05: How to run WebEx Meeting as regular user when SecureRun is enabled

Create a new Least Privilege Manager policy on either the Computer or User side then create the following elevate and allow policies.

1. Executable policy for Webex.exe Elevated by Signature and File Info.
2. Executable policy for ATMGR.exe Elevated by Signature and File Info.
3. Windows Installer policy for WebEx Desktop App (WebExApp.msi) Elevated by Signature and Product Info.
4. Executable policy for WebexAppLauncher.exe Elevated by Signature and File Info.
5. Executable policy for CiscoWebExStart.exe Allowed by Signature and File Info.

WebEx.exe and WebExApp.msi are files downloaded when joining or creating a meeting and are normally downloaded to %UserProfile%\Downloads.

Atmgr.exe can be found after successfully installing WebEx under %LocalAppData%\WebEx\WebEx\Meetings

WebexAppLauncher.exe, and CiscoWebExStart.exe can both be found after successfully installing WebEx under %LocalAppData%\WebEx

Alternatively, download the Guidance XMLs from https://portal.policypak.com/downloads/guidance then browse to the …\Production-Guidance\PolicyPak Least Privilege Manager XMLs folder after extracting the contents of the downloaded zip and import the "WebEx Elevated by Signature and File Info.xml" for use in your environment.

Troubleshooting:

Method 1:

If WebEx is blocked after using these policy settings please check in the PolicyPak Event log to see if WebEx.exe is being blocked by SecureRun due to Publisher being unknown. If it is you can edit the policy item for WebEx.exe and uncheck the signature requirement to workaround this issue.

Uncheck "Signature Condition" box to workaround this issue.

Method 2:

Export the intermediate certificate from the Webex.exe file.

1. Right-click at Webex.exe file and open Properties

2. Select the Digital Signature tab and click on the Details button.

3. Click on the View Certificate button,

4. Click the Certification Path tab and select the second certificate from the chain and click the View Certificate button.

5. Click on the Details tab and select the Copy to File... button.

6. Click Next on Export Certificate Wizard and select DER encoded binary X.509 (.CER) format.

7. Finish the export and save the cert file somewhere easily accessible for the next steps.

TIP: You can also use PolicyPak Remote Work Delivery Manager to deliver the certificate file at the desired location of the remote computer. More information on this link: https://kb.policypak.com/kb/section/332/

Use PolicyPak Scripts Manager to deliver the Certificate in Intermediate Certification Authorities for a Computer.

NOTE: This script must be set up at the Computer Configuration level to work.

1. Create a new PolicyPak Scripts Manager GPO and use the following PowerShell command.

#Path variable can be any location that you want. 
$pathIntermediateCertificate = 'C:\Temp\Intermediate.cer'
$certificateStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList CA, LocalMachine
$certificateStore.Open('ReadWrite')
$certificateStore.Add($pathIntermediateCertificate)
$certificateStore.Close()

2. Wait for the policy refresh and you should see the certificate at Intermediate Certification Authorities.