
E8 Guide | Application Control

This article explains how Devicie supports the application control measures recommended by the ACSC Essential Eight.

Application control helps prevent unapproved or malicious software from running. This significantly reduces the likelihood of malware infections and limits the ability of attackers to execute unauthorised code. This strategy uses technologies such as AppLocker and Windows Defender Application Control (WDAC) to enforce rules for allowed applications, scripts, and executables. Devicie supports this strategy by providing pre-configured baseline policies that align with Essential Eight requirements and can be deployed through Intune.

What's Covered

Devicie supports the following controls related to application control:

  • Baseline AppLocker or WDAC policies to enforce application allow-listing.

  • Rules that restrict execution of unauthorised scripts and executables.

  • Blocking software from running in specific user profile locations and mapped drives.

  • Intune-delivered configuration policies for centralised management.

  • Alignment with ACSC E8 guidelines for application control implementation.

What’s Not Covered

The following areas are outside Devicie’s scope and remain the responsibility of the customer:

  • Creation and maintenance of custom allow/deny lists beyond the provided baseline policies.

  • Application control enforcement on non-Windows platforms (e.g. macOS, Linux).

  • Management of application control for software development environments or other specialist needs that require frequent changes.

  • Ongoing monitoring for application control bypass attempts — Devicie does not provide active security event correlation or SIEM integration.

Potential Impact and Callouts

When implementing this Essential Eight mitigation strategy, it's important to understand the impacts on your environment and end users so that you can better plan your change processes.

  • Application control may block legitimate business applications unless they are explicitly allowed.

  • Special consideration should be given to developers or IT admins who require more flexible execution policies.

  • Testing is recommended before broad deployment to avoid unexpected disruption.

  • Ongoing allow-list updates may be needed as software changes or is updated.

Devicie Delivered Controls

ML1

  • Application control is applied to user profiles and temporary folders used by operating systems, web browsers and email clients.

  • Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.

  • Application control is implemented on workstations.

ML2

  • Event logs are protected from unauthorised modification and deletion.

  • Allowed and blocked application control events are centrally logged.

  • Microsoft's recommended application blocklist is implemented.

  • Application control is applied to all locations other than user profiles and temporary folders used by operating systems, web browsers and email clients.

  • Application control rulesets are validated on an annual or more frequent basis.

ML3

  • Event logs from workstations are analysed in a timely manner to detect cyber security events.

  • Application control restricts the execution of drivers to an organisation-approved set.

  • Microsoft's vulnerable driver blocklist is implemented.

Customer Responsibility

ML1

  • All ML1 controls are supported.

ML2

  • Application control is implemented on internet-facing servers.

  • Cyber security events are analysed in a timely manner to identify cyber security incidents.

  • Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered.

  • Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.

  • Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.

  • Following the identification of a cyber security incident, the cyber security incident response plan is enacted.

ML3

  • Application control is implemented on non-internet-facing servers.

  • Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events.

💡 Tip: Use the Devicie Essential Eight report to view all controls broken down by strategy, maturity level and responsibility.