Table of contents

Customize advanced system settings

Several advanced features are located on Administration > System Settings > Advanced.

You can automate system setting changes using the Workload Security API. For examples, see Configure Policy, Computer, and System Settings.


Export file character encoding: The character encoding used when you export data files from Workload Security. The encoding must support characters in your chosen language.

Exported Diagnostics Package Language: Your support provider may ask you generate and send them a Workload Security diagnostics package. This setting specifies the language the package will be in. The diagnostic package is generated on Administration > System Information.

Manager AWS Identity

You can configure cross-account access. Select one of the following:

  • Use Manager Instance Role: The more secure option to configure cross-account access. Attach a policy with the sts:AssumeRole permission to the Workload Security instance role, then select this option. Does not appear if Workload Security does not have an instance role.
  • Use AWS Access Keys: Create the keys and attach a policy with the sts:AssumeRole permission before you select this option, and then type the Access Key and Secret Key.

Application control

Every time you create an Application Control ruleset or change it, it must be distributed to all computers that use it. Shared rulesets are bigger than local rulesets. Shared rulesets are also often applied to many servers. If they all downloaded the ruleset directly from the manager at the same time, high load could cause slower performance. Global rulesets have the same considerations.

Using relays can solve this problem. For information on configuring relays, see Distribute security and software updates with relays.

To use this option, create a relay group, then go to Administration > System Settings > Advanced and select Serve Application Control rulesets from relays.

Verify compatibility with your deployment before using relays. If the agent does not have any previously downloaded rulesets currently in effect, and if it does not receive new Application Control rules, then the computer cannot be protected by Application Control. If an Application Control ruleset fails to download, a ruleset download failure event is recorded on the manager and on the agent.