Troubleshooting Access Control Rules


Certero Access Control lets you Allow or Deny applications from running on Windows and macOS computers. Configuring Access Control can be complex, so this article details the requirements, rules and troubleshooting steps. It also explains how new Access Control rules are applied and why they do not take effect immediately.

Requirements for Access Control

  • Your Certero platform must be licensed for Access Control. Within the Certero platform, you should see Access Control at the top of the system menu.

  • Access Control is a module of the Certero Client Agent. The Certero Client Agent must be installed and running on the Windows or macOS computer. There is no Certero Client Agent for Unix/Linux, so Access Control cannot run on these systems.

  • The Access Control module must be Enabled in a Configuration applying to the computer(s) with the Certero Client Agent installed. See Computer Systems – Configurations. The Modules column shows which modules are Enabled. The Computers column shows how many computers the Configuration applies to.

  • One or more Access Control rules must apply to the desired computer(s). See Access Control - Access Rules. Double-click a rule to see its properties. Check the Criteria on the Computers page to ensure it applies to the desired computer(s).

  • Access Control rules can apply to Remote Desktop Server (RDS) environments, previously called Terminal Servers. In this scenario the RDS server(s) should be defined on the Devices tab of the rule, and the connecting computer(s) defined on the Computers tab.
    E.g. an Access Control rule could be created that allows only users from a defined Active Directory group of computers to run Visio.exe on a Remote Desktop Server.

  • N.B. On Windows computers, files located in C:\Windows\ and its subfolders cannot be Blocked by Access Control. Important system files are stored here and restricting their use would impact the running of the Windows operating system.

Access Control - Rule Check

Multiple Access Control rules can quickly become complicated. The Access Rules page contains a Rule Check button. Selecting this button prompts you for a Host Computer, a Client Device and a User. Click Finish to see a list of Blocked Files. Use the same computer name for host and client in non-RDS scenarios.


Troubleshooting Steps - Windows Computers

  • You can ensure that the Windows computer is Access Control “Ready”. Choosing About Certero from the Certero Client Agent will show the list of installed modules. AccessControl will be top of that list.

  • The file AccessControl.dll will appear in the folder C:\Program Files\Certero\Client. This folder may differ if you have installed the Certero Client Agent in a different location.

  • The Certero Mini Filter (cmflt.*) files, required by Access Control, will appear in the folder C:\Program Files\Certero\Client\Install.


  • N.B. If the computer does not pass the above three checks, then look again at your Configurations. Also ensure that the computer is successfully communicating with an Endpoint Server.

  • If the computer does pass the above three checks, then you can test the access control rules by attempting to launch a blocked application. When Access Control blocks an application, the user will receive a visible notification.

    N.B. Notifications from the Certero Client Application can be blocked depending on the Windows Settings. Look under Settings – System – Notifications (Notification & Actions on Windows 10) for the computer-specific settings.

  • The AppsMonitor log file will also log that an application has been blocked. This log file will be in the folder C:\Program Files\Certero\Client\Logs. For troubleshooting, we recommend enabling Verbose logging on the Certero Client Agent.

E.G.
04/11/2025 11:26:24 - DEBUG: Process has been denied, entry will be logged
04/11/2025 11:26:24 - INFO: CONSULTANCY\marklabadmin was denied access to the file %programfiles%\7-zip\7zfm.exe
  • N.B. When an Access Control rule has been created or updated, the Certero Client Agent does not immediately pick up that change. The user must perform a logon process (i.e. sign out and then sign back in again). The Certero Client Agent picks up changes during the Windows login process.

  • The Access Control rule filenames that the Certero Client Agent currently has can be seen in the Windows registry. Look under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Certero\Client\Sessions\nn\Applications
    where nn is the latest session number seen.

  • If an expected Filename from an Access Control rule does not appear, try logging off and on again. The updating of the rules for the Certero Client Agent is also captured in the AppsMonitor log file. Look for the text “Updating application blacklist for”; it will be followed by the Filenames being added.

E.G.
05/11/2025 09:37:25 - DEBUG: Getting Endpoint Server value from the registry
05/11/2025 09:37:25 - INFO: Updating application blacklist for CONSULTANCY\marklabadmin
05/11/2025 09:37:25 - DEBUG: Url: https://eps01.lab.consultancy.local:443/CerteroEndpointServer/…
05/11/2025 09:37:26 - DEBUG: Setting value in registry key: SOFTWARE\Certero\Client\Sessions\26\Applications
05/11/2025 09:37:26 - DEBUG: Adding: 7z.exe
05/11/2025 09:37:26 - DEBUG: Adding: 7zfm.exe
05/11/2025 09:37:26 - DEBUG: Adding: 7zg.exe
05/11/2025 09:37:26 - DEBUG: Adding: mspaint.exe
  • If Access Control rules are not updating, ensure that the computer can still communicate with the last Endpoint Server it successfully communicated with.
    N.B. The process of updating the application blacklist will attempt to communicate with the last Endpoint Server the Certero Client Agent connected to. It does not try any other Endpoint Servers.
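
The two AppsMonitor checks above (was the file denied, and was the filename delivered at the last logon) can be scripted. This is an added example, not Certero code: it parses log lines in the format of the two excerpts on this page. The function names, the dd/mm/yyyy reading of the timestamp and the rule that "Adding:" lines belong to the preceding "Updating application blacklist" line are assumptions, and the "Adding:" lines appear at DEBUG level in the excerpt.

```python
import re
from datetime import datetime

# Constructed sample: the lines of the two log excerpts shown on this page.
SAMPLE_LOG = r"""04/11/2025 11:26:24 - DEBUG: Process has been denied, entry will be logged
04/11/2025 11:26:24 - INFO: CONSULTANCY\marklabadmin was denied access to the file %programfiles%\7-zip\7zfm.exe
05/11/2025 09:37:25 - DEBUG: Getting Endpoint Server value from the registry
05/11/2025 09:37:25 - INFO: Updating application blacklist for CONSULTANCY\marklabadmin
05/11/2025 09:37:25 - DEBUG: Url: https://eps01.lab.consultancy.local:443/CerteroEndpointServer/…
05/11/2025 09:37:26 - DEBUG: Setting value in registry key: SOFTWARE\Certero\Client\Sessions\26\Applications
05/11/2025 09:37:26 - DEBUG: Adding: 7z.exe
05/11/2025 09:37:26 - DEBUG: Adding: 7zfm.exe
05/11/2025 09:37:26 - DEBUG: Adding: 7zg.exe
05/11/2025 09:37:26 - DEBUG: Adding: mspaint.exe
"""

LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - (\w+): (.*)$")
UPDATE = re.compile(r"^Updating application blacklist for (.+)$")
DENIED = re.compile(r"^(.+?) was denied access to the file (.+)$")
SESSION = re.compile(r"Sessions\\(\d+)\\Applications$")

def parse_appsmonitor(text):
    """Return (updates, denials) extracted from AppsMonitor log text."""
    updates, denials, current = [], [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the timestamped format
        when = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S")  # assumed dd/mm/yyyy
        msg = m.group(3)
        if (u := UPDATE.match(msg)):
            current = {"time": when, "user": u.group(1), "session": None, "files": []}
            updates.append(current)
        elif (d := DENIED.match(msg)):
            denials.append({"time": when, "user": d.group(1), "file": d.group(2)})
        elif current is not None:
            # Assumption: session and "Adding:" lines belong to the preceding update.
            if (s := SESSION.search(msg)):
                current["session"] = int(s.group(1))
            elif msg.startswith("Adding: "):
                current["files"].append(msg[len("Adding: "):].lower())
    return updates, denials

def rule_delivered(updates, user, filename):
    """True/False for the user's most recent update; None if no update was logged."""
    mine = [u for u in updates if u["user"].lower() == user.lower()]
    return filename.lower() in mine[-1]["files"] if mine else None
```

A result of None for a user means no blacklist update was logged for them, which points at the logon or Endpoint Server checks above rather than at the rule itself.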

 

Troubleshooting Steps - macOS Computers

  • You can ensure that the macOS computer is Access Control “Ready”. The file libAccessControl.dylib will appear in the folder System\Library\assetstudio\client


After following these troubleshooting steps, if you are still experiencing difficulties then please contact the Certero Help Desk.