Security and privacy for application management in Configuration Manager
Applies to: System Center Configuration Manager (Current Branch)
Security guidance for application management
Use the new Software Center without the Application Catalog
Starting in version 1806, application catalog roles are no longer required to display user-available applications in Software Center. This configuration helps you reduce the server infrastructure required to deliver applications to users. Reducing the server infrastructure also reduces the attack surface.
To deliver a consistent and secure application experience for internet-based clients, use Azure Active Directory and the cloud management gateway.
For more information, see Configure Software Center.
Use HTTPS with the Application Catalog
Configure the Application Catalog website point and the Application Catalog web service point to accept HTTPS connections. With this configuration, the server is authenticated to users. The transmitted data is protected from tampering and viewing.
Help prevent social engineering attacks by educating users to only connect to trusted websites. Educate users about the dangers of malicious websites.
When you don't use HTTPS, don't use the branding configuration options. These settings show the name of your organization in the Application Catalog as proof of identity.
Use role separation
Install the Application Catalog website point and the Application Catalog web service point on separate servers. If the Application Catalog website point is compromised, it's separate from the Application Catalog web service point. This design helps to protect the Configuration Manager clients and infrastructure. This configuration is especially important if the Application Catalog website point accepts client connections from the internet. It makes the server more vulnerable to attack.
Close browser windows
Educate users to close the browser window when they finish using the Application Catalog. If users browse to an external website in the same browser window that they used for the Application Catalog, the browser continues to use the security settings that are suitable for trusted sites in the intranet.
Centrally specify user device affinity
Manually specify the user device affinity instead of letting users identify their primary device. Don't enable usage-based configuration.
Don't consider information that's collected from users or from the device to be authoritative. If you deploy software by using user device affinity that a trusted administrator doesn't specify, the software might be installed on computers and to users who aren't authorized to receive that software.
Don't run deployments from distribution points
Always configure deployments to download content from distribution points rather than run from distribution points. When you configure deployments to download content from a distribution point and run locally, the Configuration Manager client verifies the package hash after it downloads the content. The client discards the package if the hash doesn't match the hash in the policy.
If you configure the deployment to run directly from a distribution point, the Configuration Manager client doesn't verify the package hash. This behavior means that the Configuration Manager client can install software that's been tampered with.
If you must run deployments directly from distribution points, use NTFS least permissions on the packages on the distribution points. Also use internet protocol security (IPsec) to secure the channel between the client and the distribution points, and between the distribution points and the site server.
Don't let users interact with elevated processes
If you enable the options to Run with administrative rights or Install for system, don't let users interact with those applications. When you configure an application, you can set the option to Allow users to view and interact with the program installation. This setting allows users to respond to any required prompts in the user interface. If you also configure the application to Run with administrative rights, or starting in version 1802 Install for system, an attacker at the computer that runs the program could use the user interface to escalate privileges on the client computer.
Use programs that use Windows Installer for setup and per-user elevated privileges for software deployments that require administrative credentials. Setup must be run in the context of a user who doesn't have administrative credentials. Windows Installer per-user elevated privileges provide the most secure way to deploy applications that have this requirement.
Restrict whether users can install software interactively
Configure the Install permissions client setting in the Computer Agent group. This setting restricts the types of users who can install software by using the Application Catalog or Software Center.
For example, create a custom client setting with Install permissions set to Only administrators. Apply this client setting to a collection of servers. This configuration prevents users without administrative permissions from installing software on those servers.
For mobile devices, deploy only applications that are signed
Deploy mobile device applications only if they're code-signed by a certification authority (CA) that the mobile device trusts.
An application from a vendor, which is signed by a well-known CA like VeriSign.
An internal application that you sign independent from Configuration Manager by using your internal CA.
An internal application that you sign by using Configuration Manager when you create the application type and use a signing certificate.
Secure the location of the mobile device application signing certificate
If you sign mobile device applications by using the Create Application Wizard in Configuration Manager, secure the location of the signing certificate file, and secure the communication channel. To help protect against elevation of privileges and against man-in-the-middle attacks, store the signing certificate file in a secured folder.
