Carbon Black App Control supports installation privileges for users to install software on their own or others’ computers when the computers are under High Enforcement protection. You can trust individual users or specify trusted groups whose members become trusted users.

Trusted users and users in trusted groups have full permission to install software (unless banned) on any accessible computer that allows them to log in with their credentials. Applications installed by a trusted user are locally approved where they are installed.

Trusted users can also execute unapproved files; however, the file state remains unapproved.


When you designate a trusted user or group, you grant a broad privilege to install and approve software on all of your endpoints. This privilege should be granted only if absolutely necessary, and should be disabled when not needed.

If the installations you need to perform are limited in scope, consider creating Custom rules that match those limits instead of granting global trusted user status. For example, you can create an Allow and Promote Custom rule that promotes processes initiated by a specified user or group, and allows execution of unapproved files by that user, but only when executed from a specified location.