Carbon Black App Control supports special treatment of notifiers for hosted session virtualization environments, such as those provided by Citrix XenApp, Windows Server Remote Desktop Services, and Windows Server Terminal Services. In these environments, you can add special notifier tags that instruct your Carbon Black App Control Server to route notifiers.
- If multiple users are logged in to one session each, and if one of them attempts an action that triggers a notifier, the notifier is displayed only to the user that triggered the block.
- If an action that triggers a notifier is initiated by the system and not a specific user, you can choose to display the notifier to a specified user or group, all users, or no users. No matter which option you configure, Carbon Black App Control logs a block event on the Events page.
- Even when you enable the special notifier behavior, users of agent-managed computers not using session virtualization see notifiers according to the normal rules.
Special treatment of notifiers applies only to hosted sessions on a terminal or application server (session virtualization). That is, they apply to a single system and users and applications on that system. Application virtualization that runs applications locally is not compatible with the feature.
Notifications are always directed to the session of the user taking the action that blocks, not necessarily the originating session. For example, if user A has access to user B’s command prompt, and User A executes runas /user:A cmd.exe
and then executes an unapproved file, the notifier is displayed in user A’s remote session, not in the session where user A appeared to have executed the unapproved file.
There are two tags that activate session virtualization notifier behavior:
- <NotifierBroadcastMessage> is required to enable special notifier routing. If present, notifiers are displayed on all sessions for the user that initiated an action, or for System actions, as specified by NotifierBroadcastSystem.
- <NotifierBroadcastSystem:user|group|blank > is used to determine what is done when a system-initiated action is blocked by an Carbon Black App Control rule. The default is <NotifierBroadcastSystem> with no other arguments. If you leave this tag out but have <NotifierBroadcastMessage> in the notifier, notifiers are displayed to all logged in session users.
The following procedure assumes you want to modify notifier behavior for all settings in a policy. You can add the tags to individual notifiers through the Notifier page if you prefer.
Procedure
- On the console menu, navigate to the page.
- Click View Details next to the policy whose notifiers you want to edit.
- Select a setting whose notifier you want to change and click on the Edit button to the right of the Notifier field.
- On the Edit Notifier page, enter <NotifierBroadcastMessage> in the Notifier Text field.
- In the Notifier Text field, enter the <NotifierBroadcastSystem:> with either of the options:
- To route notifiers for blocks of system-initiated actions to a single user, enter a user name after the colon. For example, <NotifierBroadcastSystem:MYCORP\jsmith>. To route notifiers for blocks of system-initiated actions to members of a group, enter a specified or built-in group name after the colon. For example, <NotifierBroadcastSystem:MYCORP\itgroup>.
- To suppress notifiers for blocks of system-initiated actions, do not enter anything after the colon (the colon is optional in this case). For example, <NotifierBroadcastSystem>
Note: If you suppress the notifier in this case, users in Medium Enforcement Level policies do not have the option of allowing unapproved software – it is always be blocked.
- If you leave the <NotifierBroadcastSystem> tag out of the notifier text area but include <NotifierBroadcastMessage>, notifiers are displayed to all logged in session users.
- To keep your changes to the notifier, click Save.
- Repeat for each notifier in the policy (and any others you want to modify).