Video Screencast Help
Give us your opinion and win with Symantec! Please help us by taking this survey to tell us about your experience with Symantec Connect, so that we can continue to grow and improve.  Take the survey.

SEP 12.x: Want to restrict people installing applications

Created: 20 Nov 2013 | 8 comments
MIXIT's picture

Hi all.  I haven't gotten into the App & Device control aspects of SEP all that much yet.  Once in the past I enabled the checkmark in Device Control that prevents apps from launching from USB devices, but that caused all BlackBerry users to be unable to use their Desktop Manager software so I decided to not use this feature any further until more itme couldc be spent testing, which hasn't occured yet. 

Anyway, lately there has been a rash of adware/junkware getting installed on the systems at more than one of my customers.  Center to this seems to be this cursed Conduit Search Protect.  Freakin' bstards whoever makes that software.  Systems end up getting that on there, then a bunch of toolbars, "computer optimizers" and all that crapware that the idiots of the world make get on there.  Sortry to rant, I'm just tired of trying to remove such stupid adware as otshot and what not (yes, that rhymes cuz I rhymes all the times).  A lot of that stuff never uninstalls cleanly so we end up with "run DLL" errors on login and so forth. 

Ok all bad jokes aside, I want to restrict all users on a network from being able to install software, but i need to leave them as local admins on their own machine thus AD or local security policy gpediting is not an option I think.  Some customers are not using AD anyway so a universal solution is more ideal.  I was wondering if App control in SEP can get this done? 

Thank you. 

Operating Systems:

Comments 8 CommentsJump to latest comment

Brɨan's picture

If you know what software and install location, its pretty simple to do. I'm assuming this is more for malware?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

MIXIT's picture

Well, this would be more like I want to prevent all users from installing any software.  I don'tthink the Conduit and related asware is really malware, rather it's probably something that gets on there as an add-on to an Adobe or Java update probably. 

But since I won't know what's coming, I'd rather just prevent user accounts logged on from being able to install anything, or at least to generate reports perhap son what does get installed. 

greg12's picture

There is the custom ADC rule set "Stop software installers [AC8]". That should fulfill your wishes. Don't forget to test it extensively.

MIXIT's picture

Ok I"ll check that out.  Admittedly I could have opened SEPM and investigated but asking on here generally prompts the extra "do this but don't do that" kind of talk which is also very helpful.  I'll check out that rule and yes, extensively test.  I know this will probably stop various forms of updates from occuring too which would be a real pain. 

Just a side question but might there be a Java management platform of some kind where I can update Java on all systems at once, rather than having to go to each PC to do this? Which in reality means I don't have time so don't get it done....

SameerU's picture


Please use the Application Device policy to do the same


Brɨan's picture

Hey SameerU, this whole discussion is regarding ADC. Please read before posting unhelpful info.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

AjinBabu's picture


We can use Application and Device control policy to accomplish this, please test the policy before applying it on production.



MIXIT's picture

Hi all.  I have this stuff queued up to take action on soon but can't until I get time to proceed.  I'll definitely want to pursue this though so please don't take my lack of response as having moved on from this thread, it'll just be some days or short weeks before I start to work on this.  Thank you for your patience.