Application Run Control


The easy availability of applications (games, consumer-oriented utilities and third-party tools) for mobile devices results in end users installing and running unauthorized personal programs and recreational software on devices meant for business use. In addition to adding memory and battery life overhead, this situation also contributes to productivity losses. The installation of unauthorized and unapproved non-business applications contributes to a significantly higher volume of support calls, increasing the IT help desk's support burden. Most critically, security-conscious organizations must control and restrict the unauthorized installation of personal applications to ensure compliance with strict mobile data protection requirements.

MobiControl's application run control features reduce the risk of leakage of sensitive data and complement the existing network security model by preventing the introduction of malware and viruses into the network through the mobile devices. They also support memory management on the mobile devices by freeing up resources taken up by unnecessary processes, allowing for better device performance. MobiControl integrates tightly with the operating system to prevent restricted applications from running on the mobile device at all, making it much more efficient than competing white list and black list solutions, which use CPU- and battery-consuming processes to monitor for and terminate restricted applications.

Application Run Control dialog box

For assistance with Override Settings, click here.

Application Run Control Modes

MobiControl provides two modes of operation for Application Run Control, corresponding to two control list types:

  1. The black list, or list of restricted applications, allows IT administrators to ensure that an application will not be allowed to execute on the device. The MobiControl Device Agent prevents any black-listed processes from executing on the device.

    Note:

    If an application is launched from the lockdown program menu and it is also black-listed on the device, the application will still run, because the lockdown takes precedence over the black list.

  2. The white list, or list of approved/allowed applications, limits what programs can be executed on the devices. Only the applications and processes included in the white list are allowed to execute on the device. This provides an added layer of security for organizations concerned about unknown processes and applications that may be introduced to the device, possibly without the end user being aware of it, as is frequently the case with viruses, spyware and other malicious applications.

    Important:

    If the white list is not set up correctly, you may end up blocking potentially system-critical applications and causing the device to crash.

To enable application run control for a device or group of devices, select Application Run Control Policy from the MobiControl Security Center. (Please see the Device Security and Control page.)

Control List Creation Methods

Important:

Whether you are creating a white list or a black list, the use of learning mode is strongly encouraged.

Configuration of application run control begins with the creation of an application control list. An application control list is simply a listing of the names of the executable files that correspond to the applications you wish to allow or disallow on the mobile device. For example, pword.exe corresponds to Microsoft Word for Windows Mobile, and tmail.exe corresponds to the Microsoft Messaging client for Windows Mobile. The categorization of the application control list, either as a white list or a black list, determines whether the specified programs will be allowed or disallowed.

Application control lists may be specified manually or they can be auto-generated using learning mode.

Learning Mode

Learning mode can only be enabled or disabled on a device that is online. If you right-click on a device group or an offline device and try to enable learning mode, you will receive an error message.

Learning mode allows you to quickly and easily capture the names of all the executable processes that might be relevant to the everyday use of the device by the end user. Once generated, you may edit the list that was created. One device can be used to capture the applications that are commonly used. A control list can then be applied to a larger set of devices, for instance by applying the control list at a group level.

Select Control List Creation Method dialog box

Enable learning mode by selecting the New button in the Application Run Control dialog box, and then choosing Learning Mode in the Select List Creation Method dialog box.

Once you have enabled learning mode, begin using the device. If you wish to develop a white list, run all the applications that the typical end user will need (e.g. Microsoft Messaging, Microsoft Word, Calendar, Contacts). Go through normal, everyday situations like making and receiving a phone call, soft-resetting the device, etc. Use the device with learning mode enabled for as long as it takes you to ensure that all the applications that your user will need to execute have been launched at some point. (You can run it for an hour, a day, a week, ...)

Once you are satisfied that you have fully trained the device's application run control, click the End Learning button.

Application Run Control Learning Mode dialog box

While the device is in learning mode, a red L icon will appear on the device until learning mode has ended.

The list of "learned" applications will be presented to you in a dialog box that allows you to edit the list. For example, you may wish to delete an application that was mistakenly executed during learning. Before saving the control list, you must name it.

Application Run Control Learning Mode list

Now that the application run control list has been created, you may assign it to various devices and groups.

If you wish to develop a black list using learning mode, run all the applications that you do not want your user to be able to access (e.g. Solitaire, Bubble Breaker, Internet Explorer, etc.). Once you are satisfied that you have executed all the applications that are to be banned, click End Learning. Since learning mode lists all the processes that were found to be running, including system processes, it is important that you go through the list and remove from the black list those applications that are not to be disallowed.

Manual Mode

Select Control List Creation Method dialog box

Manual list creation is provided for the expert device administrator who already knows exactly which executables are to be put on the white list or black list. This advanced feature is only recommended if you have already used learning mode and are aware of the names of the executables that need to be allowed for correct device operation, and those that you wish to restrict.

You can manually create a new application control list by clicking the New button in the Application Run Control dialog box, and then choosing the Manually Create a New Control List option in the Select Control List Creation Method dialog box. The New Application Control List dialog box pops up, allowing you to specify the application that you want to add to the list, and the platform for which this entry is valid. This allows you to restrict applications on devices running a specific operating system (e.g. Windows Mobile 5) if you have a mix of devices with different operating systems in the same group.

Once created, the list may be applied to one or more devices or groups.

Creating a black list in manual mode

Important:

Application run control can adversely impact the operation of the mobile device if configured incorrectly. After you have developed a control list, apply it to one or two select devices for extended field testing before expanding it to the general deployment. As a general rule, if you don't know what an executable does (e.g. somestrangename.exe), allow it to run instead of blocking it, as it might be critical for the device's proper operation.

Note:

If you edit an application control list that is shared among device groups that are not subgroups of the group you are configuring, the changes will not be propagated to the other devices. The modified control list will only affect devices belonging to the group being configured or its subgroups.

Modifying or Deleting a Control List

An application control list can be edited whether it is currently in use or not, but its type (white list or black list) cannot be changed once created.

An application control list can only be deleted if it is currently not selected for any devices or device groups. A control list that is listed in the Selected field is considered in-use, even if the application run control is disabled for the given group or device.

Application Run Control Event Notification

Every time MobiControl's application run control feature blocks or terminates an application that is not allowed to run by the security policy in effect, it can notify the server or the user if the appropriate options are selected.

The following two options are available:

  • The Notify Server on Application Termination option will generate a log event on the server and display it in the Event Logs for that particular device when an attempt is made to run a blocked application. Device logs can be viewed in the MobiControl Manager by highlighting the device or the group of devices and selecting the Logs tab. This allows administrators using MobiControl Manager to track any attempts by end users to run or install unauthorized applications and ensures a higher level of monitoring.
  • The Notify User on Application Termination option causes a message box to be displayed on the user's device when an application is blocked.

Notes:

  • When logged in as Admin on the mobile device, application control enforcement is suspended.
  • Certain processes and applications are critical and necessary for stable device operation and normal execution of the MobiControl Device Agent. These processes are automatically protected through a built-in "permanent white list" and cannot be put on a black list. Applications that are included in a lockdown program menu are automatically on a white list, and cannot be put on a black list.
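The rules scattered across this page (white list versus black list semantics, platform-specific entries, lockdown and permanent white list precedence, Admin login suspending enforcement, and the two notification options) combine into one decision per launch attempt. The following is an added example that models that decision; it is a constructed illustration, not MobiControl's code, and every executable and platform name other than pword.exe, tmail.exe and Windows Mobile 5 is a placeholder.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed model of the run-control decision this page describes; it is
# not MobiControl's own code. Executable and platform names other than those
# taken from the page are placeholders.

@dataclass
class ControlEntry:
    exe: str
    platform: Optional[str] = None      # None = entry valid on every platform

@dataclass
class ControlList:
    name: str
    list_type: str                      # "white" or "black"; fixed once created
    entries: List[ControlEntry]

    def names(self, exe: str, platform: str) -> bool:
        """True if the list has an entry for exe that applies to this platform."""
        return any(e.exe.lower() == exe.lower() and e.platform in (None, platform)
                   for e in self.entries)

@dataclass
class Policy:
    control_list: ControlList
    enabled: bool = True
    notify_server: bool = False         # Notify Server on Application Termination
    notify_user: bool = False           # Notify User on Application Termination
    lockdown_menu: Set[str] = field(default_factory=set)          # lockdown program menu
    permanent_white_list: Set[str] = field(default_factory=set)   # built-in, agent-critical

def evaluate(policy: Policy, exe: str, platform: str,
             admin_logged_in: bool = False) -> Tuple[bool, List[str]]:
    """Decide whether exe may run and which notifications a block would raise."""
    if not policy.enabled or admin_logged_in:     # enforcement suspended for Admin
        return True, []
    always_allowed = {n.lower() for n in policy.lockdown_menu | policy.permanent_white_list}
    if exe.lower() in always_allowed:             # lockdown / permanent list beat a black list
        return True, []
    listed = policy.control_list.names(exe, platform)
    allowed = listed if policy.control_list.list_type == "white" else not listed
    events: List[str] = []
    if not allowed:
        if policy.notify_server:
            events.append(f"EVENT_LOG blocked={exe} platform={platform}")
        if policy.notify_user:
            events.append(f"USER_MESSAGE {exe} is not allowed on this device")
    return allowed, events
```

Note that an entry restricted to one platform does not match on another, so a white list built on Windows Mobile 5 devices can silently block the same executable elsewhere; this is the field-testing caveat from the Important note above.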