Configuring Application Resilience policies

Before you activate an Application Resilience policy on a group of Windows devices, you need to configure the policy.

To do so, select the policy configurations that are consistent with the application deployment requirements set by your organization. When the Secure Endpoint Agent checks the status of the application, it validates the application configurations on the device against the Application Resilience policy configurations to determine if the application is compliant.

For some applications, you can configure the Application Resilience policy to attempt to repair the application if it's not functioning, or reinstall it if it's missing or can't be repaired. If the application is not compliant, the RAR component The name assigned to the device in the operating system. For Chromebooks, device name is not applicable and therefore shows as "Chrome" in the Secure Endpoint Console. attempts to repair or reinstall the application a maximum of three times. The count is reset when the device is rebooted.

Depending on the Absolute product licenses associated with your account, Application Resilience policies may not be supported, or the number or type of applications that you can configure may be limited. For example, for policy groups assigned an Absolute Ransomware Response license (base or add-on), you can activate policies for up to two (2) Endpoint Management or Endpoint Protection applications only.

Due to PowerShell restrictions imposed by Microsoft, applications that require PowerShell to run health checks aren't supported on devices running Windows 11 SE unless otherwise noted.

Configuring Application Resilience policies for each application follows the same general steps. Some applications have additional steps required to complete the configuration. To use the existing configuration, activate the policy.

To configure an Application Resilience policy:

  1. Log in to the Secure Endpoint Console as a user with Manage permissions for Policies and Licenses.

  2. Do one of the following:

    Policy Groups area
    1. On the navigation bar, click Policies > Policy Groups.
    2. On the Policy Groups sidebar, search for and then click the policy group that contains the policy that you want to configure.
    3. If the Devices page of the policy group opens in the work area, click Settings to view the policy configurations for the policy group.

    4. Next to Application Resilience, click Configure.

      The Application Resilience dialog opens with a list of all supported applications, their current policy configuration, version, and activation status.

    5. To show only active policies only, clear the Show inactive checkbox.
    6. Enter the name of the application you want to update in Search, or scroll through the list of applications. When you find the application you want to update, click it.
    Resilience area
    1. On the navigation bar, click Policies > Resilience.
    2. On the Resilience sidebar, search for and then click the application you want to configure.
    3. Review the list of policy groups and their current policy configurations to find the policy group that you want to update and click Configure next to the policy group.

    The application's edit policy configuration dialog opens.

  3. Configure the application version by doing one or both of the following:

    • If a drop-down box shows under Application version, select the version of the application that you expect to be running on your devices. For some applications, only one version is available.

      Use caution when you select the application version. If you select a higher version and save your changes, the lower version is no longer available when you try to edit the policy configuration. This behavior occurs because downgrades aren't supported.

    • If a text field for the version shows under Application configuration, enter the version number that you expect to be running on your devices.

    If both a drop-down box and a text field appear, the version you enter in the text field must be included in the range you select in the drop-down box.

    The Secure Endpoint Agent uses these settings to perform the version check on each device. A status of Not compliant is returned if any other application version is detected.

    The System requirements section for each application specifies which versions are supported. For some applications, a version is listed and followed by the words or higher. For these applications, not all higher versions have been tested. If there are significant software changes in higher versions, the health checks used for the application may no longer be valid. If the version you configure in the policy is a higher version, the application may report as Not compliant, and the repair and reinstall actions may fail to resolve the issue.

    Example

    If a service that's part of the health check is no longer used in a higher version, the health check fails since the service isn't detected. If you selected Report and repair, Report and reinstall, or Report, repair, and reinstall, the Application Resilience (RAR) component A lightweight software component of the Secure Endpoint Agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Resilience policy is activated. attempts to repair or reinstall the application. Once the repair or the reinstall is complete, the service is still missing, and the application still reports as Not compliant.

  4. If the Report higher versions as Compliant checkbox is available, and the policy group includes devices that are running a higher version of the application than you selected, you may want to select the checkbox.

    This checkbox causes different behavior depending on the application and version. Make sure to verify the wording below the checkbox to confirm the behavior.

    • If you see Select this option to report higher versions as Compliant without running health checks, all higher versions are reported as Compliant without running additional health checks.

    • If you see Select this option to report higher versions of the application as Compliant if all health checks pass, all higher versions are reported as Compliant only if the application's health checks pass.

      For higher versions to be reported as Compliant, all health checks—other than the version check—must pass successfully. Note that these health checks are validated for the selected version only, so if there are significant software changes in the higher version, the health checks may not adequately test the application’s overall health.

