Some time ago, I was attending a Microsoft Licensing Boot-camp run by Directions on Microsoft. Whilst covering off the variations of Windows 8 (Enterprise) operating system, the course tutor happened to touch on a sub-component that had previously flown by me – namely, Applocker. In the presentation, the tutor happened to mention that Applocker can prevent applications running without the required permission.
Stop the press!! Is the world of Software Asset Management about to be turned on its head?! If you read the tech-net information that covers implementing Applocker, you might be inclined to think that not only could you do away with your Software Asset Management suite, your anti-virus software might also become redundant. Applocker controls the key component of an application and validates whether it can be allowed to run or not by comparing it to a list of users through a Group Policy Object within Active Directory. This can be done on a local device, or via Windows Server 2008 to apply to an entire range of devices. Indeed, exceptions can even be allowed, so that if a company policy exists to prohibit access to a specific title, then certain users can be given permission to run that software.
A monkey-see, monkey-do guide can be found at the link below:
A more in-depth review of Applocker can be found in the tech-net pages:
I was talking with John Tomeny of Sassafras about this development, as I wondered whether he saw this as a potential threat to this permission setting feature of KeyServer (Sassafras’s Software Asset Management suite) and John raised a very salient point: Applocker might offer a degree of control around who can and cannot run applications, but it will not perform such a check against a license count, nor will it provide application metering data (although Applocker can be configured to provide rule-usage data via the Event Viewer).
Rather like self-service portals, I suspect Applocker will come into its own when the current crop of Software Asset Management suites can interface with Applocker rules and dynamically validate whether or not a license permits the running of a software title or not.
In the meantime, IT staff will have to continue to categorise company employees by job role to assess their suitability to access software titles if Applocker is their sole means of control.
A point too, on such AD/Applocker controls: if concurrency is a requirement of management for certain software titles on your estate, ensure the software vendors for those titles endorse Applocker as a suitable method of control – it could be a very expensive lesson learnt if those vendors state they don’t acknowledge Applocker and attempt to widen licence fees due by the rest of your user base.