Whitelisting Apps in Windows

While creating a device profile for Windows, you can now whitelist Win32 applications in addition to UWP apps. With whitelisting, you select the list of applications that should be allowed. This gives the admin more control over what users can and cannot see on Windows devices, with the flexibility to choose both UWP and Win32 apps.

The document explains how whitelisting can be done.

Before You Begin

  1. Make sure you are signed in to the ScaleFusion Dashboard.
  2. Windows 10 Pro or Enterprise edition should be installed on the system.

How to Whitelist Apps

  1. For a Windows Device Profile, in the Profile Creator wizard, when you visit the Select Apps section, you will see three main sections:

- Whitelist Selected Apps

- Blacklist Selected Apps

- Skip Application Policy

  2. Choose the radio button Whitelist Selected Apps. This has two separate sections:

Step 1: Add User Info

Step 2: Select Apps

Step 1: Add User Info

Select the user account, define display settings and folder restrictions from here.

a. User Account Selection

Select one of the following:

Enter Primary Username (Non Admin User) - Enter the username for the Windows PC on which the kiosk setting is applied. Please note that it should be a user other than the administrator.

If you are using an Azure AD joined PC, the username has the format azuread\email. For example, if you used john@onplex.com to Azure join the device, the username will be azuread\john@onplex.com.

Autocreate kiosk user account - If no user account is configured on your PC, a kiosk user will be autocreated if you choose this option.

It is mandatory to choose one of the above options.

b. Display Settings

Allow Taskbar: This is a toggle button. Enable this if you want the taskbar to be visible on your Windows PC.

c. Folder Restrictions

When Whitelisted apps open File Explorer, you can control the access to other folders by choosing any of the following settings:

  • Allow All - Allows access to all folders
  • Block All - Blocks access to all folders
  • Allow following - Allows access to only the Downloads folder and Removable drives. You can choose both or one

Folder restrictions require Windows 10 Enterprise/Pro Version 1903 & above.

Users will not have access to the File Explorer App.

After making appropriate selections, click Next. This opens the Select Apps page.

Step 2: Select Apps

At this step, select the apps for whitelisting. The following are the main items on this page:

Apps: Displays the overall list of UWP* & Win32* applications.

*UWP - Universal Windows Platform applications that run on all Windows platforms

*Win32 - the legacy applications that are installed based on architectures

Win32 apps will appear once you enroll your Windows device

Type: Shows the type of application UWP/Win32

Enable Toggle: Allows the user to toggle the enable state of the app. There is an Enable All checkbox in the heading; if you check it, all the apps get enabled.

Edit App Details: The link Edit App Details appears next to each app that is enabled and opens a dialog box. As a part of the whitelisting process, you need to enter a few details related to the app that is enabled. The next section explains this in detail.

Editing App Details

UWP Apps - For the default (inbuilt) apps, the details will be auto-filled. For apps that are installed from the store, the Edit App Details dialog box will show up as soon as you enable the app. Here you will need to enter the App Id. The App Id can be fetched by downloading and running the script on one of the Windows devices.

The App Id is common and, once extracted, can be used for all the Windows devices where this app is installed. Following is an example of the Edit App Details dialog box of a UWP app.

How to get App Id

  1. In the App Details dialog box, click on Download Script.
  2. Log on to the Windows device where this application is installed and transfer the batch script.
  3. Double-click the file to run the batch file.
  4. A Windows SmartScreen popup will appear. Click on More info and click on Run anyway.
  5. A batch shell will open. Enter the name of your third-party app in the batch script.
  6. Copy the App Id and navigate back to the Scalefusion Dashboard. This needs to be pasted in the App Id field.
  7. Paste the App Id that you copied on your Windows device into the App Id field on the Scalefusion Dashboard and click Save.

You can change the Application Name and upload an Application icon, if required.

Win32 apps - The Edit App Details dialog box will show up as soon as you enable the toggle for the app. Here, enter the path of the file in the Application Path field. Following is an example of the Edit App Details dialog box of a Win32 app.

How to get Application Path

  1. Log on to the Windows device where this application is installed.
  2. Right-click on the Application and click Properties.
  3. Copy the file path shown next to the Target field (excluding double quotes).
  4. Paste this path on the Scalefusion Dashboard, in the Application Path field, and click Save.

Set this as default path for all profiles: If you check this option, then this path is stored at account level and becomes the default for all the new device profiles you create whenever you enable this particular app.
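
To cross-check the values entered in the Edit App Details dialog using only built-in Windows tooling, the following PowerShell is an added example; it is not Scalefusion's downloadable batch script. It assumes the App Id field expects the AUMID that Get-StartApps reports; the function names and the sample app name are hypothetical.

```powershell
# Added example: read-only lookup of the values the Edit App Details dialog asks for.
# Assumption: the App Id field takes the AUMID that Get-StartApps reports.
param(
    [string]$AppName = 'Calculator'   # constructed sample name; replace with your app
)

# UWP: Get-StartApps lists the current user's Start menu entries with their AppID.
# Heuristic: packaged (UWP) apps have an AppID of the form PackageFamilyName!AppId.
function Get-UwpAppId {
    param([Parameter(Mandatory)][string]$Name)
    Get-StartApps |
        Where-Object { $_.Name -like "*$Name*" -and $_.AppID -like '*!*' } |
        Select-Object Name, AppID
}

# Win32: read the Target of matching shortcuts (what Properties > Target shows).
function Get-Win32AppPath {
    param([Parameter(Mandatory)][string]$Name)
    $shell = New-Object -ComObject WScript.Shell
    $roots = 'CommonPrograms', 'Programs', 'Desktop', 'CommonDesktopDirectory' |
        ForEach-Object { [Environment]::GetFolderPath($_) }
    Get-ChildItem -Path $roots -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -like "*$Name*" } |
        ForEach-Object {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            [pscustomobject]@{
                Shortcut = $_.Name
                Path     = $target
                Exists   = [bool]$target -and (Test-Path -LiteralPath $target)
            }
        }
}

$uwp   = @(Get-UwpAppId -Name $AppName)
$win32 = @(Get-Win32AppPath -Name $AppName)
$uwp   | Format-Table -AutoSize
$win32 | Format-Table -AutoSize

# Known issue 3: when two similar apps exist, give a path for only one of them.
$distinct = @($win32 | Where-Object Exists | Select-Object -ExpandProperty Path -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "More than one install path matches '$AppName'; enter only one."
}
# Known issue 4: an app whitelisted in the profile but absent from the device.
if (($uwp.Count + $distinct.Count) -eq 0) {
    Write-Warning "'$AppName' was not found on this device."
}
```

Run it as the non-admin kiosk user, since Get-StartApps and the per-user shortcut folders reflect the account that is signed in.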

This is how applications for Windows can be whitelisted.

Any changes made to whitelisting websites will be reflected on the device after you sign out and sign in again on the device.

A typical Windows machine which is enrolled and has apps whitelisted, looks as shown below

Known Issues

As this is our first release of the Whitelisting feature, there are certain known issues which we are trying to fix and release in our next updated version:

1. If Microsoft Edge is whitelisted, image, audio, video and similar files will not open, irrespective of apps being whitelisted. This is a known issue for Windows MDM.

2. If a refresh policy is sent from the dashboard in the same session, the app restriction gets removed from the device.

3. Due to language (Eng US, GB etc.) or version differences in devices, there may be two similar apps. In this case, the path should be provided for only one app. Giving a path for both apps will cause a conflict, and whitelisting will be removed from the device if it is already applied.

4. If apps are whitelisted in the profile but not present on the device, it sometimes throws an error.

