Is there a way to get the Kace Agent to Deny Program Installations unless given permission by an administrator?

We want to allow program setups to be downloaded but denied when attempting to install it w/o IT permission.

I already checked under "Security Policy" under "Scripting" but it will only deny a specific program from being run.

Answer Summary:
Cancel
0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Community Chosen Answer

3

The K1000/agent do not have that functionality.  You can probably do it through a GPO assuming you are talking about Windows: http://technet.microsoft.com/en-us/library/cc786941%28v=ws.10%29.aspx

Answered 05/10/2013 by: jknox
Red Belt

  • Thanks! have been working with KACE for almost a year now and STILL trying to learn all its functionalities!

    Nice hearing from a Dell Kace Representative so fast
    • In that case, these videos should be helpful: http://www.kace.com/support/resources/kb/article/kace-kontinuing-education-k1000-and-k2000-recordings

      If you would like to see that functionality added to the K1000, you can submit it as a feature request here: http://kace.uservoice.com/forums/82699-k1000
Please log in to comment

Answers

2

zip the installs with a password, you can then do something like run a unzip script using k1000 script or pstools - psexec to that machine when they contact you.

Answered 05/10/2013 by: SMal.tmcc
Red Belt

  • We'd like to eventually move towards that direction when running program installations.

    As for now, we're looking for a preventative maintenance solution to stop coworkers from installing freeware on company PC's where we can run into all sorts of complications such as Licensing and Malware
  • but thanks for the input... really appreciate it!
  • I have a custom software inventory that monitors for software running in the users appdata area, this helps looking for malware and freeware. they are "users" on the machines so it is one of the few spots they can write to.

    Running Processes from appdata: Custom rule
    ShellCommandTextReturn(c:\windows\system32\wbem\WMIC.exe PROCESS where (commandline like "%%AppDat%%") get commandline)

    I have thinking of expanding it to cover the profile since i watched one user run an app from the desktop and another from documents.
    • The other thing one of the techs is doing when possible, when he sees a unlicensed program, he creates a smartlabel for this software and ties it to an uninstall MI.
Please log in to comment
2

As mentioned before, Group Policy will probably be your best friend. If your end users are still local admins, remove them from the administrators group. Turn your UAC on and that will force them to enter admin credentials to make any changes including software installs. In Windows 7 you can get pretty granular about what UAC will prompt for. You can also get very granular with Group Policy as well. If these don't work for you there's a couple of programs you should look at.

Bit 9

https://www.bit9.com/

Faronics

http://www.faronics.com/products/anti-executable/

Both of these are anti-executables that you have to whitelist the applications that you want to be able to run. Faronics also has a deep-freeze program that prevents changes from being permanent on a machine unless the admin places it into a "thawed" state. I hope this helps.

 

Answered 05/10/2013 by: GeekSoldier
Red Belt

Please log in to comment
Answer this question or Comment on this question for clarity