With App-V 5.0 SP2 (Beta) we now have a new configuration item called PackageStoreAccessControl
This setting allows us to lock down the cache location/package store according to who has been authorised to access a particular package.
We can issue the following command to enable this setting:
Set-AppvClientConfiguration -PackageStoreAccessControl 1
This will change the relevant registry key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\Streaming
If I now log in as a non admin user and try to browse the package store of a package I have not had published to me I get the following access denied message:
All that is happening behind the scenes is that the “everyone” read permissions are being removed from the package cache on the version GUID folder level:
Enabling this setting also naturally locks down the ability for non-admin users to use PowerShell to publish/unpublish packages to themselves. Without this setting enabled, non-admin users can normally manually publish a package if it has already been added into the package store via the Add-AppvClientPackage command by an administrator.
Once this setting is enabled, non-admins will be unable to publish packages to themselves and get an access denied message:
I have heard plenty of customers express concern about non-admin access to the package store in terms of compliance from a security and licensing perspective, enabling this setting will ensure non-admin users will not be able to browse the package store for packages they have not been granted access to, moreover it will stop users publishing packages that have already been added to the package store.
Good Information Thamim Karim Thank u :)
No problems Vaishnavi, your welcome!