Enterprise Console allows you to set an application control policy for groups of computers so you can block or authorize programs. This article explains how to authorize (from the Enterprise Console policy) an application that has been previously blocked using a central policy and applied to an endpoint computer.
Note: You can only block/unblock an application from the central policy. Locally, you can only enable or disable the feature, and only if you are a 'Sophos Administrator'. See the 'Technical Note' section below for more information.
What To Do
- Open Enterprise Console and ensure you are on the 'Endpoints' view (use the drop-down 'View' menu to toggle views).
- From the Policies pane (located at the bottom left side of the window), expand the 'Application control' policy section.
- Double-click the policy you want to change. The Application Control policy dialog box is displayed. Use the 'View Groups Using Policy' option on the right-click sub menu if you are unsure which policy applies to the group of computers you need to affect. See article 118111 for more information.
- Click the 'Authorization' tab.
- Locate the category of application that you want to remove the blocking from in the 'Application Type' list.
Tip: If you do not know the parent category of the particular application you want to unblock, scroll through the list and note when the 'Current Status' column changes from 'Authorized' to 'Blocked' or 'Some Blocked'. 'Blocked' means the entire category is blocked and 'Some Blocked' means one or more, but not all, applications in that category are blocked.
With the application type selected, and where one or more applications are blocked, the lower sections titled 'Authorized' and 'Blocked' will be populated.
- When you locate the desired application name in the 'Blocked' list (on the lower right), select that name and use the arrow button (<) to move it to the 'Authorized' list on the left.
- Click 'OK' to save the change.
Once the policy is received by the endpoint computer, the previously blocked application will be allowed.
Technical Note
The only place where you can change which applications are blocked and which are unblocked is the central console, under the 'Application control' policy section. Locally on an endpoint computer you can only switch the feature off or on, and you must be a 'Sophos Administrator' to do this. You cannot customize the policy or allow an application locally, because the policy is set by your IT administrator.
If you need to check which applications are blocked for a particular endpoint computer, go to Enterprise Console and review the policy. If this cannot be done, you can open the machine.xml file in a text editor on the endpoint and search for either the name of an application that you believe is being blocked by Application Control, or the phrase 'blockedAppCList' to find the beginning of the list of blocked applications as received from the central console.
Note: If you want to add an application that is not listed in the policy section, you must request that SophosLabs add the application.