How to deploy SoftGrid MSI's under Limited User context

This was a nice little post that Ment van der Plas wrote. It's funny cos it helped in a discussion that I was having with Matheesha, who works in another team but does a similar job! The discussion was around delegating permissions to allow application installations, virtualized and non-virtualized.

---------------------------------------------

One of the main advantages of Microsoft Application Virtualization (SoftGrid) is that applications that would normally require Administrator privileges now can be virtualized and therefore can run under Limited User context. Application delivery can be done through a “classic” streaming server and through MSI deployment.

A downside to the MSI deployment model is that it needs Administrator privileges to install, not so much for the SoftGrid part (i.e. adding and loading the application) but for the MSI part. In this post I will explain how to get the MSI install / uninstall to work under Limited User context and to make it suitable for CD/DVD deployment, for example.

Disclaimer: only use this post for test purposes, not for production environments.
For this post I used an MSI generated by the Microsoft Application Virtualization Sequencer version 4.5.0.606.

Step 1. Removing the Launch Condition
If you run the MSI with Limited User privileges it will result in an error stating “You must be an administrator to install application”. This error has nothing to do with the MSI actually executing operations that require administrative privileges. It is the result of a launch condition in the MSI that simply checks for them.
What you need to do is:

Open the generated MSI with Orca and locate the LaunchCondition table

Remove the row containing “Privileged”

Now the MSI won’t check for Administrative privileges anymore. If the MSI were to execute operations that the user isn’t allowed to perform, the result would be an access denied error and a rollback of the MSI. This is probably the case for “normal” MSI’s but not for SoftGrid MSI’s.
SoftGrid MSI’s are merely a wrapper around the Virtual Application and manage the creating and loading of the application. This could also be done through scripting, which was the case with the former SMS connector.

Step 2. Changing the ALLUSERS property
After removing the Privileged launch condition the MSI launches and you can click through the setup screens. However you will receive the error: “You do not have sufficient privileges to complete this installation for all users. Log on as Administrator and complete the installation”.
By default the MSI installs the package for all the users on the machine provided the user has administrative privileges.
To change this behavior do the following:

Locate the Property table

Set the property ALLUSERS to 2

This value makes the installer check the user’s privileges for administrative rights. Depending on the outcome of this check, it installs for all users if the user has enough administrative privileges; otherwise, it installs for the current user.

Step 3. Editing the SFTMIME commands
Now the MSI installation finishes, but the SoftGrid application is actually not loaded. This is because it's being added with the /GLOBAL parameter, which, if present, indicates that the association applies to all users. The Limited User doesn't have privileges to do so.
Locate the CustomAction table in the MSI and edit the following CustomActions:

SOFTGRID_ADD_PACKAGE; in the Target column remove the /GLOBAL parameter from the SFTMIME command

SOFTGRID_DELETE_PACKAGE; in the Target column remove the /GLOBAL parameter from the SFTMIME command
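
Steps 1 to 3 can also be applied with a script instead of Orca. The PowerShell below is an added example, not part of the original post: it edits a copy of the MSI through the Windows Installer automation object, and its parameter names and helper functions are hypothetical. It assumes the table, property and custom action names are exactly those given in the steps above.

```powershell
# Added example (not from the original post). $SourceMsi / $PatchedMsi are hypothetical parameters.
param([Parameter(Mandatory)][string]$SourceMsi, [Parameter(Mandatory)][string]$PatchedMsi)

# Members of this COM object are invoked via reflection; direct calls often fail in PowerShell.
function Invoke-Msi($Object, [string]$Name, [string]$Kind = 'InvokeMethod', [object[]]$Arguments) {
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Arguments)
}
# Open a view, pass every fetched record to $Action, then close the view.
function Edit-Rows($Database, [string]$Query, [scriptblock]$Action) {
    $view = Invoke-Msi $Database 'OpenView' -Arguments @($Query)
    Invoke-Msi $view 'Execute' | Out-Null
    while ($null -ne ($record = Invoke-Msi $view 'Fetch')) { & $Action $view $record }
    Invoke-Msi $view 'Close' | Out-Null
}

# Work on a copy so the sequencer-generated MSI stays untouched.
Copy-Item -LiteralPath $SourceMsi -Destination $PatchedMsi -Force
$path = (Resolve-Path -LiteralPath $PatchedMsi).Path
$installer = New-Object -ComObject WindowsInstaller.Installer
$db = Invoke-Msi $installer 'OpenDatabase' -Arguments @($path, 1)      # 1 = msiOpenDatabaseModeTransact

# Step 1: delete the LaunchCondition row containing "Privileged".
Edit-Rows $db 'SELECT `Condition` FROM `LaunchCondition`' {
    param($view, $record)
    if ((Invoke-Msi $record 'StringData' 'GetProperty' @(1)) -match 'Privileged') {
        Invoke-Msi $view 'Modify' -Arguments @(6, $record) | Out-Null  # 6 = msiViewModifyDelete
    }
}
# Step 2: set ALLUSERS to 2 (assumes the row already exists, as in the post).
Edit-Rows $db 'SELECT `Property`, `Value` FROM `Property` WHERE `Property` = ''ALLUSERS''' {
    param($view, $record)
    Invoke-Msi $record 'StringData' 'SetProperty' @(2, '2') | Out-Null
    Invoke-Msi $view 'Modify' -Arguments @(2, $record) | Out-Null      # 2 = msiViewModifyUpdate
}
# Step 3: strip /GLOBAL from the Target of the two SFTMIME custom actions.
Edit-Rows $db 'SELECT `Action`, `Target` FROM `CustomAction`' {
    param($view, $record)
    if ((Invoke-Msi $record 'StringData' 'GetProperty' @(1)) -in 'SOFTGRID_ADD_PACKAGE', 'SOFTGRID_DELETE_PACKAGE') {
        $target = (Invoke-Msi $record 'StringData' 'GetProperty' @(2)) -replace '\s*/GLOBAL\b', ''
        Invoke-Msi $record 'StringData' 'SetProperty' @(2, $target) | Out-Null
        Invoke-Msi $view 'Modify' -Arguments @(2, $record) | Out-Null
    }
}
Invoke-Msi $db 'Commit' | Out-Null                                     # persist all three edits
[void][Runtime.InteropServices.Marshal]::ReleaseComObject($db)         # release the file handle
```

Opening the patched copy in Orca afterwards is a quick way to confirm that the three tables contain the expected values.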

Step 4. Change User permissions on the client
The user also needs some additional permissions, which are granted in the Microsoft Application Virtualization Client Console (sftcmc.msc):

Add applications

Delete applications

Unload applications from the cache
Obviously the last two are needed if you want the user to also uninstall applications.

Be sure to set up the SoftGrid client as described in the Microsoft Application Virtualization 4.5 Trial Guide for Standalone Deployment, which can be found here.

That's it: you can now install an MS Virtual Application under Limited User context.