Aug 12, 2013 - 4 Comments - Virtual Vibes

PackageStoreAccessControl – Restricting Access to the Package Cache in App-V 5.0

5th December 2014 | PLEASE NOTE: This feature has been deprecated and is not supported. Please use the RequirePublishAsAdmin feature instead.

8th November 2014 | PLEASE NOTE: This feature is being deprecated and is not supported.

8th April 2014 | PLEASE NOTE: Enabling the PackageStoreAccessControl client configuration setting on a computer that is running Remote Desktop Services (RDS) or in a multi-user environment is not supported until further notice.

With App-V 5.0 SP2 (Beta) we now have a new configuration item called PackageStoreAccessControl:

[Image: getconfig]

This setting allows us to lock down the cache location/package store according to who has been authorised to access a particular package.

We can issue the following command to enable this setting:

This will change the relevant registry key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\Streaming:

[Image: setconfig]

If I now log in as a non-admin user and try to browse the package store of a package that has not been published to me, I get the following access denied message:

[Image: accessdenied]

All that is happening behind the scenes is that the “everyone” read permissions are being removed from the package cache at the version GUID folder level:

[Image: enabledisable]
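
One way to verify that permission change on a client, as an added example that is not from the original post: the function below reports, for each version GUID folder, whether an allow entry still gives Everyone read access. The function name, the default package store path (%ProgramData%\App-V), the registry value name and the `<store>\<PackageGuid>\<VersionGuid>` layout are assumptions.

```powershell
# Added example. Assumptions: default package store path, registry value name,
# and a <store>\<PackageGuid>\<VersionGuid> folder layout.
function Get-PackageStoreAclReport {
    param(
        [string]$PackageStore = (Join-Path $env:ProgramData 'App-V'),
        [string]$ValueName    = 'PackageStoreAccessControl'   # assumed value name
    )
    # Registry key named in the post; the value is $null if it is not set.
    $key     = 'HKLM:\SOFTWARE\Microsoft\AppV\Client\Streaming'
    $setting = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    # ReadData/ListDirectory (0x1) plus the generic bits an ACE may carry instead:
    # GENERIC_READ (0x80000000) and GENERIC_ALL (0x10000000).
    $readMask = 0x1 -bor 0x80000000 -bor 0x10000000

    Get-ChildItem -LiteralPath $PackageStore -Directory -ErrorAction Stop | ForEach-Object {
        $package = $_
        Get-ChildItem -LiteralPath $package.FullName -Directory | ForEach-Object {
            $version = $_
            # Ask for SIDs so the check does not depend on localized account names.
            $rules = (Get-Acl -LiteralPath $version.FullName).GetAccessRules(
                $true, $true, [System.Security.Principal.SecurityIdentifier])
            $everyoneRead = @($rules | Where-Object {
                $_.IdentityReference.Value -eq 'S-1-1-0' -and      # Everyone
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights) -band $readMask) -ne 0
            }).Count -gt 0
            [pscustomobject]@{
                PackageId       = $package.Name
                VersionId       = $version.Name
                SettingValue    = $setting
                EveryoneCanRead = $everyoneRead
            }
        }
    }
}

# Run elevated: list version folders that any user can still browse.
Get-PackageStoreAclReport | Where-Object EveryoneCanRead | Format-Table -AutoSize
```

The report only looks at allow entries for Everyone; access granted through other groups, or blocked by deny entries, is not evaluated.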

Enabling this setting also naturally locks down the ability for non-admin users to use PowerShell to publish/unpublish packages to themselves. Without this setting enabled, non-admin users can normally manually publish a package if it has already been added into the package store via the Add-AppvClientPackage command by an administrator.

Once this setting is enabled, non-admins will be unable to publish packages to themselves and get an access denied message:

[Image: publisherror]

I have heard plenty of customers express concern about non-admin access to the package store, in terms of compliance from a security and licensing perspective. Enabling this setting ensures that non-admin users cannot browse the package store for packages they have not been granted access to; moreover, it stops users from publishing packages that have already been added to the package store.

4 Responses to PackageStoreAccessControl – Restricting Access to the Package Cache in App-V 5.0

  1. Vaishnavi Sreedharan

    Good information, Thamim Karim. Thank you 🙂

    26 Apr 2014
    • Thamim Karim

      No problems Vaishnavi, you're welcome!

      26 Apr 2014