  5. If you see Signers, enter the name of the signers for the file used in the health checks. Separate multiple signers with a ; (semicolon). For example:

    Copy 
    NetMotion Software, Inc;NetMotion Software, Inc.;Absolute Software Corp.;Microsoft Windows Hardware Compatibility Publisher

    Signers contains a list of health check signers by default. However, if a newer version of an application is released and the signers are updated, you can add the updated signers here. Visit the page for each application to view the application's health checks.

    1. In File Explorer, navigate to the location of the file.
    2. Right-click on the file and select Properties.
    3. Click the Digital Signatures tab. Make a note of the signers listed in Name of signer.

    This field doesn't apply to all versions of all applications.

  6. Select one of the following options:

    Option Description
    Report only
    • Collect status information about the application and show it in the Application Resilience report
    Report and repair
    • Collect status information about the application and show it in the Application Resilience report
    • Attempt to repair the application if the Secure Endpoint Agent detects that the application is non-functional
    Report and reinstall
    • Collect status information about the application and show it in the Application Resilience report

    • Download and reinstall the application if the Secure Endpoint Agent detects that the application is non-functional, or it was uninstalled

      If the application was never installed on a device, the Secure Endpoint Agent installs it. Therefore, before you proceed, make sure you have enough licenses available for the application to accommodate any new installations.
    Report, repair, and reinstall
    • Collect status information about the application and show it in the Application Resilience report
    • Attempt to repair the application if the Secure Endpoint Agent detects that the application is non-functional

    • Download and reinstall the application if the application can't be repaired, or it was uninstalled

      If the application was never installed on a device, the Secure Endpoint Agent installs it. Therefore, before you proceed, make sure you have enough licenses available for the application to accommodate any new installations.

    Depending on the Absolute product associated with the policy group and depending on the application selected, the Report and repair, Report and reinstall, and Report, repair, and reinstall options may not be available.

  7. If you selected Report and reinstall or Report, repair, and reinstall in the previous step, additional configurations show on the page. Do one of the following to configure the location of the installation files:

    1. Select Upload installer.
    2. Click Upload or Manage, depending on which button appears.

    3. If the application supports both 64-bit and 32-bit installers, select 64-bit installer, 32-bit installer, or both. If the policy group contains both 64-bit and 32-bit Windows devices, select both. Devices automatically download the appropriate installer for their operating system. To remove a selection, clear its checkbox.

    4. Do one of the following:

      • Click browse. Navigate to and select the file you want to upload.
      • Navigate to and select the file that you want to upload and drag it to the work area.

      The file must be a file type supported by the application.

      If the policy supports both 64-bit and 32-bit installers, you can upload one 64-bit installer and one 32-bit installer at the same time.

      If a file has already been uploaded, it is moved to the Other versions drop-down when a new file is uploaded.

    5. Wait for the file to upload.
    6. [Optional] Click Add description (optional) and enter a description, if desired.
    7. Repeat the previous steps for each file you want to add.

    8. When you have finished uploading the files, click Save.

    The names of the selected files appear under Upload installer.

    This option isn't available for all applications.

    For more information on managing your files and for supported applications, see Hosting Application Resilience files.

    1. Select Upload installer.

    2. Click Upload or Manage, depending on which button appears.

      Currently selected files show in the work area. The file name, size, description (optional), upload date, and SHA-256 hash appear.

    3. Click Other versions.

    4. Select one of the previously uploaded files from the drop-down menu.

    5. Click Save.

    The names of the selected files appear under Upload installer.

    This option isn't available for all applications.

    For more information on managing your files and for supported applications, see Hosting Application Resilience files.

    1. Select Host my own installer file.

    2. Under Installer type, indicate whether you want to configure a 32-bit installer, a 64-bit installer, or both. By default, both types are selected. You'll want to leave the configuration as is if the policy group contains both 32-bit and 64-bit Windows devices. Devices automatically download the appropriate installer for their operating system. To remove a selection, clear its checkbox. At least one installer type must remain selected.

      Installer type doesn't apply for every application.

    3. Under Location of the <application> installer, enter the location of the installer or installers in URI format. You can host the installers on any web server. Both HTTP and HTTPS protocols are supported. If necessary, you can restrict access to the installers by enabling HTTP basic authentication on the server.
    4. For each installer, click Go to URI to test that you entered the location correctly.

