On-Demand Application Rules

The On-Demand Application Rules tab of the Workstyle allows you to create rules that launch applications with specific privileges (usually admin rights), on demand, from a right-click Windows context menu.

Enable and Configure On-Demand Integration

On-Demand Application Rules

To enable On-Demand Application Rules, select the On-Demand Application Rules Workstyle tab. The first check box applies to all versions of Windows that have the Run as administrator option. The remaining two check boxes apply to the Classic Windows Shell only. They do not apply to the Windows Modern UI that is available in Windows 8 and Windows 10.

Windows Modern UI

If an On-Demand Application Rule is triggered, Privilege Management for Windows references the check box labeled Apply the On-Demand Application Rules to the "Run as administrator". If the box is checked, Privilege Management for Windows intercepts the Run as administrator option in the right-click context menu and overrides it. The labeling of the option doesn’t change in this instance. If the box is unchecked, Privilege Management for Windows does not intercept the option to Run as Administrator.

Privilege Management for Windows also references the check box labeled Hide "Run as" and "Run as administrator" commands in the Classic Shell context menu. If it is checked, these options, where present, are hidden from the right-click context menu. Privilege Management for Windows does not continue to process additional Application Rules.

Windows Classic Shell

If an On-Demand Application Rule is triggered, Privilege Management for Windows references the check box in the Classic Shell Context Menu Options section labeled Apply custom on-demand option to the Classic Shell context menu (this won’t affect the "Run as administrator" option). If the box is checked, Privilege Management for Windows adds the option you configured in the Classic Shell Context Menu Options section, for example, Run with Privilege Management, to the right-click context menu.

Privilege Management for Windows also references the check box labeled Hide "Run as" and "Run as administrator" commands in the Classic Shell context menu. If it is selected, these options, where present, are hidden from the right-click context menu. Privilege Management for Windows does not continue to process additional Application Rules.

Unlike Application Rules, On-Demand Rules only apply their assigned privileges if the user launches a matching application from the context menu; a normal launch of the same application is not affected by them.

Application Groups for On-Demand Application Rules are added and managed in the same way as Application Groups for Application Rules. Right-click anywhere on the lower section of the page and select Insert Application Rule.

For more information, please see Application Rules.

Manage Languages

The menu option that is displayed can be configured for multiple languages. Privilege Management for Windows detects the regional language of the end user, and if a message in that language is configured, the correct translation is displayed.

To add a new menu option translation:

  1. In the On-Demand Application Rules, click the Add Language button.
  2. The Add Language dialog box appears. Select the correct language, and then click OK.
  3. A new text box for the selected language appears.
  4. Enter your own translation for the selected language and click Save in the left pane.

If a language cannot be matched for the region of the end user, then the default language is displayed. To change the default language, select the language and click Set As Default.

Create an On-Demand Rule

On-Demand Application Rules are not checked by Privilege Management for Windows unless you have enabled them in the top section of the tab.

Right-click and select Insert Application Rule to view, create, or modify the following for each On-Demand Application Rule:

Target Application Group
    Select from the Application Groups list.

Run a Rule Script
    This option allows you to assign a rule script that is run before the Application Rule triggers. You need to use Manage Scripts from the dropdown to import the rule script before you can select it. Select the rule script you want to use from the dropdown list.

Action
    Select from Allow Execution or Block Execution. This is what happens if the application in the targeted Application Group is launched by the end user.

End User Message
    Select whether a message will be displayed to the user when they launch the application. We recommend using messages if you're blocking the execution of the application, so the end user has some feedback on why the application doesn't launch.

Access Token
    Select the type of token to be used for the target Application Group. You can select from:

      • Passive (no change): Doesn't make any change to the user's token. This is essentially an audit feature.
      • Enforce User's default rights: Removes all rights and uses the user's default token. Windows UAC always tries to add administration rights to the token being used, so if the user clicks on an application that triggers UAC, the user cannot progress past the UAC prompt.
      • Drop Admin Rights: Removes administration rights from the user's token.
      • Add Full Admin (Required for installers): Standard Windows Admin token containing all Admin privileges.
      • Add Basic Admin Rights: Gives greater control over the privileges granted when targeting rules at actions. This excludes the following privileges: SeDebugPrivilege, SeLoadDriverPrivilege.
      • Privilege Management Support Token: Applies Add Full Admin privileges with tamper protection removed.

Auditing

Raise an Event
    Whether or not you want an event to be raised if this Application Rule is triggered. This forwards to the local event log file.

Run an Audit Script
    This option allows you to select an audit script to run after the Application Rule. You must use Manage Scripts from the dropdown to import your Audit Script before you can select it. Select the audit script you want to use from the dropdown list.

Privilege Monitoring
    Raises a privilege monitoring event.

McAfee ePO Reporting Options

These options are only available if you checked the McAfee integration box when you installed the Privilege Management Policy Editor.

ePO Queries and Reports
    Select this option to raise an ePO threat event. These are separate from Privilege Management reporting events.

BeyondTrust Reporting (in ePO)
    Select this option to raise a Privilege Management reporting event. These are available in BeyondTrust Reporting.
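When testing an On-Demand rule, it is worth confirming that the launched process really received the Access Token option you configured and nothing more. The following PowerShell script is an added example and is not part of the BeyondTrust documentation or the product: it inspects the token of the current process with the built-in whoami command and the .NET WindowsPrincipal class, and reports which of the Access Token options listed above that token is consistent with. The mapping of privileges to options is an assumption based only on what this page states (Add Basic Admin Rights excludes SeDebugPrivilege and SeLoadDriverPrivilege); the product may apply further differences that this check does not detect.

```powershell
# Added example, not BeyondTrust code: summarise the access token of the
# current process so an administrator can check what an On-Demand rule granted.
# Usage: launch a PowerShell console through the on-demand context menu entry
# (or via "Run as administrator" while the first check box is enabled), then
# run this script in that console.

function Get-TokenPrivilegeSummary {
    [CmdletBinding()]
    param()

    # whoami /priv prints one row per privilege held by the token, e.g.
    #   SeDebugPrivilege   Debug programs   Enabled
    # Collect the privilege names and their state; header lines do not match.
    $privileges = @{}
    foreach ($row in (whoami /priv)) {
        if ($row -match '^\s*(Se\w+Privilege)\s+.*\s(Enabled|Disabled)\s*$') {
            $privileges[$Matches[1]] = $Matches[2]
        }
    }

    # IsInRole(Administrator) is true only for an elevated administrator token.
    # A UAC-filtered token of an admin user, or a plain standard user token,
    # returns false, which is what the Passive / Enforce default / Drop Admin
    # options should produce for a standard user.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Integrity level comes from the mandatory label group (High = elevated).
    # The label text is localized, so this lookup is best-effort only.
    $labelLine = (whoami /groups | Select-String 'Mandatory Label').Line
    $label = if ($labelLine) { $labelLine -replace '\s{2,}.*$', '' } else { 'unknown' }

    # Assumption taken from the page: Add Basic Admin Rights excludes exactly
    # these two privileges, so their absence on an elevated token suggests it.
    $hasDebug  = $privileges.ContainsKey('SeDebugPrivilege')
    $hasDriver = $privileges.ContainsKey('SeLoadDriverPrivilege')

    $verdict = if (-not $isAdmin) {
        'Non-elevated token (consistent with Passive, Enforce User''s default rights, or Drop Admin Rights)'
    } elseif ($hasDebug -and $hasDriver) {
        'Elevated token holding SeDebug and SeLoadDriver (consistent with Add Full Admin or the Support Token)'
    } else {
        'Elevated token without SeDebug/SeLoadDriver (consistent with Add Basic Admin Rights)'
    }

    [pscustomobject]@{
        User                  = $identity.Name
        IsElevatedAdmin       = $isAdmin
        IntegrityLabel        = $label
        PrivilegeCount        = $privileges.Count
        SeDebugPrivilege      = $hasDebug
        SeLoadDriverPrivilege = $hasDriver
        Verdict               = $verdict
    }
}

Get-TokenPrivilegeSummary | Format-List
```

Run it once from a console opened normally and once from a console opened through the on-demand menu entry; the two reports should differ only in the way the configured Access Token option predicts. If the on-demand console shows SeDebugPrivilege or SeLoadDriverPrivilege while the rule is set to Add Basic Admin Rights, the rule that actually matched is not the one you expected, and the Raise an Event option on each rule is the quickest way to see which rule fired.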