Increasing Visibility to Ivanti Application Control Events with Xtraction


Ivanti’s Application Control has great built-in auditing features that provide insight to actions controlled within Application Control. Although historical auditing is useful, sometimes it can become overwhelming and noisy.

Common Auditing Events:

  • Applications allowed/denied execution
  • Applications running under elevated privileges
  • Self-elevation of applications to run as Administrator
  • Policy change requests

It is key to be able to separate the actionable events from the informational events and be able to present this information in a visible and readable format. Depending on the size of the environment and the number of devices reporting information, the sheer amount of data can become overwhelming.

Ivanti’s Xtraction is a powerful dashboard reporting tool that produces charts and tables in an organized format for better consumption. Xtraction can integrate with a plethora of products, including Application Control, to produce just about any imaginable report.

How Application Control Auditing works out-of-box

Application Control utilizes a configuration deployed on endpoints that determines what programs, websites, and actions a user can and cannot access. Each of these access controls, whether it is an allow or deny, the result can be audited to help refine policy and configuration. There are a number of defined audited events that can be enabled depending on the information that needs to be captured; some events produce more traffic than others, so be careful what is being captured and how long the events are retained.

Trusted ownership is a large part of Application Control. Trusted ownership only allows apps that were introduced by trusted administrators; the list of trusted administrators can be modified to suit any environment. Trusted ownership helps prevent unwarranted and unwanted execution of code, whether it’s good or bad. This code could be introduced into the environment from software a user downloaded or via other means.

Figure 1 – Denied Execution Template 

Upon execution, since the software was not downloaded by a trusted owner, or explicitly defined in the policy, they will get an execution denied prompt; as seen in Figure 1. This can be leveraged with auditing to know exactly who tried to execute untrusted software and what they were trying to execute.

Xtraction Integration with Application Control

Xtraction is a reporting software that uses Data Sources to communicate with databases for information extraction. Each Data Source establishes its own database connection which allows for individual, or compound reporting.

Xtraction uses Dashboards to present information in a clean format and utilizes graphs and charts depending on business needs; Xtraction can also create Documents and Reports.

Dashboard features:

  • Ability to customize components/multiple datasets into charts, graphs, or lists
  • Drill down for more in-depth data visibility
  • Filter based on specific criteria
  • View real-time or historical data
  • Generate and schedule reports for email delivery

Figure 2 – Event Monitor

All of these mechanisms can be used together to have a true understanding of the environment.

Application Control auditing is an important part of Application Control. Each audited event is useful for tweaking the configuration, for example, if there is a need to allow or deny a new item. Auditing helps to gain insight into the actions being performed on an endpoint within an environment.

Xtraction can be used to report on the auditing produced by Application Control, this can be coupled with a number of different charts or graphs depending on the need; figure 2 shows an example of a Dashboard produced from Xtraction for Application Control auditing events.

Figure 2 uses the following components and features to quickly display data for Application Control events:

  • Pivot Charts
    • Displays filtered event numbers compared with event description and user
  • Time Chart
    • Displays the number of events within the past week
  • Filters for specific event numbers that pertain to Application Control events

For optimal reporting, this Dashboard could be scheduled and sent out via email weekly to stay up to date on the events being produced by Application Control.


After a brief overview of Xtraction and Application Control, hopefully there is a better understanding of how they can be used together and the benefits they provide. Application Control is a very useful security tool that provides powerful auditing capabilities.

Leveraging Xtraction, the audited events can be utilized to produce customizable Dashboards in an organized format that will help you refine Application Control policies to create a better user experience. Each created Dashboard can be saved for reuse, sent out regularly via email, or customized at any time if the information needs to be changed.

Zach Thurmond
IT Consultant
Critical Design Associates

LinkedIn Profile

Creating Configured Deployment Packages with Ivanti Package Studio

Introduction to Ivanti Package Studio

Ivanti Package Studio is a customized version of the Liquit Setup Commander. This product is specifically designed to take the guesswork out of creating configured deployment packages by leveraging a collection of downloadable source software which has already been verified and reviewed by the software vendor.

This source software collection is referred to as the ‘Setup Store’. Package Studio can then download or create Import Wizards for all of these applications which enables the technician to quickly configure and create packages for most commercial off-the-shelf (COTS) applications.

The ‘Setup Store’ is a repository of Windows applications, similar to any other App Store. From the ‘Setup Store’ link within the application, queries can be sorted, searched and filtered based on Manufacturer Name, Product Name, Version Number, Setup Type, Category, Platform, Filename, Language or Date.

