Dec 04, 2014 - 2 Comments - Virtual Vibes -

RequirePublishAsAdmin in App-V 5.0 SP3

Right so pre SP3 for App-V 5.0, aslong as a package was added into the client cache, any user (admin or non admin) could go ahead and publish the application to themselves with a quick and easy line or PowerShell. There weren’t really many ways to negate this apart from custom ACLs on the package store or using a feature called PackageStoreAccessControl, a feature which has now been deprecated and is no longer supported.

Enter RequirePublishAsAdmin…

You might notice this new setting available on the App-V 5.0 SP3 client when running a Get-AppvClientConfiguration

setting

You enable this setting with a simple Set-AppvClientConfiguration -RequirePublishAsAdmin 1

Once enabled exactly what you expect takes effect, the next time a non admin user logs on, even if a package has already been added to the client they lose the ability to publish packages to themselves. To understand more about the difference between adding and publishing read here.

Here we can see a standard user has visibility of the fact a package is in cache but not currently published to them:

getdash

If this non-admin user tries to publish this package they will get the following message warning them they need admin rights:

publishdash

This is well welcomed feature, however there is no thing to note, unlike PackageStoreAccessControl, RequirePublishAsAdmin does not prevent a non admin user browsing the package store cache and reading the contents or even copying contents out. It does however stop a non admin gaining access to a package that has not been authorised to them.

2 Responses to RequirePublishAsAdmin in App-V 5.0 SP3

  1. IV

    Great blog, Thamim. I read it religiously. Question: Do you know if enabling ‘RequirePublishAsAdmin’ prevents SCCM from deploying per-user App-V packages?

    Given the SCCM Client will run the Publish powershell command in the context of the target user, I’m wondering if this policy will prevent the application from being published at all!

    8 Jan 2015 - Reply

Leave a Reply

Your email address will not be published. Required fields are marked *