Why You Still Need Application Control on Modern Managed Devices

Ensuring Security Without Compromising User Experience

In today's digital landscape, the management of applications on modern devices is more critical than ever. Even when users are restricted to normal user rights, the potential for security vulnerabilities is still significant. In this blog I highlight the importance of using an application control solution to mitigate these risks effectively.

Understanding the Need for Application Control

Despite advancements in device management and the fact that we strip users of admin rights, users can still start applications directly from USB sticks or download and install software that lives entirely within their user profile. For example, common applications like Zoom, Webex, and Chrome can install in such a manner, bypassing traditional administrative control. This scenario poses a significant challenge for IT administrators, who need to ensure that only authorized and secure applications are running on the network and must keep applications up to date to minimize security risks for the company.

The Risks of Uncontrolled Application Installations

When users can install applications in their user profiles, it creates several security and management issues:

  • Security Vulnerabilities: Unauthorized applications can introduce various types of malware, such as ransomware, spyware, and adware, which can lead to data breaches, financial loss, and reputational damage.
  • Version Control Issues: It becomes difficult to manage and update all instances of a particular application, leading to scenarios where multiple versions of software like Chrome are in use, some of which may be outdated and vulnerable.
  • Compliance Challenges: Ensuring that all applications meet organizational and regulatory compliance standards becomes increasingly complex.

Case in Point: Managing Chrome Versions

In the last couple of months, several customers who moved to modern management have raised a common concern: How do we update all the user-installed applications?

What happened? They ran a vulnerability scan in their environment and found multiple applications installed in user profiles, one of which is Google Chrome. One of those customers found that more than 15 different versions existed in the company environment, flagging full red in their vulnerability scans. Even on a single device, multiple installations existed in the different user profiles. The inability to collectively update these versions led to security risks and compliance issues.

Currently, there is no straightforward way to update these versions collectively. It is not possible to update applications that are installed in the profiles of users who are not logged in on a device. And even when they log in, it is hard to update those installations, as most patch solutions can only update the system-wide installation and not the different versions installed in user profiles.
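
To see how large this problem is on a single device, the following PowerShell sketch lists every Chrome installation it finds, including those in the profiles of users who are not logged in. It is an added example, not part of the original article or of any vendor tooling; the Chrome install paths are assumed defaults, and the script must run elevated to read other users' profile folders.

```powershell
# Added example: inventory Chrome installs per user profile and system-wide.
# Assumption (not from the article): Chrome's default install locations.
$perUserRelative = 'AppData\Local\Google\Chrome\Application\chrome.exe'
$systemWide = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe"
)

function Get-ChromeInstall {
    param([string]$Path, [string]$Scope, [string]$Owner)
    # Emit nothing when this location holds no chrome.exe.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return }
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Scope    = $Scope
        Owner    = $Owner
        Version  = $item.VersionInfo.ProductVersion
        Path     = $item.FullName
    }
}

# Read profile folders from the registry ProfileList instead of assuming
# C:\Users, so profiles of users who are not logged in are covered too.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$results = @(
    foreach ($key in Get-ChildItem -Path $profileList) {
        $profilePath = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
        if (-not $profilePath) { continue }
        $owner = Split-Path -Path $profilePath -Leaf
        Get-ChromeInstall -Path (Join-Path $profilePath $perUserRelative) `
                          -Scope 'UserProfile' -Owner $owner
    }
    foreach ($path in $systemWide) {
        Get-ChromeInstall -Path $path -Scope 'System' -Owner 'AllUsers'
    }
)

# One row per installation found on this device.
$results | Sort-Object Scope, Owner | Format-Table -AutoSize

# Number of installations per version: more than one row means version drift.
$results | Group-Object Version | Select-Object Count, Name
```

Collected across devices, the per-version counts show the same picture the vulnerability scan reported, and they give a baseline to measure against once application control blocks new profile installs.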

The recommended approach is to prevent such installations in the user profile entirely by using a solution that does application control or application lockdown on the devices. That means denying the installation of applications downloaded from the internet, even when they only install in the user profile, denying the start of applications from a memory stick, and allowing only approved applications to run. However, this brings us to the need to balance security with user experience.

Maintaining User Experience While Ensuring Security

Blocking the installation of applications in user profiles can be perceived as restrictive, which may hinder user productivity and satisfaction. At worst people will try to work around the problem, introducing shadow IT and even shadow devices in the environment. Therefore, an effective application control solution must be flexible enough to address both security and usability and should also be combined with an application portal and patching solution.

New versions of applications should be placed in the portal quickly, while a patching solution patches the installed system applications as quickly as possible. To minimize downtime, you can use different schedules per risk level and even per application. Automation, insights, and deployment rings keep the administrative effort to a minimum.

Flexibility and Administrative Empowerment

If an application installation is blocked, the user should first be redirected to the application portal to install approved applications. Administrators should monitor blocked applications and check whether an application should be added to the application portal. The same blocked-application message should also notify the user, or a certain group of users (for example VIP users), that they can call the support desk for help, for example by making a temporary exception.

The ideal application control solution should:

  • Allow Temporary Exceptions: Quickly enable the running of specific blocked applications when necessary. This can be a one-time exception, but it can also be used to get a VIP employee working right away while administrators create and evaluate the application rules, so the VIP does not have to wait and by the next day everything is configured to work without restrictions.
  • Empower Users: Provide users with the ability to perform certain administrative tasks without compromising the overall security posture. For example, give developers the possibility to use certain apps with higher privileges on demand, but with reporting of the reason.

Conclusion

In conclusion, while modern managed devices offer robust security features, the need for an Application Control solution remains paramount. Such a solution should not only prevent unauthorized installations but also ensure that IT administrators can keep control over the application environment without sacrificing user experience. By implementing a flexible and responsive Application Control strategy, organizations can safeguard their digital infrastructure while keeping a high-scoring end-user experience.

Kwasi Asare

Cybersecurity Engineer | Aspiring EC-Council C/CISO | Certified by XM Cyber, Fortinet, Cisco, Microsoft, IBM, Coursera, Infosec, THM and CISA. Experienced in Endpoint hardening, Threat mitigation, and Incident response.

6mo

Great advice