Readily available Windows applications and patches can then be downloaded to a pre-configured directory on a local drive or on a file share. After an installation has been downloaded, a package can easily be created using Packing Studio to be configured for enterprise deployment.

Ivanti states that the ‘Setup Store’ has grown to more than 2500 entries. Every day the repository is updated with the latest versions and releases of a listed application.

Ivanti Package Studio also supports every vendor MSI. If Package Studio does not have the installation in its repository, the tool will quickly auto-generate a new Configuration Wizard.

Configuration Wizards provide options to remove all Desktop and/or Start Menu shortcuts, suppress reboots, disable auto-update mechanisms, include licensing information, include database settings, and configure many other deployment options. These options are stored in a transform file (MST) for the selected MSI.

Configuration Wizard files are automatically downloaded for each application. When selected, the configuration options will be unique for each application.

In this example, the ‘Google Chrome Configuration Wizard’ can configure a myriad of options for the Google Chrome deployment as follows:

After launching Ivanti Package Studio, in the lower pane, navigate to the vendor install that will be configured.

Right click on the Windows Installer for Chrome Enterprise and select “Generate Transform”

The Google Chrome Configuration Wizard will then launch.
On the Options tab, select any options that are required for the configuration.

On the “Homepage preferences” tab, enter the default homepage.

On the “Distribution preferences” tab, select any distribution options that are required for the configuration.

On the “Features” tab, make any required feature changes.
When all options have been selected, click “OK”

A “Save Transform File” dialog box will open, prompting the user to save the MST file to disk. This file, in combination with the corresponding MSI and optional (CAB), will constitute the completed package.

Ivanti Package Studio can be configured to directly connect to Ivanti Endpoint Manager (formerly LANDesk), Microsoft System Center Configuration Manager, Microsoft Deployment Toolkit, and other software distribution tools for automatic creation of a deployable package.

In summary, Ivanti Package Studio can be a significant time saver in deploying many commercially available applications. Thanks to the ‘Setup Store’, it may be the most complete source for creating Windows Installer Transform files.

Mike Doneson
Senior Consultant
Critical Design Associates

Deploying Office 365 using SCCM

The deployment of Office 365 applications (Word, Excel, PowerPoint, Outlook, etc..) just became much easier. Beginning with SCCM version 1702, from the Office 365 Client Management dashboard, the Office 365 application Installer can be automated.

From this console the following can be performed:
• Office 365 installation settings can be configured
• Files from Office Content Delivery Networks (CDNs) can be downloaded
• Office 365 can be deployed as an application

What is the Office 365 Client Installer?

The Office 365 client installer is the SCCM installation wizard for the Office 365 client applications installer. This wizard will automate the deployment of the Office 365 applications to client devices like Windows 10, Windows 8.1 and Windows 7.

The Office 365 Client Installation Wizard

The Office 365 client installation wizard is started from with the SCCM console. Navigate to

\Software Library\Overview\Office 365 Client Management

and click on the title. The Office 365 dashboard will launch. Click on the “+ Office 365 Installer” to launch the Office 365 installation Wizard.

Application Settings: This is the initial window. The wizard will prompt for the Name of the deployment, a Description, and the Content Location.

The Office 365 client installation files will be downloaded to the location specified in the wizard if they do not already exist.

NOTE: In order to proceed, either SCCM must be connected to the Internet or the Office 365 installation must have already been downloaded offline and placed in the selected directory.

Import Client Settings: This window offers a choice to Manually specify the Office 365 client settings or Import Office 365 client settings from a configuration file.
Choosing the Import option will automatically configure all the settings for the Office applications.

A Sample configuration.xml file can be found here: Download

If you choose to manually specify the Office 365 client settings, continue to the Client Products window.

Client Products: In this window, the initial option is to select the Office Suite.

Primarily, there are two office suites available as part of the installation wizard.
• Office 365 ProPlus
• Office 365 Business

NOTE: Microsoft may offer pre-release versions such as Office Professional Plus 2019 in the dropdown. This may also become the standard method of deploying Office in future versions.

Below the Suite dropdown list, a frame is shown where you can select the Office 365 applications installed for this deployment.In the example above, “OneDrive (Groove)” is not selected to be installed since it is obsolete. All other standard applications are selected.

Additional Office Products: There are additional dropdowns for Visio and Project.

For this deployment, Visio Pro for Office 365 and None have been selected. The default options are:
Visio Pro for Office 365
Project Online Desktop Client

NOTE: For those two products, they are licensed based on the associated Office 365 licensing.

