Question

How to import multiple applications in a Low Flex App Group in BT EPM

  • April 8, 2026
  • 6 replies
  • 26 views

Hello,

I am working on creating a new BT EPM policy for our Win 10 and 11 systems in our environment. I created an application group and added it under the Low Flex workstyle. I am trying to create a policy that will block all the applications except the ones I have approved in SCCM Software Center and Intune. My problem is that I have a list of a couple of hundred approved apps and I don’t want to add them to the application group manually one by one.

Is there a way to import them from an Excel list if I populate the Excel with publisher and product name and whatever else I might need? Or is there any API I can use for that?

Thank You

6 replies


Hi Marius.

That can be done by creating generic rules for SCCM.
Anything that is deployed from SCCM gets Trusted ownership and exists in protected locations; we know where the files exist on the endpoint when deployed from SCCM.

c:\Windows\ccmcache \ccm etc.

Here we can create rules for MSI and EXE files using the Trusted Ownership and filepath.

NOTE: The trusted location requires admin rights to access (High Flex has access by default), which is a risk.

The older QuickStart policy did have the rules in place for this, but they got removed related to some risk issues, which could be the default access to those folders for High Flex.

I have attached a copy of the old rule in a policy XML.

Make a copy of your current policy, then merge the SCCM.xml into your policy and review if that will work for you.

All the best
Jens
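
A read-only audit of the two conditions the reply above relies on, Trusted Ownership and a protected file path, added here as an example; it is not part of the thread or of BeyondTrust's tooling. The default path and the trusted SID set (SYSTEM, Administrators, TrustedInstaller) are assumptions; adjust them to what your deployment and product documentation specify.

```powershell
# Added example (not from the thread). Run elevated so the cache is readable.
param([string]$Path = 'C:\Windows\ccmcache')   # assumed SCCM cache location

$sidType = [System.Security.Principal.SecurityIdentifier]
# Assumed trusted owners: SYSTEM, BUILTIN\Administrators, TrustedInstaller
$trusted = @('S-1-5-18', 'S-1-5-32-544',
             'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')
# CREATOR OWNER (S-1-3-0) only applies to whoever could already create a file
$okWriters = $trusted + 'S-1-3-0'

# Rights that let a principal plant or replace a file under the rule's path,
# plus raw GENERIC_ALL / GENERIC_WRITE bits seen on inherit-only ACEs
$names = 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int][System.Security.AccessControl.FileSystemRights]$names -bor 0x50000000

if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "$Path not found"; return }

# 1. Folder ACLs: allow ACEs giving write-type rights outside the trusted set
$dirs = @(Get-Item -LiteralPath $Path) +
        @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue)
foreach ($dir in $dirs) {
    (Get-Acl -LiteralPath $dir.FullName).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ([int]$_.FileSystemRights -band $writeMask) -and
                       $okWriters -notcontains $_.IdentityReference.Value } |
        ForEach-Object {
            [pscustomobject]@{ Finding   = 'WritableByUntrusted'
                               Item      = $dir.FullName
                               Principal = $_.IdentityReference.Value
                               Rights    = $_.FileSystemRights }
        }
}

# 2. Owners: EXE/MSI files whose owner is not in the trusted set
Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.msi' } |
    ForEach-Object {
        $owner = (Get-Acl -LiteralPath $_.FullName).GetOwner($sidType).Value
        if ($trusted -notcontains $owner) {
            [pscustomobject]@{ Finding   = 'UntrustedOwner'
                               Item      = $_.FullName
                               Principal = $owner
                               Rights    = 'Owner' }
        }
    }
```

No output means every folder under the path is writable only by the trusted principals and every installer there has a trusted owner; any row is a location or file that a path plus ownership rule would cover but a non-admin account can influence.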


  • Author
  • Apprentice
  • April 8, 2026

Thank you Jens, that will help me a lot. How about applications enrolled in Intune? Is there a way to make something similar for Intune?



You are welcome.

You can use the same logic for any deployment tool; most important is Trusted ownership and a Secure Location, as we do not want end users to be able to misuse our rules.

I typically strip a lot of options from High Flex users for being able to use a lot of the Recommended Restricted functions, as I do not see Dev users having a need for SysPrep UAC settings etc., including the File/operations that would have allowed them access to protected locations.

Also, MS has made a change to the OS: when using the File/operation, it automatically adds ownership to users, which causes a whole other level of issues.

Jens



Then just to add additional info: you only need to have rules in place for applications that run in the context of the logged-on user.

Normally that should be very limited when pushing software from a deployment tool (SCCM, Intune, Altiris etc.); these tools can by default run the majority in the context of system, and do not require rules to be created for them.

Jens


  • Author
  • Apprentice
  • April 9, 2026

Thank you again, Jens. The goal I am trying to reach is to block all apps from being installed from the internet or external sources and only allow the ones that are enrolled in Intune and SCCM. I already have a block-all rule in place, and on top of that I want to create a rule that will allow users in our environment to install and run applications from those 2 locations.



This will require quite a lot of allow listing to be done.

The QuickStart Policy Low Flexibility workstyle comes by default with a block for all unknown, starting off with a message “Allow Message (Support Desk)” on “(Default) Any Application”.

We can’t do that out of the gate, so allow-listing has to be completed. Create an Events view like this

This will be what needs to be allow-listed.

Once you have eliminated events coming from here, we can either block or show the support desk message again, and you are good to go.

KR Jens