Local Approval mode allows you to install new files that become locally approved without affecting the local state of any files already on the computer before the mode change, or installed after the computer is returned to its normal policy. Local Approval mode is most useful if you have not yet introduced the new files you want to install on a computer.
You can use the console to move an online computer into the predefined Local Approval policy for as long as it takes to complete software installation. While the computer is in the Local Approval policy, computer users are permitted to install and run unapproved applications that were previously blocked by a High or Medium Enforcement Level. Banned files remain banned and are blocked from running.
After the installation is complete, you can restore the computer to its original policy, at which point it continues to be able to run all files that were installed and locally approved while it was at the relaxed Enforcement Level.
- Unapproved software can be installed on computers in a Low Enforcement Level policy. However, you still might want to move the computer into Local Approval to approve known-good files, especially if you might move the computer to a higher Enforcement Level at a later time.
- In Local Approval, the only active Device Control settings are Block writes to banned removable devices and Block executes from banned removable devices. All others are set to Off.
You can move computers into Local Approval mode in several different ways, each of which also allows you to restore the computer to its previous policy:
- You can move one or more computers at a time to Local Approval mode through the Computers page.
- You can move a single computer from High or Medium Enforcement into Local Approval using the Action menu on its Computer Details page.
- You can move a single computer into Local Approval mode by using the Change Policy portlet on the console Home Page.
Local Approval mode has special features for monitoring and control:
- You can track which machines are in Local Approval mode by selecting the Computers in Local Approval saved view on the Computers page.
- You can set an alert to trigger if a computer is in Local Approval longer than a time interval you specify. See Using App Control Alerts.
- Computers manually moved to Local Approval mode can be returned to their normal Enforcement Level using the Restore to Normal Enforcement Level command on the Computers page Action menu.
Move Online Computers to Local Approval Mode
To move online computers to Local Approval mode, perform the following procedure.
- In the console menu, click Assets > Computers.
- In the Computers table, locate the computers to be placed in Local Approval mode. To reduce the number of computers displayed, you can use the Show Filters button and filter on policy or some other relevant field. You can also enter all or part of the computer name in the Search text box.
- Select the names of computers to move to Local Approval mode.
- On the Action menu, select Move to Local Approval.
The computers move into the Local Approval policy. Unapproved files can be executed and device control is disabled except for writing to banned devices, which is blocked. If computers in Low Enforcement are included in your selection, the operation fails and shows an error message.
- On the Computers page, select Computers in Local Approval on the Saved Views menu. Verify that the computer appears in the table as part of the Local Approval policy. The computer user may now install software on that system and have it locally approved (if not globally banned or approved). The only active Device Control setting is Block writes to banned removable devices.