Certain aspects of Windows apps can be managed through Group Policy. The previous
section detailed the Group Policy setting to enable LOB Apps to be installed. Other settings
are configured using AppLocker.
Creating the rules for Windows apps involves configuring rules within the “Packaged
app Rules” section. You can either configure rules manually, use the Automatically Generate
Rules option, or Create Default Rules from the context menu. Choosing to Create Default
Rules automatically generates a rule to allow everyone to run all signed apps, as shown in
Figure 6-19.
However, a default rule to allow everyone to run all signed packaged apps may not be a
likely (or very secure) policy for most organizations. Therefore, you can change this policy to
Deny within its Properties dialog, as shown in Figure 6-20.
Once the rule has been changed to a default Deny policy, you can then add exceptions for
apps that will be allowed to run. This is accomplished through the Exceptions tab. Within the
Exceptions tab, shown in Figure 6-21, you can manage the current exceptions.
Adding an exception is accomplished by clicking Add, which reveals the Add Exception
dialog. Figure 6-22 shows the Add Exception dialog box used to configure an exception for
the app developed earlier in this chapter.
In addition to configuring exceptions for individual apps using their app package, you can
also choose to add exceptions using an installed package. In order for this to work, the app
has to be installed on the computer from which you’re using AppLocker. In the case of
Figure 6-23, AppLocker was run from a Windows 8 Enterprise computer; therefore, exceptions
can be granted for any of the apps installed there.
The enterprise scenario here is to configure exceptions for apps that are allowed, while
disallowing apps that an organization doesn’t want its users to run. It’s worth noting that
exceptions can be configured based on Active Directory group membership, so certain
groups could be allowed to run the Finance or Travel app.
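The same configuration the preceding steps walk through in the AppLocker console (the default packaged-app rule switched to Deny, exceptions for approved apps, and a rule scoped to an Active Directory group) can be expressed as an AppLocker policy XML and checked with the AppLocker PowerShell module. The script below is an added example, not code from the book or from Microsoft; it assumes a Windows 8 or later test machine with the AppLocker module, and the package name `Contoso.FinanceApp` and the group SID `S-1-5-21-0-0-0-1234` are placeholders to substitute with your own values.

```powershell
# Added example (not from the book): build the "Packaged app Rules" collection
# described in this section as policy XML and test it before applying it.
# Assumptions: AppLocker module available (Windows 8+); package name and group
# SID below are placeholders.
Import-Module AppLocker

$approvedPackageName = 'Contoso.FinanceApp'        # placeholder: the LOB app
$financeGroupSid     = 'S-1-5-21-0-0-0-1234'        # placeholder: AD group SID

# The exception must be built from an installed package, just as the console's
# "installed package" option requires the app to be present on this computer.
$pkg = Get-AppxPackage -Name $approvedPackageName
if (-not $pkg) { throw "Package $approvedPackageName is not installed here" }

# One FilePublisherCondition for a package: publisher (signing certificate
# subject), package name, and any version from the installed one upward.
function New-PackageConditionXml {
    param([object]$Package)
    $pub  = [System.Security.SecurityElement]::Escape($Package.Publisher)
    $name = [System.Security.SecurityElement]::Escape($Package.Name)
@"
      <FilePublisherCondition PublisherName="$pub" ProductName="$name" BinaryName="*">
        <BinaryVersionRange LowSection="$($Package.Version)" HighSection="*" />
      </FilePublisherCondition>
"@
}

$approvedCondition = New-PackageConditionXml -Package $pkg

# Rule 1 mirrors the chapter: the default "all signed packaged apps" rule for
# Everyone (S-1-1-0) changed to Deny, with the approved app as an exception.
# Rule 2 allows the approved app only for members of the Finance group.
# EnforcementMode is AuditOnly so the policy logs decisions without blocking.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny all signed packaged apps"
        Description="Default rule switched to Deny; approved apps are exceptions"
        UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
      <Exceptions>
$approvedCondition
      </Exceptions>
    </FilePublisherRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow Finance app for Finance group"
        Description="Group-scoped allow rule for the approved app"
        UserOrGroupSid="$financeGroupSid" Action="Allow">
      <Conditions>
$approvedCondition
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# Parse check: a malformed policy fails here rather than at Set-AppLockerPolicy.
$null = [xml]$policyXml
$policyPath = Join-Path $env:TEMP 'appx-rules.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run against every installed package: shows Allowed/Denied and the
# matching rule for each, so the exception list can be verified before deployment.
Test-AppLockerPolicy -XmlPolicy $policyPath -Packages (Get-AppxPackage) -User Everyone |
    Format-Table -AutoSize

# To apply locally:  Set-AppLockerPolicy -XmlPolicy $policyPath
# To apply to a GPO: Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap 'LDAP://<placeholder GPO path>'
```

Two points are worth keeping in mind when reading the test output. First, once any rule exists in the Appx collection, AppLocker denies packaged apps that no rule explicitly allows, so the group-scoped Allow rule is what actually lets the excepted app run; the exception on the Deny rule only keeps that rule from matching it. Second, the policy is written with EnforcementMode set to AuditOnly, which records the decisions in the AppLocker event log without blocking anything; switch it to Enabled only after the audit results match the intended allowed-app list.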