    5. Under Username and password (if required), enter the Username and Password of the user who is authorized to access the location where the installer resides.

      To verify that you've entered the password correctly, select the icon. To hide the password again, click the icon.

      If you are configuring multiple installers, ensure that you enter the correct information in each field.

      You can skip this step if authentication isn't required to access the specified location.

    6. Assign a SHA-256 hash to each application installer file by doing the following:

      1. Use a hash generator tool of your choice to generate a SHA-256 hash. For example, you can use the CertUtil.exe command-line utility, which is included with most Windows operating systems.

      2. Do one of the following:

        • If the application doesn't support both 32-bit and 64-bit installers, enter the hash in the SHA-256 Hash field. Ensure that you haven't inadvertently inserted any whitespace characters in the field along with the hash.
        • If the application does support both 32-bit and 64-bit installers, enter the appropriate hash in the Hash for 32-bit installer and Hash for 64-bit installer fields.

    See Hosting Application Resilience installers on third-party platforms for information on creating a shareable link on a third-party platform.

    If you are configuring multiple installers, ensure that you enter the correct information in each field.

    The installer version must match the version selected under Application version.

  8. Complete any application specific configuration. Visit the page for each application for details on completing specific configuration details.

  9. If you selected Report and reinstall or Report, repair, and reinstall, do the following with the statement near the bottom of the page:

    1. Review the terms and conditions.
    2. Select the checkbox to agree to the terms and conditions.
  10. Click Save.

The Application Resilience policy is configured and an App resilience policy changed event is logged to Event History.

To turn on the Application Resilience policy, activate the policy.

You can change the activation state from the Policy Groups area or the Resilience area.

To change activation state from the Policy Groups area:

  1. Log in to the Secure Endpoint Console as a user with Manage permissions for Policies and Licenses.

  2. Do one of the following:

    1. On the navigation bar, click Policies > Policy Groups.
    2. On the Policy Groups sidebar, search for and then click the policy group that contains the policy that you want to configure.
    3. If the Devices tab for the policy group opens in the work area, click Settings to view the policy configurations for the policy group.

    4. Next to Application Resilience, click Configure.

      The Application Resilience dialog opens with a list of all supported applications, their current policy configuration, version, and activation status.

    5. To show only active policies only, clear the Show inactive checkbox.
    6. Enter the name of the application you want to update in Search, or scroll through the list of applications to find the application you want to update.

    7. On the Application Resilience dialog, do one of the following:

      • If the policy isn't activated and you want to activate it now, click the slider to set it to On (green).

        If the policy configuration uses uploaded files, the files are validated. If a previously uploaded file has been removed, the application's policy configuration dialog opens. Either upload the required files or provide the information to host the installer yourself.

        If an Absolute Ransomware Response license (base or add-on) is assigned to the policy group, you can activate up to two (2) policies. After two policies are activated, all other Activation sliders are disabled.

      • If the policy is activated and you want to deactivate it now, click the slider to set it to Off (gray).
    1. On the navigation bar, click Policies > Resilience.
    2. On the Resilience sidebar, search for and then click the application you want to configure.

    3. Locate the policy group you want to update and do one of the following:

      • If the policy isn't activated and you want to activate it now, click Activate next to the policy group name.

        If the policy configuration uses uploaded files, the installer is validated. If the previously uploaded installer has been removed, the application's policy configuration dialog opens. Either upload the required installer or provide the information to host the installer yourself.

        If an Absolute Ransomware Response license (base or add-on) is assigned to the policy group, you can activate up to two (2) policies. After two policies are activated, all other Activation sliders are disabled.

      • If the policy is activated and you want to deactivate it now, click Deactivate next to the policy group name.

The policy activation status is updated and an App resilience policy activated or an App resilience policy deactivated event is logged to Event History.

If you activated the policy, the Secure Endpoint Agent's RAR component A lightweight software component of the Secure Endpoint Agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Resilience policy is activated. is activated on the device on its next connection to the Absolute Monitoring Center. The component then runs a script to check the functional status of the third party application. Going forward, the component checks the status of the application within ten minutes of each system restart and then every 15 minutes thereafter. The results are uploaded to the database using a secure connection. You can view the results in the Application Resilience report and the Application Resilience Events report.

Some of the health checks used to report on the functional status and compliance of the third-party applications run PowerShell scripts. To prevent some antivirus programs and some execution polices from blocking the scripts from running on your Windows devices, all PowerShell scripts that are used by the RAR component are signed by Absolute.