Synopsis:
When FlexApp packages are played back, they inherit the ACL and permissions of the existing parent folder on the playback machine, i.e., whatever the "C:\Program Files" ACL is. There may be scenarios in which you want to apply custom permissions to files or folders contained within a FlexApp package and override the automatic inheritance.
For example, adjusting the permissions on a file or folder within the FlexApp package that a user needs write access to can avoid having to make the user a local administrator or run the application in an elevated state using the Elevation Module.
Options: (Ordered by recommendation)
- Create a "Post Activation" script that applies the needed permissions using something like icacls.exe or Set-Acl and include it in the Scripts section of the FlexApp package itself.
- Use a similar script, or even just a command, and apply it within the Application Launcher module. This gives you the ability to filter it on an as-needed basis instead of applying it to everyone, as would happen with the former option.
Overview:
- Post Activation Script
  1. On the FlexApp Packaging Console, clone the application in question. We will work with the cloned copy, which will then be swapped into the ProU config in place of the current package. (Skip to step 2 if you're working with a package that is neither assigned within a ProU configuration nor actively in use and currently played back to users.)
  2. Click the Play button next to the application so it is replayed on the FPC and click OK when done.
  3. Click the Edit button on the package to open the drop-down menu, scroll and click on the "ABC Scripts" button.
  4. Click Add Script, select "appdir-1", "Post Activation", point to your script's location to insert it into the package and click OK (twice).
  5. The package will then be saved and ready for assignment within a ProU configuration.
Notes / Troubleshooting: (Notes are listed in the same order as the options)
- Post activation scripts contained within the FlexApp package execute after playback for all users that get the package, or as the ProfileUnity Client Service account if the package is played back on boot. If you use the USERNAME environment variable in the script, it will match the user doing the actual playback.
- Using Application Launcher rules should be a last resort because there can be timing issues. Since FlexApp playback happens in parallel to other ProfileUnity operations, it's possible the Application Launcher command could run before the application in question is actually played back. This would make it appear that the script isn't working, since playback would override the permission changes after the fact. Using the client_FlexAppDIA and client_ApplicationLauncher logs from the user's %TEMP%\ProfileUnity folder, you can compare the last timestamp in each log to get an idea of the timing. You may then need to have your script wait/loop until it no longer sees a process named "LwL.ProfileUnity.Client.ShortcutCleanup.exe" running and then apply the needed permission changes. That process remains open until all of the FlexApp packages have been played back.
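A permission script along the lines described above, as an added example (not Liquidware's code): it grants Modify on a single folder with icacls.exe, reads the ACL back to confirm the change, and with -WaitForPlayback first waits for the ShortcutCleanup process to exit for the Application Launcher case. The folder path, the choice of BUILTIN\Users as the grantee, the timeout and the parameter names are assumptions for illustration.

```powershell
# Added example, not vendor code. $TargetPath is a hypothetical data folder inside the package.
param(
    [string]$TargetPath = 'C:\Program Files\ExampleApp\Data',  # hypothetical; use your folder
    [switch]$WaitForPlayback,                                   # set when run from Application Launcher
    [int]$TimeoutSeconds = 300                                  # assumed upper bound for the wait
)

$usersSid = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users, independent of OS language
$rights   = [System.Security.AccessControl.FileSystemRights]::Modify

if ($WaitForPlayback) {
    # Process named in the note above; Get-Process takes the name without ".exe".
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while (Get-Process -Name 'LwL.ProfileUnity.Client.ShortcutCleanup' -ErrorAction SilentlyContinue) {
        if ((Get-Date) -gt $deadline) {
            Write-Error "Playback still running after $TimeoutSeconds s; nothing changed."
            exit 1
        }
        Start-Sleep -Seconds 2
    }
}

if (-not (Test-Path -LiteralPath $TargetPath -PathType Container)) {
    Write-Error "Folder not found (package not played back?): $TargetPath"
    exit 2
}

# Grant Modify, not Full control, on the one folder that needs it. Keep the grant off
# folders that hold executables or DLLs, or standard users could replace program code.
& icacls.exe $TargetPath /grant "*${usersSid}:(OI)(CI)M" | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Error "icacls.exe failed with exit code $LASTEXITCODE"
    exit 3
}

# Read the ACL back and confirm an explicit Allow rule with Modify now exists for the SID.
$sidType = [System.Security.Principal.SecurityIdentifier]
$granted = (Get-Acl -LiteralPath $TargetPath).GetAccessRules($true, $false, $sidType) |
    Where-Object {
        $_.IdentityReference.Value -eq $usersSid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $rights) -eq $rights
    }
if (-not $granted) {
    Write-Error "Expected Modify rule for $usersSid is missing on $TargetPath"
    exit 4
}
Write-Output "Modify granted to $usersSid on $TargetPath"
```

The non-zero exit codes make a failed or skipped grant visible to whatever launches the script instead of failing silently.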
Product: ProfileUnity-FlexApp
Product Version: 6.8.3+