Creating App Policies
A brief and simple guide to creating app policies for your apps and certificates.
Methods to Add Trust
If you have hundreds of computers in a subgroup and want to filter them based on certain conditions, you have options: the "More" button expands the filter menu.
Note: You can use the Pivot Table to visualize and apply other kinds of filtering operations if that is what you need, but you cannot start a Learn Mode session from the Pivot Table.
Note about the use of Learn Mode sessions
Before we proceed further, I want to touch on a few things. Learn Mode usage should be for situations such as when you update your system and want to learn new apps and CERTs for a certain time frame.
Learn Mode usage is not recommended when you have just created a subgroup and attached computers for the first time, while your Trust-List is empty.
When you on-board new computers you should trust apps and certificates manually to make sure you have an accurate, efficient and manageable Trust-List.
Starting a Learn Mode session
If you want to start a Learn Mode session, first find the computer you want to initiate this process on. Click on the "Show Hosts" icon; this will show you all of your computers in that specific subgroup.
This is the Host List Filtering Options menu, which can also provide additional filters when you click the "Filters" button.
There are two ways of starting a Learn Mode session.
The first way to start it is by clicking on the "Learn Mode" button you see when you hover over one of your systems, or the second
Click on the "Learn Mode" button to see the Learn Mode options to choose your preferred one.
Learn Mode Options
We are now presented with four different options:
Learn Only CERTs and Unsigned Apps: In this setting, CERTs and unsigned apps are learned. At the end of the Learn Mode session, the CERTs and unsigned apps that were used during the session are added to your Trust-List as one item indicating that it is a Learn Mode session, along with all the apps and CERTs learned.
Only CERTs: In this setting, only the CERTs of the apps used during the session are learned. They are then added to your Trust-List as one item that indicates a Learn Mode session was done.
Only Handprints: In this setting, only the handprints are learned. The session is then added to your Trust-List as one item that indicates a Learn Mode session was done.
Learn All CERTs and Handprints: In this setting, all CERTs and Handprints are learned and added to your Trust-List as one item that indicates a Learn Mode session was done.
The second way to start a Learn Mode session is to select a computer in your Host List and scroll down to see more options.
You should be able to see a red button saying "Start Learn Mode". Click on "Start Learn Mode" to see more options, so you can choose the one that fits your needs.
Click "Start Learn Mode"
If you need to know what each option does, please go back to the Learn Mode Options section of this guide, where I explain them in more detail.
In this case, I decided that I want to start a Learn Mode session because I downloaded a new program and I do not want it to get blocked. I will choose the "Only CERTs" option in order to learn the certs used during the session.
The red "Start Learn Mode" button changes to yellow, letting you know that a Learn Mode session has started.
This is how your computer lets you know that a Learn Mode session is in progress; it shows the time at which the session will stop. Please make sure you "Stop" the session before the time is up, or if you do not want to stop it, you can "Extend" the session duration.
Now, I will stop my Learn Mode session, so I click on "Stop/Extend" to choose more options.
Click "Stop Learn Mode" to stop the Learn Mode session.
Something to remember after doing a Learn Mode session: sometimes, based on past experience, the Learn Mode session is added to your Trust-List but is marked as a distrusted item instead of a trusted one. If this happens to you, just click the "Trust" button to activate trust for the learned apps.
Trusting an App
This is a very simple process. In this example, I have a number of blocked alerts in one of my groups called "Test Lab". Click on the Blocked Apps button (the red lock in the subgroup options menu).
Note: The alert number is the quantity of events that happened, as seen through "Groups I Manage" or "Groups with Alerts".
I see that HXOUTLOOK.EXE was blocked and this is one of the apps I need right now, so, I click the event for more information.
I see that this Outlook app has a code-signing certificate, but I do not want to trust the certificate for now. In this case I want to trust the App (this trusts the Handprint only).
Click "App"
Click on "Trust This App" to add this program to your Trust-List. As soon as you add this program to your Trust-List, there should not be any problems in your system; the app will work right away, unless it requires other components to work. In that case you could use Trusted Children to trust the components of a "Parent" app.
I hope I do not confuse you with the word "Components". I use it to refer to all the "moving parts" of an executable program (.exe files) and what they need to work properly and accomplish their purpose. You can see the Trusted Children as all of those moving parts that work together to make sure the program does not fail.
Trusting a CERT
Let's now trust a CERT. In this example I want to trust an app's certificate, so that all the apps signed with this CERT will be allowed to run. Click on the event to see more information.
Click the certificate name to trust this certificate.
Click "Trust This CERT" after you have filled in the information about this certificate.
Accessing your Trust-List
Click "Show Trust-Lists" to access your Trust-List and verify that the trust was added successfully.
Click on "Apps"
Here we have the two apps we added today. Click on the Trust-List item to see more information about when this policy was added and by whom.
Click "Distrust" if you decide you want to disable the trust for this app.
If you want to remove this app from the Trust-List, you first have to do the previous step of distrusting the app by clicking "Distrust", and then click "Disable App" to fully remove it from your Trust-List.
Click "Disable It"
If you want to remove a certificate, it is the same process as removing an app. Click this Trust-List item to see more information.
Click "Distrust"
Click "Disable App"
Click "Disable It"
You can also select a period of time to see the apps that were trusted in a specific date range.
Here I used the calendar filters to see all the apps that were trusted from February 07 2024 to Jun 25 2024.
If you want to see what apps have been added to your Trust-List recently, click "My Recent" to see a full list of them. If you need to act fast, you can distrust and disable them from there too.