Application Metering - Part 2

Right after I got Application Metering up and running I started to check what programs were being run on the computers that I manage. I noticed a few that looked a little fishy. I decided to block them, just to see what would happen. I noticed that every couple of days someone would install the software and try to run it over and over. This week I decided to take a closer look.

I found that the user was making "backup" copies of their DVDs on company computers. Not only that, they were going to great lengths to install software that I was not blocking to do their dirty work. Because of Application Metering we were able to enforce our school policies and stay out of trouble with the law. I have started to block all kinds of programs that would normally put us into a sticky situation.

In the first article we installed Application Metering on our Notification Server. We also configured it to start working in our environment. Finally, we enabled all of the right policies so that it would actually start recording information about the software on our computers. This time we will install the Application Metering Agent on our computers and create and configure a metering policy.

Resources:

Here are some incredible Application Metering resources I found:

• Video: Altiris Application Metering Basics (thanks Screenbert)
• Application Metering Documentation
• Application Metering Release Notes

Installing the Agent:

There are two main ways to install the Application Metering Agent. The first is pretty straight forward. As long as you have the Altiris Agent on computers in your environment you are good to go. Here is what you do:

• Open the Altiris Console 6.5
• Go to View >> Solutions >> Application Metering
• Once you are there, go to Application Metering >> Config >> Application Metering Agent Rollout >> Win32 Application Metering Agent Install
• Click on the "Enable" check box
• Click the "Apply" button

Now this policy is enabled and the agent is going to be installed on all computer that have the Altiris Agent that don't have the Application Metering Agent. For testing I suggest that you install the Application Metering in a test environment. To change the collection, click the link titled "Clients Requiring Application Metering Agent Install/Upgrade". A window will appear that will let you choose a new collection.

I like to do a silent install of all my Altiris Agents. The first thing we need to do is find the install files:

• Go to Application Metering >> Config >> Application Metering Agent Rollout >> Win32 Application Metering Agent Package
• Go to the text box titled "Package location:" and copy all the text
• Now open Windows Explorer and paste in the path we just found
• We have found a file called "AMAgentSetup.msi"

If you throw a /qb! after the file it will silently install (AMAgentSetup.msi /qb!).

Application Metering Policies:

Now that we have the backend all setup, and the agent on the computer we have programs being reported to the Notification Server. That information makes creating policies easy. There are some canned policies. I use them as reference points. Lets jump right in and create some policies.

Before we get started:

We need a piece of software to test with:

• Go to http://notepad-plus.sourceforge.net/uk/site.htm and download Notepad++
• Install it on a computer that has the Application Metering Software installed. We have gather data every day on programs that are installed. That means we can wait a day and it will be in our database.

Creating the Policy:

Let's create a policy to block Notepad++:

• In the Altiris Console 6.5, go to View >> Solutions >> Application Metering
• Now, go to Application Metering >> Policies >> Application Monitors
• Right click on the "Application Monitors" folder
• Go to New >> Folder
• Name the folder "Test". Click the "Apply" button to continue
• Now, right click the "Test" folder
• Go to New >> Notification Policy
  
  

  Click to view.

Configuring the Policy:

Now the policy is created, lets configure it:

• Click the box next to "Enable"
• Change the Name to "Notepad++ Test"
• Change the collection to your test group (make sure to uncheck the current collection)
• Click on the "Add Application Definition" button, and the following window will appear:
  
  

  Click to view.

• If you know all of the information for this app, you can fill out each item individually. I don't, so I press the "Click here to populate fields from a discovered application" link
• You will see the following window:
  
  

  Click to view.

• In the "Product Name" text box type in Notepad++ and press the search button
  
  

  Click to view.

• I installed two different versions of the software, and did some testing so it showed up three times in the search. Choose one of these applications from the list and click the "Apply" button
  
  

  Click to view.

• As you can see, it populated most of the fields:
  
  

  Click to view.

• You will need to title this policy, so type in "Notepad ++ Test" and press the "OK" button to continue
  
  

  Click to view.

• You can now see that this application is being monitored:
  
  

  Click to view.

• Now, because we want to block the program, select the "Deny users the ability to run the applications in this monitor policy", a bunch of more options will appear:
  
  

  Click to view.

• I want it to be denied at all times so I leave that setting alone.
• I would like email alerts sent to me, so I check the "Send e-mail alerts for denial events" check box
• A "Set E-Mail Options..." appears, click on it
• Setup the window like this:
  
  

  Click to view.

  And click the "OK" button to continue

• Everything is configured, you can hit the "Apply" button to continue.

There are a few things to keep in mind at this point. Notepad++ is being blocked all day. You can block something on a schedule, here is how:

• In the "Notepad++ Test" policy, press the "Denial to apply everyday between specified times" or "Denial to apply for different periods on different days" radio buttons.
• Choose your times:
  
  

  Click to view.

• Press the "Apply" button to continue.

Blocking Schedule:

Why would you choose this option? Let's say you want games blocked during the day, but you want a laptop user to be able to play at home. Or, you have a piece of software that you want them to use at work and not at home. Pretty sweet huh?

Or, lets say you have a weekly meeting that you want everyone to actually pay attention in, so you block Firefox and Internet Explorer in this meeting:

Click to view.

Custom Dynamic Emails:

The next thing to keep in mind is the email that is sent. It has been useful to me to see what is being blocked. I accidentally blocked something I shouldn't have and I knew because of how frequently the software was being run. But, other than the notice the email is not very useful, or is it? I found this in the Application Metering Documentation (on page: 17):

You can use the following case-sensitive variables in the e-mail message:
{Command Line}
{Domain}
{File Name}
{File Path}
{File Version}
{Internal Name}
{Known As}
{Language}
{Manufacturer}
{PID}
{Policy Guid}
{Policy Name}
{Product Name}
{Product Version}
{Start Date}
{User}

Here is an example of how to use these variables:

Click to view.

The only variable that is missing is "computer name". I think that this would be a great addition. What do you think?

Better Blocking:

This policy is only blocking "Notepad++ 4.91". The more information that you include in the application definition the more specific it will block, and the opposite is true. The less information that you include the more programs it will block. I have found a balance. Using the steps above I will block a specific program. Then, I do the following:

• Click on "Add Application Definition"
• Press the "Click here to populate fields from a discovered application" link
• Search for Notepad++ and select the same version as above.
• Click the "Apply" button.
• Remove the "File version" and the "Product Version"
  
  

  Click to view.

• Add a definition name in and click the "OK" button

Now, this policy is blocking the specific program that we detected in our policy scan, and older and new versions of that same program. Even if the user goes to the Program Files folder and changes the main executable name the program won't run because of the extra info that we provided.

Custom Messages:

The last thing to keep in mind is the denial message. There is a canned message that works for most things. You can change the message to reflect why the software is being blocked. Check this out:

Click to view.

Conclusion:

Software is the lifeblood of a business. They are why computers are useful. Controlling software can be one big headache. But, Altiris Application Monitoring Solution is like a big dose of pain killer. In this article we learned how to install the Application Monitoring Agent on a target computer. We also talked about how to create a policy that denies the use of a piece of software. When denying software, you can block it all the time or block it on a schedule. We also talked about how to customize the blocked notifications that are received and how to create a custom message to appear when the program is blocked. This solution is worth the time and money if you ask me.