Mode and Type

Application control mode and type

Application control mode

Application Control has 3 different modes op operation:

The default mode is “No Application Control”. Every remote user always sees a complete, default Windows desktop.

The second and third option turns on the Application Control. The difference between the second and third option is what a user sees in case no applications are available for the user. The second option will give the user a complete desktop without any restriction. The third option will show the remote user a message that the Administrator has not made any application available for the user. The remote user is not able to continue to work:

Application control type: Strict or Relaxed

Strict Application control implies that the user is not allowed to start any other application then those which are assigned to him by AADS Application Control.
Default this is the best, most secure choice.

However, it might happen that some applications do need to start other (sub-) applications. For example, an Office suite that starts the Write-program, or the Spreadsheet program.
The Administrator might not always be able to figure out how many other (sub-) applications are needed to be started by the user. And if the Administrator does not know exactly what the user will be starting, then the Administrator can also not assign those (sub-)applications to the user.
This might be a circumstance where "Relaxed Application control" can be considered.

Please note: when Relaxed Application Control is applied, assigned applications can / are allowed to start other, not-assigned applications. Examples:

The Office program can start the separate Help-program when the user presses F1.
- This is an OK situation.
The Browser can start its own separate Updater-program. It will do this when it detects that an update is available for download.
- This can be OK. However, the Administrator might not want that users or programs do decide for themselves when to install updates.

Administrator and Application Control

Application Control does not apply to the user Administrator. It is important that the user Administrator can not be restricted using Application Control, because if he gets restricted, he can not start the Maintenance program any more in order to fix his restrictions......

Failing Domain or Failing Authorization

Which Applications are available to an user can depend on the Group-membership of the user. In the event of problems related to a Failing Authorization, for example because Windows is failing, or some third party Credential Provider is failing, the AADServer is not able to determine what the Group-membership of the user is. In such an event, it is possible to block all users, except the Administrator, such to prevent that the users do access "the wrong applications". The Administrator must fix the problems related to the Failing Authorization, and after this is fixed, the users can access their assigned applications again.

Local Console and Application Control

If the Application Control settings are not mandatory for all users; if some users can still have the default Windows Start Menu,
then a session on the local console of the AADServer will always show the default Windows Start Menu.

The reason behind this, is that the local console of the AADServer is commonly used, not by end-users, but by an Administrator, and in such a case, when working on the local console, presumable the Administrator wants the default Windows Start Menu.