05-27-2019 07:15 AM
We have the situation that some customers with restricted Windows 10 AppLocker settings see the problem that java.exe, which is launched from %USERS%\AppData\Local\Hexagon\App Launcher\cache, is blocked by AppLocker.
This effect is independent of where the AppLauncher was installed to.
Is this the standard behaviour, that java.exe is being copied into the %USERS% directory? What's the reason for that?
05-27-2019 09:04 AM
AppLocker is specifically for application control, so an IT department can restrict what applications can be used on a Windows 10 machine.
If IT does not allow Java.exe to be executed, and the customer has the requirement to run the AppLauncher / Java, then an exception has to be made by the IT department.
AppLocker is doing its job by restricting the execution of an application that is not permitted to run by the IT policies.
05-27-2019 10:31 PM
Ok, nothing against the AppLocker from my side. But from my point of view, it's hard to understand, why we copy the whole OpenJDK Binaries into c:\%user%\AppData\Local and execute java.exe from there. Especially because we have the opportunity to install the AppLauncher (silent and by params) into a directory of free choice (where we need Admin rights to install, but where we have no further restrictions by some policies).
05-28-2019 12:26 AM
The reason is to not require administrative privileges, as stated in the last comment here:
If the customer's IT decides to add additional security levels, we cannot do much.
07-04-2019 11:04 PM
One follow-up question still keeps me busy: We installed AppLauncher into a custom directory (e.g. C:\Hexagon\AppLauncher). If I launch GMSC, I see that the initialized Java Runtime is the one which is installed in %USERS%\AppData and not the one which is located in the custom configured AppLauncher directory. The problem is that we need another exception rule for the Windows 10 AppLocker, even though we have a java.exe in the ordinary place.
Thanks for your ideas and hints.
2 weeks ago
@olivergrimm Did you find a way around this issue?
We are currently experiencing the same issue with our customer. They have installed the AppLauncher to C:\Program Files, but when the client launches, it downloads all of the files to \AppData\Local\Hexagon, which means that AppLocker blocks the process again (or something does).
Is there any way of changing where the extra files are downloaded to, to ensure that the user always has the right level of access?
2 weeks ago
Hello DA226694, olivergrimm.
The reason we use \AppData\Local\Hexagon is so the user does not require admin privileges to run the App Launcher, but it also ensures that Java and the App Launcher can be upgraded with each release of the App Launcher, thus guaranteeing the App Launcher is using the correct version of Java and is in a supported configuration.
Before App Launcher, the management of supported Java versions was one of the biggest impacts on our customers, generating a large number of support issues every time a new Java version was released or if there was a change to the Java configuration.
This eliminates any need to manage Java versions and ensures the App Launcher is running in a supported configuration.
Also note that Microsoft has defined %USERS%\AppData for such use of applications and if your IT department decides to block applications with AppLocker then you will need to work with your IT department.
Please also note that a configuration that does not use %USERS%\AppData is not a supported configuration.
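
For the IT-side exception that the replies above refer to, the following is an added example (not from this thread or from Hexagon) that builds AppLocker publisher/hash allow rules for the executables in the App Launcher cache and checks java.exe against them. It assumes the thread's %USERS%\AppData\Local is the current user's %LOCALAPPDATA%; the output file name and the rule-name prefix are hypothetical.

```powershell
# Added example: run in Windows PowerShell on a reference machine where the
# App Launcher has already been started once, so its cache is populated.
Import-Module AppLocker

# Assumption: "%USERS%\AppData\Local" in the thread means %LOCALAPPDATA%.
$cache = Join-Path $env:LOCALAPPDATA 'Hexagon\App Launcher\cache'
$out   = Join-Path $env:TEMP 'applauncher-applocker.xml'   # hypothetical file name

# Collect publisher and hash information for every .exe below the cache.
$files = Get-AppLockerFileInformation -Directory $cache -Recurse -FileType Exe
if (-not $files) { throw "No executables found under $cache" }

# Publisher rules where the binary is signed, hash rules otherwise.
# No path rule is generated: the cache is user-writable, so a path rule
# would allow anything a user drops into that directory.
$files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'AppLauncher' -Optimize -Xml |
    Set-Content -Path $out

# Check the generated rules against the cached java.exe before deployment.
$java = Get-ChildItem -Path $cache -Recurse -Filter 'java.exe' |
    Select-Object -ExpandProperty FullName
if (-not $java) { throw "java.exe not found under $cache" }

Test-AppLockerPolicy -XmlPolicy $out -Path $java -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Because the cached Java runtime is upgraded with each App Launcher release, any hash rules produced this way have to be regenerated after an upgrade; publisher rules survive as long as the signer stays the same.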