Group Policy rocks. But, out the box, it's missing the biggest piece to get you the true security you need -- application and operating system lockdown.
And that's why we've created PolicyPak.
PolicyPak isn't a set of ADM files. It's a true settings management system which uses Group Policy to deliver settings and lock the machine down. PolicyPak Professional enables you to deliver settings to your applications, lock users out of those settings and guarantee those machines stay configured.
Best part: PolicyPak Professional comes with a collection of pre-created paks for you to manage some difficult applications like:
- Flash Player
- Java Control Panel / JRE
- Acrobat Reader X, Acrobat Pro X, Acrobat Standard X
- Microsoft Lync client
...and over 50 more ! They're all included when you're a PolicyPak Professional customer.
PolicyPak Professional help you ensure compliance, reduce the number of images, immediately increase end-user productivity and deal with end-users' applications settings management. (Read more about the problems that PolicyPak Professional can solve by reading the Solutions items in the Solutions menu.) Watch this short video to get the feel for what PolicyPak Professional does and how it can save your company from some real problems (you have right now).
What is the PolicyPak Design Studio?
The PolicyPak Design Studio enables you to build your own Paks for any downloaded, purchased, proprietary or home-grown applications. It is included as part of PolicyPak Professional.
In short, lock down any application on your users' desktops when you create a Pak using our included PolicyPak Design Studio.
Creating your own Paks for your off-the-shelf or in-house applications is as easy as 1-2-3. Let's see how easy it is to leverage configure an application you already use. In this example, we'll use WinZip to create our first PolicyPak (but you can envision your own desktop application of any kind here):
Results: What You SET Is What They GET
Once your systems have PolicyPak, there's simply no way for a user to work around your set policies.
With PolicyPak-What you SET is what they GET.
PolicyPak was designed by Group Policy MVP Jeremy Moskowitz – who “wrote the book” on Group Policy, runs GPanswers.com, and lives and breathes Group Policy and enterprise software deployments and desktop lockdown.
Get PolicyPak today and see what it can do for you and your team.
Unless you want more help desk calls.
- Prevent the accidental (or intentional) misuse of applications on desktops.
- No infrastructure required -- all settings are configured using Active Directory Group Policy.
- Keeps working -- even when users are working off-line and not on the network.
- Our included preconfigured paks get you started today with many popular applications.
- Use our PolicyPak Design Studio to quickly create your own paks for in-house and home-grown applications.
- Works with desktops, laptops, virtual desktops (XenDesktop and VMware View), and virtual applications (Microsoft App-V).
- Enhance a Least Privilege solution, like BeyondTrust PowerBroker Desktops, Avecto Privilege Guard or Scriptlogic Privilege Authority -- and lock down users so they cannot work around your IT policies.
Transcript for Video 1 - What does PolicyPak Do?
Hi, this is Jeremy Moskowitz, Group Policy MVP and Founder of PolicyPak Software. In this video, we're going to learn what PolicyPak does.
Let's get right to it. Imagine you've got applications that your users use every day, like "WinZip," "Acrobat Reader" which is here and also "Firefox." I'm just picking three applications that you may or may not use right now, but we're going to start with these.
Users every day love to just mess up their settings and try to work around what you configure for them. So the idea is that even if you've put very important key settings in your build image or you've baked them in or you're otherwise getting those settings to them, they love to work around and screw up all these possible settings.
What we're going to do is we're going to deliver key settings using PolicyPak and our PreConfigured PolicyPaks. We'll go ahead and close out these three apps. I just wanted to prove that I had them on this machine, because that's one of the key things about PolicyPak. We don't care how the applications get there. There are a lot of great ways to get your applications out there. That's not what PolicyPak does. PolicyPak's job is to deliver the applications settings and lock them down.
Let's get started with "Lock down key applications." We're using Group Policy and linking it over to all of our "East Sales Users." We're locking down these key applications. We could do this in one Group Policy Object or multiple GPOs. That's fine.
I've already pre-staged this demo by taking some of our "PreConfigured PolicyPaks" and just copying those files into the place that we need to in order to make PolicyPak manage those applications. I cover how to do that in our other quick start videos.
