Question A Question of Trust (1 Viewer)

theDBguy

I’m here to help
Joined
Oct 29, 2018
Messages
7,689
I agree but in my experience, certain users will just ignore the security bar message and complain the app doesn't work. That's why I use the approach I mentioned in post #14
Hi Colin. Unfortunately, that only works with non-corporate clients. Where I work, all VBA are disabled by IT and must be acknowledged by the user before it can run. Users are not able to adjust the Trust Settings on their machines.
 

isladogs

CID Moderator
Staff member
Joined
Jan 14, 2017
Messages
12,335
End users don't adjust any settings in my client organisations either.
In fact because the apps are locked down they have no access to Access options / nav pane etc

My commercial apps are always installed to a fixed location e.g. C:\Programs\MendipDataSystems\SchoolDataAnalyser

The program admin organises the distribution of the app to a set location as specified in the installation script.
The script is run. The entire folder structure including subfolders is then made trusted on each user's workstation.
As far as the end user is concerned, they don't need to do a thing (in fact they can't!).
When they first run the app its already trusted
 

theDBguy

I’m here to help
Joined
Oct 29, 2018
Messages
7,689
End users don't adjust any settings in my client organisations either.
In fact because the apps are locked down they have no access to Access options / nav pane etc

My commercial apps are always installed to a fixed location e.g. C:\Programs\MendipDataSystems\SchoolDataAnalyser

The program admin organises the distribution of the app to a set location as specified in the installation script.
The script is run. The entire folder structure including subfolders is then made trusted on each user's workstation.
As far as the end user is concerned, they don't need to do a thing (in fact they can't!).
When they first run the app its already trusted
See? There's the difference. In our environment, the app is "always" untrusted.
 

KACJR

Registered User
Joined
Jul 26, 2012
Messages
57
We are just starting our Windows 10 rollout. What I'm going to try is modifying the trust settings on my Win10 "gold" image so that everything is set when I image a PC.
 

theDBguy

I’m here to help
Joined
Oct 29, 2018
Messages
7,689
We are just starting our Windows 10 rollout. What I'm going to try is modifying the trust settings on my Win10 "gold" image so that everything is set when I image a PC.
That might be one way to tackle it. Good luck!
 

KACJR

Registered User
Joined
Jul 26, 2012
Messages
57
Thanks to all of your for insight and assistance. I learned an awful lot today thanks to you.
 

isladogs

CID Moderator
Staff member
Joined
Jan 14, 2017
Messages
12,335
See? There's the difference. In our environment, the app is "always" untrusted.
That's exactly the point I've been trying to make...but in reverse!
The system admin ensures my apps are saved to locations made trusted for all authorised users using the supplied script. Its a system I've used with all my clients for well over 10 years and works perfectly.
 

theDBguy

I’m here to help
Joined
Oct 29, 2018
Messages
7,689
That's exactly the point I've been trying to make...but in reverse!
The system admin ensures my apps are saved to locations made trusted for all authorised users using the supplied script. Its a system I've used with all my clients for well over 10 years and works perfectly.
Hi Colin. Just to clarify, in my environment, no app gets installed unless it's an approved application. Even still, I am saying "all VBA" are disabled, no matter what. So, even approved VBA-capable apps have to be manually "enabled" by the user when they use it. This happens whether IT set up a Trusted Location or not. Because VBA is disabled "by default," the warning still comes up and the user has to click the yellow button. I think this only applies to those programs that can execute macros/VBAs. Probably, the decision was made at some point to be safer than sorry. Cheers!


PS. Another thought... Probably the other reason for using the above approach (VBA disabled by default) is it also prevents anyone with a VBA application from simply putting a copy of it in a "known" trusted location. Just thinking out loud...
 

isladogs

CID Moderator
Staff member
Joined
Jan 14, 2017
Messages
12,335
Hi DBG
Also to clarify, in my clients' networks its also true that no app ever gets installed unless it's an application approved by the IT network staff following advice from other senior staff. That decision can typically take several months and I've often had to overcome hostility from network staff to installing any Access app across the network. If the 'powers that be' are not prepared to accept my conditions, I don't proceed with the sale.

However, once approved, the application(s) are installed by program admins/network staff to the workstations of all approved users ONLY.
This happens automatically the next time the user(s) log on. Similarly the script to trust the location is run automatically.

