On-Demand Application Rules

The On-Demand Application Rules tab of the Workstyle allows you to create rules that launch applications with specific privileges (usually admin rights), on demand, from a right-click Windows context menu.

Enable and Configure On-Demand Integration

On-Demand Application Rules

To enable On-Demand Application Rules, select the On-Demand Application Rules Workstyle tab. The first check box applies to all versions of Windows that have the Run as administrator option. The other two check boxes apply to the Classic Windows Shell only. They do not apply to the Windows Modern UI that is available in Windows 8 and Windows 10.


Windows Modern UI

If an On-Demand Application Rule is triggered, Endpoint Privilege Management for Windows references the check box labeled Apply the On-Demand Application Rules to the "Run as administrator". If the box is checked, Endpoint Privilege Management for Windows intercepts the Run as administrator option in the right-click context menu and overrides it. The labeling of the option doesn't change in this instance. If the box is unchecked, Endpoint Privilege Management for Windows does not intercept the Run as administrator option.

Endpoint Privilege Management for Windows also references the check box labeled Hide "Run as" and "Run as administrator" commands in the Classic Shell context menu. If it is checked, these options, where present, are hidden from the right-click context menu. Endpoint Privilege Management for Windows does not continue to process additional Application Rules.

Windows Classic Shell

If an On-Demand Application Rule is triggered, Endpoint Privilege Management for Windows references the check box in the Classic Shell Context Menu Options section labeled Apply custom on-demand option to the Classic Shell context menu (this won’t affect the "Run as administrator" option). If the box is checked, Endpoint Privilege Management for Windows adds a new option to the right-click context menu that you configured in the Classic Shell Context Menu Option section, for example, Run with Endpoint Privilege Management.

Endpoint Privilege Management for Windows also references the check box labeled Hide "Run as" and "Run as administrator" commands in the Classic Shell context menu. If it is selected, these options, where present, are hidden from the right-click context menu. Endpoint Privilege Management for Windows does not continue to process additional Application Rules.

Unlike Application Rules, an On-Demand Application Rule only assigns its privileges when the user launches a matching application from the context menu.

Application Groups for On-Demand Application Rules are added and managed in the same way as Application Groups for Application Rules. Right-click anywhere on the lower section of the page and select Insert Application Rule.

For more information, see

Manage Languages

The menu option that is displayed can be configured for multiple languages. Endpoint Privilege Management for Windows detects the regional language of the end user, and if a message in that language is configured, the correct translation is displayed.

To add a new menu option translation:

  1. In the On-Demand Application Rules tab, click the Add Language button.
  2. The Add Language dialog box appears. Select the correct language, and then click OK.
  3. A new text box for the selected language appears.
  4. Enter your own translation for the selected language and click Save in the left pane.

If a language cannot be matched for the region of the end user, then the default language is displayed. To change the default language, select the language and click Set As Default.

Create an On-Demand Rule

On-Demand Application Rules are not checked by Endpoint Privilege Management for Windows unless you enable them in the top section of the tab.

Right-click and select Insert Application Rule to view, create, or modify the following for each On-Demand Application Rule:

Target Application Group

Select from the Application Groups list.

Run a Rule Script

This option allows you to assign a rule script that is run before the Application Rule triggers.

You need to use Manage Scripts from the dropdown to import the rule script before you can select it.

Select the rule script you want to use from the dropdown list.

Action

Select from Allow Execution or Block Execution. This is what happens if the application in the targeted Application Group is launched by the end user.

End User Message

Select whether a message will be displayed to the user when they launch the application. We recommend using messages if you're blocking the execution of the application, so the end user has some feedback on why the application doesn't launch.
Access Token

Select the type of token to be passed to the target Application Group. You can select from:

  • Passive (no change): Doesn't make any change to the user's token. This is essentially an audit feature.
  • Enforce User's default rights: Removes all rights and uses the user's default token. Windows UAC always tries to add administration rights to the token being used, so if the user clicks on an application that triggers UAC, the user cannot progress past the UAC prompt.
  • Drop Admin Rights: Removes administration rights from the user's token.
  • Add Full Admin (Required for installers): Use the full admin token in scenarios where your users require the SeDebugPrivilege or SeLoadDriverPrivilege privileges. An example use case is MSI files running in a client/server mode, where SeDebugPrivilege is required to interact with the server component that runs as SYSTEM. This only applies to cases where the standard user needs to run the MSI directly.
  • Add Basic Admin Rights: Permits elevation of most applications and tasks. We recommend using this token as the default elevation token. This access token is essentially full admin but excludes the following privileges: SeDebugPrivilege and SeLoadDriverPrivilege. If users need to debug applications or access drivers, then use the full admin token.
  • Privilege Management Support Token: Applies Add Full Admin privileges with tamper protection removed.
Auditing
Raise an Event

Whether or not you want an event to be raised if this Application Rule is triggered. This forwards to the local event log file.
Run an Audit Script

This option allows you to select an audit script to run after the Application Rule.

You must use Manage Scripts from the dropdown to import your Audit Script before you can select it.

Select the audit script you want to use from the dropdown list.

Privilege Monitoring

Raises a privilege monitoring event.

McAfee ePO Reporting Options

This option is only available if you checked the McAfee integration box when you installed the Endpoint Privilege Management Policy Editor.

ePO Queries and Reports

Select this option to raise an ePO threat event. These are separate from Endpoint Privilege Management reporting events.

BeyondTrust Reporting (in ePO)

Select this option to raise an Endpoint Privilege Management reporting event. These are available in BeyondTrust Reporting.
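To confirm which of the Access Token options described above a rule actually applied, the following PowerShell check (an added example, not BeyondTrust's code) can be run from a console that was launched through the on-demand context menu option. It uses only the privilege names named on this page; the parsing of the whoami /priv output format is an assumption.

```powershell
# Added example (not BeyondTrust's code). Run from a PowerShell console that was
# launched through the On-Demand context menu option to see which access token
# the rule applied to this process.

# Membership of the Administrators group in the current (possibly filtered) token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# whoami /priv lists every privilege held by the token, enabled or disabled.
# Assumed line format: "SeDebugPrivilege   Debug programs   Disabled".
$privs = @(whoami /priv | Where-Object { $_ -match '^Se\w+Privilege' } |
           ForEach-Object { ($_ -split '\s+')[0] })

# The two privileges the page says Add Basic Admin Rights withholds.
$fullAdminOnly = @('SeDebugPrivilege', 'SeLoadDriverPrivilege')
$missing = @($fullAdminOnly | Where-Object { $privs -notcontains $_ })

if (-not $isAdmin) {
    'No admin rights: consistent with Passive, Enforce User''s default rights or Drop Admin Rights.'
} elseif ($missing.Count -eq 0) {
    'Full admin token: consistent with Add Full Admin or Privilege Management Support Token.'
} else {
    "Admin token without $($missing -join ', '): consistent with Add Basic Admin Rights."
}
```

Comparing the result with the same check run from a normally launched console shows whether the on-demand rule changed the token at all.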