-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathinstall_info.txt
executable file
·89 lines (62 loc) · 5.31 KB
/
install_info.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
PerUser/PerMachine
There's no such thing as "install privileges".
The only reason that a non-admin user cannot install a conventional application is that the installer typically
(a) wants to put the application files in Program Files which requires admin privilege; and
(b) wants to create a registry key in HKEY_LOCAL_MACHINE\Software and write to it.
[Still older installers may also want to write files into system32, make other global registry changes, and so on, but this is discouraged nowadays.]
A per-user install happens without any administrator privilege.
The application files are put in the user's own space, e.g., inside the application data folder,
and the application's registry key is created in HKEY_CURRENT_USER\Software instead of HKLM.
This means the user can install the application themselves without the admin's assistance or permission.
[Actually an administrator can lock down the system in such a way that users can't install their own applications, but this isn't common outside of the stricter enterprise environments.]
If an application only supports per-user installation, there is no way for the administrator to install the application on the user's behalf.
Each user has to run the installer themselves.
[Of course a skilled administrator could automate this so that, for example, the installer runs automatically when the user logs in.]
Whether per-user installation makes things easier or harder on the IT staff depends entirely on the scenario.
However, many enterprise sysadmins are unhappy about per-user applications.
There are also scenarios (roaming profiles, for example) where per-user applications may either malfunction or cause other problems such as excessive network load or disk quota issues.
[And in some enterprises they will be locked out altogether due to software restriction policy, AppLocker, and/or third-party equivalents.]
It is possible for an installer to support both per-machine and per-user installation, so this is usually the best option;
alternatively, like Google Chrome, you could provide separate per-user and a per-machine installers for the same application.
If I understand correctly, Windows Installer makes it particularly easy to provide an installer that can do both per-machine and per-user installations.
Most .msi files that support per-user installations will also support per-machine installations via the ALLUSERS property.
I'm not sure whether the developer needs to do anything in particular to make this work.
https://docs.microsoft.com/en-us/windows/win32/msi/installation-context
PerUser Install (cannot be used by sysadmins, they need a perMachine install)
------------------------------------------------------------------------------
=> both on win7 and win10: LocalAppDataFolder (wix) folder points to user/AppData/Local
=> see with set in environment variable to LOCALAPPDATA
=> native app beidconnect is same for all browsers (except Safari on Mac where all sources are directly part of the Safari App extension ObjC++ => C/C++)
Installation of beidconnect to .../user/AppData/Local/BOSA/beidconnect/
- Chrome (also Edge based on Chromium, Opera), firefox
Json file points to native app beidconnect.exe
- Safari Extension
Safari app extension contains all the sources from beidconnect -> common so no link to beidconnect app
Internet explorer ActiveX
==============================
For the ActiveX control to be allowed, a trusted site domain needs to be added to the security settings of Internet Explorer
https://support.microsoft.com/nl-be/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users
PerUser install
----------------
\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\belgium.be
=> key "https" value: 2 (DWORD)
PerMachine install
------------------
\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\belgium.be
=> key "https" value: 2 (DWORD)
(Wow6432 is the key for 32bit apps on a 64bit system)
*** \HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\belgium.be
*** => \HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\belgium.be
Group Policies
-----------------
If group-policies are set or regkey HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings -> Security_HKLM_only (DWORD:1)
Then current user settings are not active (although still displayed in internet settings)
(Internet settings show that settings are managed by admin)
=>use Group policies to set registry settings for current users
https://docs.microsoft.com/en-us/troubleshoot/browsers/ie-security-zones-registry-entries
https://www.grouppolicy.biz/2012/07/how-to-configuring-ie-site-zone-mapping-using-group-policy-without-locking-out-the-user/
https://serverfault.com/questions/788463/why-is-sitetozoneassignment-gpo-applying-but-sites-not-appearing-in-ie
https://getadmx.com/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetExplorer::IZ_Zonemaps_2
Windows defender SmartScreen can block new (unknown) applications
==================================================================
https://support.microsoft.com/en-us/topic/what-is-smartscreen-and-how-can-it-help-protect-me-1c9a874a-6826-be5e-45b1-67fa445a74c8