Effective immediately, the PackageStoreAccessControl (PSAC) feature that was introduced in Microsoft Application Virtualization (App-V) 5.0 Service Pack 2 (SP2) is being deprecated in both single-user and multi-user environments.
The PSAC feature has been unsupported in multi-user environments since the first hotfix package for App-V 5.0 SP2, however PSAC deployment in single-user environments has been supported until now. If you have deployed PSAC to single-user environments, remove the configuration option from any deployments
The scope of application entitlement enforcement in App-V will be reviewed and addressed as appropriate in a future release.
To address App-V application entitlement concerns, you can leverage the following features available today in App-V 5.0 SP2:
- By default, the location in Windows where App-V stores applications, %ProgramData%, is a hidden folder that most users will not understand how to browse. You can use this hidden folder with the “Pending Unpublish” feature in App-V 5.0 SP2 to alleviate some of the entitlement concerns.
- To prevent your end users from copying shortcuts and executables from the Program Data folder, consider the following:
The App-V 5.0 Team
Get the latest System Center news on Facebook and Twitter:
System Center All Up: http://blogs.technet.com/b/systemcenter/ System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/ System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/ System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/ System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm
Windows Intune: http://blogs.technet.com/b/windowsintune/ WSUS Support Team blog: http://blogs.technet.com/sus/ The AD RMS blog: http://blogs.technet.com/b/rmssupp/
The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/ The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/ The Forefront TMG blog: http://blogs.technet.com/b/isablog/ The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
Security by hidden folders.. nice.
"Copying executables from Program Data won’t allow users to run the application outside of an App-V environment, except for simple applications without any subsystems or integration."
How Naïve! This is a total mess and does not pass our pen-test or licensing requirements for application control.