Use IPsec between the following computers:
- The computer that runs the Configuration Manager console
- The computer that stores the certificate signing file
- The computer that stores the application source files
Alternatively, sign the application independent of Configuration Manager and before you run the Create Application Wizard.
Implement access controls
To protect reference computers, implement access controls. When you configure the detection method in a deployment type by browsing to a reference computer, make sure that the computer isn't compromised.
Restrict and monitor administrative users
Restrict and monitor the administrative users who you grant the following application management role-based security roles:
- Application Administrator
- Application Author
- Application Deployment Manager
Even when you configure role-based administration, administrative users who create and deploy applications might have more permissions than you realize. For example, administrative users who create or change an application can select dependent applications that aren't in their security scope.
Configure App-V apps in virtual environments with the same trust level
When you configure Microsoft Application Virtualization (App-V) virtual environments, select applications that have the same trust level in the virtual environment. Because applications in an App-V virtual environment can share resources, like the clipboard, configure the virtual environment so that the selected applications have the same trust level.
For more information, see Create App-V virtual environments.
Make sure macOS apps are from a trustworthy source
If you deploy applications for macOS devices, make sure that the source files are from a trustworthy source. The CMAppUtil tool doesn't validate the signature of the source package. Make sure the package comes from a source that you trust. The CMAppUtil tool can't detect whether the files have been tampered with.
Secure the cmmac file for macOS apps
If you deploy applications for macOS computers, secure the location of the .cmmac file. The CMAppUtil tool generates this file, and then you import it to Configuration Manager. This file isn't signed or validated.
Secure the communication channel when you import this file to Configuration Manager. To help prevent tampering with this file, store it in a secured folder. Use IPsec between the following computers:
- The computer that runs the Configuration Manager console
- The computer that stores the .cmmac file
Use HTTPS for web applications
If you configure a web application deployment type, use HTTPS to secure the connection. If you deploy a web application by using an HTTP link rather than an HTTPS link, the device could be redirected to a rogue server. Data that's transferred between the device and server could be tampered with.
Security issues for application management
Low-rights users can copy files from the client cache on the client computer.
Users can read the client cache but can't write to it. With read permissions, a user can copy application installation files from one computer to another.
Low-rights users can change files that record software deployment history on the client computer.
Because the application history information isn't protected, a user can change files that report whether an application is installed.
App-V packages aren't signed.
App-V packages in Configuration Manager don't support signing. Digital signatures verify the content is from a trusted source and wasn't altered in transit. There's no mitigation for this security issue. Follow the security best practice to download the content from a trusted source and from a secure location.
Published App-V applications can be installed by all users on the computer.
When an App-V application is published on a computer, all users who sign in to that computer can install the application. You can't restrict the users who can install the application after it's published.
You can't restrict install permissions for the company portal on mobile devices.
Although you can configure a client setting to restrict installation permissions, this setting doesn't work for the company portal. This issue could result in an elevation of privileges. Users could install an app that they shouldn't be allowed to install.
Certificates for Microsoft Silverlight 5 and elevated trust mode required for the application catalog
Starting in Configuration Manager version 1802, the client doesn't automatically install Silverlight.
Starting in version 1806, the Silverlight user experience for the application catalog website point is no longer supported. Users should use the new Software Center. For more information, see Configure Software Center.
Configuration Manager clients version 1710 and earlier require Microsoft Silverlight 5, which must run in elevated trust mode for users to install software from the Application Catalog. By default, Silverlight applications run in partial trust mode to prevent applications from accessing user data. If it isn't already installed, Configuration Manager automatically installs Microsoft Silverlight 5 on clients. By default, Configuration Manager sets the Computer Agent Allow Silverlight applications to run in elevated trust mode client setting to Yes. This setting lets signed and trusted Silverlight applications request elevated trust mode.
