How can I block ClickOnce application deployment?

  • Question

  • Hi,
    First of all, sorry for my English.

    In my enterprise I want to block the execution of ClickOnce applications from UNC.
    Some people write .NET applications and deploy them on a UNC path, but this is not good for enterprise policy.
    How can I resolve the problem?

    thanks.
    Wednesday, October 28, 2009 3:49 PM

All replies

  • Hi meiemy,

    I don't think you can, unless you fully restrict the users' ability to write anything to their profile. ClickOnce apps install under the user's profile, and require no privileges to install. It also can't do anything privileged, if that makes you feel any better.

    Now, the .NET Framework is required to run it, so if you have no other reason for having that installed, including any other product that your company uses, you could remove it. They have to have administrative privileges to install it. This is a pretty radical thing to do, and on Vista and Windows 7, I have no idea what it might do, but I sure wouldn't do it.

    RobinDotNet

    Microsoft MVP, Client App Dev
    • Proposed as answer by Kira Qian Thursday, October 29, 2009 6:26 AM
    • Marked as answer by Kira Qian Friday, October 30, 2009 3:09 AM
    Wednesday, October 28, 2009 6:59 PM
  • Hello maiemy,

    > Some people write .NET application and deploy on a UNC path the application, but this is no good for enterprise policy.

    Do you mean some people deploy the app into the server sharing folder? If so, I think the problem doesn't relate to ClickOnce deployment, but relates to Windows server security. You can give permission to some user accounts in a domain with NTFS permission settings.

    If I misunderstood you, please feel free to tell me.

    Sincerely,
    Kira Qian
    MSDN Subscriber Support in Forum
    Thursday, October 29, 2009 6:41 AM

  • I thought there was a chance to stop unauthorized .NET applications from running.
    I need to prevent people from developing and deploying applications that are not required.

    thank you very much

    Thursday, October 29, 2009 9:59 AM
  • Sorry, as I said before, I don't know of any way to do this. You could take Visual Studio away from them I suppose, or issue a strict corporate policy, but there's nothing system-related that would allow you to block a ClickOnce installation other than access to the network share where they put it.

    If you could block access by file extension, you could try blocking access to the appname.application file. That's what is called to install the application. I don't know if that's even possible with network shares.

    RobinDotNet

    Microsoft MVP, Client App Dev
    • Marked as answer by Kira Qian Friday, October 30, 2009 3:09 AM
    Thursday, October 29, 2009 7:15 PM
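
The reply above names the `appname.application` file on the share as the thing that starts an install. As an added example (not part of the thread and not written by any of its participants), the PowerShell below inventories those manifests under a folder or UNC path, so an administrator can see what has been published and by which file owner. The function name `Get-ClickOnceDeployment`, the sample manifest and the server name in it are constructed for illustration.

```powershell
# Added example: list ClickOnce deployment manifests (*.application) under a folder or share.
function Get-ClickOnceDeployment {
    param([Parameter(Mandatory = $true)][string]$Root)

    Get-ChildItem -Path $Root -Filter *.application -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $row = [ordered]@{
                Path = $_.FullName; Modified = $_.LastWriteTime
                Owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner
                Name = $null; Version = $null; Codebase = $null; Parsed = $false
            }
            try {
                $doc = New-Object System.Xml.XmlDocument
                $doc.Load($_.FullName)
                # local-name() keeps the queries independent of the prefixes a manifest uses
                $id = $doc.SelectSingleNode("/*[local-name()='assembly']/*[local-name()='assemblyIdentity']")
                $dp = $doc.SelectSingleNode("//*[local-name()='deploymentProvider']")
                if ($id) { $row.Name = $id.GetAttribute('name'); $row.Version = $id.GetAttribute('version') }
                if ($dp) { $row.Codebase = $dp.GetAttribute('codebase') }
                $row.Parsed = [bool]$id
            } catch {
                # Unreadable or malformed file: the row is still emitted (Parsed = False) for manual review
            }
            [pscustomobject]$row
        }
}

# Constructed sample manifest so the function can be tried offline.
# In real use, pass the share to audit as -Root instead of the temp folder.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'clickonce-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
<asmv1:assembly xmlns="urn:schemas-microsoft-com:asm.v2"
                xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="SampleApp.application" version="1.0.0.0"
                    xmlns="urn:schemas-microsoft-com:asm.v1" />
  <deployment install="true">
    <deploymentProvider codebase="\\fileserver.example\apps\SampleApp.application" />
  </deployment>
</asmv1:assembly>
'@ | Set-Content -Path (Join-Path $demo 'SampleApp.application') -Encoding UTF8

Get-ClickOnceDeployment -Root $demo | Format-List
```

Rows with `Parsed = False` are files that carry the `.application` extension but could not be read as a deployment manifest.
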
  • Thank you very much for your help.

    ciao
    Thursday, October 29, 2009 8:15 PM