The Enforcement Level in a security policy controls whether unapproved files (applications that may be unidentified and that have not been approved or banned) are allowed to execute. The availability of different Enforcement Levels enables you to choose a setting for each policy that suits the security and user requirements for the group of computers associated with that policy.

Carbon Black App Control offers three different modes of operation: Agent Disabled, Visibility, and Control. Disabled agents neither enforce rules on their computers nor report information from them. Agents in Visibility mode collect and report information but do not enforce rules.

Control mode offers the full range of features, including tracking of files and device activities, and enforcement of bans and other rules that protect your computers. If a file has been banned, it is blocked at all Enforcement Levels in Control mode. Control mode Enforcement Levels differ primarily in how they treat unapproved files:

  • High (Block Unapproved) – Only approved files are allowed to execute.
  • Medium (Prompt Unapproved) – Approved files are allowed to execute. An attempt to execute an Unapproved file displays a notifier dialog in which the user decides whether to Allow or Block it.
  • Low (Monitor Unapproved) – Approved and Unapproved files are allowed to execute without prompting. The activity of these files is still monitored by Carbon Black App Control.

In some cases, a computer can have one Enforcement Level when it is connected and a different one when it is disconnected.