What we'll do now is we'll dive down under "PolicyPak/Applications/New/Application." Let's go ahead and configure. Let's start off with "WinZip 14 and 15" right here. Let's just get right to it. For WinZip here, for "Passwords," we'll go ahead and check all these key important bits off. You'll notice that the application settings inside of PolicyPak look just like the actual application itself.
We'll also do something that, well, the old Group Policy stuff in the box can't do. It can't "Hide corresponding control in target application" or "Disable corresponding control in target application." We can. So we're going to "Hide corresponding control in target application" that guy. We'll "Disable corresponding control in target application" this guy.
We'll also jam this up to "11" and also "Disable corresponding control in target application" that. So we're setting the settings and disabling it. We can also, for some key settings, "Disable whole tab in target application." We're going to just deliver those settings just like that. That's it for WinZip.
Let's go ahead and move on to our next application, which is going to be Acrobat Reader, "PolicyPak for Adobe Reader X." In Acrobat Reader, "Adobe Reader X," we'll go ahead and we'll set up some key settings here as well.
We could do that for a lot of other ones as well. Actually, why not? We're here for "Updater" since we're here as well, we can also if we want to "Do not download or install updates automatically." We're going to prevent this application from updating. That's a very common and popular PolicyPak feature that a lot of people like to do is to disable updates.
For the last application, for "PolicyPak for Mozilla Firefox," Firefox doesn't store its stuff in the registry. It happens to store its stuff in a very bizarre file type in a very bizarre location. But that's OK, because PolicyPak can handle it. We're going to make the "Home Page" "www.PolicyPak.com." That's great.
Then while we're here as well, we can go to "Security." We want to guarantee that these checkboxes are checked. So even if a user tries to go ahead and change the homepage, the very next time they rerun the application it will be guaranteed. Let's go ahead and click "OK."
Now that we've set the settings inside of Group Policy, we'll go to our machine. All we need to do is to wait for 90 minutes, that's the normal background Group Policy refresh. We could also type "gpupdate," and Group Policy will refresh in the background. We could also log off or log back on or change machines.
This is important because if a user might use multiple machines – like a desktop, a laptop, terminal server or VDI – well, no matter where they roam, the settings that you set are what they're going to get. That is the important part. It doesn't matter if they get a new machine or you're changing operating systems from, say, XP to Windows 7. The settings that are important enough for your machine are going to be there.
Now that that's updated here, all we're going to do is run each application one by one. Let's go ahead and click on "WinZip" first. We'll go to "Options/Configuration…" here. Go over to "Passwords." You can see that we've set all those settings. Those settings are deployed, and some are locked out. We only decided to lock out some of them. Also the "Cameras" tab is neatly locked out as well.
If we go to "Updater," "Do not download or install updates automatically." We don't even need to gray this out, because a user can't change it without user account control. That's good news for us. So it will stay the state that we decided to set it, which in this case was locked out.
Let's finish up with "Firefox" here. There we go. The default is "www.PolicyPak.com." If they decided to do something that they shouldn't do, like go to "Options" here and they change this to something maybe they shouldn't, which is no problem. We'll go to "www.google.com" here.
We could also go and set these "Security" things and uncheck them. OK, remember what we did in our PolicyPak. We deployed these very important security settings. If they try to unset them, the very next time they go into "Firefox," it gets reset back. We go to "Firefox/Options," and those "Security" settings are delivered again and also the "Home Page."
That is what PolicyPak does in a nutshell. We also are able to keep these settings offline as well. If the user is disconnected from the network and they change their settings, not a problem. We are able to maintain these settings even while the user is offline.
For more information, well, since we're looking at the PolicyPak homepage anyway, you'll find lots of information here under "Products." We have a little video for just about every one of our "PreConfigured PolicyPaks."
Also when you're ready, you can also use our "PolicyPak Design Studio" application, which is here, to design your own PolicyPaks for your homegrown or in-house applications or anything else that you download. That is covered in another video, which you should find, again, right here on "www.PolicyPak.com."
Thank you very much for understanding how PolicyPak works, and we look forward to getting you a trial of it.
