Audit-Only Mode per Organization
Chris Bisnett
App Control will always start in audit mode to avoid blocking anything. Over a period of time we'll catalog all of the applications that run on the endpoints and verify that they are legitimate software. Those will get added to the allow list and once the number of applications that are flagged as not being on the list gets to zero, we can flip the policy over to enforce and block everything else.
We've got the granularity to enable policy enforcement all the way down to individual endpoints, so it's possible to have some endpoints in enforce while others are still learning in audit mode. We'll handle flipping a policy from audit to enforce since we've got all the data and can build automation around it. This isn't something you'll need to do. We fully understand the gravity of that change and the potential business impact, so we're working on ways to do this without breaking things.
Figuring out exactly when you have enough data is kind of a hard problem. If a user only runs an application once a week, then you'll have to wait at least a week to see that application. If they are out or it doesn't get run, you may think you've seen all the applications, but you haven't.
One way we're looking to mitigate this and new applications after a policy is enforced is by making the feedback loop quick when something is blocked. Instead of trying to pass this along to the Huntress admin users and asking them to quickly respond and make a policy decision, we're going to make the decision quickly based on whether the application is legitimate or not and then notify the Huntress admins so they can decide if they want to block the application in the future.
This should balance the need to get work done and get out of the way of the users with security. It can never be perfect because usability and security are inversely proportional, but it should make it a lot better than letting users (who are often local admins) run whatever they want unchecked.
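The audit-then-enforce decision described in the post, as an added illustration that is not part of the post or of Huntress's product code: a per-endpoint readiness check that only clears an endpoint for enforcement once nothing outside the allow list has been seen and the audit window is long enough for weekly-run applications to show up. The events, paths, allow-list entries and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-mode events: (timestamp, endpoint, executable path).
# Hypothetical data, not real telemetry.
AUDIT_EVENTS = [
    ("2024-03-01T09:00", "ws-01", r"C:\Program Files\Office\WINWORD.EXE"),
    ("2024-03-01T09:05", "ws-02", r"C:\Program Files\Office\WINWORD.EXE"),
    ("2024-03-04T10:00", "ws-01", r"C:\Program Files\Acme\report.exe"),
    ("2024-03-08T11:00", "ws-02", r"C:\Users\bob\Downloads\installer.exe"),
    ("2024-03-11T10:00", "ws-01", r"C:\Program Files\Acme\report.exe"),
]

# Allow list built so far from the catalog (hypothetical entries).
ALLOW_LIST = {
    r"C:\Program Files\Office\WINWORD.EXE",
    r"C:\Program Files\Acme\report.exe",
}


def catalog(events):
    """Per endpoint and per application: first seen, last seen, run count."""
    seen = defaultdict(dict)
    for ts, endpoint, app in events:
        t = datetime.fromisoformat(ts)
        entry = seen[endpoint].setdefault(app, {"first": t, "last": t, "runs": 0})
        entry["first"] = min(entry["first"], t)
        entry["last"] = max(entry["last"], t)
        entry["runs"] += 1
    return seen


def enforce_readiness(events, allow_list, now, min_audit_days=14):
    """Per endpoint: (ready_to_enforce, applications not on the allow list).

    An endpoint is ready only when every application it has run is on the
    allow list (the "flagged count reaches zero" condition) AND it has been
    audited for at least min_audit_days, so that an application a user runs
    only once a week has had a chance to appear in the catalog.
    """
    result = {}
    for endpoint, apps in catalog(events).items():
        first_event = min(e["first"] for e in apps.values())
        unlisted = sorted(app for app in apps if app not in allow_list)
        long_enough = now - first_event >= timedelta(days=min_audit_days)
        result[endpoint] = (long_enough and not unlisted, unlisted)
    return result


def readiness_at(iso_now):
    """Convenience wrapper: evaluate the constructed data at a given instant."""
    return enforce_readiness(AUDIT_EVENTS, ALLOW_LIST, datetime.fromisoformat(iso_now))


if __name__ == "__main__":
    for endpoint, (ready, unlisted) in readiness_at("2024-03-16T00:00").items():
        print(endpoint, "enforce" if ready else "stay in audit", unlisted)
```

Running it at 2024-03-16 clears ws-01 for enforcement while ws-02 stays in audit because of the unreviewed installer.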
Matt Dunn
This would be a concern, not having this available. When onboarding, we'd want to audit the rules first and see what is aligned before pushing to the masses.