Control 4 App

Applies to

  • Windows 10, version 1703 and later

The App and browser control section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the Windows Defender SmartScreen documentation library.

In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at Exploit protection.

You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.

Prevent users from making changes to the Exploit protection area in the App & browser control section

You can prevent users from modifying settings in the Exploit protection area. The settings will be either greyed out or not appear if you enable this setting. Users will still have access to other settings in the App & browser control section, such as those for Windows Defender SmartScreen, unless those options have been configured separately.

You can only prevent users from modifying Exploit protection settings by using Group Policy.

Important

Requirements

You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.

  1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.

  2. In the Group Policy Management Editor go to Computer configuration and click Administrative templates.

  3. Expand the tree to Windows components > Windows Security > App and browser protection.

  4. Open the Prevent users from modifying settings setting and set it to Enabled. Click OK.

  5. Deploy the updated GPO as you normally do.

Hide the App & browser control section

You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app.

This can only be done in Group Policy.

Important

Requirements

You must have Windows 10, version 1709 (the Fall Creators Update). The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.

  1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.

  2. In the Group Policy Management Editor go to Computer configuration and click Administrative templates.

  3. Expand the tree to Windows components > Windows Security > App and browser protection.

  4. Open the Hide the App and browser protection area setting and set it to Enabled. Click OK.

  5. Deploy the updated GPO as you normally do.

Note

If you hide all sections then the app will show a restricted interface, as in the following screenshot:

In today's workplace, it's often not enough to know what's happening in your cloud environment after the fact. You want to stop breaches and leaks in real time, before employees intentionally or inadvertently put your data and your organization at risk. It's important to enable users in your organization to make the most of the services and tools available to them in cloud apps and let them bring their own devices to work. At the same time, you need tools to help protect your organization from data leaks, and data theft, in real time. Microsoft Cloud App Security integrates with any identity provider (IdP) to deliver these capabilities with access and session controls. If you are using Azure Active Directory (Azure AD) as your IdP, these controls are integrated and streamlined for a simpler and more tailored deployment built on Azure AD's Conditional Access tool.

Note

  • To use Cloud App Security Conditional Access App Control, you need a valid Cloud App Security license and also an Azure Active Directory P1 license, or the license required by your IdP solution.

How it works

Conditional Access App Control uses a reverse proxy architecture and integrates with your IdP. When integrating with Azure AD Conditional Access, you can configure apps to work with Conditional Access App Control with just a few clicks, allowing you to easily and selectively enforce access and session controls on your organization's apps based on any condition in Conditional Access. The conditions define who (user or group of users) and what (which cloud apps) and where (which locations and networks) a Conditional Access policy is applied to. After you've determined the conditions, you can route users to Cloud App Security where you can protect data with Conditional Access App Control by applying access and session controls.

Conditional Access App Control enables user app access and sessions to be monitored and controlled in real time based on access and session policies. Access and session policies are used within the Cloud App Security portal to further refine filters and set actions to be taken on a user. With the access and session policies, you can:

  • Prevent data exfiltration: You can block the download, cut, copy, and print of sensitive documents on, for example, unmanaged devices.

  • Require authentication context: You can reevaluate Azure AD Conditional Access policies when a sensitive action occurs in the session. For example, require multi-factor authentication on download of a highly confidential file.

  • Protect on download: Instead of blocking the download of sensitive documents, you can require documents to be labeled and protected with Azure Information Protection. This action ensures the document is protected and user access is restricted in a potentially risky session.

  • Prevent upload of unlabeled files: Before a sensitive file is uploaded, distributed, and used by others, it's important to make sure that the file has the right label and protection. You can ensure that unlabeled files with sensitive content are blocked from being uploaded until the user classifies the content.

  • Block potential malware: You can protect your environment from malware by blocking the upload of potentially malicious files. Any file that is uploaded or downloaded can be scanned against Microsoft threat intelligence and blocked instantaneously.

  • Monitor user sessions for compliance: Risky users are monitored when they sign into apps and their actions are logged from within the session. You can investigate and analyze user behavior to understand where, and under what conditions, session policies should be applied in the future.

  • Block access: You can granularly block access for specific apps and users depending on several risk factors. For example, you can block them if they are using client certificates as a form of device management.

  • Block custom activities: Some apps have unique scenarios that carry risk, for example, sending messages with sensitive content in apps like Microsoft Teams or Slack. In these kinds of scenarios, you can scan messages for sensitive content and block them in real time.

How session control works

Creating a session policy with Conditional Access App Control enables you to control user sessions by redirecting the user through a reverse proxy instead of directly to the app. From then on, user requests and responses go through Cloud App Security rather than directly to the app.

When a session is protected by proxy, all the relevant URLs and cookies are replaced by Cloud App Security. For example, if the app returns a page with links whose domains end with myapp.com, the link's domain is suffixed with something like *.mcas.ms, as follows:

App URL       Replaced URL
myapp.com     myapp.com.mcas.ms

This method doesn't require you to install anything on the device, making it ideal when monitoring or controlling sessions from unmanaged devices or partner users.
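
The suffixing shown in the table, as an added Go example (not code from the original page or from Cloud App Security): it classifies links as proxied, direct to the app, or unrelated, and rewrites direct links into the suffixed form. The `.mcas.ms` suffix is taken from the page's illustration; the function names and sample links are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// proxySuffix follows the page's "*.mcas.ms" illustration (an assumption; confirm it for your tenant).
const proxySuffix = ".mcas.ms"

// underDomain matches on a label boundary, so "notmyapp.com" is not treated as "myapp.com".
func underDomain(host, domain string) bool {
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// classify labels a link "proxied" (suffixed host), "direct" (app host, no suffix) or "other".
func classify(link, appDomain string) string {
	u, err := url.Parse(link)
	if err != nil || u.Hostname() == "" {
		return "other"
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if strings.HasSuffix(host, proxySuffix) && underDomain(strings.TrimSuffix(host, proxySuffix), appDomain) {
		return "proxied"
	}
	if underDomain(host, appDomain) {
		return "direct"
	}
	return "other"
}

// rewrite applies the suffixing from the table to links that point straight at the app.
func rewrite(link, appDomain string) string {
	u, err := url.Parse(link)
	if err != nil || classify(link, appDomain) != "direct" {
		return link
	}
	host := strings.TrimSuffix(u.Hostname(), ".") + proxySuffix
	if port := u.Port(); port != "" {
		host += ":" + port
	}
	u.Host = host
	return u.String()
}

func main() {
	// Constructed sample links, as they might appear in a page returned by the app.
	for _, l := range []string{"https://files.myapp.com/report.pdf", "https://myapp.com.mcas.ms/home",
		"https://notmyapp.com/login", "https://myapp.com.mcas.ms.lookalike.example/"} {
		fmt.Printf("%-8s %s -> %s\n", classify(l, "myapp.com"), l, rewrite(l, "myapp.com"))
	}
}
```

A "direct" result for an app link seen during a protected session means that request did not pass through the reverse proxy.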

Note

  • Our technology uses best-in-class patented heuristics to identify and control activities performed by the user in the target app. Our heuristics are designed to optimize and balance security with usability. In some rare scenarios, when blocking activities on the server-side renders the app unusable, we secure these activities only on the client-side, which makes them potentially susceptible to exploitation by malicious insiders.
  • Cloud App Security leverages Azure Data Centers around the world to provide optimized performance through geolocation. This means that a user's session may be hosted outside of a particular region, depending on traffic patterns and their location. However, to protect your privacy, no session data is stored in these data centers.
  • Our proxy servers do not store data at rest. When caching content, we follow the requirements laid out in RFC 7234 (HTTP caching) and only cache public content.

Managed device identification

Conditional Access App Control enables you to create policies that take into account whether a device is managed or not. To identify the state of a device, you can configure access and session policies to check for:

  • Microsoft Intune Compliant devices [only available with Azure AD]
  • Hybrid Azure AD joined devices [only available with Azure AD]
  • Presence of client certificates in a trusted chain

Intune compliant and Hybrid Azure AD Joined devices

Azure AD Conditional Access enables Intune compliant and Hybrid Azure AD Joined device information to be passed directly to Cloud App Security. From there, an access policy or a session policy can be developed that uses device state as a filter. For more information, see the Introduction to device management in Azure Active Directory.

Note

Some browsers may require additional configuration such as installing an extension. For more information, see Conditional Access browser support.

Client-certificate authenticated devices

The device identification mechanism can request authentication from relevant devices using client certificates. You can either use existing client certificates already deployed in your organization or roll out new client certificates to managed devices. Make sure that the client certificate is installed in the user store and not the computer store. You then use the presence of those certificates to set access and session policies.

SSL client certificates are verified via a trust chain. You can upload an X.509 root or intermediate certificate authority (CA) formatted in the PEM certificate format. These certificates must contain the public key of the CA, which is then used to sign the client certificates presented during a session.

Once the certificate is uploaded and a relevant policy is configured, when an applicable session traverses Conditional Access App Control, the Cloud App Security endpoint requests the browser to present the SSL client certificates. The browser serves the SSL client certificates that are installed with a private key. The certificate and its private key are combined using the PKCS #12 file format, typically a .p12 or .pfx file.

When a client certificate check is performed, Cloud App Security checks for the following conditions:

  1. The selected client certificate is valid and is under the correct root or intermediate CA.
  2. The certificate is not revoked (if CRL is enabled).
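
The two conditions above, reproduced offline as an added Go example (not Cloud App Security's implementation and not code from the original page): it builds a constructed CA, issues sample client certificates, and checks each one against the CA and a CRL. The function names, device names and serial numbers are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a constructed sample certificate and key; a nil ca yields a self-signed CA.
func issue(cn string, serial int64, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // errors ignored: every input is a fixed sample
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if ca == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
		ca, caKey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, ca, pub, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// checkClientCert applies the two documented conditions; a nil crl means CRL checking is off.
func checkClientCert(leaf, ca *x509.Certificate, crl *x509.RevocationList) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("not valid under uploaded CA: %w", err)
	}
	if crl != nil {
		if err := crl.CheckSignatureFrom(ca); err != nil {
			return fmt.Errorf("CRL not signed by uploaded CA: %w", err)
		}
		for _, r := range crl.RevokedCertificates {
			if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return fmt.Errorf("certificate serial %v is revoked", leaf.SerialNumber)
			}
		}
	}
	return nil
}
func demo() (managed, outsider, revoked, revokedNoCRL error) { // constructed devices
	ca, caKey := issue("Constructed Device CA", 1, nil, nil)
	good, _ := issue("managed-laptop", 100, ca, caKey)
	lost, _ := issue("lost-laptop", 101, ca, caKey)
	rogue, _ := issue("unmanaged-device", 102, nil, nil)
	der, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: lost.SerialNumber, RevocationTime: time.Now()}}}, ca, caKey)
	crl, _ := x509.ParseRevocationList(der)
	return checkClientCert(good, ca, crl), checkClientCert(rogue, ca, crl), checkClientCert(lost, ca, crl), checkClientCert(lost, ca, nil)
}
func main() { fmt.Println(demo()) }
```

The last result is the case to watch: with no CRL consulted, the revoked certificate still satisfies the first condition and is accepted.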

Note

Most major browsers support performing a client certificate check. However, mobile and desktop apps often leverage built-in browsers that may not support this check and therefore affect authentication for these apps.

To configure a policy to leverage device management via client certificates:

  1. In Cloud App Security, in the menu bar, click the settings cog and select Settings.

  2. Select the Device identification tab.

  3. Upload as many root or intermediate certificates as you require.

    Tip

    To test how this works, you can use our sample root CA and client certificate, as follows:

    1. Download the sample root CA and client certificate.
    2. Upload the root CA to Cloud App Security.
    3. Install the client certificate (password=Microsoft) onto the relevant devices.

After the certificates are uploaded, you can create access and session policies based on Device tag and Valid client certificate.

Supported apps and clients

Session and access controls can be applied to any interactive single sign-on, using the SAML 2.0 authentication protocol or, if you are using Azure AD, the OpenID Connect authentication protocol as well. Furthermore, if your apps are configured with Azure AD, you can also apply these controls to apps hosted on-premises configured with the Azure AD App Proxy. In addition, access controls can be applied to native mobile and desktop client apps.

Cloud App Security identifies Apps using information available in its Cloud App Catalog. Some organizations and users customize apps by adding plugins. However, in order for session controls to work correctly with these plugins, the associated custom domains must be added to the respective app in the catalog.

Note

The Authenticator app, among other native client app sign-in flows, uses a non-interactive sign-in flow and cannot be used with access controls.

Access controls

Many organizations that use session controls for cloud apps to control in-session activities also apply access controls to block the same set of native mobile and desktop client apps, thereby providing comprehensive security for the apps.

You can block access to native mobile and desktop client apps with access policies, by setting the Client app filter to Mobile and desktop. Some native client apps can be individually recognized, whilst others that are part of a suite of apps can only be identified as their top-level app. For example, apps like SharePoint Online can only be recognized by creating an access policy applied to Office 365 apps.

Note

Unless the Client app filter is specifically set to Mobile and desktop, the resulting access policy will only apply to browser sessions. The reason for this is to prevent inadvertently proxying user sessions, which may be a byproduct of using this filter. Whilst most major browsers support performing a client certificate check, some mobile and desktop apps use built-in browsers that may not support this check. Therefore, using this filter can affect authentication for these apps.

Session controls

While session controls are built to work with any browser on any major platform on any operating system, we support Microsoft Edge (latest), Google Chrome (latest), Mozilla Firefox (latest), or Apple Safari (latest). Access to mobile and desktop apps can also be blocked or allowed.

Note

  • Cloud App Security leverages Transport Layer Security (TLS) protocols 1.2+ to provide best-in-class encryption. Native client apps and browsers that do not support TLS 1.2+ will not be accessible when configured with session control. However, SaaS apps that use TLS 1.1 or lower will appear in the browser as using TLS 1.2+ when configured with Cloud App Security.
  • To apply session controls to portal.office.com, you must onboard Microsoft 365 admin center. For more information about onboarding apps, see Onboard and deploy Conditional Access App Control for any app.

Any web app configured using the previously mentioned authentication protocols can be onboarded to work with access and session controls. In addition, the following apps are already onboarded with both access and session controls:

  • AWS
  • Azure DevOps (Visual Studio Team Services)
  • Azure portal
  • Box
  • Concur
  • CornerStone on Demand
  • DocuSign
  • Dropbox
  • Dynamics 365 CRM (preview)
  • Egnyte
  • Exchange Online
  • GitHub
  • Google Workspace
  • HighQ
  • JIRA/Confluence
  • OneDrive for Business
  • LinkedIn Learning
  • Power BI
  • Salesforce
  • ServiceNow
  • SharePoint Online
  • Slack
  • Tableau
  • Microsoft Teams (preview)
  • Workday
  • Workiva
  • Workplace by Facebook
  • Yammer (preview)

Office 365 Cloud App Security featured apps

The following is a list of featured apps that are supported in Office 365 Cloud App Security.

  • Exchange Online
  • OneDrive for Business
  • Power BI
  • SharePoint Online
  • Microsoft Teams (preview)
  • Yammer (preview)

If you're interested in a specific app being featured, send us details about the app. Be sure to send the use case you're interested in for onboarding it.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.