Manage Software Restrictions Using Policies

To protect a device from potential threats, you can control access to it by identifying which applications should be allowed access or which should be blocked. In the JumpCloud Admin Portal, you use a policy to create this list.

JumpCloud's policy framework lets you remotely apply configuration settings to one managed device or the entire fleet in your organization. These policy settings let you customize your managed devices and make them more secure.

You can create the following policies to specify locations where applications can run or can’t run:

• Software Restrictions (Windows devices)

Allow vs. Deny 

JumpCloud provides two primary approaches for managing which applications get access to a device — allowing access or denying it. Both methods have their pros and cons. The right choice depends on your organization’s needs and goals.

Denying Access

Creating a list to restrict access is the traditional approach to access control and has long been used by anti-virus tools, spam filters, and other security software programs. This approach is threat-centric. Any application or directory not on the deny list is granted access, but anything that’s known or expected to be a threat is blocked.

• The denial of access approach works on a simple principle—identify the known and suspected threats, deny them access, and let everything else go.
• A deny list can never be comprehensive since new threats emerge constantly.

Allowing Access

Instead of creating a list of threats, you create a list of permitted applications and directories and block everything else. This approach is based on trust, and the default is to deny anything new unless it’s proven to be acceptable, resulting in a much stricter, more secure approach to access control.

• Use an allow list reduces risks of someone maliciously gaining access to your device more than a deny list.
• While using an allow list offers stronger security, it can also be more complex to implement. If you regularly change the tools you use, you also need to update your list.
• Using a list of allowed applications also restricts what users can do with their devices. They can’t install something they might need if an administrator doesn’t know about it and allow it, which limits their creativity and the tasks they can perform.

Creating a deny list is normally used when administrators want to make it easy for users to access devices, and to minimize administrative effort. For example, an IT admin in charge of the devices for a school may want to block specific applications such as games or streaming, but generally allow various apps for students to do their work.

Considerations:

• Even if you add an application to a deny list or leave it off the allowed list, the JumpCloud policy doesn’t perform the following actions:
  • Prevent a user from downloading an application restricted by your policy.
  • Forcibly remove any applications already downloaded.
• If you log on to a device where a deny list or allow list policy is applied, and you use an account with administrator privileges, you can bypass the policy restrictions if necessary. If you select the option to Exclude Administrator from the policy, when you right-click on an app and select run as administrator, you’ll see the following behavior:
  • If you’re in the Administrators group, the app starts normally.
  • If you aren’t in the Administrators group, you’ll have to select a username in the administrators group and enter that user’s credentials before the app starts.
• Users can move application files from a folder on the deny list to the desktop. If they do, the denial of access policy no longer applies since the files are in a different folder. This means the user can run these files and your policy restrictions won’t apply.