
Adding Applications to Applications Policy Group


After an application group has been created, the user should assign applications to it. Clicking the settings icon on the application policy group opens a menu. From this menu, the user can edit the existing attributes of the application group, add a new application to the group, or delete the application group. Clicking edit starts the same flow as creating a group, filled in with the existing attributes.

Application Group Settings


After the add a new application button is clicked, Kron PAM asks for the application attributes. As said earlier, the user can either enter these attributes manually or select from the discovered applications, as shown in the figure below. The application name is mandatory when adding a new application; the hash, version, vendor, path, publisher, and certificate are optional.

The match types available for each attribute are:

  • Application: “Exactly” and “Start with”
  • Hash: only “Exactly”
  • Version: “Exactly”, “Greater Than” and “Less Than”
  • Path: “Exactly” and “Start with”
  • Publisher: only “Exactly”
  • Certificate: “Exactly”
  • Vendor: “Exactly”

Adding a New Application


On the screen above, more than one parameter can be selected or typed in freely, as on the screen below. This feature lets you write a single policy that carries different metadata for the application. The agent handles such a policy as separate rules. For example, if you choose 2 different hashes for an application named xyz.exe, then when the end user executes xyz.exe both hashes are checked, and if there is a matching hash the policy is applied.

Certificate as metadata means the hash of the certificate on the application. If a certificate exists on the application, we extract the hash of the certificate, and this is generally unique data for the vendor.

Adding multiple metadata to a policy


When adding an application to the application policy group, there are some special use cases that apply only to path and vendor. For instance:

  • The app name is set to *.* and the vendor is Microsoft Corporation.

This means that every application whose vendor metadata is Microsoft Corporation will be allowed, blocked, or elevated according to your choice.

This feature is generally used to allow all applications from well-known vendors, but it can be dangerous, so use it with care.

  • The app name is set to *.* and a path is specified in the rule. When an app is executed under that path, the policy is applied as allow, block, or elevate. So, if the policy is allow, all applications executed under that path will be allowed.
Adding a policy with only vendor information

Adding a policy with only path information
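
A minimal model of the matching described above (several hashes on one application, and the *.* name with only a vendor or only a path), added here as an illustration; it is not Kron PAM's code or rule format. The Rule fields, the requirement that every field set on a rule must match, case-insensitive comparison, and dotted numeric versions are assumptions.

```python
from dataclasses import dataclass, field

def _ver(v):                      # "2.10.1" -> (2, 10, 1); dotted numeric form assumed
    return tuple(int(p) for p in v.split("."))

def _match(kind, want, got):      # match types as listed on this page
    if got is None:
        return False
    if kind == "Exactly":
        return got.lower() == want.lower()          # case-insensitive: assumption
    if kind == "Start with":
        return got.lower().startswith(want.lower())
    if kind == "Greater Than":
        return _ver(got) > _ver(want)
    if kind == "Less Than":
        return _ver(got) < _ver(want)
    raise ValueError(f"unknown match type: {kind}")

@dataclass
class Rule:                       # hypothetical model, not Kron PAM's schema
    label: str
    name: tuple                   # (match type, value); value "*.*" means any name
    action: str                   # "allow", "block" or "elevate"
    hashes: list = field(default_factory=list)      # several hashes: any one may match
    vendor: str = None            # "Exactly" only
    path: tuple = None            # (match type, value)
    version: tuple = None         # (match type, value)

    def matches(self, proc):      # fields that are set must all match (assumption)
        kind, value = self.name
        if value != "*.*" and not _match(kind, value, proc.get("name")):
            return False
        if self.hashes and proc.get("hash") not in self.hashes:
            return False
        if self.vendor and not _match("Exactly", self.vendor, proc.get("vendor")):
            return False
        for rule_field, key in ((self.path, "path"), (self.version, "version")):
            if rule_field and not _match(rule_field[0], rule_field[1], proc.get(key)):
                return False
        return True

def matching(rules, proc):        # labels of every rule that applies to a process
    return [r.label for r in rules if r.matches(proc)]

def broad(rules):                 # "*.*" rules where vendor or path alone decides
    return [r.label for r in rules if r.name[1] == "*.*" and not r.hashes]

RULES = [                         # constructed sample rules
    Rule("xyz-two-hashes", ("Exactly", "xyz.exe"), "allow", hashes=["aaa111", "bbb222"]),
    Rule("ms-vendor", ("Exactly", "*.*"), "allow", vendor="Microsoft Corporation"),
    Rule("tools-path", ("Exactly", "*.*"), "allow", path=("Start with", "C:\\Tools\\")),
]
```

Calling broad(RULES) on a rule set lists the wildcard rules worth reviewing: in this model, once the vendor or path of such a rule matches, any file name and any hash is accepted.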


After selecting the application name or other values, the user can optionally select the child process configuration for this application. Since this is also selected when creating the application policy group, a different choice made here will overwrite that configuration. After the save button is clicked, the application is added to the group.

Application Child Process Config


There is also an easy way to add an application to an Application Policy Group. If the applications have been discovered and you can see them in the Discovered Applications section under the Application Catalog, you can click the green button on the application, fill in the necessary information, and then assign it to an Application Policy Group.

Adding applications to Application Policy Group on Discovered Applications