Using the Application Control Configurator

The Application Control Configurator simplifies the creation of an application control policy. You start the wizard from the one of the following:
  • Go to
    page >
    tab >
    Attack Surface Reduction
    .  In the
    Key App Control Flows
      widget, select
    Create an Initial App Control Policy
  • Go to
    Quick Setup
    . Under
    , select
    App Control
    . The wizard is part of the journey line steps.
Step 1: Select device groups that will use the policy.
, select the device groups that will use the new policy. The set of discovered applications that are associated with these device groups is used later to generate rules for the new policy.
You can select device groups that already use an Application Control policy or any groups that are not yet using an Application Control policy.
You can apply the new policy to these same device groups when you finish the wizard.
The term “applications” refers to all the application versions and standalone files.
Step 2: Select the device type and enforcement type.
Choose the type of devices that will use the Application Control policy. The device type determines whether the policy will be configured to let users override some blocked applications.
Later in the wizard you can choose to run the policy in monitor mode so that any type of enforcement is logged but not applied.
  • Fixed Function Devices
    This option locks down fixed-function devices such as point-of-sale devices, ATMs, or printers. This option does not allow user overrides and configures the policy mode as
    Strict Enforcement
    • Enforces a default-deny mode where only an approved list of applications can run.
    • Restricts updates to defined trusted updater mechanisms.
  • User and Dynamic Devices
    These devices include user endpoints such as laptops, desktops, or tablets. This option allows user overrides and configures the policy as
    Enforce with overrides
    • Allows a broad range of approved applications governed by flexible rules
    • Extends users the flexibility to use unapproved applications when assessed to be safe
    • Facilitates regular IT maintenance and upgrades with defined trusted updaters
    • Alerts administrators when newly introduced applications (drift) pose a risk to the environment
Step 3: Review applications and make sure they are classified the way you want them.
By default, the drag-and-drop view uses Symantec recommendations to classify the discovered applications as allowed, blocked, or undetermined. You can drag-and-drop applications into different buckets. The buckets are used at the completion of this step to generate rules for the applications. These rules are included in the new policy.
Buckets show applications and files as one of the following:
  • Allowed
    Policy rules will be generated to always allow items in this bucket.
    Symantec-signed applications are always allowed and cannot be moved out of this bucket.
  • Undetermined
    Policy rules will be generated to block items in this bucket unless users are allowed to override the block.
  • Blocked
    Policy rules will be generated to always block items in this bucket.
You might want to change the view on this page by using the filters in the left panel. This panel also include a sort option and a search option.
You can also use the
Group by
option to sort the lists by
. By default, the view shows every version of an application. Choose
Group by
to collapse all application versions into a single entry for the each application.
  1. To change the default Symantec classification
  2. In the drop-down for
    , select one of the following:
    • Clone and Customize
      This option lets you configure how applications and files are sorted into the respective buckets. When you select this option, you get the
      Custom Recommendation
      page. The default shows Symantec's recommendation. When you make any changes, you can save your changes. The drag-and-drop view reloads to show you how your changes updated any classification.
    • None
      This option moves all the items to the
After you finish choosing whether applications should be allowed or blocked, select
Step 4: Generate policy rules and review a policy rules summary.
Policy rules are generated based on your allow, block, and undetermined selections. You see a summary of the number of rules.
You can choose to close the Configurator while it generates rules. After the rule generation completes in the background, you get an alert to return to the Configurator and finish policy creation.
You can choose to run the policy in monitor mode to log blocked events so you can review these events before you enforce the policy.
If you are satisfied with the new policy, select
Create Policy
. This option creates the new policy and applies the policy to the device groups that you selected in Step 1 of the wizard.