[AppLocker]: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview
[Application Identity Service]: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-application-identity-service
# Testing with Windows AppLocker
Windows environments with [AppLocker][AppLocker] enabled present unique challenges for `conda` development and testing. This guide explains how to set up a testing environment with AppLocker to ensure `conda` works correctly in these environments.
## Why Test with AppLocker?
AppLocker is Microsoft's application control solution that allows organizations to:
- Control which applications and files users can run
- Create rules to allow or deny applications from running based on file attributes
- Create exceptions to rules
Many enterprise environments use AppLocker to restrict script execution, which can impact environment activation and execution processes. Testing with AppLocker ensures `conda` works properly in these restricted environments.
## Setting Up AppLocker for Testing
### Step 1: Enable the [Application Identity Service][Application Identity Service]
:::{note}
The Application Identity Service is required for AppLocker to function properly.
:::
1. Open the **Services** application (press `Win+R`, type `services.msc`, and press Enter)
2. Find **Application Identity** in the list of services
3. Right-click on it and select **Properties**
4. *Optional*: Change **Startup type** to **Automatic** if you want the service to start on boot
5. Click **Start** to start the service
6. Click **OK** to close the properties window
### Step 2: Configure AppLocker Enforcement
1. Open **Local Security Policy** (press `Win+R`, type `secpol.msc`, and press Enter)
2. Navigate to **Security Settings** > **Application Control Policies** > **AppLocker**
3. Right-click on **AppLocker** and select **Properties**
4. Under the **Enforcement** tab, check **Script Rules** and set it to **Enforce rules**
5. Click **OK** to close the properties window
### Step 3: Create AppLocker Rules
1. In the **Local Security Policy** window, navigate to **Script Rules** under **AppLocker**
2. Right-click on **Script Rules** and select **Create Default Rules** to establish baseline rules
3. Create an Allow Rule for your development environment:
   - Right-click on **Script Rules** and select **Create New Rule...**
   - Choose **Allow** under Permissions and set the user/group to **Everyone**
   - Select **Path** as the condition
   - Enter the path to your development environment (e.g., path to `devenv`)
   - Complete the wizard without adding exceptions
4. Create an Allow Rule for the conda source code location using the same process
5. Create a Deny Rule for the `%TEMP%` directory:
   - Follow the same process but choose **Deny** under Permissions
   - Enter the absolute path of the `%TEMP%` directory as the path condition
6. Restart your computer to apply the rules
```{figure} /img/applocker.png
:name: Windows AppLocker
```

## Testing Conda with AppLocker Enabled
After setting up AppLocker, you can test conda to ensure it works correctly:
1. Start your development environment with `.\dev\start.bat`
2. Run `conda activate` to test activation
3. Test other conda commands to ensure they function properly
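
The setup steps above can be cross-checked from an elevated PowerShell prompt. The following is an added example, not part of the conda repository or its tooling; `$DevPath` and the probe file name are placeholders you must adapt, and it assumes the Allow and Deny rules from Step 3 were created for **Everyone**.

```powershell
# Added example. Run from an elevated PowerShell prompt.
$DevPath = 'C:\path\to\conda'   # placeholder: your conda source checkout

# Step 1 check: AppLocker does not evaluate rules unless this service runs.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Write-Warning "Application Identity service is $($svc.Status); rules are not being applied."
}

# Step 2 check: enforcement mode of the Script rule collection.
# Values are NotConfigured, AuditOnly or Enabled ("Enforce rules").
[xml]$policyXml = Get-AppLockerPolicy -Effective -Xml
$scriptRules = $policyXml.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Script' }
"Script rules enforcement mode: $($scriptRules.EnforcementMode)"

# Step 3 check: ask the policy engine how it would treat concrete files.
# A throwaway probe in %TEMP% should come back Denied; scripts under the
# allowed source tree should come back Allowed.
$probe = Join-Path $env:TEMP 'applocker-probe.bat'   # constructed file name
Set-Content -Path $probe -Value '@echo applocker probe'
$targets = @($probe)
if (Test-Path $DevPath) {
    $targets += Get-ChildItem -Path $DevPath -Recurse -File -Include *.bat, *.ps1 |
        Select-Object -First 20 -ExpandProperty FullName
}
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $targets -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $probe

# After running `conda activate`: list what AppLocker actually did.
# 8005 = script allowed, 8006 = would be blocked (audit), 8007 = blocked.
$filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/MSI and Script'
    Id        = 8005, 8006, 8007
    StartTime = (Get-Date).AddMinutes(-15)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If the probe is reported as allowed or the event query returns nothing after a `conda activate` run, recheck the service state and the enforcement mode before drawing conclusions about `conda` itself.
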
### Toggling AppLocker for Testing
You can easily toggle AppLocker enforcement on and off for quick testing:
1. Open **Local Security Policy** (press `Win+R`, type `secpol.msc`, and press Enter)
2. Navigate to **Security Settings** > **Application Control Policies** > **AppLocker**
3. Right-click on **AppLocker** and select **Properties**
4. Under the **Enforcement** tab, uncheck or check **Script Rules** as needed
5. Click **OK** to apply the changes
This allows you to quickly switch between testing with and without AppLocker restrictions without restarting your machine.