Blocking an Install of an application, but allowing the use of the application in Sophos Central

Question

We are working on using group policy to push Google Chrome to users using our own configuration, and want to prevent the ability for users to download chrome on their own. I am assuming this is some mix of web control/application control in central policies but am coming up short finding a clear answer. Is there a way that we can stop our users from being able to install, but still allow the application to run on a machine? (Including the installer via GPO)? This is a Windows 10 environment running Sophos Central Intercept X on all endpoints.

Marcel · Answer

HI Lou, 
 I am afraid that what you are trying to achieve is not possible with Intercept X. Some reasons for this are: 
 
 Application Control can be used to block Chrome but this would then also apply to your version Chrome, so is not an option. 
 You could try blocking the download of Chrome using Web Control by blocking the download of Windows Executables but then what about an installer in a ZIP-File or on a USB stick. 
 Users do not need admin rights to install Chrome (not related to Intercept X, it is just how Chrome works) 
 
 So the big question remains how to solve this issue. The best option that comes to mind is to use the software restriction policies in Windows. If these computers are member of a domain you could simply distribute them by GPO. In your Software Restriction Policy you could for example use a path rule with which you block chromesetup.exe or you could simply block users from running any executable from their download folder or even their complete user profile (this will have side effects with other applications that like to install themselves under %appdata% so I do not recommend this). 
 Regards, Marcel

Blocking an Install of an application, but allowing the use of the application in Sophos Central

Top Replies