Restrict Unprivileged User Actions on Applications
Ordinary users cannot remove or turn off approved apps on their own.
Plain language
This is about making sure that regular staff members can't uninstall or turn off important software on company devices. It's important because if someone were to remove essential software by mistake, it could open the door for security risks, leading to data breaches or other disruptions.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Operating system hardening
Topic
Application Management
Official control statement
Unprivileged users do not have the ability to uninstall or disable approved applications.
Why it matters
If unprivileged users can uninstall or disable approved apps, security controls (e.g. AV/EDR) may be removed, increasing risk of compromise and data loss.
Operational notes
Enforce policy/MDM so standard users cannot uninstall or disable approved apps; regularly review local admin rights and alert on removal/disable events.
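One way to act on the "alert on removal/disable events" part of this note, as an added example that is not from this page or the ISM: a small Python detector run over constructed Windows log exports, matching MsiInstaller event 1034 (product removed) and Service Control Manager event 7040 (service start type changed to disabled) and flagging those carried out by accounts outside the administrator set. The approved-app list, the admin account set, the account names and the log lines are assumptions constructed for illustration; a Windows fleet is assumed.

```python
"""Flag uninstall / service-disable events on approved apps performed by
non-admin accounts. Event IDs are the standard Windows ones; everything else
here (accounts, app names, log lines) is constructed for illustration."""
import re

# Constructed sample in "source,event_id,user,message" form, as an MDM/SIEM
# collector might export Application and System log records.
SAMPLE_EVENTS = """\
MsiInstaller,1033,CORP\\itadmin,Windows Installer installed the product. Product Name: Approved EDR Agent.
MsiInstaller,1034,CORP\\jsmith,Windows Installer removed the product. Product Name: Approved EDR Agent.
Service Control Manager,7040,CORP\\jsmith,The start type of the Approved EDR Agent service was changed from auto start to disabled.
Service Control Manager,7040,CORP\\itadmin,The start type of the Print Spooler service was changed from auto start to disabled.
MsiInstaller,1034,CORP\\jsmith,Windows Installer removed the product. Product Name: Personal Notes App.
"""

APPROVED_APPS = {"Approved EDR Agent"}   # assumption: taken from the approved-software list
ADMIN_ACCOUNTS = {"CORP\\itadmin"}       # assumption: accounts permitted to change apps

PRODUCT_RE = re.compile(r"Product Name: (?P<name>[^.]+)\.")
SERVICE_RE = re.compile(r"start type of the (?P<name>.+?) service was changed .* to disabled")

def parse_events(text):
    """Yield one dict per record; messages contain no commas in this export."""
    for line in text.splitlines():
        source, event_id, user, message = line.split(",", 3)
        yield {"source": source, "event_id": int(event_id), "user": user, "message": message}

def classify(event):
    """Return (action, app) for remove/disable events, or None for anything else."""
    if event["source"] == "MsiInstaller" and event["event_id"] == 1034:
        m = PRODUCT_RE.search(event["message"])
        return ("uninstall", m.group("name")) if m else None
    if event["source"] == "Service Control Manager" and event["event_id"] == 7040:
        m = SERVICE_RE.search(event["message"])
        return ("disable", m.group("name")) if m else None
    return None

def find_violations(text, approved=APPROVED_APPS, admins=ADMIN_ACCOUNTS):
    """Events where a non-admin account removed or disabled an approved app."""
    hits = []
    for ev in parse_events(text):
        result = classify(ev)
        if result and result[1] in approved and ev["user"] not in admins:
            hits.append((ev["user"], result[0], result[1]))
    return hits

if __name__ == "__main__":
    for user, action, app in find_violations(SAMPLE_EVENTS):
        print(f"ALERT: {user} performed {action} on approved app '{app}'")
```

Removal of an unapproved app and changes made by an admin account are deliberately not flagged, so the alert stays tied to the control's scope.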
Implementation tips
- IT team should configure user permissions: Restrict staff access so they can't uninstall or disable approved applications. This can be done by setting user roles on devices that limit their ability to make changes.
- System administrators need to review software settings: Regularly check device settings to ensure restrictions are properly applied. Use tools like device management software to automate compliance checks.
- Managers should communicate policy: Inform staff about the software use policy and why these restrictions are in place, emphasising security benefits. Send out regular reminders and include this in onboarding training.
- IT support should monitor for exceptions: Keep an eye out for any attempts to bypass restrictions and quickly address any issues. This can be done by setting up alerts for unauthorised software changes.
- Procurement should standardise approved software: Maintain a list of approved applications and ensure all purchases and installations align with those guidelines. Regularly update this list to include any new recommended tools.
Audit / evidence tips
- Ask for device configuration settings: request documentation showing user permission settings. Good evidence includes settings showing non-admins can't uninstall critical applications.
- Ask staff about the software they can install or remove. Good evidence is that they know only IT can make such changes and that they have been informed about this policy.
- Good evidence includes real-time compliance monitoring and spot checks.
- Good evidence includes a list of training dates and attendance confirming understanding.
- Good evidence is a report showing no non-approved apps installed by non-admin users.
Cross-framework mappings
How ISM-0382 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.3 | ISM-0382 requires that unprivileged users cannot uninstall or disable approved applications |
| Supports | Annex A 8.18 | ISM-0382 requires that unprivileged users cannot uninstall or disable approved applications |
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | E8-AC-ML1.2 | E8-AC-ML1.2 requires application control coverage for user profiles and temporary folders to stop unapproved execution from common user-w... |
| Partially overlaps | E8-AH-ML1.4 | ISM-0382 requires that unprivileged users cannot uninstall or disable approved applications |
| Partially overlaps | E8-AH-ML2.7 | ISM-0382 requires that unprivileged users cannot uninstall or disable approved applications |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.