10: How To Deploy PolicyPak Settings Using The Cloud

If you wondered how to create and export PolicyPak magic to be deployed using our Cloud Suite, watch this video! We go over creating, exporting, and deploying policies Application Settings Manager, Browser Router, and Least Privilege Manager!

Download this video

How To Deploy PolicyPak Settings Using The Cloud

Hi, this is Whitney with PolicyPak Software. In this video, we’re going to learn how to export some of the PolicyPak settings for use over the cloud to be able to be delivered to non-domain joined machines. Today, we’re going to look at the Application Settings Manager, the Least Privilege Manager and the Browser Router.

Let’s go ahead and get started. We’ll create a Group Policy Object in the “Group Policy Objects” node. It doesn’t need to be in any particular OU because all we’re going to do with this is export the directives as XML. We’ll just call it “PP Cloud Demo.” We’ll say “OK.”

We’ll go ahead and “Edit.” Now these can all be done on either the computer side or the user side. I am just going to go ahead and go on the user side. We’ll start with the “Application Settings Manager.” We’ll use it to send some directives over for Firefox.

All right, now let’s widen this out. We’re going to right click. When we do, we’re going to have “New Application.” Now there are other videos explaining how these Paks get to where they are. They are located in your Central Store. What you’ll need to do is drop your Paks into your Central Store so that they can be accessed here by the Application Settings Manager, but that’s not for this video.

I’m going to go and choose “PolicyPak for Mozilla Firefox 23.0.” I’m going to double click on it, and then the settings manager opens up here. These are the same settings that you would find if you were on the endpoint playing around with Firefox. We’re just going to deliver a couple of settings for the sake of this demo here.

Let’s go and set a “Home Page.” We’ll just make it be “https://www.policypak.com.” Seeing that this is underlined indicates that when you right click you’ll see “Always reapply this setting” right here, and that’s what we want. The underline indicates that we’re delivering that setting. Now let’s go over to the “Extras” and let’s take away incognito browsing (“Turn off private browsing”).

All right, we’re just going to add those two settings. Now that we’ve gotten this done, how are we going to get this delivered over to the cloud? Well, let’s right click on here, and we’re going to “Export settings to XML Data File.” I’m just going to save this right on the “Desktop,” and it’s going to pop up right here. There we go. There’s that XML.

Now let’s go look at “Browser Router.” We’re going to use the Browser Router to make sure that GPAnswers.com always opens in Chrome and we’ll use it to block Facebook. So let’s start with “ADD NEW COLLECTION.” We can just call this “Collection 1.”

Let’s get inside there, and let’s “ADD NEW POLICY.” I’m going to say “GPanswers.com to Chrome.” I’m going to say a “Wildcard.” Let’s do “*gpanswers*.” We’ll choose “Google Chrome,” and we’ll tell it “OK.” So that means any time somebody tries to go to GPAnswers.com, then it will open in Chrome regardless of what browser we started in.

Let’s use this to also create a policy that’s going to block Facebook. Again, I’m going to go with a “Wildcard” situation. Then I’m going to say “Block,” and here we can put some custom text. So let’s say, “No FB for you!” When the message pops up, it’s going to say just that. So we’ll say “OK.”

Once again, let’s go to our “Collection 1.” We’re going to right click on this and we’re going to “Export Collection as XML” so we’ll get those settings over to our non-domain joined machine. We’ll just call it “PPBR Settings.”

Finally, let’s go to “Least Privilege Manager” and let’s select “ADD NEW COLLECTION” here. That can also be called “Collection 1.” I’m going to select “ADD NEW SECURE RUN POLICY” to block anything that’s not owned by an admin or someone on the SecureRun list. We’ll “Enable” that. Anything that’s not installed or owned by someone on this list won’t run, so it’s a good security measure. We’ll start by create that “SecureRun policy.”

Then I also know that when I am on my endpoint as a standard user, I can’t run Process Monitor. So I’m going to select “ADD NEW EXE POLICY” to allow me to run Process Monitor as an admin even though I will be on my endpoint as a standard user. I will click “Next.” I’m going to go with “Hash,” “Next” again. I’m going to “Select reference file.” I’m going to find “Procmon” right here. I’ll click “Next.” I want it to “Run with elevated privileges.” I’m going to “Let ProcMon” Run” and “Finish” out.

Then let’s go back to that “Collection 1.” As we did before, we’ll right click and we’ll choose “Export Collection as XML.” We are going to drop that right on the “Desktop” once again. There we go. “PPLPM Settings,” and there we have it.

