Configuring Application Persistence policies

Before you activate an Application Persistence policy on a group of Windows devices, you need to configure the policy.

To do so, select the policy configurations that are consistent with the application deployment requirements set by your organization. When the Absolute agent checks the status of the application, it validates the application configurations on the device against the Application Persistence policy configurations to determine if the application is compliant.

NOTE Depending on the Absolute product licenses associated with your account, Application Persistence policies may not be supported, or the number or type of applications that you can persist may be limited. For example, for policy groups assigned an Absolute Ransomware Response license (base or add-on), you can activate policies for up to two (2) Endpoint Management or Endpoint Protection applications only.

Configuring the policy

Configuring Application Persistence policies for each application follows the same general steps. Some applications have additional steps required to complete the configuration.

To configure an Application Persistence policy:

Log in to the Absolute console as a user with Manage permissions for Policies and Licenses.
Do one of the following:
From the Policy Groups area
1. On the Policy Groups sidebar, search for and then click the policy group that contains the policy that you want to configure. The Devices page of the policy group opens in the work area.
2. Click Settings to view the policy configurations for the policy group.
3. Next to Application Persistence, click Configure.
4. On the Configure Application Persistence dialog, the current policy configuration shows under Configuration Summary. Do one of the following:
  - To use the current configuration, activate the policy.
  - To make changes to the current configuration, such as repairing or reinstalling the application if it is non-functional or missing, click Configure.
From the Policies > Persistence area
1. On the Persistence sidebar, click the application you want to configure.
2. Review the list of policy groups and their current policy configurations to find the policy group that you want to update. Do one of the following:
  - To use the current configuration, activate the policy.
  - To make changes to the current configuration, such as repairing or reinstalling the application if it is non-functional or missing, click Configure next to the policy group.
The policy configuration dialog opens.

Configure the application version by doing one or both of the following:

If a drop-down box shows under Application version, select the version of the application that you expect to be running on your devices. For some applications, only one version is available.
IMPORTANT Use caution when you select the application version. If you select a higher version and save your changes, the lower version is no longer available when you try to edit the policy configuration. This behavior occurs because downgrades are not supported.
If a text field shows under Application configuration, enter the version number that you expect to be running on your devices.

If both a drop-down box and a text field appear, the version you enter in the text field must be included in the range you select in the drop-down box.

The Absolute agent uses these settings to perform the version check on each device. A status of Not Compliant is returned if any other application version is detected.

Invalid health checks for higher versions

The System requirements section for each application specifies which versions are supported. For some applications, a version is listed and followed by the words or higher. For these applications, not all higher versions have been tested. If there are significant software changes in higher versions, the health checks used for the application may no longer be valid. If the version you configure in the policy is a higher version, the application may report as Not compliant, and the repair and reinstall actions may fail to resolve the issue.

Example
If a service that is part of the health check is no longer used in a higher version, the health check fails since the service is not detected. If you selected Report and repair, Report and reinstall, or Report, repair, and reinstall, the Application Persistence (RAR) component A lightweight software component of the Absolute agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Persistence policy is activated. attempts to repair or reinstall the application. Once the repair or the reinstall is complete, the service is still missing, and the application reports as Not compliant.

If the Report higher versions as Compliant check box is available, and the policy group includes devices that are running a higher version of the application than you selected, you may want to select the check box.

WARNING This check box causes different behavior depending on the application and version. Make sure to check the wording below the check box to confirm the behavior.
- If you see Select this option to report higher versions as Compliant without running health checks, all higher versions are reported as Compliant without running additional health checks.
- If you see Select this option to report higher versions of the application as Compliant if all health checks pass, all higher versions are reported as Compliant only if the application's health checks pass.
  
  NOTE For higher versions to be reported as Compliant, all health checks—other than the version check—must pass successfully. Note that these health checks are validated for the selected version only, so if there are significant software changes in the higher version, the health checks may not adequately test the application’s overall health.

Select one of the following options:

Option	Description
Report only	Collect status information about the application and show it in the Application Persistence report
Report and repair	Collect status information about the application and show it in the Application Persistence report Attempt to repair the application if the Absolute agent detects that the application is non-functional
Report, repair, and reinstall	Collect status information about the application and show it in the Application Persistence report Attempt to repair the application if the Absolute agent detects that the application is non-functional Download and reinstall the application if the application can't be repaired, or it was uninstalled NOTE If the application was never installed on a device, the Absolute agent installs it. Therefore, before you proceed, we recommend that you ensure you have sufficient licenses available for the application to accommodate any new installations.
Report and reinstall	Collect status information about the application and show it in the Application Persistence report Download and reinstall the application if the application can't be repaired, or it was uninstalled NOTE If the application was never installed on a device, the Absolute agent installs it. Therefore, before you proceed, we recommend that you ensure you have sufficient licenses available for the application to accommodate any new installations.

NOTE Depending on the Absolute product associated with the policy group and depending on the application selected, the Report and repair, Report and reinstall, and Report, repair, and reinstall options may not be available.

If you selected Report and reinstall or Report, repair, and reinstall in the previous step, additional configurations show on the page. Do one of the following to configure the location of the installation files:
To upload files
1. Select Upload installer.
2. Click Upload or Manage, depending on which button appears.
3. If required for the application, indicate whether you want to configure a 64-bit installer, a 32-bit installer, or both. By default, only 64-bit installer is selected. Devices automatically download the appropriate installer for their operating system. To clear a selection, click its check box. At least one installer type must remain selected.
  
