Purpose: To provide a mechanism for achieving High Enforcement in dynamic environments, which enables normal end-users to install software under certain conditions, by prompting them before executing certain files.

Description: Provides a folder from which normal end-users can approve the execution of unapproved files even when in high enforcement.

Note: For more details on the benefits of this Rapid Config, see: https://community.carbonblack.com/docs/DOC-4162.
Enabled by Default: No
Platform: Windows
Minimum Agent Version Required: 7.2.0

The Edit Rapid Config page for the Self-Service Approvals Rapid Config

Rapid Config Settings

As with most rapid configs, you can:

  • Enable or disable the rapid config.

  • Specify what policies the rapid config applies to.

For each of the following sections, specify what action you require.

Self-Service Approvals

Use this group to specify the location of files that will be either prompted for or allowed to run even if they are unapproved. You can also choose to promote the executions or report the executions to the server.

The settings for the Self-Service Approvals Rapid Config

*Self-Service Approval Location:
Execution of unapproved files from the locations specified here will be prompted for or allowed depending on subsequent parameter settings.
Prompt Or Allow Execution:
Should execution of unapproved files from the specified locations generate a prompt or be allowed without prompting.
Notifier:
Notifier to show when prompting for execution of files from the specified location. Select option from drop-down list. By default, selection is: Enforce custom (file and path) rules.
Promote Executions:
When checked, executions from the specified locations will be promoted.
Report Executions:
When checked, executions from the specified locations will be reported to the server.
*Report Or Block Writes To The Self-Service Approval Location:
Should writing of files to the the self-service approval location be reported or blocked. This allows you to easily monitor or control processes that can write to your Self-Service Approval location.
*Processes Allowed To Write To The Self-Service Approval Location:
Processes specified here will be allowed to write to the Self Service Approval Location. You can add or remove items from the list. By default, the list includes:
  • <Windows>\explorer.exe