Restrict Software on Windows Devices Using a Policy

Important: Software Restriction Policies were deprecated beginning with Windows 10 build 1803 as well as Windows Server 2019 and later. For more information, see Microsoft's documentation.

For Windows devices, you can add a Software Restrictions Policy to specify locations where applications can run. A policy can protect a device from potential threats, and you can control access to it by identifying which applications should be allowed access or which should be blocked. For general information on how JumpCloud policies using allow and deny lists work, see Manage Software Restrictions Using Policies.  

You can add file types, applications, and locations to an allow list or deny list in the following ways:

  • A list of file types identified by their extension that are allowed or blocked if they are in any of the paths you list. For example, to block all Microsoft Access Project files in the C:\Projects directory, you specify ADP as the file extension and add the directory path in the Directories and/or Paths field. Make sure you don't include the period before the file extension or the policy won't work. On Windows devices, the following sample list allows or blocks Microsoft Access Project files, BASIC files, batch files, and JavaScript files: ADP, BAS, BAT, JS
  • A fully-qualified path that ends with a file name to allow or restrict the running of that one file. For example, on Windows devices where a deny policy is applied with the following restriction, users can't run the StringFinder application from the Custom Utilities folder: C:\Program Files\Custom Utilities\StringFinder.exe
  • A directory to allow or restrict all executable files in that location from running. For example, on Windows devices where a deny policy is applied with the following restriction, users can't run any applications in the apilibrary folder: C:\Projects\apilibrary
  • The % character to represent variables expanded by the OS. For example, adding the path %userprofile% to the deny list blocks applications from launching from the current user's profile directory.

You can use the following examples to understand how to construct environment variables to specify paths. Environment variables are dynamic, editable named values that programs can read. For example, you can use the %USERPROFILE% variable to find the directory structure owned by the user running the process.

  Environment Variable   Path
  %AppData%              C:\Users\{username}\AppData\Roaming\
  %LocalAppData%         C:\Users\{username}\AppData\Local\
  %Temp%                 C:\Users\{username}\AppData\Local\Temp\

The following environment variables and paths are common locations you can add to your allow or deny lists:

  • %appdata%\Microsoft\Internet Explorer\UserData\
  • %localappdata%\Microsoft\Windows\Temporary Internet Files\Content.Outlook\
  • %LocalAppData%\Google\Chrome\User Data\Default\Extensions\
  • %LocalAppData%\slack\*
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\
  • %ProgramFiles%\Google\Desktop\
  • %userprofile%\Downloads\
  • C:\Windows\Temp\

Considerations

You need to use the fully-qualified path to a file or directory to add it to an allow or deny list. You can also use a variable that resolves to one as described in the section above. For an application file, if all three of the following components are present, the path is fully-qualified or absolute. For a directory, if the first two of the following components are present, the path is fully-qualified or absolute:

  • A volume or drive letter - Must be followed by the volume separator (:).
  • A directory name - The directory separator character separates subdirectories in the nested directory hierarchy.
  • An optional filename - The directory separator character separates the file path and the filename.

Restart all devices where you applied this policy for this policy to take effect.

Determine the absolute path of any location in Windows:

  1. Open Windows Explorer and locate the file or folder.
  2. Right-click the file or folder, then click Properties.
  3. For the absolute path to the folder, use the path in Location. For example, c:\folder1\subfolder2.
  4. For the absolute path to a file, use the path in Location, then add a backslash and the file name to the end of the path. For example, c:\folder1\subfolder2\app.exe.
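The list entry formats above (file extensions, single files, directories, and %VAR% paths), the fully-qualified path rule from Considerations, and the absolute-path procedure all come together when you check a deny list before deploying it. The following PowerShell is an added example, not code from the JumpCloud article or the JumpCloud agent: it expands environment variables the way the OS does, flags entries that are not fully qualified, and dry-runs a deny list against a set of constructed sample file paths. $RulePaths, $RuleExtensions and $SampleFiles are constructed samples modelled on the article's examples, and $BuiltInExecutableTypes is an assumed minimal set standing in for the file types the restriction engine treats as executable by default.

```powershell
# Added example (not from the JumpCloud article): local dry run of a
# Software Restrictions deny list before it is deployed as a policy.
# Constructed/assumed values: $RulePaths, $RuleExtensions and $SampleFiles
# are samples modelled on the article; $BuiltInExecutableTypes is an
# assumed stand-in for the default executable file types.

$RulePaths = @(
    'C:\Program Files\Custom Utilities\StringFinder.exe',  # one specific file
    'C:\Projects\apilibrary',                               # a whole directory
    '%userprofile%\Downloads\',                             # variable-based directory
    'apilibrary\'                                           # deliberately NOT fully qualified
)
$RuleExtensions = @('ADP', 'BAS', 'BAT', 'JS')              # no leading period
$BuiltInExecutableTypes = @('EXE', 'COM', 'MSI', 'DLL')     # assumption, see above

$SampleFiles = @(                                           # constructed paths
    'C:\Program Files\Custom Utilities\StringFinder.exe',
    'C:\Program Files\Custom Utilities\Other.exe',
    'C:\Projects\apilibrary\build.bat',
    'C:\Projects\apilibrary\readme.txt',
    'C:\Projects\report.adp',
    '%userprofile%\Downloads\installer.exe',
    '%userprofile%\Documents\macro.bas'
)

function Test-FullyQualified {
    param([Parameter(Mandatory)][string]$Entry)
    # Considerations section: a volume letter followed by ':' and a directory
    # separator must be present. Expand %VAR% first so the entry is judged by
    # what it resolves to, and check before any relative-path normalisation.
    $expanded = [Environment]::ExpandEnvironmentVariables($Entry)
    return [bool]($expanded -match '^[A-Za-z]:\\')
}

function Expand-ListEntry {
    param([Parameter(Mandatory)][string]$Entry)
    # Resolve %VAR% references, then normalise to the same absolute form the
    # Properties dialog's Location field plus file name would give you.
    $expanded = [Environment]::ExpandEnvironmentVariables($Entry)
    return [System.IO.Path]::GetFullPath($expanded)
}

function Test-RestrictedFile {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string[]]$Paths = $RulePaths,
        [string[]]$Extensions = $RuleExtensions
    )
    $file = Expand-ListEntry $FilePath
    $ext  = [System.IO.Path]::GetExtension($file).TrimStart('.')
    # A file in a listed directory is affected if it is an executable type or
    # one of the extensions you listed ("-in" is case-insensitive).
    $coveredType = ($ext -in $BuiltInExecutableTypes) -or ($ext -in $Extensions)

    foreach ($entry in $Paths) {
        if (-not (Test-FullyQualified $entry)) { continue }   # policy would reject it
        $target = Expand-ListEntry $entry
        # Single-file entry: matches exactly that file.
        if ($file -ieq $target) { return $true }
        # Directory entry: matches covered file types anywhere beneath it. The
        # trailing backslash keeps 'apilibrary' from matching 'apilibrary2'.
        $dirPrefix = $target.TrimEnd('\') + '\'
        if ($coveredType -and $file.StartsWith($dirPrefix, [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# 1. Entries the policy would not accept because they are not fully qualified.
Write-Host 'Entries that are not fully qualified:'
$RulePaths | Where-Object { -not (Test-FullyQualified $_) } | ForEach-Object { "  $_" }

# 2. Which sample files a deny policy built from these entries would block.
Write-Host 'Dry run:'
foreach ($f in $SampleFiles) {
    $state = if (Test-RestrictedFile -FilePath $f) { 'BLOCKED' } else { 'allowed' }
    "  $state  $(Expand-ListEntry $f)"
}
```

Two design points are worth noting. The fully-qualified check runs on the expanded string before GetFullPath, because GetFullPath would silently turn a relative entry such as apilibrary\ into a rooted path under the current directory and hide the mistake. And a single-file entry only covers that file: Other.exe in the same Custom Utilities folder stays allowed unless you list the folder itself, which is the difference between the second and third entry formats in the list above.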

Creating the Policy

To create a Software Restrictions policy for Windows devices, do the following:

Selecting the Policy Template

  1. Log in to the JumpCloud Admin portal.

Important:

If your data is stored outside of the US, check which login URL you should be using depending on your region. If your organization uses LDAP, RADIUS, or requires firewall allow list configuration, the Fully Qualified Domain Names (FQDNs) will also be region specific. See JumpCloud Data Centers for the URLs, FQDNs, and IP addresses.

  2. Go to Device Management > Policy Management. The Policy Management page is displayed.
  3. On the Policy Management page, click +Add New.
  4. Select Device Policy to assign the policy to devices and device groups. On the New Device Policy page:
    • Select the Windows tab.
    • Search and select the policy name and click Configure. The Details tab of the policy is displayed.
    • On the Details tab, configure the required policy configuration settings.
    • (Optional) In the Policy Name field, enter a new name for the policy or keep the default. Policy names must be unique.
    • (Optional) In the Policy Notes field, enter details such as creation date of the policy, and information on testing and deployment of the policy.

Configuring the Policy

  • Under Settings, click Mode and choose Deny list or Allow list.
  • To bypass Allow list or Deny list restrictions on a local device, select Exclude Local Administrators.
  • Under Directories and/or Paths, click add filepath to add another directory or path. Enter either the fully-qualified path to the executable file or the entire application directory you want to list. 
  • Under Included File Extensions, click add file extension to add another extension. This action lets you add files types to the allow or deny list by entering the file extension. Don’t include the period before the file extension. 
  • To remove directories, paths and extensions from your list, click the trash can icon next to the item.

Applying the Policy

  • (Optional) Select the Policy Groups tab. Select one or more policy groups where you want to add this policy. 
  • Select the Device Groups tab. Select one or more device groups where you want to apply this policy. For device groups with multiple OS member types, the policy only applies when a user logs into a supported Windows device that is enrolled in MDM.
  • Or, select the Devices tab. Select one or more devices where you want to apply this policy.
  • Click Create Policy. A success message is displayed indicating the completion of policy creation.

Note:

You must select either a device or device group to create and apply this policy.

Viewing Policy Status

  1. Select the Status tab.
  2. To see the last Result Log for a device where this policy is applied, click view.

Note:
  • If any errors occur, they're listed in Exit Status. If you have an Exit Status of 0, no errors occurred when applying or enforcing this policy.

Warning:

If you remove a JumpCloud Software Restriction policy, native Microsoft Software Restriction Policies (SRP) need to be manually reset. To do this, completely delete your native Microsoft SRPs and then re-administer them. For complete steps on how to work with SRPs, refer to the Microsoft documentation: Administer Software Restriction Policies.

Delete the software restriction policies that are applied to a Group Policy Object (GPO)

  1. Open Group Policy Editor.
  2. In the console tree, right-click Software Restriction Policies.
  3. Click Delete Software Restriction Policies.

Note:

When you delete software restriction policies for a GPO, you also delete all software restriction policies rules for that GPO.

After you delete software restriction policies, you can create new software restriction policies for that GPO.

Create new software restriction policies:

  1. In Group Policy Editor, open Software Restriction Policies.
  2. On the Action menu, click New Software Restriction Policies.
  3. (Optional) Add any Designated File Types.
  4. (Optional) Configure Enforcement settings.
  5. (Optional) Configure Security Levels.
  6. (Optional) Apply policies to DLLs.
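Because the warning above says that native SRPs must be deleted and recreated by hand after a JumpCloud Software Restriction policy is removed, it helps to be able to see what the local machine actually holds after each step. The following PowerShell is an added example, not from the JumpCloud article or Microsoft's documentation: a read-only inventory of the native SRP settings and path rules in the local machine policy. It assumes the standard SRP storage location, the Safer\CodeIdentifiers policy key with one subkey per security level (0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted) holding a Paths subkey of GUID-named rules; it writes nothing.

```powershell
# Added example (not from the JumpCloud article or Microsoft's documentation):
# read-only inventory of native Software Restriction Policies on this machine.
# Assumption: SRP settings live under the Safer\CodeIdentifiers policy key,
# with one subkey per security level holding a 'Paths' subkey of path rules.

$SaferRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpSummary {
    # Top-level settings: default level, enforcement mode, designated file types.
    if (-not (Test-Path -Path $SaferRoot)) {
        return [pscustomobject]@{ Present = $false; DefaultLevel = $null; Enforcement = $null; DesignatedTypes = @() }
    }
    $props = Get-ItemProperty -Path $SaferRoot
    $defaultLevel = if ($null -ne $props.DefaultLevel -and $LevelNames.ContainsKey([int]$props.DefaultLevel)) {
        $LevelNames[[int]$props.DefaultLevel]
    } else { '(not set)' }
    $enforcement = switch ([int]$props.TransparentEnabled) {
        0       { 'Not enforced' }
        1       { 'All software files except libraries (DLLs)' }
        2       { 'All software files, including libraries' }
        default { "Unknown value $_" }
    }
    [pscustomobject]@{
        Present         = $true
        DefaultLevel    = $defaultLevel
        Enforcement     = $enforcement
        DesignatedTypes = @($props.ExecutableTypes)
    }
}

function Get-SrpPathRules {
    # One object per path rule, across all security levels present.
    if (-not (Test-Path -Path $SaferRoot)) { return @() }
    foreach ($levelKey in Get-ChildItem -Path $SaferRoot) {
        $level = 0
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$level)) { continue }  # skip non-level keys
        $pathsKey = Join-Path -Path $levelKey.PSPath -ChildPath 'Paths'
        if (-not (Test-Path -Path $pathsKey)) { continue }
        $levelName = if ($LevelNames.ContainsKey($level)) { $LevelNames[$level] } else { "Level $level" }
        foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
            $rule = Get-ItemProperty -Path $ruleKey.PSPath
            [pscustomobject]@{
                Level       = $levelName
                Path        = $rule.ItemData        # the path or %VAR% pattern the rule covers
                Description = $rule.Description
                RuleId      = $ruleKey.PSChildName  # GUID name of the rule subkey
            }
        }
    }
}

Get-SrpSummary | Format-List
Get-SrpPathRules | Sort-Object Level, Path | Format-Table -AutoSize
```

Run it once before the deletion step to record what is there, again after Delete Software Restriction Policies and a policy refresh (gpupdate /force, or the restart the article calls for) to confirm the old rules are gone, and a final time after recreating the policy to check that the default level, enforcement scope and path rules match what you intended.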