  NOTE Installer type does not apply for every application.
4. Do one of the following:
  - Click browse. Navigate to and select the file you want to upload.
  - Navigate to and select the file that you want to upload and drag it to the work area.
  The file must be a file type supported by the application.
  
  If the policy supports both 64-bit and 32-bit installers, you can upload one 64-bit installer and one 32-bit installer at the same time.
  
  If a file has already been uploaded, it is moved to the Other versions drop-down when a new file is uploaded.
5. Wait for the file to upload.
6. [Optional] Click Add description (optional)… and enter a description, if desired.
7. Repeat the previous steps for each file you want to add.
8. When you have finished uploading the files, click Save.
The names of the selected files appear under Upload installer.

NOTE This option isn't available for all applications.

For more information on managing your files and for supported applications, see Hosting Application Persistence files.
To use previously uploaded files
1. Select Upload installer.
2. Click Upload or Manage, depending on which button appears.
  
  Currently selected files show in the work area. The file name, size, description (optional), upload date, and SHA-256 hash appear.
3. Click Other versions.
4. Select one of the previously uploaded files from the drop-down menu.
5. Click Save.
NOTE This option isn't available for all applications.

For more information on managing your files and for supported applications, see Hosting Application Persistence files.
To host your own installer
1. Select Host my own installer file.
2. Under Installer type, indicate whether you want to configure a 32-bit installer, a 64-bit installer, or both. By default, both types are selected. You'll want to leave the configuration as is if the policy group contains both 32-bit and 64-bit Windows devices. Devices automatically download the appropriate installer for their operating system. To clear a selection, click its check box. At least one installer type must remain selected.
  
  NOTE Installer type does not apply for every application.
3. Under Location of the <application> installer, enter the location of the installer or installers in URI format. You can host the installers on any web server. Both HTTP and HTTPS protocols are supported. If necessary, you can restrict access to the installers by enabling HTTP basic authentication on the server.
4. For each installer, click Go to URI to test that you entered the location correctly.
5. Under Username and password (if required), enter the Username and Password of the user who is authorized to access the location where the installer resides.
  
  To verify that you've entered the password correctly, select the Show Password check box.
  
  If you are configuring multiple installers, ensure that you enter the correct information in each field.
  
  NOTE You can skip this step if authentication is not required to access the specified location.
6. Assign a SHA-256 hash to each application installer file by doing the following:
  1. Use a hash generator tool of your choice to generate a SHA-256 hash. For example, you can use the CertUtil.exe command-line utility, which is included with most Windows operating systems.
  2. For each installer, enter the hash in the SHA-256 Hash field. Ensure that you haven't inadvertently inserted any whitespace characters in the field along with the hash.
See Hosting Application Persistence installers on third-party platforms for information on creating a shareable link on a third-party platform.

If you are configuring multiple installers, ensure that you enter the correct information in each field.
IMPORTANT The installer version must match the version selected under Application version.
Complete any application specific configuration. Visit the page for each application for details on completing specific configuration details.
In the statement near the bottom of the page:
1. Review the terms and conditions.
2. Select the check box to agree to the terms and conditions.
Click Save.

The Application Persistence policy is configured.

Changing the activation of the policy

You can change the activation state from the Policy Groups area or the Persistence area.

To change activation state from the Policy Groups area:

On the Policy Groups sidebar, search for and then click the policy group that contains the policy that you want to change the activation state for. The Devices page of the policy group opens in the work area.
Click Settings to view the policy configurations for the policy group.
Next to Application Persistence, click Configure.
On the Configure Application Persistence dialog, do one of the following:
- If the policy is not activated and you want to activate it now, click the Activation slider to set it to On.
  If the policy configuration uses uploaded files, the files are validated. If a previously uploaded file has been removed, the application's policy configuration dialog opens. Either upload the required files or provide the information to host the installer yourself.
- If the policy is activated and you want to deactivate it now, click the Activation slider to set it to Off.
NOTE If an Absolute Ransomware Response license (base or add-on) is assigned to the policy group, you can activate up to two (2) policies. After two policies are activated, all other Activation sliders are disabled.
Click Save and Apply or Save, depending on whether or not you are activating the policy.

The policy activation status is updated.

To change activation state from the Persistence area:

On the Persistence sidebar, click an application name to open it in the work area.
To activate a deactivated Application Persistence policy for a policy group:
1. Click Activate next to the policy group name.
  If the policy configuration uses uploaded files, the installer is validated. If the previously uploaded installer has been removed, the application's policy configuration dialog opens. Either upload the required installer or provide the information to host the installer yourself.
2. On the Activate Policy dialog, click Activate. The policy is activated using the current policy configurations set for the application.
To deactivate an activated Application Persistence policy for a policy group:
1. Click Deactivate next to the policy group name.
2. On the Deactivate Policy dialog, click Deactivate.

The policy activation status is updated.

If you activated the policy, the Absolute agent's RAR component A lightweight software component of the Absolute agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Persistence policy is activated. is activated on the device on its next connection to the Absolute Monitoring Center. The component then runs a script to check the functional status of the third party application. Going forward, the component checks the status of the application within ten minutes of each system restart and then every six hours thereafter. The results are uploaded to the database using a secure connection. You can view the results in the Application Persistence report and the Application Persistence Events report.