MS-Teams with AppSense Application Manager Agent (Ivanti) is very difficult to deploy


Hello

We have in our IT infrastructure the Ivanti AppSense / Application Manager Agent.

To deploy MS-Teams with AppSense is very difficult, because after every update of MS-Teams we must change the entries for the signatures/keys (exe and some DLLs).

Is there a way to make this easier?

Do the signatures always have to change after each update?

We also have OneDrive or DropBox as an exception in the AppSense-Admin, and these local user applications work fine. We only have these problems with MS-Teams.

Many thanks in advance for any help & best regards,

Michael

5 Replies

@Michael_E can you not trust the publisher rather than the certificate?


@Steven Collier

Hello,

thanks for your reply.

Publisher is a part of the meta-info and can easily be falsified. Good idea but unfortunately easily compromising.


@Michael_E I don't think so, this is how we trust using Software Restriction Policies, using the Publisher's public key. See

https://docs.microsoft.com/en-us/windows-server/identity/software-restriction-policies/work-with-sof...

Hi Michael, we have the same issue. Have you found any solution for this?

@Radha1012 @Steven Collier

Slightly late to the party, but this is an issue I am having with frequent blocking of Teams and found this discussion. After having a play, one option would be to use a Custom rule with a Scripted Condition.

In the Allowed Items you would add the required %LOCALAPPDATA% Teams files (use some meta data if you like too), then you create a PowerShell Scripted Condition to verify the Authenticode signature(s).

Here are the basics of the Scripted Condition check:

# Read the Authenticode signature of the Teams updater
$cert = Get-AuthenticodeSignature "$($env:LOCALAPPDATA)\Microsoft\Teams\Update.exe"

# Inspect certificate, fail if information is incorrect
if ($cert.Status -ne "Valid") { exit(1) }
# Other if conditions to also fail on...

# Pass
exit(0)

At a basic level this would also require the file to be digitally signed and valid, but you could also check that the issuer $cert.SignerCertificate.Issuer matches the Microsoft one, or any number of additional checks (increasing security). Instead of just a single file, you could also check a list of files related to Teams.

This would make it harder to replace the original files with malicious ones, as it's not as simple as just matching the meta data: you would need to pass the checking of meta data, be digitally signed + any other checks in PowerShell.

I used the below dev blog to get more info on Get-AuthenticodeSignature:

https://devblogs.microsoft.com/scripting/reporting-on-digitally-signed-files-with-powershell/
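As an added example (not the poster's script), here is a fuller Scripted Condition that applies the same Get-AuthenticodeSignature check to a list of Teams files and also pins the signer subject rather than accepting any valid signature; the file list and the expected subject string are assumptions to be confirmed against a known-good install.

```powershell
# Added example, not the poster's code: AppSense Scripted Condition that
# verifies the Authenticode signature of several Teams files and checks
# who signed them. Exit 1 = condition fails (deny), exit 0 = condition passes.
$teamsRoot = Join-Path $env:LOCALAPPDATA 'Microsoft\Teams'

# Assumption: the binaries that should be covered; extend as needed.
$files = @(
    (Join-Path $teamsRoot 'Update.exe'),
    (Join-Path $teamsRoot 'current\Teams.exe')
)

# Assumption: expected subject of the leaf signing certificate. Read it from
# (Get-AuthenticodeSignature <file>).SignerCertificate.Subject on a known-good
# install and paste the exact string here.
$expectedSubject = 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'

foreach ($file in $files) {
    # A missing file is treated as a failure, not silently skipped
    if (-not (Test-Path -LiteralPath $file)) { exit 1 }

    $sig = Get-AuthenticodeSignature -LiteralPath $file

    # Status is 'Valid' only if the file is signed, the hash matches the
    # signed content and the certificate chain is trusted; anything else
    # (NotSigned, HashMismatch, NotTrusted, ...) fails the condition.
    if ($sig.Status -ne 'Valid') { exit 1 }

    # Tie the signature to the expected publisher, so a file signed by any
    # other trusted certificate does not pass.
    if ($sig.SignerCertificate.Subject -ne $expectedSubject) { exit 1 }
}

# All files signed, valid and from the expected publisher
exit 0
```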