Hi. Couple of questions.
If I create a list of trusted users, this allows those accounts to be UPDATERS, right? Regardless if there is a rule or not for that particular application, right?
If I enable self-justification, this will prompt for EVERYONE unless there is an express rule to block it (then nothing will show). If the user is not an UPDATER, then they will not be able to install, right?
Is there any way to marry these two together -- specifically, if a trusted user tries to install something, that they (and they alone) are prompted for justification and then allowed to install?
Otherwise, the best bet is to use trusted users with no self-justification and roll up the data using the associated updater label, right?
Please advise if there is a better way to track what trusted users are installing or if some amalgamation of the above is the way to go.
If users are defined as UPDATER, they have full rights to make changes on a System.
Using Self-Justification, users can request admins to either approve or deny the blocked binary.
Users with UPDATER rights do not follow Self-Justification. It's only meant for normal users.
If changes are desired, then you may use Solidcore's Updater Mode or specify the binary as an updater and later remove it.
I hope this helps.
If you are looking for some report to tell you what is being installed by this user in order for you to track it like you do in Control Panel, unfortunately that may not be possible with MACC.
That may be a good product enhancement idea, but at the moment I am unable to find any configuration to achieve that.
One thing that can be done, as a workaround, is to filter SolidCore events based on the user name of the trusted user to see what changed under his Workflow ID, considering that the user will be an Updater; however, there are a couple of things that may be problematic here.
First, you have to make sure that events are not filtered, or at least that they are not filtered when they come from your trusted users. For example, if your trusted user uses an MSI installer for, let's say, Firefox, the event you may expect to see, if nothing is filtered, is "Installation Allowed", and for user name and Workflow ID you will have your user listed there.
The problem is that during an upgrade of the OS, for example, there can be countless numbers of those events and they may cause a lot of trouble for your ePO, so they are filtered by default; for example, in the "McAfee Default" policy you have the rule group "McAfee" where the event "Installation Allowed" is filtered if the file begins with "%systemroot%\Installer\".
If you have that in place unmodified, you will not have events from your users, but if you don't have anything, your ePO may be overwhelmed with every installation and update event that uses PKG_MODIFICATION.
Also, please note that I mentioned MSI packages for installation, and the reason for that is that some software will use an EXE instead and may not use the conventional way of installation, like Notepad++, and the "Installation Allowed" event will not be generated; however, if filters are not in place, you will see the registry modification done by it where the installation is writing the uninstall registry key, so you may see what is being installed indirectly.
The problem here also is that those events are filtered by default, and the reason for it is that they come in overwhelming numbers that can significantly affect your ePO.
The last example of installation I tried is the one where we have an EXE installer that doesn't use MSI and doesn't make any modifications that are regularly tracked, like the FileZilla install files. That installation performs PROCESS_CREATED, FILE_CREATED, FILE_MODIFIED and FILE_DELETED actions that are logged in MACC s3dialog logs, but none of them is sent to ePO.
The reason is really simple: if all of those actions were reported back to ePO, there is no conventional machine that would be able to handle it due to the sheer amount of data there, and because of the way FileZilla installs itself, your admin will be able to install software, but there is no event for you to query in ePO in order to know about it.
I hope this answers your question.
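The workaround from the last reply, sketched as an added example (not part of the original thread and not McAfee code): roll up "Installation Allowed" events per trusted user and Workflow ID, and count how many of that user's events an event filter on "%systemroot%\Installer\" would hide. The event records, field names, user names and the `C:\Windows` expansion are constructed assumptions, not an ePO export schema.

```python
from collections import defaultdict

# Prefix from the filter rule quoted in the thread ("McAfee Default" policy).
DEFAULT_FILTER_PREFIXES = ("%systemroot%\\Installer\\",)

# Constructed sample events; field names are hypothetical.
SAMPLE_EVENTS = [
    {"event": "Installation Allowed", "user": "CORP\\jsmith",
     "workflow_id": "WF-1001", "file": r"C:\Windows\Installer\1a2b3c.msi"},
    {"event": "Installation Allowed", "user": "CORP\\jsmith",
     "workflow_id": "WF-1002", "file": r"C:\Users\jsmith\Downloads\setup.msi"},
    {"event": "Installation Allowed", "user": "NT AUTHORITY\\SYSTEM",
     "workflow_id": "WF-2001", "file": r"C:\Windows\Installer\7f8e9d.msi"},
]

def is_filtered(event, prefixes, systemroot=r"C:\Windows"):
    """True if a 'file begins with' filter would drop this event before it reaches the server."""
    path = event["file"].lower()
    expanded = (p.lower().replace("%systemroot%", systemroot.lower()) for p in prefixes)
    return any(path.startswith(p) for p in expanded)

def trusted_install_report(events, trusted_users, prefixes=DEFAULT_FILTER_PREFIXES):
    """Return (visible, suppressed) for trusted users' "Installation Allowed" events.

    visible:    {(user, workflow_id): [file, ...]} -> what a query would show
    suppressed: {user: count}                      -> visibility gap caused by the filter
    """
    trusted = {u.lower() for u in trusted_users}
    visible, suppressed = defaultdict(list), defaultdict(int)
    for ev in events:
        if ev["event"] != "Installation Allowed" or ev["user"].lower() not in trusted:
            continue
        if is_filtered(ev, prefixes):
            suppressed[ev["user"]] += 1
        else:
            visible[(ev["user"], ev["workflow_id"])].append(ev["file"])
    return dict(visible), dict(suppressed)

if __name__ == "__main__":
    shown, hidden = trusted_install_report(SAMPLE_EVENTS, ["corp\\jsmith"])
    print("visible:", shown)
    print("suppressed by filter:", hidden)
```

A non-zero suppressed count for a trusted user means the roll-up is incomplete; scoping the filter so it does not apply to those accounts, as the reply suggests, closes that gap at the cost of more event volume.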