When you install the Application Catalog website point site system role, the client also installs a Microsoft signing certificate in the Trusted Publishers computer certificate store on each Configuration Manager client computer. Silverlight applications signed by this certificate run in the elevated trust mode, which computers require to install software from the Application Catalog. Configuration Manager automatically manages this signing certificate. To increase service continuity, don't manually delete or move this Microsoft signing certificate.
When enabled, the Allow Silverlight applications to run in elevated trust mode client setting lets all Silverlight applications, which are signed by certificates in the Trusted Publishers certificate store in either the computer store or the user store, run in elevated trust mode. The client setting can't enable elevated trust mode specifically for the Configuration Manager Application Catalog or for the Trusted Publishers certificate store in the computer store. If malware adds a rogue certificate in the Trusted Publishers store, malware that uses its own Silverlight application can now also run in elevated trust mode.
If you set the Allow Silverlight applications to run in elevated trust mode setting to No, clients don't remove the Microsoft signing certificate.
For more about trusted applications in Silverlight, see Trusted Applications.
Privacy information for application management
Application management lets you run any application, program, or script on any client in the hierarchy. Configuration Manager has no control over the types of applications, programs, or scripts that you run or the type of information that they transmit. During the application deployment process, Configuration Manager might transmit information that identifies the device and sign-in accounts between clients and servers.
Configuration Manager maintains status information about the software deployment process. Software deployment status information isn't encrypted during transmission unless the client communicates by using HTTPS. The status information isn't stored in encrypted form in the database.
The use of Configuration Manager application installation to remotely, interactively, or silently install software on clients might be subject to software license terms for that software. This use is separate from the Software License Terms for System Center Configuration Manager. Always review and agree to the Software Licensing Terms before you deploy software by using Configuration Manager.
Configuration Manager collects diagnostics and usage data about applications, which is used by Microsoft to improve future releases. For more information, see Diagnostics and usage data.
Application deployment doesn't happen by default and requires several configuration steps.
The following features help efficient software deployment:
User device affinity maps a user to devices. A Configuration Manager administrator deploys software to a user. The client automatically installs the software on one or more computers that the user uses most often.
The Application Catalog is a website that lets users request software to install.
Starting in Configuration Manager 1802, the primary functionality of the Application Catalog is now included in Software Center. For more information, see Configure Software Center.
Software Center is installed automatically on a device when you install the Configuration Manager client. Users change settings, browse for applications, and install applications from Software Center.
Before you configure application management, consider your privacy requirements.
User device affinity
Configuration Manager might transmit information between clients and management point site systems. The information might identify the computer and sign-in account and the summarized usage for sign-in accounts.
The information that's transmitted between the client and server isn't encrypted, unless the management point is configured to require clients to communicate by using HTTPS.
The computer and sign-in account usage information, which is used to map a user to a device, is stored on client computers, sent to management points, and then stored in the Configuration Manager database. The old information is deleted from the database by default after 90 days. The deletion behavior is configurable by setting the Delete Aged User Device Affinity Data site maintenance task.
Configuration Manager maintains status information about user device affinity. Status information isn't encrypted during transmission, unless clients are configured to communicate with management points by using HTTPS. Status information isn't stored in encrypted form in the database.
Computer and sign-in usage information that's used to establish user and device affinity is always enabled. Users and administrative users can supply user device affinity information.
Software Center and Application Catalog
Software Center and the Application Catalog let the Configuration Manager admin publish any application or program or script for users to run. Configuration Manager has no control over the types of programs or scripts that are published in the catalog or the type of information that they transmit.
Configuration Manager might transmit information between clients and the Application Catalog site system roles. The information might identify the computer and sign-in accounts. The information that's transmitted between the client and servers isn't encrypted, unless these site system roles are configured to require clients connect by using HTTPS.
The information about the application approval request is stored in the Configuration Manager database. Requests that are canceled or denied and the corresponding request history entries are deleted by default after 30 days. The deletion behavior is configurable by setting the Delete Aged Application Request Data site maintenance task. Application approval requests that are in approved and pending states are never deleted.
Software Center is installed automatically when you install the Configuration Manager client on a device.
The Application Catalog isn't installed by default. This installation requires several configuration steps.