rights.
    2. Justify Application Elevation Dialog (this will behave
    like [READY] Self
    1. like Self-Elevation).
    Add Administrator Rights, and
    1. Justify Application Elevation (kill process) Dialog (will behave
    like [READY] Self
    1. like Self-Elevation Without Adding Administrator Rights).
    Add Administrator Rights, and
    1. Approval Request Form Action (will behave
    like [READY] Request
    1. like Request Elevation).
    Image Removed
    1. Image Added
  14. Click Save

Anchor
Test
Test
Test the New Policy

To test the

...

new policy, do the following steps:

  1. Update the policies on an endpoint. 
  2. Test the policy by right-clicking Command Prompt and selecting click Run as administrator.

Image Modified

Instead of seeing UAC, you

...

will see the custom message

...

shown in the following screenshot.

Image Added

The recorded response will then be sent to the

...

Thycotic Management Server where it can be reviewed by the help desk team.