In this quarter, we have brought to you the following new features, changes and enhancements to existing functionality:
- New Windows-specific security attributes for devices
We have added a number of new Windows security-related datapoints to the agent data. They apply to Windows 10 or Windows 11 devices (or selected Windows Server versions) that meet Microsoft's specific requirements for each of the technologies:
Microsoft Defender Application Guard
Applixure now reports if Application Guard technology has been turned on for the device. With Application Guard, Windows can launch Microsoft Edge and Office processes into a hypervisor-protected isolated environment for better security containment of these applications. Application Guard requires specific hardware features and Windows editions/releases to function and be available.
The Agent's security readiness displays Application Guard status only when the Applixure Agent detects that it has been turned on.
Windows Defender Credential Guard
Applixure now reports if Credential Guard technology has been turned on for the device. With Credential Guard, Windows protects stored credentials using hypervisor-based isolation. Credential Guard requires specific hardware features and other Windows security features to be present and enabled to function and be available.
The Agent's security readiness displays Credential Guard status only when the Applixure Agent detects that it has been turned on.
Memory Integrity
Applixure now reports if Memory Integrity - or Hypervisor-protected Kernel Code Integrity by another name - has been turned on for the device. With Memory Integrity, Windows protects the integrity of kernel-mode code from tampering using hypervisor-based isolation.
The Agent's security readiness displays Memory Integrity status only when the Applixure Agent either detects that it has been turned on, or detects that the requirements for enabling it are met but the feature has not been turned on. Please note that the setting for enabling Memory Integrity might be visible in the Windows Security app under the Device security section, but unless the feature's requirements, such as Hypervisor-based Security, are enabled on the machine, switching the setting on does not actually turn the feature on.
Kernel DMA Protection
Applixure now reports if Kernel DMA protection - or Memory Access Protection by another name - has been turned on for the device. With Kernel DMA protection, Windows is able to protect against PCIe-originated, DMA-based attacks against the Windows kernel, such as those using Thunderbolt 3 connected devices. Kernel DMA protection requires specific hardware and Windows security features to be present and enabled to function and be available.
The Agent's security readiness displays Kernel DMA protection status only when the Applixure Agent either detects that it has been turned on, or detects that the requirements for enabling it are met but the feature has not been turned on.
Windows Defender System Guard Secure Launch
Applixure now reports if System Guard Secure Launch - or Firmware Protection by another name - has been turned on for the device. With Secure Launch, Windows can protect the boot path for the operating system even in the presence of untrusted firmware.
The Agent's security readiness displays Secure Launch status only when the Applixure Agent detects that it has been turned on.
Related to Secure Launch, if System Management Mode (SMM) protection is additionally enabled and in use on the device, the Agent's security readiness displays SMM protection as turned on.
Both Secure Launch and SMM protection require specific hardware features to be present to function and be available.
Windows Defender Application Control
Applixure now reports if Windows Defender Application Control - or Usermode Code Integrity / Hypervisor-based Usermode Code Integrity by another name - has been turned on for the device. With Application Control, devices can be locked down at the hypervisor level to run only an allowed/whitelisted set of binaries; this is mostly usable for single-purpose computers. Application Control requires specific Windows security features and configuration to be present and enabled to function and be available.
The Agent's security readiness displays Application Control status only when the Applixure Agent detects that it has been turned on.
In addition to displaying the status of the Windows security features described above in the individual Agent device's security readiness section, Kernel DMA protection state and Memory Integrity state graphs have been added to the Performance & Issues dashboard as further detail graphs for Device and OS security readiness.
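For cross-checking a single device by hand, the following added example (not Applixure's code, and not a description of how the Applixure Agent detects these features) reads the Windows-provided `Win32_DeviceGuard` WMI class and separates "configured" from "actually running", which is the distinction the Memory Integrity note above describes. The function name `Get-VbsFeatureState` and the output shape are assumptions made for the example; Application Guard and Kernel DMA protection are not covered by it.

```powershell
# Added example, not Applixure code. Get-VbsFeatureState is a hypothetical name.
function Get-VbsFeatureState {
    # Win32_DeviceGuard is the Windows-provided WMI class for VBS state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # IDs used in SecurityServicesConfigured / SecurityServicesRunning.
    $services = @{
        1 = 'Credential Guard'
        2 = 'Memory Integrity (HVCI)'
        3 = 'System Guard Secure Launch'
        4 = 'SMM protection (SMM Firmware Measurement)'
    }
    $vbsText = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $ciText  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

    # Cast to [int]: the WMI values are UInt32 and would miss the Int32 keys.
    $vbs = [int]$dg.VirtualizationBasedSecurityStatus
    [pscustomobject]@{ Feature = 'Virtualization-based security'; State = $vbsText[$vbs] }

    foreach ($id in ($services.Keys | Sort-Object)) {
        $configured = $dg.SecurityServicesConfigured -contains $id
        $running    = $dg.SecurityServicesRunning -contains $id
        # A service can be configured (setting switched on) without running,
        # for example when virtualization-based security itself is not active.
        $state = 'Off'
        if ($running) { $state = 'Running' }
        elseif ($configured) { $state = 'Configured, NOT running' }
        [pscustomobject]@{ Feature = $services[$id]; State = $state }
    }

    # Application Control (code integrity policy): kernel-mode and user-mode.
    [pscustomobject]@{
        Feature = 'Application Control (kernel-mode CI policy)'
        State   = $ciText[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    }
    [pscustomobject]@{
        Feature = 'Application Control (user-mode CI policy)'
        State   = $ciText[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

Get-VbsFeatureState | Format-Table -AutoSize
```

A row reading "Configured, NOT running" for Memory Integrity is the case where the toggle is on in Windows Security but the feature's prerequisites are not met.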
- Fix and updates for CO2 calculation
The CO2 / emissions calculation has been updated in the Use dashboard.
The previous implementation used a single, incorrect CO2 / kWh value for calculating the total amount of emissions per month and per year for the whole Applixure environment. Now, Applixure uses CO2e (CO2-equivalent) values on a per-country basis (for the supported major countries) and calculates the amount of CO2e per agent device based on the detected country location of the device. For devices geo-located to countries for which we don't have a CO2e / kWh datapoint available for electricity generation, the emissions calculation is skipped for the environment total.
In the future, we plan to enhance this calculation further and expose the calculated CO2e values on a per agent device basis.
- Updated Mac Agent mass deployment files
We have now added a new installer package and files for Applixure's Mac Agent that are better suited to mass deployment.
Previously, customers were required to re-package the Mac Agent's installer into their own mass-deployment wrapper package in order to automate unattended installation on multiple machines, as opposed to an administrator installing the Mac Agent manually and interactively on a device-by-device basis. A new installer package has been added to the deployment kit that should make this fully automatic and straightforward to use with a software deployment tool, or MDM system, without the need for additional steps. The kit also includes new policy files to be used in MDM scenarios for granting Full Disk Access to the Applixure Agent on managed machines.
This new deployment kit is downloadable from the Deploy tab in the Applixure Web UI, next to the single deployment DMG file, which is functionally the same as before for installing the Mac Agent on individual machines.