Configure App Locker Policy on Windows

For a uniform app deployment and with the purpose of security, IT Admins may want to enforce policies to manage applications that users can run on their Windows systems. Scalefusion's App Locker policy allows IT Admins to configure such policies where they can select apps that they want to allow or block for the end users, thereby allowing only supported or approved apps to run on Windows machines. Users would see all applications but will not able to use the disallowed apps.

This document guides you on how to configure App Locker Policy for Scalefusion managed Windows devices.

Pre-requisites

1. Devices should be enrolled with Scalefusion
2. Supported OS - Windows OS 10 Pro, Enterprise, Windows 11

Configuring App Locker Policy

Getting Started

1. Sign In to Scalefusion Dashboard and navigate to Device Profiles & Policies > Device Profiles and either create a new Windows device profile or edit an existing device profile.
2. The first option/tab in Profile creation wizard is to SELECT APPS. Within this you would be shown the following options,
   1. Multi-App Kiosk Mode
   2. App Locker Policy
   3. Skip Application Policy
      The features which work on both modes, that is, Modern Management and Agent based, are identified by iconography where windows icon is for modern management and Scalefusion icon is for Agent enrolled devices. No iconography against a feature tab/setting/option would mean it is supported only on modern management.

      
      

      

3. Choose the radio button App Locker Policy. This offers you the following sub-sections,
   1. Step 1: Select Mode
   2. Step 2: Add User / Group Info
   3. Step 3: Select Apps 

Step 1: Select Mode

You can choose to allow or block the running of selected applications, with one of the following options:

a. Allow selected apps: The apps selected will be allowed and rest of them will remain blocked.

b. Block the selected apps: The apps selected will be blocked and rest of them will remain allowed.

You can allow or block UWP apps, Win32 apps or apps installed from Windows store.

Step 2: Add User / Group Info

Here, you can set the target user(s) or group to which the app locker policy should apply. There are two options to choose from. Select any one:

• All Users & Groups: If you want to apply this policy to all users & groups on the device, select this option.
• Selected Users & Groups:Windows has a pre-defined list of users and groups. You can select one or more groups. Following are the groups you can select:
  • Standard & Admin Users
  • Admin User Group
  • Guest User Group
  • Remote Desktop User Group
  • Custom User / Group SIDs: Enter comma-separated SID values of custom users / groups (other than predefined groups & users). You can also enter custom properties which are applicable on the user(s) for whom SID is defined in custom fields.
    With $device.enrolledUsersid, the policy can be applied only to the user who enrolled the device. This will ensure that the policy is applied only to the user who enrolled the device.
    If you want to apply the policy only on Standard users, you need to create a custom group on the device, add users under the custom group, fetch the group's SID and enter the SID in the text field.

Where do the users and groups exist on device?

On Windows Devices, the users and groups are defined in Computer Management, under System Tools > Local Users & Groups

Step 3: Select Apps

Select the applications from the list by toggling on the button in front of each.

For the Win32 apps that are not available in the app list, you can add them through Add Win32 App button, enter the app name, path there and Save. The application gets added and is available in the list of apps. Now you can allow/block it.