Create On-Demand Application Rules

You must have an Application Group before you can create an On-Demand Application Rule.

For more information, please see Application Groups.

On-Demand Application Rules are only checked by Privilege Management for Windows if the user launches the application on-demand from the right-click Windows context menu. This is how they can be differentiated from Application Rules.

The On-Demand Application Rules tab of the Workstyle allows you to create rules to launch applications with specific privileges (usually admin rights), on-demand from a right-click Windows context menu.

Enable and Configure an On-Demand Application Rule

Click On Demand Application Rules to view, create, or modify the following for each Application Rule:

The first check box applies to all versions of Windows that have the Run as administrator option on the right-click context menu. The other two check boxes apply only where the Windows Classic Shell is used.

Check options to apply on-demand Application Rules on Windows systems with or without Windows Classic Shell

The Apply the On-Demand Application Rules to the 'Run as administrator' option box needs to be manually checked whether you select a controlling Workstyle or not, and applies to all versions of Windows. If a user accesses an application using the right-click Windows context menu and this box is checked, Privilege Management for Windows intercepts the Windows Run as administrator functionality where present.

If this box is unchecked and a user launches an application on-demand using the Windows Run as administrator option, Privilege Management for Windows does not intercept the request. Privilege Management for Windows does not continue to process additional Application Rules.

Classic Shell Context Menu Option

Where the Windows Classic Shell is used, if the Add a custom on-demand option to the Classic Shell context menu box is checked and a user accesses an application using the right-click Windows context menu, Privilege Management for Windows adds the new option that you have configured here to the right-click context menu. For example, Run with Privilege Management.

If the Hide "Run as" and "Run as administrator" commands in the Classic Shell context menu box is checked, these options, if present, are hidden from the right-click context menu. Privilege Management for Windows does not continue to process additional Application Rules.

Manage On-Demand Languages

The menu option that is displayed can be configured for multiple languages. Privilege Management for Windows detects the regional language of the user, and if a message in that language has been configured, the correct translation is displayed.

To add a new menu option translation:

  1. In the On-Demand Application Rules, click the Add Language button.
  2. The Add Language dialog box appears. Select the correct language and then click OK.
  3. The language is then added to the Custom Classic Shell Menu Option dropdown. You can select the language from the dropdown and add your translation. The QuickStart policy contains some predefined languages you can select if required.
  4. Click OK in the left pane to finish configuring your languages for the on-demand messages.

Once you have more than one language, you can select Set As Default. This is the language that is used if the chosen language does not match the region of the end user. You can delete any language, provided it is not the default language, by selecting the language you want to delete and clicking Delete Language.

Create an On-Demand Rule

On-Demand Application Rules are not checked by Privilege Management for Windows unless you have enabled them in the top section.

To add an On-Demand rule, click Actions > Add and configure the following options:

Option: Description

Target Application Group: Select from the Application Groups list.

Action: Select from Allow Execution or Block Execution. This is what happens if the application in the targeted Application Group is launched by the user.

End User Message: Select whether a message is displayed to the user when they launch the application. We recommend using Messages if you block the execution of the application, so the user has some feedback on why the application doesn't launch.

Access Token: Select the type of token to be passed to the user for the target Application Group. You can select from:

  Passive (no change): doesn't make any change to the user's token. This is essentially an audit feature.

  Enforce User's default rights: removes all rights and uses the user's default token. Windows UAC always tries to add administration rights to the token being used, so if the user clicked on an application that triggers UAC, the user would not be able to progress past the UAC prompt.

  Drop Admin Rights: removes administration rights from the user's token.

  Add Admin Rights: adds administration rights to the user's token.

Raise an Event: Select whether an event is raised if this Application Rule is triggered. This forwards to the local event log file.

Run a Script: You can choose to run a script if an event is raised.

Run an Audit Script: You can choose to run an audit script if required.

Run a Rule Script: This option allows you to assign a rule script that is run before the Application Rule triggers. You must import a rule script before you can select it here. Select the rule script you want to use from the dropdown list. If you select a rule script here, the following options change to Default to indicate that these actions are run if the rule script is not.

Privilege Monitoring: Raises a privileged monitoring event.

Trellix ePO Reporting Options

ePO Threat Events: Select this option to raise an ePO threat event. These are separate from Privilege Management Reporting events.

Privilege Management Reporting: Select this option to raise a Privilege Management Reporting event. These are available in BeyondTrust Privilege Management Reporting.

After you change the policy, click Submit and then Save to save the policy. In ePO 5.10 and later, if you have Trellix Approvals workflow enabled, this workflow can be modified to change the Save button to Submit for Review based on user permissions.