Providing Last-Mile Desktop and Application Lockdown with PolicyPak

Posted on May 18, 2012 by Petri IT Knowledgebase Team in Active Directory with 0 Comments


In this video, Group Policy MVP Jeremy Moskowitz walks us through his Group Policy add-on, PolicyPak, and shows how you can deliver Group Policy settings over VDI to lock down applications.

Jeremy Moskowitz on PolicyPak

Hi everybody. This is Jeremy Moskowitz, Group Policy MVP and founder of PolicyPak software. My friends at TrainSignal grabbed me by the ear; they said “you got to show this to our friends and viewers and stuff,” and I am happy to bring this to you. So let’s set the stage about what we are about to see and why you should care.

A lot of folks now are being told they have to support this idea of “bring your own device” or BYOD to work, and I know what a huge pain in the neck that can be. You don’t know if they are bringing in an iPhone or iPad or a tablet computer. You don’t know what is around the bend even, or whatever is next basically.

So what I’ve got here, what I am about to show you is I don’t have a real iPad; I have a fake iPad, and so, you just have to play pretend with me. I hope that will be ok. On my fake iPad, you know that if you use a VDI-based solution to remotely give somebody an entire desktop environment, you have to support the applications. Now getting those applications on those target computers, really those target VDI sessions, is kind of like what actually happens from third party vendors. Microsoft, Citrix and VMware all have solutions around VDI. But this is what I showed my friends at TrainSignal, and they kind of fell over, which was that they are missing the last mile. And that’s what I wanted to show you.

If you’ve got a Windows 7 rollout planned or if you’ve got VDI around the edges, kind of getting warmed up, if you’ve got desktops and laptops or even terminal server, like I said, when I showed my friends at TrainSignal, they wanted me to show you, too.

Here’s the good news. Everything I am about to show you is actually absolutely free, up to a point. So there is a free edition of PolicyPak Professional and there is a pay edition. But the kind of stuff I am going to show you here is free up to a point, and you can find out more about what’s free and what’s not on our website.

I am going to go ahead and get started here. So here is my fake iPad. As you can see, it’s got the fake-like iPad background and you can see here, I’ve got my real applications here. I’ve got my Adobe Reader. I’ve got my Firefox and I’ve got my WinZip. Again, we are pretending that this is like an iPad that actually is using a VDI session with one of those three vendors to remotely give access to our Windows desktop.

In this case, let me go ahead and run WinZip as an application right away, and the user gets kind of a crappy experience as you can see here. They sort of instantly get a popup asking them a question. They don’t know what to do and that’s what we are going to talk about. We just want to get rid of all the fuzzy edges around the user’s experience when they get new applications and get a new laptop, desktop, or VDI session.

So if we go to Options, Configuration here, we’ll see there are, well, actually a lot of settings for a user to screw up. I happen to be using these three applications as sort of like my baseline. I’ve got WinZip. I’ve got Firefox and I’ve got Acrobat Reader. But actually you could think of these as any application you have to deploy.

Now if you have corporate IT settings that you want to make sure that your users can’t work around, as a lot of you know, I am a Group Policy MVP and man, I love Group Policy. But it just doesn’t do what it’s supposed to do for the actual applications on your machine. It does a great job for the stuff in the box, but it kind of falls apart for the actual applications on your machine. And that’s what we are going to see.

Here you can see, I’ve got this password section, this Passwords tab, and on the Passwords tab, there are some security settings. I am using WinZip and you might not think of WinZip as a big security app, but you can think of any application that you have as comparable. In other words, some applications have security settings, and the question is how you’re going to dictate that security to that application.

Here we’ve got WinZip just waiting to be configured. Unfortunately, and we could see here, we’ve got the cameras tab and we don’t use cameras at our company, so maybe we’ll make sure that the cameras tab is locked out. Let’s go ahead and get started with this first directive and initiative.

The best part is that PolicyPak hooks right into your Group Policy engine, so we are going to create a new GPO called “lock down WinZip” here. And I’ll go ahead and edit this guy here. I’ll just right click there, and here we go. You’ll see that I’ve got the built-in policies, the built-in preferences and now PolicyPak.

PolicyPak Applications is a new node that just snaps right into the GPMC; it comes as part of what you get. PolicyPak actually ships with 35 pre-configured applications that lots and lots of folks really want to get delivered. I know a lot of folks are using Acrobat Reader, which we are about to cover. Java, you want to make Java pop-ups go away. You’ve got Firefox; we are going to show how to configure Firefox in this little video, that’s right. When I’ve shown some people that they can actually configure Firefox using Group Policy, their heads pop right off. So I’ll show you that.

Let’s go right to WinZip right here and I’ll double click on that. Look at that, it looks exactly like the actual application we want to configure. If we kind of hustle over to passwords here, let’s go ahead and bump up the minimum password length to 11, thus making this actual application more secure. Again, you can think of this as any application you have that needs increased security. I’ll click on all these check boxes and that’s cool. I am delivering a setting.

We are going to go one big step greater and we are going to actually lock the setting down so a user can’t work around it. Let me go ahead for this middle check box here, this third check box here. And I am going to hide the corresponding setting in the target application. I am literally going to remove it so that it’s not available for the user at all to screw up. I’ll do the same thing for the last check, except I am going to disable the corresponding control in the target application, and what the heck, I’ll do the same thing for minimum password length as well. I’ll really crank that guy down and really make sure that user can’t work around it.

Remember cameras; we don’t want to use cameras at our company, so I’ll right click and I’ll disable the whole tab in the target application. So that’s it. It’s as simple as that.

We’ve got these preconfigured packs ready to rock; just go on to your new VDI session. You can log off or log back on. In this case, I am running gpupdate. That’s going to get me the latest, greatest Group Policy settings, and let’s go ahead and see what happens.

All right. Only took a second. So now what we do is we’ll go ahead and run WinZip and let’s check it out as this user. Now again, if the user is running as a standard user or as an admin user, we want to make sure that they are locked down. So let’s go to Options, Configuration, take a look at Passwords and look at that. You can see right there that all four check boxes are checked. One of them is completely missing, which is what we said, and one is grayed out. And that 11 guy, that minimum password length, is jammed up to 11. That’s pretty cool because now there is no way for the user to work around our settings for the things that we set. And Cameras, you can’t click on Cameras at all. What I want to show next is what happens if you go offline.

So if you’ve got a standard desktop or a standard laptop, or you are running one of those VDI sessions that you can take offline with you, what happens if the user works around your setting?

Well, if you just run gpupdate and you don’t have access to the domain controller, gpupdate is just going to fall over and die. Now you just saw me uncheck those two checkboxes, but it turns out PolicyPak has a secret weapon.

And this again is all in the box in both the free version and the paid version. You can just run ppupdate and boom, it took zero seconds, and it will redeliver those settings just like that. I want to go to Options, Configuration, head on over there, and boom.

Those checkboxes that were unchecked are now checked. So you can keep your corporate and IT settings delivered and maintained even when you are offline. Let’s go through another example real quick here.

Let me show you another one that is like constantly in people’s minds, which is the security of the actual applications like Acrobat Reader.

I am sure you got the same kind of memo I did, which is about this JavaScript thing, this “Enable Acrobat JavaScript” setting. If it’s checked on, which is the default by the way, and some secretary double-clicks a PDF that’s infected, what’s going to happen? They are going to blast infection to the rest of their team. You don’t want that.

So what are you going to do, make 500 phone calls asking the secretaries or the other members of your world to uncheck the checkbox? No way. You are going to use the power of Group Policy to deliver that setting and then also lock it down so users can’t work around it.

That’s what we are going to do right now. We are going to make your world more secure, just like that.

Let’s go ahead. We’ll go back over to the Group Policy editor. We’ll right click, new, application, and we’ll go ahead and we’ll pick Acrobat Reader. Again you can see we’ve got a whole lot of application preconfigured packs ready to go. We are going to pick Acrobat Reader or Adobe Reader X.

We’ll go right over to the JavaScript guy, uncheck that “Enable Adobe JavaScript”, right click over it and disable that guy. We’ll go ahead and click OK, locking and loading that directive right in Group Policy land.

Again, the very next time a user runs gpupdate or logs off and logs back on, they magically get the settings. Let’s run gpupdate and see what happens.

All right. Let’s head over to Adobe Reader, go right to Edit, Preferences. Remember that check box was checked, and we don’t want that. If we go look at that, we can see right there it’s unchecked, and it’s grayed out.
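The same Reader JavaScript lockdown, plus the check a practitioner would run on a target machine afterwards, as an added PowerShell example that is not from the video and does not use PolicyPak: it uses the RSAT GroupPolicy module and Adobe's own FeatureLockDown registry policy for Reader X (10.0). The GPO name and the OU distinguished name are constructed placeholders; the registry paths are the ones Adobe documents for Reader 10.0 and should be checked against the preference reference for your Reader version.

```powershell
# Added example, not from the video or from PolicyPak.
# Assumptions (labelled): Adobe Reader X (10.0); Adobe's documented lockdown key
# HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\10.0\FeatureLockDown, where
# bEnableJS = 0 both disables JavaScript and greys out the checkbox in
# Edit > Preferences. Requires the GroupPolicy module on the admin workstation.

$GpoName  = 'lock down Acrobat Reader'                                   # constructed
$Lockdown = 'HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\10.0\FeatureLockDown'
$UserPref = 'HKCU:\Software\Adobe\Acrobat Reader\10.0\JSPrefs'

# 1. Admin side: create (or reuse) the GPO, set the lockdown value, link it.
function Set-ReaderJavaScriptLockdown {
    param(
        [string]$Name = $GpoName,
        # Placeholder OU; scope the link to the OU holding the target machines.
        [string]$TargetDN = 'OU=Workstations,DC=example,DC=com'
    )
    Import-Module GroupPolicy
    try   { $gpo = Get-GPO -Name $Name -ErrorAction Stop }
    catch { $gpo = New-GPO -Name $Name }
    Set-GPRegistryValue -Name $Name -Key $Lockdown -ValueName 'bEnableJS' `
                        -Type DWord -Value 0 | Out-Null
    # Ignore "already linked" on re-runs.
    New-GPLink -Name $Name -Target $TargetDN -ErrorAction SilentlyContinue | Out-Null
    return $gpo
}

# 2. Target side (desktop or terminal server), after gpupdate or a logoff/logon:
#    confirm the policy value landed and report the per-user preference alongside it,
#    since the HKLM policy key is what overrides and locks the user's own setting.
function Test-ReaderJavaScriptLocked {
    $policy = Get-ItemProperty -Path "Registry::$Lockdown" -Name bEnableJS -ErrorAction SilentlyContinue
    $user   = Get-ItemProperty -Path $UserPref -Name bEnableJS -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyPresent = ($null -ne $policy)
        PolicyValue   = if ($policy) { $policy.bEnableJS } else { $null }
        UserValue     = if ($user)   { $user.bEnableJS }   else { $null }
        # Locked is true only when the machine policy exists and is 0.
        Locked        = ($null -ne $policy -and $policy.bEnableJS -eq 0)
    }
}

# Usage on a target machine:  Test-ReaderJavaScriptLocked | Format-List
```

If `Locked` is false after a successful `gpupdate`, the machine is not in the linked scope or a higher-precedence GPO is setting the key, which is exactly the gap the offline `gpupdate` failure in the video leaves open.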

The best part is this stuff doesn’t just work for your desktops and laptops, of which you have a lot. It also works for those kinds of things we were just talking about, having iPads and tablets, and actually, it also works for environments like this.

This environment, which is another PC here, is actually using Citrix terminal service dial stuff. If you just click on that, we’ve got WinZip published. This is coming from my Citrix server. All I’ve got to do is log on, run it, and the Citrix server will get the same signal that the desktop does to restrict that application and lock it down exactly the way you expect.

So you can see, the application is starting up right here, and as soon as it’s done, the application will be presented from that server over to the workstation. The best part is the workstation, or if it’s a thin box or if it’s a terminal or if it’s a tablet or anything like that, as soon as that application is started, it’s going to have the actual application locked down and ready to rock.

Alright. There is WinZip started from our Citrix machine. If you go to Options, Configuration, go over to Passwords, boom, there it is. So you can see, this application doesn’t actually live on our machine at all. It’s actually installed over there on the terminal server.

PolicyPak can do the exact same thing for your virtualized applications, so if you’ve got ThinApp from VMware, if you’ve got Citrix streaming, or if you have Microsoft App-V, we can deliver the settings inside your virtual applications and lock them down.


I think that’s all we have time for today. I know I chewed your ear off. We’ve got a lot of stuff on the website. I’d love to see you come to one of my hour-long weekly webinars on PolicyPak and if you do, we’ll hand over the bits and you can play with it yourself and see if it’s right for you. We have a lot of folks who think it’s great.

My friends at TrainSignal saw this and they fell over and said we have to show this to our friends. I am really glad they did. So thank you very much for having me here. Appreciate it.