If you use AppLocker in your environment, make sure you have a rule for TrueDEM in place.

Configuration

Before you begin, ensure your environment trusts TrueDEM.

If a rule exists where a PublisherCondition is set and configured for the end user allowing all signed applications, no further action is needed (see box).

<FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">


If you have individual policies in place, ensure that one is created for TrueDEM based on the description below.

Configuration

As an AppLocker administrator, make sure the TrueDEM OfficeExpert Application Agent is installed on the device on which you configure the AppLocker rule.

  • Open Group Policy Editor (gpedit.exe)
  • Open Windows Settings / Security Settings / Application Control Policies / AppLocker / Packaged app Rules
  • Right click - Create New Rule

  • Adjust the settings based on your internal policies

  • Define any Exceptions you like
  • Adjust the Name if necessary


  • Click Select and search for OfficeExpert. Then select the application and move the slider to the Publisher level (trusting any Package Name and any Package Version from panagenda)


  • If necessary, define Exceptions

  • Give the rule a proper name and click Create


  • The new app rule now appears in the Packaged apps list


Note: The rule will not work because the publisher string gets truncated by the MMC UI. Microsoft confirmed that this is currently a known issue if an app has a PublisherString of more than 260 characters.
Because of that, you need to continue with the following steps.


  • Export the AppLocker policy/policies
    Right-click "AppLocker" and select Export Policy. Enter a name for the XML file.


  • The export contains all policies you have configured. Look for the TrueDEM rule you created.
    If you take a closer look, you will see that the PublisherName is truncated and ends with "Pr"



  • Replace the truncated string with the following one and save the file.
E=office@panagenda.com, CN=panagenda GmbH, O=panagenda GmbH, STREET=Sonnenfelsgasse 13/9, L=Vienna, S=Vienna, C=AT, OID.1.3.6.1.4.1.311.60.2.1.1=Vienna, OID.1.3.6.1.4.1.311.60.2.1.2=Vienna, OID.1.3.6.1.4.1.311.60.2.1.3=AT, SERIALNUMBER=293516T, OID.2.5.4.15=Private Organization


  • Depending on how you test the configuration, you can either import this file on your local computer (the same way you did the export) or put the XML into your OMA-URI settings configuration in Endpoint Manager (formerly Intune)
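
The replace-and-save step above can be scripted so the complete string is written without hand-editing the XML. The following PowerShell is an added example, not panagenda or Microsoft code: the function name Repair-TruncatedPublisher, the temporary file name and the sample policy (rule Id, rule name) are constructed for illustration, and it assumes the export uses the FilePublisherCondition element shown earlier on this page.

```powershell
# Added example: names and the sample policy are constructed, not vendor code.
$FullPublisher = 'E=office@panagenda.com, CN=panagenda GmbH, O=panagenda GmbH, STREET=Sonnenfelsgasse 13/9, L=Vienna, S=Vienna, C=AT, OID.1.3.6.1.4.1.311.60.2.1.1=Vienna, OID.1.3.6.1.4.1.311.60.2.1.2=Vienna, OID.1.3.6.1.4.1.311.60.2.1.3=AT, SERIALNUMBER=293516T, OID.2.5.4.15=Private Organization'

function Repair-TruncatedPublisher {
    param(
        [Parameter(Mandatory)][string]$Path,       # exported AppLocker policy XML
        [Parameter(Mandatory)][string]$Publisher   # complete publisher string
    )
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($fullPath)
    $fixed = 0
    # Copy the node list into an array before editing attributes.
    foreach ($cond in @($doc.SelectNodes('//FilePublisherCondition'))) {
        $current = $cond.GetAttribute('PublisherName')
        # A truncated value is a proper prefix of the complete string;
        # "*" and other vendors' publisher names never match and stay untouched.
        $truncated = $current.Length -gt 0 -and
                     $current.Length -lt $Publisher.Length -and
                     $Publisher.StartsWith($current, [System.StringComparison]::Ordinal)
        if ($truncated) {
            $cond.SetAttribute('PublisherName', $Publisher)
            $fixed++
        }
    }
    if ($fixed -gt 0) { $doc.Save($fullPath) }   # rewrite the file only when something changed
    return $fixed
}

# Constructed sample export: one Appx rule whose PublisherName is cut at 260 characters.
$cut = $FullPublisher.Substring(0, 260)
$sample = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="NotConfigured">
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000001" Name="TrueDEM (sample)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$cut" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$file = Join-Path ([System.IO.Path]::GetTempPath()) 'applocker-export-sample.xml'
Set-Content -LiteralPath $file -Value $sample -Encoding UTF8
$count = Repair-TruncatedPublisher -Path $file -Publisher $FullPublisher
$name = ([xml](Get-Content -LiteralPath $file -Raw)).SelectSingleNode('//FilePublisherCondition').PublisherName
"{0} rule(s) repaired; PublisherName complete: {1}" -f $count, ($name -eq $FullPublisher)
```

Run the function against a copy of your own export; rules with a wildcard or a different publisher are left unchanged, so the rest of the policy is imported exactly as it was exported.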



How do you verify that the rule is active on a computer?

  • Open PowerShell and run the following command

Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections



Check that you see the correct and complete PublisherCondition string.


How do you verify that the TrueDEM application is allowed?

  • Open PowerShell and run the following command
    (Note: Extract the msixbundle file so that you have the msix file of the application available)


Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Path "C:\<path>\Panagenda.OfficeExpertProd.Package_1.25.2.0_x64\Panagenda.OfficeExpertProd.Package_1.25.2.0_x64.msix" -User Everyone


  • Verify that you see Allowed in the output