Take care. Bye-bye.
Transcript for Video 2 - How to Create your own PolicyPaks
Hi, there. This is Jeremy Moskowitz from PolicyPak Software. Today you're going to learn how to create your first PolicyPak. Well, first things first, you've got to have the application you want to manage on your machine. You can see here I've got "WinZip" and "Acrobat Reader" and "Firefox." You probably generally want to have the most clean machine possible, but since this is my demo station I have a couple of applications.
So, for instance, if we take a look at an application like "WinZip," you can see if we go to the "Options/Configuration…" that there are a lot of possibilities in here. The good news is it doesn't really take very long to get these started and going. We're only going to do a handful of them today, and we'll leave the rest to you. In fact, actually, I already have a preconfigured WinZip Pak, but it's actually still a good example for us to use to get you started creating our first PolicyPaks.
So the first thing again, have the application you want to manage already on your machine, as you can see right here. The second piece you need, I already have preinstalled. That's this part from Microsoft called the "Microsoft Visual C++ 2008 Express Edition."
The bad news is this is kind of huge and takes a while to download and install. Let me show you what the webpage looks like when you find it. It changes every so often, so if by the time you're watching this video it doesn't quite look like what you expect, that's fine. But you do need to have the "Visual Studio 2008 Express Edition," the C++ one specifically, so "Microsoft Visual C++ 2008 Express Edition with SP1." You can click on "FREE DOWNLOAD" for "English." It takes a while to do its thing.
There is also a way to download the "All-Offline Install ISO image file" as well. I've had it work perfectly where the C++ Express Edition will install fine on my Creation Station. But sometimes I've had to download the entire ISO file. When you do get it, be sure to install just the C++ 2008 Express Edition. We don't need anything else, like C# or anything else. It should also be noted that PolicyPak is not compatible with Visual Studio 2010, only compatible with Visual Studio 2008, and the Express Edition is what we're after, the C++.
Now I've already got that installed on here. I've already preinstalled my application that I want to manage, and I've also preinstalled my C++ Express Edition, as you can see here. What's next for me though is I want to show you where the PolicyPak Creation Station utilities are.
Those live here on the download that you have. It's called the "PolicyPak Design Studio." I'm not going to bore you with the install. It's quite simple and painless. You just double click it. The idea is that utility will be found here, called the "PolicyPak Design Studio 3.0," so "PolicyPak/PolicyPak Design Studio 3.0."
Now that we've got the Design Studio launched, it does take a minute to initialize. Then it will ask you what application we want to manage. While that's going, we'll go ahead and also double click "WinZip" again, get that guy going. I happen to be using WinZip 14. I do suggest that if you're going to start a new PolicyPak just for your first time, I do recommend that you use WinZip 14 or 15 as opposed to other applications which could be harder. This is a really good first one.
Again, the page that we want is the "Options/Configuration…" page here. We're not going to worry too much about all of them, but I'm going to walk you through a couple of examples here. You'll also find examples that are similar to these. I don't know if I'll be using the exact same examples that we have in the Quick Start Guide, but it should give you a feel for how it works.
What I want you to do first is, we've got the Design Studio up here, so we're going to "Start a new project." The way the Design Studio works is that you click on the application and you see the windows that are up. If the window happens to be closed, well then, we can't get to it. So we'll go back to "Options/Configuration…" and we'll see that the configuration window is there.
We'll click "Next" and it's going to capture that window. This is a registry-based application. Now if you're wondering how do I know it's a registry-based application, well, I looked in the registry and I found everything I needed right there. It was kind of obvious, but we'll talk in other demonstrations about how to find and track down where your applications keep their data. But WinZip is a well-behaved app, and it keeps its stuff in the registry.
Notice how there are other project types. We'll go over other project types in other videos, but for now WinZip "Project type: Registry" is what we're after. Actually, I'm also going to give this a different name. I'll call this "Project name: WinZip Live Demo." The reason why is that because we also ship with a preconfigured WinZip, I don't want to get confused in case there's another WinZip PolicyPak on my machine, like there could be on yours if you followed my other videos.
