Lockdown items are one of the most powerful parts of the AppSense Environment Manager suite. We’ve already had a brief look at Keyboard Lockdown items in a previous post, now we’ll move on to the General Lockdown item, which allows you to lock down just about every part of the visible user interface.
In simple and probably vaguely inaccurate terms, the AppSense Environment Manager agent sits just above the kernel and intercepts all requests. So it can filter out requests to click on parts of the user interface that you don’t want to allow. And this means anything – menu items, buttons, combo box buttons, radio buttons, just about anything the user can interact with on the desktop or in applications, the General Lockdown tool can disable.
General Lockdown actions are best applied in the Logon section (for items that apply to Windows Explorer) and at Process Start (for items that apply to specific applications). They are easy enough to find – simply right-click in the relevant node and choose Lockdown | General Wizard.
The Spy Tool is the click-and-drag gadget that you’ll use to select the part of the user interface that you want to lock out. We’ll choose something simple to demonstrate this. We are going to remove the = button from the Calculator application – if you ever really need to do this in practice, you must have some seriously weird requirements! 🙂
Before you click on the Spy Tool and drag it to your application, you need to have the selected application open, unminimized, and at the screen where you want to apply the Lockdown item from. When you click and hold the Spy Tool, the Environment Manager window automatically minimizes, so I find it prudent to have your target application or screen directly behind the EM console window so that it appears straight away. The reason for this is that, for obvious reasons, while you are holding down the left mouse button and dragging the Spy Tool around the screen, you can’t
change window focus or maximize any minimized apps! (Actually, as pointed out in the Comments, you can use Alt-Tab to switch window focus when dragging the Spy Tool – I can’t believe I didn’t fathom that one out myself!)
We will drag the Spy Tool to our instance of calc.exe and release it when we are over the = button.
When we release the Spy Tool, you will be returned to the Environment Manager console and be presented with a summary window that looks something like this
Note – as I mentioned a while ago in my (probably least popular) post, adding a Description (by going to the General tab) is very important – not just for Lockdown items, but they’re probably the most important, because the technical details don’t tell you very intuitively precisely what it is you are trying to lock out. As you can see from the example above, there’s nothing in the Lockdown tab that tells you it’s the = button we are trying to lock out, so we’ll add a Description now.
Now that we’ve added the Description, we can click OK and we’ll see our Lockdown item displayed in the console
Once we save and deploy the configuration, we can now see the effects of the Lockdown item when our users launch the Calculator application
So, that’s how to go about locking out the parts of the user interface. When you click and drag the Spy Tool, a box shows you which parts of the user interface you can lock out. Some of the controls you can work with will give you options as to what to do with them, like this
Notwithstanding the hideous spelling error, which has been duly reported to AppSense! (and now fixed)
You can also lock out menus with the Spy Tool. For instance, if you drag the Spy Tool to the Edit menu in Notepad, you’ll see a list of available menu lockout options like so
Really, there’s no better way of exploring Lockdown items than experimenting. The best way to find out what is available to lock out is by dragging the Spy Tool onto things and seeing what is available. If you want to work with context menus, a neat trick to make these available is to use the context menu key on the keyboard – this allows you to activate context menus whilst dragging the Spy Tool around.
One thing to bear in mind is that Lockdown items work in the context of the process they relate to. So if you lock out an item on the desktop or in Windows Explorer, you will lock that item out for everything under explorer.exe! I saw one client who wanted to stop users from editing a batch file they had on their desktop, so they removed the Edit command from the right-click context menu. Of course, because this then removed it for explorer.exe globally, the unforeseen knock-on effect was that users couldn’t right-click on other text documents and choose the Edit option. Changes to menus and buttons in broad-scope applications such as explorer.exe and iexplore.exe should be done with great care, and should always involve proper change control and testing processes.
Which leads me nicely on to the next important point about using General Lockdown items. They should really be used sparingly. Where possible, use GPOs to control modifications to the user environment and applications (but by all means, deploy the GPOs using AppSense Environment Manager – it gives you a much wider scope of control). Unlike Lockdown items, you can be fairly sure that deploying GPOs will not have unforeseen consequences, and will generally still work even after the target software has been updated. If you are using General Lockdown items on an application, then a good practice would be to remove the Lockdown items from your configuration prior to updating the software and then re-adding them afterwards. The reason for this is that during a software update the various controls and menu items may change and your Lockdown items may not function the same way afterwards.
The reason I make the point about being quite reserved in the use of Lockdown items is that they should be about managing and enabling your users, rather than just restricting them. It’s all too easy to get gung-ho about stopping users from getting to parts of the interface you don’t want them to and creating more problems than you avoid. I saw a client once who had decided to lock out the Search box in Internet Explorer. Because he used the Address Bar religiously for integrated search, he didn’t realise that users actually made use of the Search box, and unwittingly caused his user base no end of issues until he removed the Lockdown item. It’s all very well using Lockdown to help you with compliance and regulation in high-security environments, but when you start to get carried away with it unnecessarily, you are probably going to cause yourself a major PITA. But they do come in very useful if used correctly. I worked in an environment once where users occasionally accidentally used a “Quick Print” function on sensitive documents which then printed them out on the (very public) default printer. To prevent confidential information being inadvertently printed out on the wrong printer, and possibly being seen by other users, we used the Lockdown functionality to remove the “Quick Print” option for a certain AD group.
Also, when dealing with Microsoft Office, if you can’t control the aspects of the application you want using GPOs, you should always use the Office Lockdown function rather than the General Lockdown one. The Office Lockdown tool was designed specifically for MS Office apps and offers a greater degree of control than the slightly blunter General Lockdown wizard.
One final thought is that you shouldn’t think of the Lockdown functionality as a way to subjugate your users and prevent them from wasting time. A famous quote I like to use (which I believe should be attributed to Ed Crowley) when faced with clients who are getting over-excited about locking the interface down is “there are seldom technological solutions to behavioural problems”. By all means, use these tools to reduce support calls and prevent users from unnecessary downtime, but if you try and use them as a way to force your user base to work harder, you’ve clearly got issues that AppSense EM can’t fix. After all, even if you nail the interface down so that they can’t do anything but work, there are a million other ways to waste time. They could browse the internet on their phone, read the paper, stare blankly out of the window – anything. Don’t forget that if you’ve recruited the right sort of people, showing them a bit of trust from time to time will make them happier – and happier staff work harder!