Hello,
Thank you for reaching out to Hexnode Connect! We completely understand your concern—user-level portable apps are a well-known blind spot for endpoint compliance and security.
Here is a breakdown of how this works and the best practices for managing it:
1. Blocking Browser Downloads
To address your first question: blocking the download of .exe and .msi files directly from the browser is not something that can be achieved through standard UEM policies. UEM platforms are primarily designed to manage device configurations and app deployments, rather than inspecting or filtering active web traffic.
- Recommended Approach: If your goal is to stop specific file extensions before they ever reach the endpoint, the best practice is to implement a SASE (Secure Access Service Edge) solution with a DLP (Data Loss Prevention) module. A SASE setup acts as a network gateway, giving you the granular control needed to intercept web traffic and completely block those file types mid-download.
2. Restricting the Execution of Portable Apps
While preventing the actual download requires a network-level tool, Hexnode can help you mitigate the risk if those files do make it onto the device.
Even if a portable app is downloaded and installed at the user level, you can prevent it from actually running by using Hexnode’s Blocklist/Allowlist policy for Windows. By adding the specific executables to this list, the operating system will actively block the user from launching them, regardless of their admin rights.
I hope this clarifies the best approach for securing your endpoints! Let us know if you need any further assistance.
Best regards,
George
Hexnode UEM
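An added example, not part of the reply above and not Hexnode tooling: before specific executables can be added to a Blocklist/Allowlist policy, you need to know which user-level executables are actually present on a device. This PowerShell sketch inventories `.exe` files in user-writable profile folders with their signer and hash for review; the folder list and output path are assumptions chosen for illustration.

```powershell
# Added example: inventory executables in user-writable profile folders so they
# can be reviewed and the unwanted ones added to a blocklist policy.
# Assumptions: run elevated so every profile is readable; the folder list and
# the CSV path are illustrative choices, not Hexnode settings.

$UserFolders = @('Downloads', 'Desktop', 'Documents', 'AppData\Local', 'AppData\Roaming')
$OutputCsv   = Join-Path $env:TEMP 'user-level-executables.csv'   # hypothetical path

function Get-UserLevelExecutable {
    param(
        [string]$ProfilesRoot = (Join-Path $env:SystemDrive 'Users'),
        [string[]]$Folders = $UserFolders
    )
    foreach ($userDir in Get-ChildItem -LiteralPath $ProfilesRoot -Directory -ErrorAction SilentlyContinue) {
        foreach ($folder in $Folders) {
            $path = Join-Path $userDir.FullName $folder
            if (-not (Test-Path -LiteralPath $path)) { continue }

            Get-ChildItem -LiteralPath $path -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
                Where-Object { $_.Extension -eq '.exe' } |   # -Filter can also match longer extensions
                ForEach-Object {
                    $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
                    $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                    [pscustomobject]@{
                        User      = $userDir.Name
                        FileName  = $_.Name
                        FullPath  = $_.FullName
                        Product   = $_.VersionInfo.ProductName
                        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                        SigStatus = if ($sig) { $sig.Status } else { $null }
                        SHA256    = if ($hash) { $hash.Hash } else { $null }   # null if the file was locked
                        Modified  = $_.LastWriteTime
                    }
                }
        }
    }
}

$found = Get-UserLevelExecutable
$found | Export-Csv -LiteralPath $OutputCsv -NoTypeInformation

# Most common executable names across profiles: candidates to review for the policy.
$found | Group-Object FileName | Sort-Object Count -Descending | Select-Object Count, Name
```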