Create a Device Level Windows Application Restriction Policy

Admins can configure this policy to restrict user access to designated applications. The restrictions can be applied to individual devices or to device groups as needed. The device must be enrolled in JumpCloud MDM.

Note:

This is a device level policy that applies system-wide to the device and all of its users. You can bind this policy to individual devices or device groups. For policies that apply to a specific user's profile across devices, see Get Started: Policies and the Learn More section of this article.

Prerequisites

  • Target Windows devices must be enrolled in Windows MDM (Mobile Device Management).
  • Target devices must be running Windows 10 version 1511 (10.0.10586) or later. This policy is supported on the following Windows editions:
    • Windows Pro
    • Windows Enterprise
    • Windows Education
    • Windows SE
    • IoT Enterprise
    • IoT Enterprise LTSC
  • For more information on device compatibility, see Agent Compatibility, System Requirements, and Impacts.

Considerations

  • This policy comes into effect immediately after it is applied to the applicable Windows devices.

Creating the Policy

To create an Application Restriction policy for Windows devices, do the following:

Selecting the Policy Template

  1. Log in to the JumpCloud Admin portal.

Important:

If your data is stored outside of the US, check which login URL you should be using depending on your region. If your organization uses LDAP, RADIUS, or requires firewall allow list configuration, the Fully Qualified Domain Names (FQDNs) will also be region specific. See JumpCloud Data Centers for the URLs, FQDNs, and IP addresses.

  2. Go to Device Management > Policy Management. The Policy Management page is displayed.
  3. On the Policy Management page, click +Add New.
  4. Select Device Policy to assign the policy to devices and device groups. On the New Device Policy page:
    • Select the Windows tab.
    • Search and select the policy name and click Configure. The Details tab of the policy is displayed.
    • On the Details tab, configure the required settings.
    • (Optional) In the Policy Name field, enter a new name for the policy or keep the default. Policy names must be unique.
    • (Optional) In the Policy Notes field, enter details such as creation date of the policy, and information on testing and deployment of the policy.

Configuring the Policy

  • In the Search Inbox Apps & Components section, search and select the system apps that you want to be blocked.
  • In the Blocked File Extensions section, add the file extensions that you want to be blocked.
    • Enter the Publisher Name and Product Name.
    • Enter the Binary Name.
    • Select the File Extension from the dropdown. Add more file extensions using the Add button.

Tip:

Retrieve the publisher name and product name using the Get-AppLockerFileInformation cmdlet.

Here is an example:

PS C:\> Get-AppLockerFileInformation -Path "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" | Select -ExpandProperty Publisher

PublisherName    : O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
ProductName      : MICROSOFT® WINDOWS® OPERATING SYSTEM
BinaryName       : POWERSHELL.EXE
BinaryVersion    : 10.0.26100.1
HasPublisherName : True
HasProductName   : True
HasBinaryName    : True

AppLocker path variables and their Windows environment variable equivalents:

| Windows directory or drive                              | AppLocker path variable | Windows environment variable              |
|---------------------------------------------------------|-------------------------|-------------------------------------------|
| Windows                                                 | %WINDIR%                | %SystemRoot%                              |
| System32 and SysWOW64                                   | %SYSTEM32%              | %SystemDirectory%                         |
| Windows installation directory                          | %OSDRIVE%               | %SystemDrive%                             |
| Program Files                                           | %PROGRAMFILES%          | %ProgramFiles% and %ProgramFiles(x86)%    |
| Removable media (for example, CD or DVD)                | %REMOVABLE%             |                                           |
| Removable storage device (for example, USB flash drive) | %HOT%                   |                                           |

  • In the Blocked Microsoft Store Apps section, search and select the Microsoft Store apps that you want to be blocked.
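The following is an added example, not JumpCloud's own code, that builds on the Get-AppLockerFileInformation tip and the path-variable table above. It collects the Publisher Name, Product Name and Binary Name for every .exe in a folder, flags unsigned binaries (which carry no publisher information to enter in the policy), and rewrites each path using the AppLocker variables. The function names and the sample folder are assumptions.

```powershell
# Added example, not JumpCloud's own code. Requires the AppLocker module.
Import-Module AppLocker

function ConvertTo-AppLockerPath {
    param([Parameter(Mandatory)][string]$Path)
    # Most specific prefixes first, following the path-variable table above.
    $map = @(
        @{ Prefix = Join-Path $env:SystemRoot 'System32'; Variable = '%SYSTEM32%' },
        @{ Prefix = Join-Path $env:SystemRoot 'SysWOW64'; Variable = '%SYSTEM32%' },
        @{ Prefix = $env:SystemRoot;                      Variable = '%WINDIR%' },
        @{ Prefix = ${env:ProgramFiles(x86)};             Variable = '%PROGRAMFILES%' },
        @{ Prefix = $env:ProgramFiles;                    Variable = '%PROGRAMFILES%' },
        @{ Prefix = $env:SystemDrive;                     Variable = '%OSDRIVE%' }
    )
    foreach ($m in $map) {
        if ($m.Prefix -and $Path.StartsWith($m.Prefix, [StringComparison]::OrdinalIgnoreCase)) {
            return $m.Variable + $Path.Substring($m.Prefix.Length)
        }
    }
    return $Path   # Outside the mapped roots (e.g. removable media): leave unchanged
}

function Get-AppRestrictionRuleInfo {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -Path $Folder -Filter '*.exe' -File | ForEach-Object {
        # Publisher is $null for unsigned files, so every field below stays empty for them
        $pub = (Get-AppLockerFileInformation -Path $_.FullName -ErrorAction SilentlyContinue).Publisher
        [pscustomobject]@{
            Path          = ConvertTo-AppLockerPath $_.FullName
            PublisherName = $pub.PublisherName
            ProductName   = $pub.ProductName
            BinaryName    = $pub.BinaryName
            # $false means the file cannot be described with the Publisher Name field
            Signed        = [bool]($pub -and $pub.HasPublisherName)
        }
    }
}

# Assumed sample input: the folder holding the powershell.exe used in the tip above
Get-AppRestrictionRuleInfo -Folder "$env:SystemRoot\System32\WindowsPowerShell\v1.0" |
    Format-Table -AutoSize
```

Rows with Signed = False need a different rule type, since the policy fields above have no publisher or product name to match.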

Applying the Policy

  • (Optional) Select the Policy Groups tab. Select one or more policy groups to which you want to add this policy.
  • Select the Device Groups tab. Select one or more device groups to which you want to apply this policy. For device groups with multiple OS member types, the policy only applies when a user logs into a supported Windows device that is enrolled in MDM.
  • Or, select the Devices tab. Select one or more devices where you want to apply this policy.
  • Click Create Policy. A success message is displayed indicating the completion of policy creation.

Note:

You must select either a device or device group to create and apply this policy.

Viewing Policy Status

  1. Select the Status tab.
  2. To see the last Result Log for a device where this policy is applied, click view.

Note:
  • If any errors occur, they're listed in Exit Status. If you have an Exit Status of 0, no errors occurred when applying or enforcing this policy.

Once the policy is applied, when a user attempts to launch an application that is included in the policy list, the user will be blocked from accessing that application.
(Screenshot: App Restriction message on Windows)

