Major New Features and Enhancements Now Available for Ivanti Workspace Control
We have just released Workspace Control 2022.1 (10.8.0.0), which contains three major new features and several bug fixes.
We’ve also included several workflow improvements based on User Voice requests which were submitted via the Product Ideas page on the Ivanti Community.
New Features
Windows 11 Start Menu
Microsoft has, yet again, introduced a new Start layout. As a result, our customers have requested that we re-introduce the Workspace Control Start Menu. For those not familiar with it: on Windows 8.x, Workspace Control already includes a Start menu that looks quite similar to the Windows 7 Start menu. We wanted to accommodate our customers in this regard and have decided to introduce this Start Menu in Windows 11 too.
The Start Menu will show Legacy applications, Folders, UWP applications and even MSIX shortcuts. Left-clicking the Start button, pressing the Windows key, or pressing CTRL+ESC will each open the Start Menu.
Security - Authorized Owners
The application security portfolio of Ivanti Workspace Control has been extended with the Authorized Owners security feature. Authorized Owners adds an additional layer of security while significantly reducing the maintenance burden for Application Security. Executables are allowed or denied based on NTFS file ownership: only executable files that have an Authorized Owner are allowed to execute. In a managed session, Workspace Control checks the NTFS ownership of executables that are being started in the user context. The NTFS owner is then quickly compared with the configured list of Authorized Owners. If it doesn’t match one of the entries on the list, the application will be blocked.
The rule set to be processed will be much smaller than the one needed for other types of security rules (e.g. File Hash Security). The reason for this is that the NTFS file owners of a vanilla Windows deployment are limited to the list below.
- SYSTEM
- BUILTIN\Administrators
- %ComputerName%\Administrator
- NT Service\TrustedInstaller
Only if the NTFS file owner matches one of the entries on this list, or any authorized owner added by the administrator, will the executable be allowed to start.
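An audit an administrator might run before relying on owner-based rules, added here as an example (not Ivanti code and not how Workspace Control implements the check): it lists executables whose NTFS owner is outside the default list above. The scan path and the `ExtraOwners` parameter are assumptions, and owners are compared by SID rather than by display name.

```powershell
# Added example: list executables whose NTFS owner is not on the default owner list.
param(
    [string]$Path = $env:ProgramFiles,   # assumption: folder to audit
    [string[]]$ExtraOwners = @()         # assumption: extra owners as DOMAIN\name
)

$sidType = [System.Security.Principal.SecurityIdentifier]

# Well-known SIDs: SYSTEM, BUILTIN\Administrators, NT Service\TrustedInstaller.
$allowed = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# %ComputerName%\Administrator is the local account whose SID ends in RID 500.
$localAdmin = Get-LocalUser -ErrorAction SilentlyContinue |
    Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($localAdmin) { $allowed += $localAdmin.SID.Value }

# Owners added by the administrator are resolved to SIDs once, up front.
foreach ($name in $ExtraOwners) {
    $allowed += ([System.Security.Principal.NTAccount]$name).Translate($sidType).Value
}

Get-ChildItem -Path $Path -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try {
            $acl   = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
            $owner = $acl.GetOwner($sidType)
        } catch {
            # Report files whose owner cannot be read instead of hiding them.
            [pscustomobject]@{ Path = $file.FullName; Owner = 'unreadable'; OwnerSid = $null }
            return
        }
        if ($null -eq $owner -or $allowed -notcontains $owner.Value) {
            [pscustomobject]@{
                Path     = $file.FullName
                Owner    = $acl.Owner          # display name, for the report only
                OwnerSid = if ($owner) { $owner.Value } else { $null }
            }
        }
    }
```

Files owned by ordinary user accounts, such as those under a user profile, are the ones this report surfaces.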
Diagnostics - Logon Performance
An overview of User Logon Performance has been added to the Diagnostics section of the Ivanti Workspace Control Console. Every managed session will now report the following information to the database.
- Boot time — machine boot date and time.
- Windows logon time — the date and time when the user logged onto the Windows operating system and the Windows session started.
- Session start time — the date and time when the Workspace Control managed session started.
- Computer — the machine name where the Workspace Control managed session started.
- User name — the user that started the Workspace Control managed session.
- Logon duration — the duration of the Workspace Control logon process.
- Desktop session — whether or not the Workspace Control managed session was started as a desktop session or as a published application.
This information can be helpful when the Administrator is investigating logon delays. In Q1 2022, this feature will be extended with export functionality, and we will also review customer feedback for additional enhancements.
User Voice
We are continuing to review and respond to your feature enhancement requests. Thank you for continuing to submit these requests and for voting on the requests that others have submitted previously!
These ideas and votes act as input to our roadmap. In addition to including requests that have received a lot of votes, we also try to include some ‘quick wins’ (those requests that don’t take that much effort to implement but provide benefit to our customers).
Please refer to the Release Notes for details on all of the User Voice feature requests and other feature enhancements that are included in this service update. The following are a couple of the more noteworthy additions:
Diagnostics - Refresh user event logs for Workspace Analysis
This is a small but very welcome workflow improvement. While reviewing the user event logs, it was never possible to refresh information presented to the Administrator. Starting with the 2022.1 release, the Administrator can now easily refresh the presented information by pressing the F5 key like in any other Windows product.
Diagnostics - Export user event logs from Workspace Analysis
For reference data, customers raised and voted on a User Voice request to be able to save User Event logs. This has been added to the GUI.
Diagnostics - Search in user event logs from Workspace Analysis
To complete the User Voice request on the “User Event Log” topic, a logical next step was to add a search capability to the user event log. From now on, Administrators can easily search in the user event log data.
Prohibit access to Windows Control Panel and PC Settings
The Lockdown and behavior feature in Workspace Control already provided a solution to block access to the Control Panel. In more recent versions of Windows, Microsoft has moved away from using the Control Panel to using the Settings Application. For Ivanti Workspace Control it is, therefore, a logical evolution that we can now also prohibit access to the Settings Application in Windows 10 and later.
Export Application list overview to CSV files from the console
Starting with the 2022.1 release, the Administrator can now easily export the list of managed applications to a CSV file.
Export Security logs as CSV files from console and command-line
In previous versions, the Administrator could only export three types of security logs. We received several votes on User Voice requests to expand the export functionality. With this release, the following logs can be exported to CSV using the Ivanti Workspace Control console.
- Security > Applications > Managed Applications
- Security > Applications > User Installed Applications
- Security > Applications > Websites
- Security > Data > Removable Disks
- Security > Data > Files and Folders
- Security > Data > Read-Only Blanketing
- Security > Authorized Certificates
- Security > Network Connections
Additionally, a change has been implemented in the pwrtech.exe command-line to allow the export of the above items to XML and CSV.
Exclude processes from preventing session logoff
Over the coming year, we plan to productize the most-used engineering registry-hook features. These are features that have already been implemented in the product but are configured via a registry setting rather than via the UI. As such, many customers don’t know that these features exist. Our first implementation is “ExcludeProcesses”. The Administrator can now configure a list of processes to be ignored during logoff via Setup > Advanced Settings > Exclude processes from blocking the logoff sequence.
Enhancements and Improvements
Improved proxy settings detection
The ability of Workspace Control to detect proxy settings has been improved. The improvement applies to activating Workspace Control licenses through a proxy server.
Block client IP address from being sent to the Datastore
In situations where machines have more than one IP address, such as when using VPN solutions, unexpected but technically correct IP address information could be presented in the Ivanti Workspace Control console. In these situations, the Administrator can now configure an IP range to be ignored. This is implemented through an Engineering Registry hook called “IgnoreClientIPAddress”; the configured IP range will then not be uploaded to the database.
Key | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\RES\Workspace Manager
Value | IgnoreClientIPAddress
Type | REG_SZ
Data | <XXX.XXX.XXX.XXX> (digit groups of the IP address or range to ignore)
Improved IP Zone Rules creation
When configuring Zones in the Workspace Control Console, under User Context > Locations and Devices, an IP address check is now implemented for Rules to prevent incorrect IP configurations that can result in undesired behavior, such as mapping the wrong network drives or printers. The check verifies that the entered IP address is composed of four digit groups and that each digit group is between 0 and 255.
Blacklisting and Whitelisting changed to Deny and Allow
In order to increase clarity and understanding, the terms Blacklisting and Whitelisting have been replaced in the Ivanti Workspace Control console by the terms Deny and Allow, respectively.