04: PolicyPak: Technical Overview (10 minutes)

If you’re technical, this is the best way for you to get a full understanding of PolicyPak’s “core” capabilities. Learn how PolicyPak can deliver settings using Group Policy and lock your applications down. PolicyPak works with Win XP, Win 7, and Win 8. PolicyPak works in conjunction with Microsoft Terminal Services (RDS) and Citrix XenApp. PolicyPak works with virtualized apps like Microsoft App-V, VMware ThinApp, and Citrix XenApp streaming. If you’ve got desktops, laptops or VDI sessions, you need PolicyPak — or you’re missing the last mile — controlling your actual applications!

PolicyPak: Technical Overview video transcript

Hi, everybody. This is Jeremy Moskowitz, former Group Policy MVP and Founder of PolicyPak Software. Let’s set the stage about what we’re about to see and why you should care. A lot of folks now are being told they have to support this idea of bring your own device – or BYOD – to work. I know what a huge pain in the neck that can be. You don’t know if they’re bringing an iPhone or an iPad or a tablet computer. You don’t know what’s around the bend even.

What I’ve got here and I’m about to show you is I don’t have a real iPad. I have a fake iPad. You just have to play pretend with me, and I hope that will be OK. On my fake iPad, you know that if you use a VDI-based solution to remotely give somebody an entire desktop environment, you have to support the applications.

Now getting those applications on those target computers – really those target VDI sessions – is kind of like what actually happens from third-party vendors. Microsoft, Citrix and VMware all have solutions around VDI, but they’re missing the last mile.

Let me go ahead and get started. Here is my fake iPad. As you can see, it’s got the fake little iPad background. You can see here I’ve got my real applications here. I’ve got my “Acrobat Reader X,” I’ve got my “Mozilla Firefox” and I’ve got my “WinZip.” Again, we’re pretending that this is an iPad that actually is using a VDI session with one of those three vendors to remotely give access to our Windows desktop.

In this case, let me go ahead and run “WinZip” as an application. Right away, I don’t know what to do, and that’s what we’re going to talk about. We just want to get rid of all the fuzzy edges around the user’s experience when they get new applications and get a new laptop, desktop or VDI session.

If we go to “Options/Configuration…” here, we’ll see that there are actually a lot of settings for a user to screw up. I happen to be using these three applications as my baseline. I’ve got WinZip, I’ve got Firefox and I’ve got Acrobat Reader, but actually you could think of these as any application you have to deploy.

Now if you have corporate IT settings that you want to make sure that your users can’t work around, as a lot of you know, I’m a former Group Policy MVP and I love Group Policy but it just doesn’t do what it’s supposed to do for the actual applications on your machine. It does a great job with the stuff in the box, but it kind of falls apart for the actual applications on your machine, and that’s what we’re going to see.

Here you can see I’ve got this Passwords section, this “Passwords” tab. On the “Passwords” tab, there are some security settings. I’m using WinZip and we might not think of WinZip as a big security app, but you can think of any application that you have as comparable. In other words, some application you have has security, and how are you going to dictate that security to that application?

Here we’ve got WinZip just waiting to be configured, unfortunately. We can see here we’ve got the “Cameras” tab, and we don’t use cameras at our company. Maybe we’ll make sure that the “Cameras” tab is locked out.

Let’s go ahead and get started with this first directive and initiative. The best part is that PolicyPak, like I said, hooks right into your Group Policy engine because I love Group Policy. We’re going to create a new GPO called “Lock Down WinZip” here. I’ll go ahead and “Edit…” this guy here. You’ll see that I’ve got the built in “Policies,” the built in “Preferences” and now “PolicyPak.” “PolicyPak/Applications” is a new node that will snap right into the GPMC. It comes as part of what you get.

PolicyPak actually ships with 35 preconfigured applications that lots and lots of folks really want to get delivered. Like I know a lot of folks are using “PolicyPak for Acrobat Reader X,” which we’re about to cover. “PolicyPak for Java Control Panel” – you want to make the Java pop-ups go away. You’ve got “PolicyPak for Mozilla Firefox.” That’s right. I’ll show you that.

Let’s go right to “PolicyPak for WinZip” right here, and I’ll double click on that. Look at that. It looks exactly like that actual application we want to configure. If we hustle over to “Passwords” here, let’s go ahead and bump up the “Minimum password length” to “11,” thus making this actual application more secure. Again, you can think of this as any application you have that needs increased security.

I’ll click on all these checkboxes, and that’s cool. I’m delivering the setting, but we’re going to go one big step greater and we’re going to actually lock the setting down so a user can’t work around it. Let me go ahead for this third checkbox here and I’m going to “Hide corresponding control in target application.” I’m literally going to remove it so that it’s not available for the user at all to screw up.

I’ll do the same thing for the last checkbox, except I’m going to “Disable corresponding control in target application.” What the heck? I’ll do the same thing for “Minimum password length” as well. I’ll select “Disable corresponding control in target application” and really crank that guy down and really make sure that a user can’t work around it. Remember “Cameras”? We don’t want to use cameras at our company, so I’ll right click and I’ll “Disable whole tab in target application.”

That’s it. It’s as simple as that. We’ve got these preconfigured Paks ready to rock. You just go on to your new VDI session. You can log off and log back on. In this case, I’m running “gpupdate.” That’s going to get me the latest, greatest Group Policy settings. Let’s go ahead and see what happens.

Alright, it only took a second. Now what we’ll do is we’ll go ahead and run “WinZip,” and let’s check it out as this user. Now again, if the user is running as a standard user or as an admin user, you want to make sure that they’re locked down.