Specify Settings for Office 365 Clients

Client Settings: In this window, there are options to specify settings for the Office 365 Clients.

At the top, there is a radio button to select the Architecture which can be either 32-bit or 64-bit.

In the Channel selection dropdown, there are four update channels listed. Recently, these choices have changed.

Currently the choices are:
Monthly Channel (formerly Current Channel)
Monthly Channel (Targeted)
Semi-Annual Channel (Differed Channel)
Semi-Annual Targeted (formerly First Release for Deferred Channel)

Below this is the Version dropdown. This will populate with numerous choices for each channel. Currently, the latest build in the Semi-Annual channel is 1803 Build 9126.2282.

There is an “Add/Remove…” button that is used to select additional languages. The default is English (United States).

At the bottom are options to configure Properties.

The four properties are:
Accept EULA
Pin Icons to the taskbar (Win 7/8.x only)
Shared computer activation

NOTE: Microsoft still recommends the 32-Bit version of Office. More information on why can be found here.

Deploying the Office 365 Client

Deployment: The next window is for deployment. It has a single question, “Do you want to deploy the application now?

If you choose “Yes”, the standard SCCM Deployment scheduling options are built into the wizard. There are windows for General (select the collection), Content (Distribution Points), Deployment Settings (Install, Required, etc.), Scheduling, User Experience, and Alerts.

If you choose “No”, the next window presented will be the Summary.

Clicking next will bring up Progress and ultimately Completion. At this point a new Office 365 application is available and ready to be deployed, or will be deployed on the schedule created in Scheduling.

Office 365 Client Management

After the wizard completes, SCCM will return back to the Office 365 Client Management window. From here, there is a graphical display showing all of the installed versions across the environment.

There are now new options on the right side of the window which include: Create an ADR and Create Client Settings.

This area of SCCM functionality continues to be upgraded and improved with each new release.

In Conclusion

This walkthrough is only the beginning of Office 365 management utilizing SCCM.

Mike Doneson
Senior Consultant
Critical Design Associates

Securing an Existing ADFS Environment with Okta MFA

Since the introduction of Active Directory Federation Services (ADFS) in 2015, companies have been widely adopting the idea of using this technology to leverage claims-based authentication…

SCCM Video: Creating a Device Collection from a list of Users

Most of the time, requests for deployments come in as vague lists of names or departments. And, although SCCM provides some great user-based deployment options, you may not feel fully comfortable targeting users for a required deployment. This means you’ll have to run a report, do some copying and pasting, and maybe manually enter some machines into a device collection.

Well, we’ve put together a little script which will help speed up that process. Download Script

The script relies on SCCM’s user device affinity information that is automatically collected if enabled in client settings. With this info, we can get device associations for users and then use those associations to create device collections for targeting deployments.

Step 1 – Pull in your list of users

We have three different options for inputting our list of users.
1) Text List
2) AD User Group
3) SCCM User Collection

The Text List should e a list of SamAccount Names as we’re going to query SCCM directly with this list

You can use any combination of the three, and the script will take it into account.

Step 2 – Create a targeting collection, or not

First, we check if the collection exists already. If it does not, we check to see if the -LimitingCollection parameter is used. If it is, we’ll create a new Collection, if not, we’ll exit out.
The limiting collection is a required collection to create any new Collection in SCCM.

This collection limits the scope of What your new collection can contain. The largest limiting collection is “All Systems”

Step 3 – Find all the devices associated with each user

We’re going to loop through our list of users, and with each one, run a WMI query to find all associated Devices. Then each of those devices will be added to an array and to the Targeting collection selected above.

Step 4 – Create a simple CSV report (optional)

If you used the -CSVPath parameter, the script will generate a report a CSV file in the location you designated.

Each row will show what devices were associated with each User and whether or not the devices was successfully added.

There are many reasons a device would not be added, we recommend generating the report and double checking to make sure everything looks right before targeting the collection with a deployment.

In Conclusion

Hopefully this helps make your deployments a little easier. Feel free to leave comments, requests, or inform us of issues on our GitHub page.


In this video we demonstrate a script that allows an SCCM administrator to create a “Device Collection” using a list of users from a text file as input. The script also supports active directory groups or a user collection.

Download Script

This PowerShell script uses the “User Device Affinity” feature in SCCM to determine which device belongs to which user.

Aman Motazedian
Senior Consultant
Critical Design Associates

LinkedIn Profile