Access to 64-bit applications is blocked by Managed Application security

Version 2

    Problem

    Consider the following scenario:

    • Ivanti Workspace Control 10.1 or later is used on a 64-bit operating system.
    • Managed Application security is enabled.
    • A managed application uses a command line that points to an executable in the Windows system folder (e.g. c:\Windows\System32\notepad.exe).
    • In the user session, the executable is started directly from Windows Explorer or through a file type association.

    In this scenario, access to the application is blocked.

    Note

    This scenario also applies to applications that have an executable in both C:\Program Files and C:\Program Files (x86).

    Cause

    The option Disable file system redirector on 64-bit systems is not selected in the properties of the application under Properties > Settings.

    When this option is not selected, all applications that are launched through Ivanti Workspace Control are launched as 32-bit applications, because Ivanti Workspace Control is itself a 32-bit application.

    As a result, the Windows File System Redirector will redirect the access to an architecture-specific path (e.g. c:\Windows\SysWOW64\notepad.exe).

    This redirected path is also the path used for the authorization of the file.

    Before Ivanti Workspace Control 10.1, the 64-bit path was authorized even though the option Disable file system redirector on 64-bit systems was not selected.

    This incorrect behaviour has been corrected.

    Solution

    Enable the option Disable file system redirector on 64-bit systems in the properties of the application under Properties > Settings to use a 64-bit context.

    Workaround

    As a workaround, manually add the path to the executable to the authorized files in the properties of the application, under Security > Authorized Files, as an extra rule alongside the default rule.

    Note

    • The default rule of the authorized files will show the path as configured in the command line of the application. This is because, from the Ivanti Workspace Console, it is not possible to predict whether an application will be launched on a 32-bit or 64-bit system.
    • See this link for more information on File System Redirector (Windows).
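
The path mismatch described under Cause, and the effect of the Solution and the Workaround, can be modelled as follows. This is an added example, not Ivanti code: the function names are hypothetical, Windows is assumed to be installed in C:\Windows, authorization is assumed to be a case-insensitive exact path match, and the sample configuration is constructed.

```python
import ntpath

WINDIR = r"C:\Windows"  # assumption: default Windows directory
# System32 subfolders that Windows exempts from WOW64 redirection
EXEMPT = ("catroot", "catroot2", "driverstore", r"drivers\etc", "logfiles", "spool")

def _under(path, folder):
    """Return the part of path below folder (case-insensitive), else None."""
    p, f = ntpath.normpath(path), ntpath.normpath(folder)
    if p.lower() == f.lower():
        return ""
    return p[len(f) + 1:] if p.lower().startswith(f.lower() + "\\") else None

def wow64_view(path):
    """Path a 32-bit process really opens when it asks for `path`."""
    rest = _under(path, ntpath.join(WINDIR, "System32"))
    if rest is None or any(_under(rest, e) is not None for e in EXEMPT):
        return ntpath.normpath(path)
    return ntpath.normpath(ntpath.join(WINDIR, "SysWOW64", rest))

def authorized_path(command_line, disable_redirector):
    """Model of the Cause section: the path that ends up authorized."""
    if disable_redirector:
        return ntpath.normpath(command_line)
    return wow64_view(command_line)

def blocked_from_explorer(command_line, disable_redirector, extra_rules=()):
    """True if a direct launch from 64-bit Explorer matches no authorized path."""
    launched = ntpath.normpath(command_line).lower()  # Explorer is not redirected
    allowed = {authorized_path(command_line, disable_redirector).lower()}
    allowed |= {ntpath.normpath(rule).lower() for rule in extra_rules}
    return launched not in allowed

NOTEPAD = r"c:\Windows\System32\notepad.exe"
APPS = [  # constructed sample configuration: (name, command line, option, extra rules)
    ("default settings", NOTEPAD, False, ()),
    ("redirector disabled", NOTEPAD, True, ()),
    ("extra authorized file", NOTEPAD, False, (NOTEPAD,)),
]

def audit(apps=APPS):
    """Names of applications whose direct 64-bit launch would be blocked."""
    return [n for n, cmd, opt, rules in apps if blocked_from_explorer(cmd, opt, rules)]

if __name__ == "__main__":
    print(audit())
```

Only the entry with default settings is reported; enabling the option or adding the extra authorized file rule both make the launched path match an authorized path.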