Here we'll pick "WinZip Live Demo," and we'll click "Next." The next thing we need to do is to describe where in the registry this application lives. We default to the most likely place for you to get started, which is "HKEY_CURRENT_USER\\Software." But it turns out we can actually get closer to the source.
All of WinZip's stuff happens to live under "Nico Mak Computing." You notice how there's also a "WinZip Computing" one here? It turns out it doesn't store hardly any settings there. So what we're going to do is we're going to focus in on the place that most of the settings are stored, which is "Nico Mak Computing," and we'll click "Finish" here.
Now it's going to go ahead and, like I said, capture that first window, and there it is. Let's go ahead and also capture some more windows here. We'll go ahead and capture the "Cameras" tab and also the "Passwords" tab. You can see here this is the actual application. This is our package inside the Design Studio. What you're looking for is this button right here that says "Capture another tab."
So we'll "Capture another tab." We'll click "OK" here. We'll go over to "Passwords." Then we'll click back in the window, and we recognize that we've pushed back. We'll press "OK," and we've brought it in. Let me show you another one. I'll go ahead and click on the "Capture another tab" button here. "Configuration will become active." We'll go ahead and click on "Cameras." We'll click back in, and we'll click "OK" and that's it. Like I said, you could click through all those tabs if you wanted to, but we're just going to focus in on some items right here for fun.
Now that we've got everything here that we need, the first thing we want to do is we actually want to trick WinZip a little bit. In fact, just by clicking any of these items and clicking "OK," we've tricked WinZip to actually flush a lot of possible items that it might write on first run. Therefore, we're not going to be fighting lots of values being written by the application.
So I've clicked. I've said "OK" to one value, and I'm unclicking it and clicking "OK" and we're back. The point of the story is WinZip has now written a bunch of default settings to the registry, and that gives us a good baseline to get started.
What we're going to do is right click over, say, "at least one symbol character" here in our Design Studio and click on "Configuration Wizard," and we just do what the wizard asks us to do. The first screen asks us is it still a "Registry" project. Yep, so we just click "Next" to confirm that. Is everything we want to grab under "Nico Mak Computing?" Yep.
Now "Indicating the Current Checkbox State," is it checked or unchecked? Well, let's go ahead and take a look. We know that all four of these guys are unchecked, so we'll leave it unchecked. If it was checked, we could check it. But it's not, so we'll leave it unchecked.
"Now go to the Application again and change the setting to be 'checked' as indicated below and then save changes using the 'Apply' or 'OK' button." So we'll click there. There is no "Apply" button but there is "OK," so we'll go ahead and click that. That under most circumstances is all you need to do for that checkbox.
We'll click "Next," and we just learned something. We've learned that when you click that checkbox "On," it sets "passwordreqsymbol" to the value of "1." Now we're pretty sure when you click it "Off," it's going to "<delete>" it, but we're not positive. We actually don't know that until we literally check it off. You could if you want to bypass that and save a little bit of time, but the default behavior is to continue onward and actually double check that.
In other words, "Now go to the Application again and change the setting to be 'unchecked' as indicated below and then save changes using the 'Apply' or 'OK' button." So we'll go to "Options/Configuration…," we'll uncheck the checkbox, click "OK" and let's see what we learned. We just learned that for sure when it's "On" it's "1" and when it's "Off" it's "<delete>." Some applications will set things to 0, others will delete, others will do other weird things, but this one is pretty simple. We'll go ahead and click "Next."
"Choosing the Default State," we learned already that's unchecked. "Choosing the Revert State," you may want to change this, but by default we suggest that you leave it in the state that we found it, which is also unchecked. So when you get the policy, it'll be checked; when you lose the policy, it'll be unchecked. Then that's it.
Let's just do another one. Let's see how easy this is. We'll go to another right click, "Configuration Wizard…" "Registry" "Nico Mak Computing," yep, sounds good. We'll go ahead and go back to the application, check it out, "Options/Configuration…" It says "at least one numeric character (0-9)." Is it checked or unchecked? We can see it's unchecked. We'll go ahead and click "Next." Now we'll go ahead and check it, click "OK," click "Next."
