We have just released Workspace Control 2022.1 (10.8.0.0), which contains three major new features and several bug fixes.

We’ve also included several workflow improvements based on User Voice requests which were submitted via the Product Ideas page on the Ivanti Community.

New Features

Windows 11 Start Menu

Microsoft has, yet again, introduced a new Start layout. As a result, our customers have requested that we re-introduce the Workspace Control Start Menu. For those not familiar with it: on Windows 8.x, Workspace Control already includes a Start menu that looks quite similar to the Windows 7 Start menu. We wanted to accommodate our customers in this regard and have decided to introduce this Start Menu in Windows 11 too.

The Start Menu will show Legacy applications, Folders, UWP applications and even MSIX shortcuts. Left-clicking the Start button, pressing the Windows key, or pressing CTRL+ESC will each open the Start Menu.


Security - Authorized Owners

The application security portfolio of Ivanti Workspace Control has been extended with the Authorized Owners security feature. Authorized Owners adds an additional layer of security while significantly reducing the maintenance burden for Application Security. Executables are allowed or denied based on NTFS file ownership: only executable files that have an Authorized Owner are allowed to execute. In a managed session, Workspace Control checks the NTFS ownership of executables that are being started in the user context. The NTFS owner is then quickly compared with the configured list of Authorized Owners. If it does not match one of the entries on the list, the application will be blocked.

The set of rules to be processed will be much smaller than the set needed for other security features (e.g. File Hash Security). The reason for this is that the NTFS file owners of a Vanilla Windows deployment are limited to the list below.

  • SYSTEM
  • BUILTIN\Administrators
  • %ComputerName%\Administrator
  • NT Service\TrustedInstaller

Only if the NTFS file owner matches one of the entries on this list, or any authorized owner added by the administrator, will the executable be allowed to start.
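Before enabling a rule like this, it helps to know which executables on a machine are owned by someone outside the default list. The PowerShell below is an added example for that audit, not Ivanti code and not how Workspace Control performs its check; comparing owners by SID, looking only at `*.exe` files, and the function and parameter names are assumptions of the example.

```powershell
# Added example (not Ivanti code): read-only audit of NTFS owners on executables.
# Assumption: owners are compared by SID so localized account names do not matter.
function Get-AuthorizedOwnerSids {
    param([string[]]$ExtraAccounts = @())   # hypothetical administrator-added owners
    $sids = [System.Collections.Generic.HashSet[string]]::new()
    [void]$sids.Add('S-1-5-18')        # SYSTEM
    [void]$sids.Add('S-1-5-32-544')    # BUILTIN\Administrators
    # NT Service\TrustedInstaller
    [void]$sids.Add('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')
    # %ComputerName%\Administrator and any extra accounts are resolved by name.
    foreach ($name in @("$env:COMPUTERNAME\Administrator") + $ExtraAccounts) {
        try {
            $acct = [System.Security.Principal.NTAccount]::new($name)
            $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier])
            [void]$sids.Add($sid.Value)
        } catch {
            Write-Warning "Could not resolve '$name' (renamed or missing account?)"
        }
    }
    return ,$sids   # the comma keeps the HashSet from being unrolled
}

function Find-UnauthorizedOwnerExecutable {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$ExtraAccounts = @()
    )
    $allowed = Get-AuthorizedOwnerSids -ExtraAccounts $ExtraAccounts
    # Assumption: only *.exe files are inspected in this example.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_   # keep the file; $_ becomes the error record inside catch
            try {
                $acl      = Get-Acl -LiteralPath $file.FullName
                $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
                if (-not $allowed.Contains($ownerSid)) {
                    [pscustomobject]@{ Path = $file.FullName; Owner = $acl.Owner; OwnerSid = $ownerSid }
                }
            } catch {
                Write-Warning "Cannot read owner of $($file.FullName): $($_.Exception.Message)"
            }
        }
}

# Example run against a user-writable location, where user-owned files are expected.
Find-UnauthorizedOwnerExecutable -Path $env:LOCALAPPDATA | Format-Table -AutoSize
```

Every row returned is an executable whose owner is outside the four default owners and any accounts passed in `-ExtraAccounts`, which makes the output a review list for deciding whether to re-own the file or add an authorized owner.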

Diagnostics - Logon Performance

An overview of User Logon Performance has been added to the Diagnostics section of the Ivanti Workspace Control Console. Every managed session will now report the following information to the database.

  • Boot time — machine boot date and time.
  • Windows logon time — the date and time when the user logged onto the Windows operating system and the Windows session started.
  • Session start time — the date and time when the Workspace Control managed session started.
  • Computer — the machine name where the Workspace Control managed session started.
  • User name — the user that started the Workspace Control managed session.
  • Logon duration — the duration of the Workspace Control logon process.
  • Desktop session — whether or not the Workspace Control managed session was started as a desktop session or as a published application.


This information can be helpful when the Administrator is investigating logon delays. In Q1 2022, this feature will be extended with export functionality, and we will also review customer feedback for additional enhancements.

User Voice

We are continuing to review and respond to your feature enhancement requests. Thank you for continuing to submit these requests and for voting on the requests that others have submitted previously!

These ideas and votes act as input to our roadmap. In addition to including requests that have received a lot of votes, we also try to include some ‘quick wins’ (those requests that don’t take that much effort to implement but provide benefit to our customers). 

Please refer to the Release Notes for details on all of the User Voice feature requests and other feature enhancements that are included in this service update. The following are a couple of the more noteworthy additions:

Diagnostics - Refresh user event logs for Workspace Analysis

This is a small but very welcome workflow improvement. While reviewing the user event logs, it was never possible to refresh information presented to the Administrator. Starting with the 2022.1 release, the Administrator can now easily refresh the presented information by pressing the F5 key like in any other Windows product.

Diagnostics - Export user event logs from Workspace Analysis

For reference data, customers raised and voted on a User Voice request to be able to save User Event logs. This has been added to the GUI.

Diagnostics – Search in user event logs from Workspace Analysis

To complete the User Voice request on the “User Event Log” topic, a logical next step was to add a search capability to the user event log. From now on, Administrators can easily search in the user event log data.

Prohibit access to Windows Control Panel and PC Settings

The Lockdown and behavior feature in Workspace Control already provided a solution to block access to the Control Panel. In more recent versions of Windows, Microsoft has moved away from using the Control Panel to using the Settings Application. For Ivanti Workspace Control it is, therefore, a logical evolution that we can now also prohibit access to the Settings Application in Windows 10 and later.

Export Application list overview to CSV files from the console

Starting with the 2022.1 release, the Administrator can now easily export the list of managed applications to a CSV file.

Export Security logs as CSV files from console and command-line

In previous versions, the Administrator could only export three types of security logs. We received several votes on User Voice requests to expand the export functionality. With this release, the following logs can be exported to CSV using the Ivanti Workspace Control console.

  • Security > Applications > Managed Applications
  • Security > Applications > User Installed Applications
  • Security > Applications > Websites
  • Security > Data > Removable Disks
  • Security > Data > Files and Folders
  • Security > Data > Read-Only Blanketing
  • Security > Authorized Certificates
  • Security > Network Connections

Additionally, a change has been implemented in the pwrtech.exe command-line to allow the export of the above items to XML and CSV.

Exclude processes from preventing session logoff

Over the coming year, we plan to productize the most-used engineering registry-hook features. These are features that have already been implemented in the product but are configured via a registry setting rather than via the UI. As such, many customers don’t know that these features exist. Our first implementation is “ExcludeProcesses”. The Administrator can now configure a list of processes to be ignored during logoff via Setup > Advanced Settings > Exclude processes from blocking the logoff sequence.


Enhancements and Improvements

Improved proxy settings detection

The ability of Workspace Control to detect proxy settings has been improved. The improvement applies to activating Workspace Control licenses through a proxy server.

Block client IP address from being sent to the Datastore

In situations where machines have more than one IP address, such as when using VPN solutions, unexpected but technically correct IP address information could be presented in the Ivanti Workspace Control console. In these situations, the Administrator can now configure an IP range to be ignored. This is implemented through an Engineering Registry hook called “IgnoreClientIPAddress”; the configured IP range will then not be uploaded to the database.

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\RES\Workspace Manager
  • Value: IgnoreClientIPAddress
  • Type: REG_SZ
  • Data: <XXX.XXX.XXX.XXX> (digit groups of the IP address or range to ignore)

Improved IP Zone Rules creation

When configuring Zones in the Workspace Control Console, under User Context > Locations and Devices, an IP address check is now implemented for Rules to prevent incorrect IP configurations that can result in undesired behavior, such as mapping the wrong network drives or printers. The check verifies that the entered IP address is composed of four digit groups and that each digit group is between 0 and 255.

Blacklisting and Whitelisting changed to Deny and Allow

In order to increase clarity and understanding, the terms Blacklisting and Whitelisting have been replaced in the Ivanti Workspace Control console by the terms Deny and Allow, respectively.