The Enterprise Eightfold Path

AppSense Environment Manager General Lockdown items

By James Rankin | Friday 6 July 2012


Lockdown items are one of the most powerful parts of the AppSense Environment Manager suite. We’ve already had a brief look at Keyboard Lockdown items in a previous post; now we’ll move on to the General Lockdown item, which allows you to lock down just about every part of the visible user interface.

In simple and probably vaguely inaccurate terms, the AppSense Environment Manager agent sits just above the kernel and intercepts all requests, so it can filter out requests to click on parts of the user interface that you don’t want to allow. And this means anything: menu items, buttons, combo box buttons, radio buttons – just about anything the user can interact with on the desktop or in applications can be disabled by the General Lockdown tool.

General Lockdown actions are best applied in the Logon section (for items that apply to Windows Explorer) and at Process Start (for items that apply to specific applications). They are easy enough to find – simply right-click in the relevant node and choose Lockdown | General Wizard.

The Spy Tool is the click-and-drag gadget that you’ll use to select the part of the user interface that you want to lock out. We’ll choose something simple to demonstrate this. We are going to remove the = button from the Calculator application – if you ever really need to do this in practice, you must have some seriously weird requirements! 🙂

Before you click on the Spy Tool and drag it to your application, you need to have the selected application open, unminimized, and at the screen where you want to apply the Lockdown item from. When you click and hold the Spy Tool, the Environment Manager window automatically minimizes, so I find it prudent to have your target application or screen directly behind the EM console window so that it appears straight away. The reason for this is that, for obvious reasons, while you are holding down the left mouse button and dragging the Spy Tool around the screen, you can’t change window focus or maximize any minimized apps! (Actually, as pointed out in the Comments, you can use Alt-Tab to switch window focus when dragging the Spy Tool – I can’t believe I didn’t fathom that one out myself!)

We will drag the Spy Tool to our instance of calc.exe and release it when we are over the = button.

When we release the Spy Tool, you will be returned to the Environment Manager console and be presented with a summary window that looks something like this

Note – as I mentioned a while ago in my (probably least popular) post, adding a Description (by going to the General tab) is very important. That goes for every item, but probably most of all for Lockdown items, because the technical details don’t tell you intuitively what it is you are trying to lock out. As you can see from the example above, there’s nothing in the Lockdown tab that tells you it’s the = button we are trying to lock out, so we’ll add a Description now.

Now that we’ve added the Description, we can click OK and we’ll see our Lockdown item displayed in the console

Once we save and deploy the configuration, we can now see the effects of the Lockdown item when our users launch the Calculator application

So, that’s how to go about locking out the parts of the user interface. When you click and drag the Spy Tool, a box shows you which parts of the user interface you can lock out. Some of the controls you can work with will give you options as to what to do with them, like this

Notwithstanding the hideous spelling error, which has been duly reported to AppSense! (and now fixed)

You can also lock out menus with the Spy Tool. For instance, if you drag the Spy Tool to the Edit menu in Notepad, you’ll see a list of available menu lockout options like so

Really, there’s no better way of exploring Lockdown items than experimenting. The best way to find out what is available to lock out is by dragging the Spy Tool onto things and seeing what is available. If you want to work with context menus, a neat trick to make these available is to use the context menu key on the keyboard – this allows you to activate context menus whilst dragging the Spy Tool around.

One thing to bear in mind is that Lockdown items work in the context of the process they relate to. So if you lock out an item on the desktop or in Windows Explorer, you will lock that item out for everything under explorer.exe! I saw one client who wanted to stop users from editing a batch file they had on their desktop, so they removed the Edit command from the right-click context menu. Of course, because this then removed it for explorer.exe globally, the unforeseen knock-on effect was that users couldn’t right-click on other text documents and choose the Edit option. Changes to menus and buttons in broad-scope applications such as explorer.exe and iexplore.exe should be done with great care, and should always involve proper change control and testing processes.

Which leads me nicely on to the next important point about using General Lockdown items. They should really be used sparingly. Where possible, use GPOs to control modifications to the user environment and applications (but by all means, deploy the GPOs using AppSense Environment Manager – it gives you a much wider scope of control). Unlike Lockdown items, you can be fairly sure that deploying GPOs will not have unforeseen consequences, and will generally still work even after the target software has been updated. If you are using General Lockdown items on an application, then a good practice would be to remove the Lockdown items from your configuration prior to updating the software and then re-adding them afterwards. The reason for this is that during a software update the various controls and menu items may change and your Lockdown items may not function the same way afterwards.

The reason I make the point about being quite reserved in the use of Lockdown items is that they should be about managing and enabling your users, rather than just restricting them. It’s all too easy to get gung-ho about stopping users from getting to parts of the interface you don’t want them to and creating more problems than you avoid. I saw a client once who had decided to lock out the Search box in Internet Explorer. Because he used the Address Bar religiously for integrated search, he didn’t realise that users actually made use of the Search box, and unwittingly caused his user base no end of issues until he removed the Lockdown item. It’s all very well using Lockdown to help you with compliance and regulation in high-security environments, but when you start to get carried away with it unnecessarily, you are probably going to cause yourself a major PITA. But they do come in very useful if used correctly. I worked in an environment once where users occasionally accidentally used a “Quick Print” function on sensitive documents which then printed them out on the (very public) default printer. To prevent confidential information being inadvertently printed out on the wrong printer, and possibly being seen by other users, we used the Lockdown functionality to remove the “Quick Print” option for a certain AD group.

Also, when dealing with Microsoft Office, if you can’t control the aspects of the application you want using GPOs, you should always use the Office Lockdown function rather than the General Lockdown one. The Office Lockdown tool was designed specifically for MS Office apps and offers a greater degree of control than the slightly blunter General Lockdown wizard.

One final thought is that you shouldn’t think of the Lockdown functionality as a way to subjugate your users and prevent them from wasting time. A famous quote I like to use (which I believe should be attributed to Ed Crowley) when faced with clients who are getting over-excited about locking the interface down is “there are seldom technological solutions to behavioural problems”. By all means, use these tools to reduce support calls and prevent users from unnecessary downtime, but if you try and use them as a way to force your user base to work harder, you’ve clearly got issues that AppSense EM can’t fix. After all, even if you nail the interface down so that they can’t do anything but work, there are a million other ways to waste time. They could browse the internet on their phone, read the paper, stare blankly out of the window – anything. Don’t forget that if you’ve recruited the right sort of people, showing them a bit of trust from time to time will make them happier – and happier staff work harder!


9 responses to “AppSense Environment Manager General Lockdown items”

  1. Vanilla Bean says:

    "The reason for this is that, for obvious reasons, while you are holding down the left mouse button and dragging the Spy Tool around the screen, you can't change window focus or maximize any minimized apps!"

    Great post, James! You can change focus by keeping the mouse button pressed and then use ALT+TAB to switch window focus.

    Here is a YouTube video demonstrating

    -Brian Kelly SE AppSense

  2. Vanilla Bean says:

    Thanks for pointing that out Brian, I can't believe I hadn't fathomed that one out over the last four years or so 🙁 I've updated the post!

  3. Vanilla Bean says:

    Great post. I'm currently getting more into lockdown features but one which has me stumped is blocking the users tab on Task Manager on Windows 2008 SP2

  4. Vanilla Bean says:

    You're not the first person to have issues locking down the Task Manager, it appears to be a lot harder than it would first seem. I will see what info I can gather about this and I will put a post together about it (if it's possible)



  5. Vanilla Bean says:

    Unfortunately it turns out that this cannot be done in Win7 or 2008 R2. It worked in XP/2003, but according to AppSense the API has changed and it now does not function.

    This can be logged as a feature request at should you feel it is necessary, in the meantime I will continue looking for a workaround.



  6. Vanilla Bean says:

    Interestingly I logged an incident with AppSense and we have managed to lock down the task manager. AppSense sent me this which has worked:
    Process name: taskmgr.exe
    Control text: Users
    Parent text: Windows Task Manager
    Control ID: 0
    Class Name: #32770
    MSAA type: Property Page (38)
    Window style: 1375732812

  7. Vanilla Bean says:

    Unfortunately this doesn't seem to work for me.



  8. Vanilla Bean says:

    Is AppSense capable of re-evaluating the lockdown for an already running application based on a trigger… for example session re-connection?

    Seems a logical thing to want to do – users internally get all functionality, then they go home and remote in and it's locked down. Seems to work if the process is re-started… but that's kind of defeating the point.

    Is that possible?


  9. Vanilla Bean says:

    Not sure I understand exactly what you mean. Do you mean users have an app (i.e. Word) open with no lockdown, they disconnect their session and leave the app open, then reconnect to their session from home and now the application has a lockdown item put in place?

    If that's what you're after, does applying Lockdown items in the Session Reconnected trigger (maybe with an extra parameter such as client IP address or hostname to identify a remote session), do what you want?
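
Added example (not part of the original post or comments, and not AppSense code): the properties quoted in comment 6 are the kind of detail a General Lockdown item records about a control, and the post warns that they can change when the target software is updated. This Python script decodes the quoted window style into Win32 flag names and compares the recorded properties against a control inventory taken before and after an update; the field names, the two inventories and the comparison logic are assumptions made for illustration.

```python
# Added example. Field names and both inventories are constructed for illustration;
# this is a drift check, not AppSense's own matching logic.
WS = {0x40000000: "WS_CHILD", 0x10000000: "WS_VISIBLE", 0x08000000: "WS_DISABLED",
      0x04000000: "WS_CLIPSIBLINGS", 0x02000000: "WS_CLIPCHILDREN"}
# The low 16 bits are class-specific; these DS_* names only apply to dialogs (#32770).
DS = {0x0400: "DS_CONTROL", 0x0040: "DS_SETFONT", 0x0008: "DS_FIXEDSYS", 0x0004: "DS_3DLOOK"}
FIELDS = ("process", "text", "parent", "control_id", "class_name", "msaa_role", "style")

# Values quoted in the comment thread for the Task Manager "Users" tab.
RECORDED = {"process": "taskmgr.exe", "text": "Users", "parent": "Windows Task Manager",
            "control_id": 0, "class_name": "#32770", "msaa_role": 38, "style": 1375732812}

def decode_style(style, class_name):
    """Name the Win32 style bits in a window style value; unknown bits come back as hex."""
    table = dict(WS)
    if class_name == "#32770":
        table.update(DS)
    names = [name for bit, name in table.items() if style & bit]
    rest = style
    for bit in table:
        rest &= ~bit
    return names + ([hex(rest)] if rest else [])

def drift(recorded, inventory):
    """Return {} if a control still matches every recorded field, else the
    differing fields of the closest control as {field: (recorded, found)}."""
    if not inventory:
        return {f: (recorded[f], None) for f in FIELDS}
    def diff(ctl):
        return {f: (recorded[f], ctl[f]) for f in FIELDS if ctl[f] != recorded[f]}
    closest = min(inventory, key=lambda c: len(diff(c)))
    out = diff(closest)
    if "style" in out:  # report style drift as flag names lost and gained
        old = set(decode_style(recorded["style"], recorded["class_name"]))
        new = set(decode_style(closest["style"], closest["class_name"]))
        out["style"] = (sorted(old - new), sorted(new - old))
    return out

# Constructed inventories: one taken when the item was created, one after an update.
BEFORE = [dict(RECORDED, text="Processes"), dict(RECORDED)]
AFTER = [dict(RECORDED, parent="Task Manager", style=1442841676)]

if __name__ == "__main__":
    print(decode_style(RECORDED["style"], RECORDED["class_name"]))
    print("before:", drift(RECORDED, BEFORE) or "still matches")
    print("after: ", drift(RECORDED, AFTER))
```

Any field reported as differing after an update is the cue to re-capture the control with the Spy Tool and retest before redeploying the Lockdown item.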


