Aug 12, 2013 - Virtual Vibes

PackageStoreAccessControl – Restricting Access to the Package Cache in App-V 5.0

5th December 2014 | PLEASE NOTE: This feature has been deprecated and is not supported. Please use the RequirePublishAsAdmin feature.

8th November 2014 | PLEASE NOTE: This feature is being deprecated and is not supported.

8th April 2014 | PLEASE NOTE: Enabling the PackageStoreAccessControl client configuration setting on a computer that is running Remote Desktop Services (RDS) or a multi-user environment is not supported until further notice.

With App-V 5.0 SP2 (Beta) we now have a new configuration item called PackageStoreAccessControl:

[Screenshot: getconfig]

This setting allows us to lock down the cache location/package store according to who has been authorised to access a particular package.

We can issue the following command to enable this setting:

This will change the relevant registry key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\Streaming:

[Screenshot: setconfig]

If I now log in as a non-admin user and try to browse the package store of a package that has not been published to me, I get the following access denied message:

[Screenshot: accessdenied]

All that is happening behind the scenes is that the “everyone” read permissions are being removed from the package cache at the version GUID folder level:

[Screenshot: enabledisable]
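To check that ACL change across a whole client, the following audit script reports which version GUID folders "Everyone" can still read and flags any that remain readable while the setting is on. It is an added example, not part of the original post; it assumes the package store layout `<root>\<PackageId>\<VersionId>` and an elevated PowerShell session, and the function name `Test-EveryoneRead` is hypothetical.

```powershell
# Added example (not from the original post). Run elevated on an App-V 5.0 client.
# Assumption: the package store uses the layout <root>\<PackageId>\<VersionId>.
Import-Module AppvClient

function Test-EveryoneRead {
    param([Parameter(Mandatory)][string]$Path)
    # Resolve ACEs to SIDs so the check also works on localized Windows builds.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $read = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq 'S-1-1-0' -and      # Everyone
            $rule.AccessControlType -eq 'Allow' -and
            ($rule.FileSystemRights -band $read)) {
            return $true
        }
    }
    return $false
}

# Current value of the setting and the package store root, as the client reports them.
$enabled = [int](Get-AppvClientConfiguration -Name PackageStoreAccessControl).Value -eq 1
$root = [Environment]::ExpandEnvironmentVariables(
    (Get-AppvClientConfiguration -Name PackageInstallationRoot).Value)

# Walk every package added to the machine and inspect its version GUID folder.
$report = foreach ($pkg in Get-AppvClientPackage -All) {
    $folder = Join-Path $root (Join-Path "$($pkg.PackageId)" "$($pkg.VersionId)")
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    $open = Test-EveryoneRead -Path $folder
    [pscustomobject]@{
        Name            = $pkg.Name
        VersionId       = $pkg.VersionId
        EveryoneCanRead = $open
        # With the setting on, a folder Everyone can still read is unexpected.
        Mismatch        = ($enabled -and $open)
    }
}
$report | Sort-Object Mismatch -Descending | Format-Table -AutoSize
```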

Enabling this setting also naturally locks down the ability for non-admin users to use PowerShell to publish/unpublish packages to themselves. Without this setting enabled, non-admin users can normally manually publish a package if it has already been added into the package store via the Add-AppvClientPackage command by an administrator.

Once this setting is enabled, non-admins will be unable to publish packages to themselves and get an access denied message:

[Screenshot: publisherror]

I have heard plenty of customers express concern about non-admin access to the package store in terms of compliance from a security and licensing perspective. Enabling this setting will ensure non-admin users are not able to browse the package store for packages they have not been granted access to. Moreover, it will stop users publishing packages that have already been added to the package store.