If your organization uses software deployment tools, or to dedicate a computer for software approval, you can use a trusted directory to automatically approve software during regular roll-outs.

Trusted directory approval easily integrates with existing software deployment processes. All software in the specified trusted directory of your deployment server is automatically approved. The level of approval provided by a trusted directory depends upon the platform on which it is located and applicable policies, if any.

Carbon Black App Control has been tested with and fully supports trusted directory approval with common deployment technologies. Contact VMware Carbon Black Support to determine whether your deployment method is supported, and to obtain guidance on any special considerations for integrating it with Carbon Black App Control.

Trusted Directory approvals are not sent to agents immediately upon activation of the directory or addition of files. There are three conditions that cause a trusted directory file approval to be sent to endpoints:

Blocked files
If the Carbon Black App Control Server has a record of a file being blocked on any endpoint and that file is later approved by trusted directory, the server begins sending the approvals of the file to agents immediately.
Execution attempts
If a user attempts to execute an instance of a file approved by using a trusted directory on a computer connected to the Carbon Black App Control Server, the server allows the agent to run the file immediately and sends the approval to other agents.
If a file approved by using a trusted directory is identified as an installer, the Carbon Black App Control Server begins sending the approval of the file to agents immediately.

Even if a file is approved by trusted directory and not blocked by another rule, until its approval is sent to agents, instances of the file can be locally unapproved and can block if the agent computer is disconnected from the server before the approval is distributed.

Caution: Avoid using removable media for trusted directories. If a removable device is disconnected and then reconnected, it is not rescanned and any new content is unprocessed and untrusted. In this case, you must disable and re-enable the trusted directory to trust the new content. Configure trusted directories on permanently attached fixed media so that the agent can monitor modifications and additions and can process any new content.