A typical client organisation will have anything up to 250 users but, at most, only 2 or 3 will be given elevated permissions to manage the application

End users do not have permissions to install or edit any applications anything themselves nor do they have permission to edit the registry (even if they know how). As they have no ability to reach Access options, end users cannot do any editing there either.
The reason for doing all the above is once again to be safe rather than sorry.
As I say the system has been in use for well over a decade and is absolutely foolproof.
 

theDBguy

I’m here to help
Joined
Oct 29, 2018
Messages
7,689
Hi DBG
Also to clarify, in my clients' networks its also true that no app ever gets installed unless it's an application approved by the IT network staff following advice from other senior staff. That decision can typically take several months and I've often had to overcome hostility from network staff to installing any Access app across the network. If the 'powers that be' are not prepared to accept my conditions, I don't proceed with the sale.

However, once approved, the application(s) are installed by program admins/network staff to the workstations of all approved users ONLY.
This happens automatically the next time the user(s) log on. Similarly the script to trust the location is run automatically.

A typical client organisation will have anything up to 250 users but, at most, only 2 or 3 will be given elevated permissions to manage the application

End users do not have permissions to install or edit any applications anything themselves nor do they have permission to edit the registry (even if they know how). As they have no ability to reach Access options, end users cannot do any editing there either.
The reason for doing all the above is once again to be safe rather than sorry.
As I say the system has been in use for well over a decade and is absolutely foolproof.
So, I guess the only difference then is in my workplace VBA is disabled and at your client's, it's not. Correct? Do you know if any of their users could potentially put a VBA enabled file in the approved Trusted Location?
 

isladogs

CID Moderator
Staff member
Joined
Jan 14, 2017
Messages
12,335
I don't see how any application can run code if VBA is somehow disabled.

I'm talking about my clients networks - not my own networks.
Therefore I cannot guarantee they all lock down their networks appropriately.
However, I've never yet sold an site license for an application where the security has been less than I've described.

Users do not know which locations are trusted nor can they install or move any VBA enabled apps to locations trusted by my apps. As I keep saying there have never been any issues related to the deployment of my commercial apps in 15 years with multiple clients and several thousand workstations.

If any suspicion ever arose that installing my apps had indirectly caused a problem, I guarantee I would be informed...and not necessarily in a polite way.
 

theDBguy

I’m here to help
Joined
Oct 29, 2018
Messages
7,689
I don't see how any application can run code if VBA is somehow disabled.

I'm talking about my clients networks - not my own networks.
Therefore I cannot guarantee they all lock down their networks appropriately.
However, I've never yet sold an site license for an application where the security has been less than I've described.

Users do not know which locations are trusted nor can they install or move any VBA enabled apps to locations trusted by my apps. As I keep saying there have never been any issues related to the deployment of my commercial apps in 15 years with multiple clients and several thousand workstations.

If any suspicion ever arose that installing my apps had indirectly caused a problem, I guarantee I would be informed...and not necessarily in a polite way.
No, the app won't run, initially, because VBA (or perhaps more accurately, the Content) is disabled as a default. But as soon as the user clicks the "Enable Content" button, then the app will run. I guess I wasn't so much as saying your app can cause any issues or problems. I was just saying some organizations could elect to be more strict than necessary. And so, even if the app passed all the approval tests and was deemed "trusted," users on out network still has to click that stupid button before the thing will work.
 

isladogs

CID Moderator
Staff member
Joined
Jan 14, 2017
Messages
12,335
The point I'm making is that by requiring users to click the button they are effectively being given 'privileges' they may try to misuse later with another app.

That option doesn't arise with the system I'm describing. In my opinion its safer.

As I've already stated, every organisation I've ever worked with has been incredibly strict about security. I've frequently had to argue my case and almost always have done so successfully. If I can't convince them, I don't get the sale ...but I'm happy anyway as it has saved me unwanted hassle in additional support time.
 

theDBguy

I’m here to help
Joined
Oct 29, 2018
Messages
7,689
The point I'm making is that by requiring users to click the button they are effectively being given 'privileges' they may try to misuse later with another app.

That option doesn't arise with the system I'm describing. In my opinion its safer.

As I've already stated, every organisation I've ever worked with has been incredibly strict about security. I've frequently had to argue my case and almost always have done so successfully. If I can't convince them, I don't get the sale ...but I'm happy anyway as it has saved me unwanted hassle in additional support time.
Misuse privileges, who me? Never! :D
 

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

Top Bottom