KACE Product Support

we have done this for a couple users but then we constantly get calls from them wanting to download stuff that is needed material but then since they are remote users we have to try and do this over the phone and through team viewer which can be very time consuming. Is there a way to just block out certain applications or software on KACE?

I do not know of a specific setting in the kbox to do this, however, I would think that it would use a script to perform such a task via GPO settings. I could be wrong though.

The next best thing would be to use your firewall to block the applications if it has the ability, a GPO (not sure how in depth you can get with it), a web/proxy appliance, and I believe certain enterprise AV solutions will allow you to do so as well.

I found a way to disallow programs in scripting under security policy. Enforce Disallowed Programs - I can set it to start but how would I set it to run for Monday 6:00AM to 6:00 PM. I would like to set this to run Monday through Friday from 6 to 6.

That script looks to be modifying the following registry settings or whatever program you add to the list:

Verify:

1: Verify that “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!disallowrun” is equal to “0”.
2: Verify that “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun” has exactly “2” values.
3: Verify that “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun!1” is equal to “pinball.exe”.
4: Verify that “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun!2” is equal to “sol.exe”.

Remediation:

1: Set “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!disallowrun” to “0”.
2: Delete “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun” from the registry.
3: Set “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun!1” to “pinball.exe”.
4: Set “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun!2” to “sol.exe”.

This would essentially be the same as creating a GPO and pushing it out. Basically, this script is going to check to make sure that the program is not allowed to run on each computer that the script is pushed out to and if it is not setup, then it will change the settings to disallow it. In my opinion, I think it would probably be better to do this through a GPO as it is updated domain wide or however you have it setup and it would be associated with all of the other GPOs. However, the Kbox script should work.

In order to set a date and time, you will need to edit the scheduling section of the script. If you are not able to create a schedule based off of what is listed, you can create a "Custom Schedule" using the standard cron format. The Kace support website has a PDF of how to set the cron format at www.kace.com/support/konference/2009/files/KBOX-Power-Management.pdf - 2009-12-11. You will need to scroll though it to find the location of it. You can also find information all over the Internet explaining how to do so.



The scheduling section in the script:

You can block processes from running, or automatically uninstall software, but if you want to block apps from installing or being downloaded you should be looking into a good endpoint security and perimiter security solution. Kace does not sell such products, even though some customers use our products to perform some similar tasks.

We use a product called Privilage Manager from Beyond Trust. It inserts admin rights for approved installs (or any process).

http://www.quest.com/desktop-authority-management-suite/

https://support.quest.com/productinformation.aspx?pr=268447870

 

Privilege Manager for Windows (Dell/Quest) is also a viable option for a 3rd of the cost with significant free features.

This would be done best by removing the users from the administrator permissions on their computers. If you drop them down to a user, they will not be able to download anything without an admin username and password.