> Monitor > ApplicationCompliance > Application Compliance Overview

Application Compliance

MSP N-central manages application compliance through two features: Application Compliance Rules and application compliance settings. The difference is that Application Compliance Rules are applied for applications when they are first discovered while application compliance settings are applied when a discovered application is found on another device.

MSP N-central manages application compliance through two features: application compliance Rules and application compliance settings. The difference is that application compliance Rules are applied for applications when they are first discovered while application compliance settings are applied when a discovered application is found on another device.

To illustrate the difference between how MSP N-central uses Rules and settings for application compliance, the following example demonstrates how they are applied to applications and devices.

  1. ExampleSoft 1.0 is discovered on Device A.
  2. No matching Rule exists for ExampleSoft. By default, MSP N-central creates a new application compliance setting for ExampleSoft 1.0 with Status = Pending.
  3. ExampleSoft 1.0 on Device A is configured as Pending.
  4. ExampleSoft 1.0 is then discovered on Device B.
  5. MSP N-central finds that there is already an application compliance setting for ExampleSoft 1.0 (set to Pending) and so it configures the application as Pending for Device B.
  6. An MSP N-central user creates a new Rule which indicates that any applications matching ExampleSoft must be configured as Not Allowed. No version identifiers are configured for the Rule.

    At this point, MSP N-central does not attempt to apply this Rule to any existing application compliance settings and it does not verify if those settings need to be changed.

  7. ExampleSoft 1.0 is discovered on Device C.
  8. MSP N-central finds that there is already an application compliance setting for ExampleSoft 1.0 and so it configures the application as Pending for Device C.
  9. ExampleSoft 2.0 is discovered on Device D.
  10. As MSP N-central does not have an application compliance setting for ExampleSoft 2.0, it refers to existing Rules.
  11. MSP N-central finds a Rule that matches by the application name which indicates that the application should not be allowed. It creates a new application compliance setting for ExampleSoft 2.0 and configures it as Not Allowed.
  12. MSP N-central configures the ExampleSoft 2.0 application on Device D to Not Allowed.
  13. An MSP N-central user revises the application compliance setting for ExampleSoft 1.0 to Not Allowed.
  14. ExampleSoft 1.0 is discovered on Device E.
  15. MSP N-central finds that there is already an application compliance setting for ExampleSoft 1.0 (set to Not Allowed) and so it configures the application as Not Allowed for Device E.

As the example above demonstrates, application compliance Rules and settings must be coordinated in order to manage application compliance effectively.

In order for the Application Compliance Service to administer software policies, a list of applications that have been approved must be maintained within MSP N-central. When the Application Compliance Service detects an application name that is not on the list of approved applications, the service indicates the presence of an unapproved application.

How The Application Compliance Service Works

A list of all applications discovered within the monitored network (or networks) is generated by MSP N-central based on the devices found by discovery jobs and also on those devices that were manually created (where local Agents are installed and discovery jobs are carried out). The list of discovered applications is not affected by the Application Compliance Service as applications will be discovered even if devices have not had the service added to them.

A discovered application for a device can only be updated after another discovery job has been performed. For example, if an application is discovered on a device two weeks ago, but the device has been turned off since that time, the name of the discovered application will be kept in the Discovered Applications list until the discovery job is performed again. The Agent will update the asset information of a device every 24 hours but you can force the update to take place immediately by clicking Update Now on the Asset tab of the device.

An application that has been approved will be kept on the Allowed Applications list even if the original device where the application was discovered has been deleted from the system.

Using Application Compliance Settings

The following procedures can only be performed at the Service Organization or Customer-level. Select the appropriate Service Organization or Customer in the View Selection Menu to continue.

Display the lists of managed applications

  1. In the navigation pane, click Configuration > Security Manager > ProfilesMonitoring > Application Compliance Settings.
  2. Click the list titles to expand and display the lists of applications:
    • Discovered Applications
    • Allowed Applications
    • Disallowed Applications
    • Ignored Applications

Search for specific applications

  1. In the navigation pane, click Configuration > Security Manager > ProfilesMonitoring > Application Compliance Settings.
  2. In the Filter by field, type the names (or parts of the names) by which to filter the application lists.

    More than one list of applications can be filtered simultaneously.

    The lists of applications currently being displayed will be filtered based on the criteria that you define.

Configure managed applications for application compliance

  1. In the navigation pane, click Configuration > Security Manager > ProfilesMonitoring > Application Compliance Settings.
  2. Click the appropriate list titles to expand and display the lists of applications.
  3. Select the check box beside the names of those applications that you want to manage.
  4. Click Move to.
  5. Select the list where you want the applications moved:
    • Allowed
    • Disallowed
    • Ignored
  6. Click Save.
  7. In the Propagate Changes dialog box, select Propagate changes to Settings to Customer/Device if you want your new settings to be applied to both new and existing devices.
  8. In the Propagate Changes dialog box, select Propagate changes to Settings to Customer/Device if you want your new settings to be applied to both new and existing customers and devices.
  9. Click OK.

Export the list of managed applications

  1. In the navigation pane, click Configuration > Security Manager > ProfilesMonitoring > Application Compliance Settings.
  2. In the Settings tab, click Export.
  3. Select the format in which the list will be exported: CSV or PDF.
  4. Follow the procedure to save or open the file.

Propagate application compliance settings

If you do not propagate application compliance settings, they will only be applied to new devices and not to existing ones. You can propagate application compliance settings but you cannot propagate Application Compliance Rules.

If you do not propagate application compliance settings, they will only be applied to new customers and devices and not to existing ones. You can propagate application compliance settings but you cannot propagate Application Compliance Rules.

  1. In the navigation pane, click Configuration > Security Manager > ProfilesMonitoring > Application Compliance Settings.
  2. Modify your settings if necessary (see Configure managed applications for application compliance ).
  3. To distribute these settings, click Propagate.