Application Allowlisting

Application Allowlisting

Warning
App allow listing not supported on Terminal / RDP servers as of 12.0.0

Info
This KB is still a work-in-progress! Should be finished up shortly. If you have any additional questions reach out to Support@currentware.com

Overview

Application Allowlisting for Windows enables administrators to control which applications users are permitted to run on their computers. Instead of attempting to block individual unwanted programs, allowlisting ensures that only approved applications can execute, significantly reducing the risk of malware, ransomware, and unauthorized software.

This feature adds a strong layer of endpoint security while helping organizations maintain compliance, improve productivity, and gain better visibility into application usage.

Availability

Release Version: 12.0.0
Platform: Windows
Access Level: Administrator / Operator users only
Location: BrowseControl → App Control

Notes
Note: Existing BrowseControl application blocking settings are now located under BrowseControl → Manage → App Blocker. Application Allowlisting is managed exclusively through the App Control menu.

App Control Dashboard

The new Dashboard provides a high-level overview of application activity and policy enforcement across your organization.

Application Summary

Displays a categorized view of:
  1. Allowed Applications
  2. Blocked Applications
  3. All Applications
This helps administrators quickly understand which applications are permitted or restricted.

User Summary

Shows aggregated user data, highlighting how many applications have been allowed versus blocked. This provides insight into user behavior and policy compliance.

Activity Log

Lists all application-related events and actions, allowing administrators to review historical activity and make informed allowlisting decisions.

Manage by Groups

Managing Application Policies by Group

The Manage by Groups view allows administrators to define application policies at the group level. Policies can be applied selectively to specific groups or computers for flexible control.

Administrators can:

  1. Enable or disable App Control
  2. Choose the level of application tracking
  3. Configure allowlisting behavior
  4. Manage allowed and blocked application lists
Notes
Note: The Blocked List view is shared with BrowseControl → Manage → App Blocker.

Enable Application Tracking

Once the App Control feature is enabled, it also turns on application tracking for selected groups. Settings can optionally be applied to all groups.

Tracking Modes

  1. Application Summary Tracking
    Collects a list of unique applications used without recording every execution event. This provides a high-level overview of application usage.
  2. Application Details Tracking
    Records each time an application is launched. Data is summarized hourly and can be used for reporting or to build an allowlist.
Once enabled, administrators can switch between tracking modes using the Configure Tracking menu.

Enabling Application Allowlisting

Application Allowlisting is disabled by default.

When enabled, users can only run applications that have been explicitly allowed. All other applications will be blocked automatically.

Applications can be allowed based on:

  • Application Name

  • Publisher

  • Application Path

  • Digital Certificate

AlertInfoImportant: Any application listed in the Blocked List will always take priority over allowed applications. Ensure all required business applications are added to the Allowed List before enabling allowlisting to avoid user disruption.

Application Configuration Options

These configuration options help balance security with usability:

Trusted Applications

  • Disabled by default

  • Allows all digitally signed user applications to run

  • Any application with a valid digital signature is automatically trusted

System Account Applications

  • Enabled by default

  • Allows applications created or run by system accounts

  • Ensures essential system-level processes can operate normally

NotesNote: Some trusted user applications (such as antivirus software) may spawn system-level processes that require this option to remain enabled.

Child Applications

  • Enabled by default

  • Allows secondary or child processes launched by already allowed applications

  • Prevents dependent processes from being blocked unintentionally

InfoImportant: Application allowlisting applies only to User Account applications. System, Network, and Local Service accounts are excluded to prevent misconfiguration and accidental lockouts.

Allowlisting Configuration Methods

Administrators can add applications using several methods.

By Application Name

Applications can be added:

  • From the Available Applications list (automatically collected from client endpoint activity)

  • Manually by entering the executable name or browsing for it

Multiple Versions: If multiple versions of an application are installed (for example, camtasia.exe), allowlisting is enforced by executable name, not version. To control specific versions, use the Application Path method.

By Publisher

Allows all applications digitally signed by a specified publisher to run. This is useful for organizations that rely on trusted vendors.

To locate the publisher in Windows:

  1. Right-click the application executable or shortcut

  2. Select Properties

  3. Open the Digital Signatures tab

  4. View the signer details

By Application Path

Allows applications based on their file location.

Examples:

  • Specific file: C:\Program Files\ExampleApp\app.exe

  • Entire folder: C:\Program Files\ExampleApp\

This method provides precise control and supports trusted folders using wildcards.

By Certificate

Allows any application signed with a specific digital certificate, regardless of name or path.

To locate a certificate:

  1. Right-click the application executable

  2. Select Properties

  3. Open the Digital Signatures tab

  4. View the certificate details and copy the Issued by value

NotesNote: Only digitally signed applications support certificate-based allowlisting.

Applications Showing as "N/A"

Some applications may display N/A for Publisher or Certificate. This typically indicates:

  • Unsigned applications

  • Self-signed or untrusted certificates

  • Missing or corrupted certificate data

  • Certain Microsoft Store or packaged apps

  • Permission or access limitations

These applications can still be allowed, but administrators will see a warning advising caution.

End User Experience

When a blocked application is launched, users will see a customizable warning message.

Users can:

  • View previously blocked applications

  • Copy application details to the clipboard for IT review

  • Suppress repeat notifications for the remainder of the day

This helps reduce disruption while providing transparency and a clear path for application approval.

Managing Applications

Manage by Application

Provides a complete list of all discovered applications across the environment.

Administrators can:

  • Allow or block applications

  • Review last accessed timestamps

  • Filter and manage custom applications

This view is ideal for ongoing maintenance and auditing of application policies.

Important Considerations

  1. Ensure all required business applications are allowlisted before enabling enforcement
  2. Maintain allowlists regularly to avoid user disruption
  3. Test policies with limited groups before broad deployment

    • Related Articles

    • What is BrowseControl?

      BrowseControl is an internet restriction software that prevents access to unlawful, distracting, inappropriate, or unsafe sites on any internet browser (Google Chrome, Firefox, Edge, etc). BrowseControl can also block applications from running on ...

    • BrowseControl Filter Configuration – Best Practices

      Here are some quick tips that are best practices when dealing with your BrowseControl filtering setup: URL Filtering List (Allow & Block Lists) When adding URLs there are automatically wildcards(*) before and after the entries. Entering “site.com” ...

    • BrowseControl is not blocking Internet

      If you are having issues with websites not being blocked accordingly by BrowseControl you can conduct the following troubleshooting steps below: Using Domain Name in the Blocked List URL Category Lookup Tool Change the Web Filtering Technology Using ...

    • Does BrowseControl work with proxy servers?

      Yes, BrowseControl is compatible with other proxy servers on your network. Make sure your proxy port is added to BrowseControl’s Port Filter and set the permission to “HTTPS Filter“. From the left-hand menu select BrowseControl. Choose the More ...

    • Add BrowseControl blocks directly from BrowseReporter Dashboard

      As of V10.0.0, we have made it easier than ever to take information found in BrowseReporter and quickly action blocks based on URLs or Categories that you find end users accessing, that are unproductive, should be on the allowed list or timewasting. ...