Getting the Kace Agent to deny Program Installations
Is there a way to get the Kace Agent to Deny Program Installations unless given permission by an administrator?
We want to allow program setups to be downloaded but denied when attempting to install it w/o IT permission.
I already checked under "Security Policy" under "Scripting" but it will only deny a specific program from being run.
Answers (3)
The K1000/agent do not have that functionality. You can probably do it through a GPO assuming you are talking about Windows: http://technet.microsoft.com/en-us/library/cc786941%28v=ws.10%29.aspx
Comments:
-
Thanks! have been working with KACE for almost a year now and STILL trying to learn all its functionalities!
Nice hearing from a Dell Kace Representative so fast - SW.WPI 10 years ago-
In that case, these videos should be helpful: http://www.kace.com/support/resources/kb/article/kace-kontinuing-education-k1000-and-k2000-recordings
If you would like to see that functionality added to the K1000, you can submit it as a feature request here: http://kace.uservoice.com/forums/82699-k1000 - jknox 10 years ago
zip the installs with a password, you can then do something like run a unzip script using k1000 script or pstools - psexec to that machine when they contact you.
Comments:
-
We'd like to eventually move towards that direction when running program installations.
As for now, we're looking for a preventative maintenance solution to stop coworkers from installing freeware on company PC's where we can run into all sorts of complications such as Licensing and Malware - SW.WPI 10 years ago -
but thanks for the input... really appreciate it! - SW.WPI 10 years ago
-
I have a custom software inventory that monitors for software running in the users appdata area, this helps looking for malware and freeware. they are "users" on the machines so it is one of the few spots they can write to.
Running Processes from appdata: Custom rule
ShellCommandTextReturn(c:\windows\system32\wbem\WMIC.exe PROCESS where (commandline like "%%AppDat%%") get commandline)
I have thinking of expanding it to cover the profile since i watched one user run an app from the desktop and another from documents. - SMal.tmcc 10 years ago-
The other thing one of the techs is doing when possible, when he sees a unlicensed program, he creates a smartlabel for this software and ties it to an uninstall MI. - SMal.tmcc 10 years ago
As mentioned before, Group Policy will probably be your best friend. If your end users are still local admins, remove them from the administrators group. Turn your UAC on and that will force them to enter admin credentials to make any changes including software installs. In Windows 7 you can get pretty granular about what UAC will prompt for. You can also get very granular with Group Policy as well. If these don't work for you there's a couple of programs you should look at.
Bit 9
https://www.bit9.com/
Faronics
http://www.faronics.com/products/anti-executable/
Both of these are anti-executables that you have to whitelist the applications that you want to be able to run. Faronics also has a deep-freeze program that prevents changes from being permanent on a machine unless the admin places it into a "thawed" state. I hope this helps.