First of all, before we upload these to our cloud instance, let’s go over and look at our cloud machine and see the settings before they get governed by the XML. Now we’re over here at the endpoint that we’re working with, and is “NOT DOMAIN JOIN” as it says very clearly right here just to put a fine point on it.

What we’re going to do is look at the settings before they’re being governed. We were going to do some “Mozilla Firefox” settings, so let’s go look at that. It certainly won’t be PolicyPak.com, and we will be able to access the private browsing. Here we are. This is the homepage that’s currently happening (“www.mozilla.org”). If we click right here, we see that we have a “New Private Window” as an option. We took that away with the directive that we created earlier, so these are the ungoverned settings.

Now if we go look at Process Monitor (“Procmon”), it’s not going to run because it needs the admin credentials so it gives us that UAC prompt. But as a standard user, I can run this “RansomwareSimulator” which means that in theory I would be getting my computer eaten up by this Ransomware. So that’s something we’re smacking down with the SecureRun part of the Least Privilege Manager component.

Finally, let’s actually go back to our browser here. We directed it so that GPAnswers.com would go to Chrome and you wouldn’t be able to access Facebook anywhere. If we go from Firefox to “gpanswers.com,” then it’s going to stay in Firefox just as we anticipate. It will sit there and it will just show up right there in Firefox, which is understandable because we don’t have any policies on there. If we try to go to “facebook.com,” it’s going to load just fine, which is what we’re trying to block with the Browser Router policy that we used. So these are the ungoverned settings.

Now, let’s go back over to our management station and let’s upload the directives and see them take effect in real time. Let’s hop over here. We’ll go to the “XML Data Files” area, and I’m going to “Upload XML Data File.” We’ll “Choose File,” and we want the “PPLPM Settings.” This says “PolicyPak Least Privilege Manager.” We’re going to say “Let Procmon Run.” We can “Add” that.

Then we’ll do the same thing with the other two. So let’s go ahead and “Choose File” again. We’ll do the “PPBR Settings.” I’m just going to say “GP answers to Chrome, no Facebook.” We’ll “Add” that one. We’ll finally add that last one, the Firefox settings. Let’s “Choose File,” “FF Settings.” That’s the “Description.” That feels good to me, so I’ll go ahead and “Add” that as it is.

Now these are just in this “XML Data Files” swimming pool right now, so I need to go and link them over to one of the “Computer Groups” that has my machine in it. “East Sales” is where I have the machine. It’s actually in “East Marketing” as well, but I’m going to add it to the “East Sales” company group right here.

I’m going to “Link XML here.” I want to do the “PolicyPak Least Privilege Manager,” and I want the “PolicyPak Browser Router” and I want “Mozilla Firefox 23.0.” So let’s “Add” those. Now those settings are now being directed to the endpoint.

All right, so we’re back at our endpoint. We’re going to go and do a manual refresh so we can connect with the cloud. Now normally this would happen every 60 minutes, but we’re going to do this manually for the sake of this video. It’s just “ppcloud /sync.”

This will both tell us that we are synced the cloud manually, immediately. It also lets us know what policies are being linked to this computer. So we can see that our “Browser Router” policy is there, our “Least Privilege Manager” policy is there and there’s our “Mozilla” policy. So we’ll close this down.

Now let’s go to “Mozilla Firefox,” and we should see PolicyPak.com being the homepage and we should see that the private browsing option is missing. So let’s see how this shakes out. There we go. We have “https://www.policypak.com” loading right now. Let’s go over and look at our options and see private browsing is missing just like we told it to.

Now let’s try to go to GPAnswers.com because, if you’ll remember, we created that Browser Router option that told us that we were routing GPAnswers.com to Chrome. So since we’re in Firefox, let’s do “gpanswers.com,” and there we go. It shut down Firefox, or at least that particular tab, and now we are here in Chrome. Now let’s see if we can get to “facebook.com.” There we go. “No FB for you!” just like we told it to.

Let’s close this down and let’s go look at Process Monitor (“Procmon”) and see if we can run it. Sure enough. Least Privilege Manager gave us the ability to elevate this as an admin, so we’re running it without seeing a UAC. Let’s go see if we can run “RansomwareSimulator.” We sure can’t. It got locked down by those directives.

So we used the PolicyPak components to direct settings to Firefox, to elevate the Process Monitor and smack down ransomware and to make sure that people can’t get to Facebook and that if we go to GPAnswers.com, it opens in Chrome regardless of what browser you’re in. So that’s how we got some of the PolicyPak magic delivered through the cloud to our non-domain joined endpoint.

If this is interesting to you and you want to get started, give us a call and we’ll be happy to get you started with a free trial right away.

Thanks.

  • 474
  • 09-Apr-2019
  • 118 Views