Cool. Well, we just learned a similar thing, "passwordreqnumber," when it's "On" it's "1," when it's "Off," well, we're not quite sure. So let's go ahead and uncheck it, click "OK" and we'll click "Next." Excellent. We've definitely learned that, in fact, "On" is "1," "Off" is "<delete>." We'll leave the "Default" as unchecked, the "Revert" as unchecked, and we're done with that one.
Let's do this little spinner guy. We have a wizard for every type. For instance, we can see here that we can just right click over this guy, go to the "Configuration Wizard…" and actually we get asked a couple of different questions now. So "Registry" "Nico Mak Computing."
Now it asks us what is the "Minimum Value"? Let's go to the application and click "1" and click "OK" and we'll click "Next." It discovered that we made the change, so it says, "Finding the Step Value." In other words, go up by one. Not every application goes up necessarily by one, this one happens to go up by one, so we'll click "OK."
Now "Finding the Max Value," maybe this application's maximum value was 10. Maybe it's 15. But this application, if you go to "Options/Configuration…" and here's what I like to do. Type "99999." Oh, just two 9s, great. Click "OK," and that was what our guess would be.
We'll click "Next" here. Sure enough, the "Min" value, the "Max" value and the "Min + Step" value are all discovered, and that's it. The "Default," well, we just saw that was "8." We suggest that. The "Revert" value, what happens when the policy doesn't apply anymore, again also "8" is a good idea.
Then we get to this idea called the "Linked Label Selection." This helps with Group Policy reporting and the GPMC reports. Basically we're asking what thing are we really working on? What text is closest to that? The text that's closest to that is "Minimum password length." So when the GPMC reports, if you set the minimum password length to 12, you'll see "Minimum password length: 12" in the reports, which is nice. So you pick on the label link that makes the most sense. That's it; you're finished.
Let's do another one, hanging out in "Cameras" just for fun. Let's do "AutoPlay options." This is very similar. You right click over the group, click on "Configuration Wizard…" and you do whatever the wizard asks. Go to the "Registry" "Nico Mak Computing," and it's saying "Indicating the Currently Selected Radio Button." Let's go take a look. If we go over to "Cameras," well, that first one is in fact selected. Fantastic.
Now go to the next value and click "OK," click "Next." Go to that last value, click "OK" and great. Look what we learned. We learned that this one is "1," that one is "2" and that middle one is "0." Interesting. OK, cool.
Then the "Default" is this top one. We can choose to make that our default value. If we just select it and enable it on, it'll set that as the default value. We could also choose the "Revert" value if we're so inclined to something totally different. You get the policy, you get this, whatever we set it to. When we don't get the policy anymore, we can have it revert back to a particular setting as you wish. Again, the "Linked Label," what's closest? Well, "AutoPlay options" makes the most sense here. Now we'll go ahead and click "Finish."
Now when you're done playing and configuring your PolicyPak, just for fun I'm going to go to "File/Save As" here. I'll go ahead and call this "WinZip-Live-Demo." There are a couple ways to continue on here. What we're going to do is we're going to click on the "Compilation" tab, and we're going to "Show test PolicyPak when complete." You can see what the PolicyPak name is going to be right there. We'll go ahead and do this.
At this point, the Pak is actually actively "Compiling…" Then when it's done, you'll get to see a representation of what that Pak would look like in the Group Policy Editor. "Compilation was successful!" We'll go ahead and click "OK" here. Now we get to play with it in real time.
Again, this isn't active. It's not actively doing anything, but I do want to point out something real quick. Notice we only configured two of those checkboxes. So if we were to click on the other guys, they're not going to do anything, but we did click this guy. So underline means we can configure it, and if it doesn't underline that means we didn't do anything to it. Same thing here with "AutoPlay options." We did, in fact, configure that guy.
The last piece of the puzzle is you now need to get the Pak, which is now in "C:\Program Files\PolicyPak\Extensions," over to your Management Station. From you Management Station, you can manage that PolicyPak. We've talked about that in other videos.
So with that in mind, I hope you've enjoyed "How to Create Your First PolicyPak." Thanks so much. I'll talk to you soon.