
Configuring ProfileUnity with Windows 7/10 and AppLocker

Product: ProfileUnity-FlexApp

Product Version:  6.5.5+

Updated: September 30, 2016

 

Problem

An enforced AppLocker policy on Windows 7 or Windows 10 prevents ProfileUnity from running.

 

Symptoms

The ProfileUnity client does not run at user logon, and/or certain features do not run or do not run properly.

 

Resolution

Create AppLocker Allow rules for the ProfileUnity netlogon directory and for the other paths from which ProfileUnity executables and scripts are run.

 

Rule 1  - ProfileUnity Netlogon Directory

  • Create rule in: Executable Rules and Script Rules
  • Permissions:
    • Action: Allow
    • User or group: Everyone
  • Conditions: Path
  • Path: \\<DomainName>\netlogon\ProfileUnity\*
  • Exceptions: None
  • Name (Example): ProfileUnity – Network Share

Note: This is the current deployment path. If unsure, check the ProfileUnity console under Administration (top right) -> ProfileUnity Tools -> Deployment Path.

Rule 2 – ProfileUnity User Temp Directory

  • Create rule in: Executable Rules and Script Rules
  • Permissions:
    • Action: Allow
    • User or group: Everyone
  • Conditions: Path
  • Path: C:\Users\*\AppData\Local\Temp\prou*
  • Exceptions: None
  • Name (Example): ProfileUnity – Users Temp Folder

 

Note: This directory and these files only exist while ProfileUnity is executing and are not normally visible in a user session. You can make them appear temporarily by re-running ‘C:\Program Files\ProfileUnity\userinit.exe’, which repeats the logon process but leaves the temporary files in place for troubleshooting.

 

Note: This directory can be redirected to a fixed location such as C:\Temp using the ProfileUnity ADM GPO template. In that case, use the redirected location in the rule. Bear in mind that any path rule on a user-writable folder allows a user to run arbitrary executables by placing them there, so keep this rule as narrow as possible and prefer a redirected location that standard users cannot write to.

 

Rule 3 – ProfileUnity Client.NET Directory

  • Create rule in: Executable Rules
  • Permissions:
    • Action: Allow
    • User or group: Everyone
  • Conditions: Publisher
  • Publisher: Import the publisher information as follows:
  1. Browse to the ProfileUnity install folder (Default: ‘C:\Program Files\ProfileUnity’).
  2. Browse into the ‘Client.NET’ sub-folder.
  3. Select one of the signed executables (Ex: LwL.ProfileUnity.Client.exe).
  4. Move the slider up to point to ‘Publisher’ (all other fields become ‘*’, so the rule allows anything signed by that publisher).
  5. Click Next.
  • Exceptions: None
  • Name (Example): ProfileUnity – Publishers Signature

Rule 4 – ProfileUnity Client Install Directory

  • Create rule in: Executable Rules and Script Rules
  • Permissions:
    • Action: Allow
    • User or group: Everyone
  • Conditions: Path
  • Path: %PROGRAMFILES%\ProfileUnity\*
  • Exceptions: None
  • Name (Example): ProfileUnity – Install Folder

Note: This rule uses the default installation path expressed with the AppLocker path variable %PROGRAMFILES%, which matches both the 32-bit and 64-bit Program Files folders. If ProfileUnity was installed to a non-default path, use that full installation path instead.
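The four rules above can also be built as an AppLocker policy XML and merged into the local policy with the AppLocker PowerShell module, which is useful for repeating the configuration on many machines or for review before it reaches a GPO. The script below is an added example and is not part of this article or of the ProfileUnity product; it assumes the domain name ‘corp.example’, the default installation path and the default deployment path, all of which must be replaced with your own values. Rule 3 is generated from the signed client executable and then widened so that only the publisher is pinned, which is what moving the wizard slider to ‘Publisher’ does.

```powershell
# Added example, not from Liquidware's documentation: builds Rules 1-4 as an
# AppLocker policy and merges it into the local policy.
# Assumptions (replace with your own): domain 'corp.example', default install path.
$domain     = 'corp.example'
$installDir = "$env:ProgramFiles\ProfileUnity"
$clientExe  = "$installDir\Client.NET\LwL.ProfileUnity.Client.exe"

# Rules 1, 2 and 4 are path rules for Everyone (SID S-1-1-0).
# Rule 2 points at a user-writable folder, so keep it exactly this narrow.
$pathRules = @(
    @{ Name = 'ProfileUnity - Network Share';     Path = "\\$domain\netlogon\ProfileUnity\*" },
    @{ Name = 'ProfileUnity - Users Temp Folder'; Path = 'C:\Users\*\AppData\Local\Temp\prou*' },
    @{ Name = 'ProfileUnity - Install Folder';    Path = '%PROGRAMFILES%\ProfileUnity\*' }
)

function New-PathRuleXml([hashtable]$r) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$($r.Name)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$($r.Path)" />
      </Conditions>
    </FilePathRule>
"@
}

# Rule 3: let AppLocker read the Authenticode signature of the client binary, then
# loosen product name, binary name and version to '*' so only the publisher is pinned.
$fileInfo = Get-AppLockerFileInformation -Path $clientExe
$pubXml   = [xml](New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher `
                -User Everyone -RuleNamePrefix 'ProfileUnity' -Xml)
$cond = $pubXml.SelectSingleNode('//FilePublisherCondition')
$cond.SetAttribute('ProductName', '*')
$cond.SetAttribute('BinaryName',  '*')
$range = $cond.SelectSingleNode('BinaryVersionRange')
$range.SetAttribute('LowSection',  '*')
$range.SetAttribute('HighSection', '*')
$pubRule = $pubXml.SelectSingleNode('//FilePublisherRule')
$pubRule.SetAttribute('Name', 'ProfileUnity - Publishers Signature')

$pathXml = ($pathRules | ForEach-Object { New-PathRuleXml $_ }) -join "`n"

# EnforcementMode stays NotConfigured so the merge adds rules without touching
# the enforcement setting already in place.
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
$pathXml
$($pubRule.OuterXml)
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="NotConfigured">
$pathXml
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'ProfileUnity-AppLocker.xml'
$policy | Set-Content -Path $policyFile -Encoding UTF8

# Dry run: the client binary must come back 'Allowed' (by the path or publisher rule).
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $clientExe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy. To target a GPO instead, add -Ldap "LDAP://<GPO path>".
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

Review the generated XML before merging; the publisher string AppLocker extracts from the binary is the only value in the file that is not taken directly from the rules listed above.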

 

AppLocker Rules for FlexApp DIA/UIA Packages

If you use FlexApp DIA (or UIA) packages, a single Publisher rule covers a package only if all of its executables carry the same signature. If the signatures do not match exactly, a Publisher rule with Custom Values and wildcards in the publisher string can be used to make the rule more inclusive; otherwise a separate Publisher rule is required for each distinct signer.

Rule 5 – DIA Publisher Rule:

  • Create rule in: Executable Rules
  • Permissions:
    • Action: Allow
    • User or group: Everyone
  • Conditions: Publisher
  • Publisher: Import the publisher information as follows:
  1. Browse to the install folder of the App.
  2. Select one of the App's signed executables.
  3. Move the slider up to point to ‘Publisher’ (all other fields become ‘*’).
  4. Click Next.
  • Exceptions: None
  • Name (Example): ProfileUnity DIA – Publishers Signature <App Name>

 

For .exe files that are not signed, a Path or File Hash rule may be used instead:

Path Rule (for unsigned executables):

  • Create rule in: Executable Rules and Script Rules
  • Permissions:
    • Action: Allow
    • User or group: Everyone
  • Conditions: Path
  • Path: \DEVICE\*\VOLUMES\C\<APP FOLDER PATH>\*

Example: \DEVICE\*\VOLUMES\C\PROGRAM FILES\<APP SUB-FOLDER>\*

  • Exceptions: None
  • Name (Example): ProfileUnity DIA – Path <App Name>

File Hash Rule (for unsigned executables):

  • Create rule in: Executable Rules
  • Permissions:
    • Action: Allow
    • User or group: Everyone
  • Conditions: File Hash
  • Select the executable(s) to generate the rule from:
  1. Click ‘Browse Files’ (or ‘Browse Folders’ to add every file in a folder at once).
  2. Browse to the install folder of the executable.
  3. Select the executable and click ‘Open’.
  4. Click Next.
  • Name (Example): ProfileUnity DIA – File Hash <EXE Name>

Note: A File Hash rule matches one exact build of the file, so it must be updated whenever the executable is changed or updated.

Note: If there are any issues running ProfileUnity during logoff, add

\\domain\netlogon\ProfileUnity\lwl.profileunity.client.logoff.exe

as a File Hash "Allow" rule, in the same way as for unsigned .exe files above.
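The split between signed and unsigned executables in a DIA package, and the File Hash rule for the logoff executable, can be automated with the same PowerShell module. The script below is an added example, not part of this article or of the product; it assumes a DIA installed under ‘C:\Program Files\ExampleApp’ and the domain name ‘corp.example’, both of which are placeholders. It creates Publisher rules for every signed executable in the package folder (one per distinct signer), File Hash rules for the unsigned ones plus the logoff executable, and then tests the effective policy so that anything still denied is listed.

```powershell
# Added example, not from Liquidware's documentation: Publisher rules for signed
# DIA executables, File Hash rules for unsigned ones and for the logoff executable.
# Assumptions (replace with your own): DIA folder and domain name below.
$appDir    = 'C:\Program Files\ExampleApp'
$domain    = 'corp.example'
$logoffExe = "\\$domain\netlogon\ProfileUnity\lwl.profileunity.client.logoff.exe"

$files = Get-AppLockerFileInformation -Directory $appDir -Recurse -FileType Exe

# Publisher is $null when a binary carries no Authenticode signature.
$signed   = @($files | Where-Object { $_.Publisher })
$unsigned = @($files | Where-Object { -not $_.Publisher })

Write-Host ("{0} signed, {1} unsigned executables under {2}" -f $signed.Count, $unsigned.Count, $appDir)
$unsigned | ForEach-Object { Write-Host "  unsigned (hash rule needed): $($_.Path)" }

$policyFile = Join-Path $env:TEMP 'FlexApp-DIA-AppLocker.xml'

if ($signed.Count -gt 0) {
    # -Optimize collapses the per-file publisher rules into one rule per signer,
    # which is the "multiple signature rules" case the article describes.
    New-AppLockerPolicy -FileInformation $signed -RuleType Publisher -User Everyone `
        -RuleNamePrefix 'ProfileUnity DIA - Publishers Signature ExampleApp' -Optimize -Xml |
        Set-Content -Path $policyFile -Encoding UTF8
    Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
}

# Hash rules: unsigned package executables plus the logoff executable on the share.
# These must be regenerated whenever any of the files is updated.
$hashTargets = $unsigned + @(Get-AppLockerFileInformation -Path $logoffExe)
New-AppLockerPolicy -FileInformation $hashTargets -RuleType Hash -User Everyone `
    -RuleNamePrefix 'ProfileUnity DIA - File Hash' -Xml |
    Set-Content -Path $policyFile -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# Check the result against the effective policy; anything not 'Allowed' needs a rule.
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $policyFile -Encoding UTF8
$exePaths = @(Get-ChildItem -Path $appDir -Recurse -Filter *.exe |
              Select-Object -ExpandProperty FullName) + $logoffExe
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $exePaths -User Everyone |
    Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Run the script from an elevated prompt on a machine where the DIA is already attached. An empty table from the final step means every executable in the package, and the logoff executable, is covered by some Allow rule in the effective policy.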