Let’s go to “Options/Configuration….” Let’s take a look at “Passwords” and look at that. You can see right there that all four checkboxes are checked. One of them is completely missing – which is what we said – and one is grayed out. That “Minimum password length” is jammed up to “11.” That’s pretty cool, because now there’s no way for a user to work around our settings for the things that we set. You can’t click on “Cameras” at all.

What I want to show next is what happens if you go offline. If you’ve got a standard desktop or a standard laptop or you’re running one of those VDI sessions that you can take offline with you, what happens if the user works around your setting? Well, if you just run GPUpdate and you don’t have access to the domain controller, the GPUpdate is just going to fall over and die.

Now you just saw me uncheck those two checkboxes. It turns out PolicyPak has a secret weapon. You can just run “ppupdate” – it took zero seconds – and it will redeliver those settings just like that. Let me go over to “Options/Configuration….” Those checkboxes that were unchecked are now checked. You can keep your corporate and IT settings delivered and maintained, even when you’re offline.

Let’s go through another example real quick here. Let me show you another one that is constantly on people’s minds, which is the security of the actual applications like “Acrobat Reader X.” I’m sure you got the same kind of memo I did, which is that this “JavaScript” thing that says “Enable Acrobat JavaScript” if it’s checked on – which is the default, by the way – if some secretary double clicks a PDF that’s infected, what’s going to happen? They’re going to blast infection to the rest of their team.

You don’t want that. What are you going to do? Make 500 phone calls asking the secretaries or the other members of your world to uncheck the checkbox? No way! You’re going to use the power of Group Policy to deliver that setting and then also lock it down so users can’t work around it. That’s what we’re going to do right now. We’re going to make your world more secure, just like that.

Let’s go ahead. We’ll go back over to the Group Policy editor. We’ll right click “PolicyPak/Applications/New/Application” and we’ll go ahead and we’ll pick “PolicyPak for Acrobat Reader X.” Again, you can see we’ve got a whole lot of application preconfigured Paks ready to go, but we’re going to pick “PolicyPak for Acrobat Reader X.”

We’ll go over right to the “JavaScript” guy, uncheck that “Enable Acrobat JavaScript,” right click over it and “Disable corresponding control in target application.” We’ll go ahead and click “OK,” locking and loading that directive right into Group Policy land. Again, the very next time the user runs “gpupdate” or logs off or logs back on, they magically get the settings. Let’s run GPUpdate and see what happens.

Let’s go ahead and head over to “Acrobat Reader X” and go right to “Edit/Preferences….” Remember, that checkbox was checked, and we don’t want that. Look at that. You can see right there, it’s unchecked and it’s grayed out.

The best part is this stuff doesn’t just work for your desktops and laptops – which you have a lot of them. It also works for those kinds of things we were just talking about having – iPads and tablets. Actually, it also works for environments like this. This environment, which is another PC here, is actually using Citrix Terminal Server style stuff.

We’ll go ahead and run “WinZip Xenapp Published” on our Citrix or Terminal Server environment, and we’ll see that the exact settings that we delivered to our desktops and laptops and VDI sessions are also going to be delivered to our Citrix and Terminal Server sessions.

If we go over to “Options/Configuration…,” head over to “Passwords,” we can see that the settings we’ve delivered are all delivered and the ones that we said to lock out are all locked out just the way we expect.

If we were to close this application and go over to “Acrobat X XenApp,” we also manipulated Acrobat using PolicyPak a little earlier. If we just go ahead and run this, we’ll also see it starts up again from the Citrix XenApp server. It’s delivered over here for presentation. Then when we go to run this, we go to “Edit/Preferences….” Our important security settings just like this, like “JavaScript,” we’ve now disabled “Enable Acrobat JavaScript,” and we’ve locked it down so our users can’t work around it. I’ll go ahead and close these out.

You can see this application doesn’t actually live on our machine at all. It’s actually installed over there on the terminal server, and PolicyPak can do the exact same thing for your virtualized applications. If you’ve got ThinApp from VMware, if you’ve got Citrix Streaming or if you have Microsoft App-V, we can deliver the settings inside your virtual applications and lock it down.

In this demonstration, we’ll see how PolicyPak can deliver settings to your virtualized apps, such as “Microsoft App-V,” “Citrix XenApp Streaming” or “VMware Thinapp” virtualized apps.

To get started, I’ll run “WinZip” here. You can see that App-V launches on the bottom right from the App-V server. Let’s just go to “Options/Configuration…” and you can see that PolicyPak has delivered the settings directly into the virtualized bubble. In this case, again, it’s Microsoft App-V.

You might be using another technology like Citrix XenApp Streaming. If you run the application “Acrobat 10x Stream” from the Citrix XenApp Streaming server and go to “Edit/Preferences…,” you can see we’ve delivered the setting and locked it down so the user can’t work around it.

For the third technology that is supported, if we go to “c:\thinapps,” you can see here I’ve got applications that have been repackaged using VMware ThinApp. If I just double click “Acrobat Reader X” here, “ThinApp” starts and PolicyPak can once again get into the virtualized sandbox of VMware ThinApp. You can see we’ve delivered the setting perfectly right there.

It doesn’t matter if your application is delivered because it’s hard installed, it doesn’t matter if it’s running from a Citrix or a Terminal Server environment, and we also support the virtualized technologies that you might be using, such as Microsoft App-V, Citrix XenApp Streaming, or VMware ThinApp virtualized apps.

We’ve got a lot of stuff on the website. I’d love to see you come to one of my hour-long weekly webinars on PolicyPak. If you do, we’ll hand over the bits and you can play with it yourself and see if it’s right for you. We have a lot of folks who think it’s great.

Thank you very much. I appreciate it.

  • 26-Jun-2019