Dec 26 2020 08:04 AM
Dec 26 2020 08:04 AM
Our managed environment restricts the ability to install any apps (non-admins) though lately some collaboration apps (Teams, Zoom, etc) install directly to the user profile, circumventing the rights requirement. This creates risk via unapproved downloads over small circuits, ensuring updates can be performed in a managed way, and managed uninstall methods. We need a solution to restrict this type of download / install without creating additional restrictions via App Locker, general exe execution restrictions or zone download restrictions. File exe names change upon each download or we could call them by name via policy.
Specific to this larger issue, we will option to deploy 365 without Teams... so when a user needs to connect to a Teams meeting they would use the browser only. They are prompted to install the client upon connection, and we would like to prevent this without creating any additional content related problems when retrieving data from MS.... or anywhere else.
Browser = EDGE Chromium
Dec 26 2020 12:27 PM
Dec 26 2020 03:21 PM
I'll clarify. Only admins should be able to install apps, though standard users can choose to install apps such as Teams when prompted while connecting to a Teams meeting. We would like to restrict the user-initiated install and force the session to run in the browser.
You mention EDGE policies, have you seen this scenario corrected by any specific GPO settings? I'm not finding them..
Dec 27 2020 02:19 AM
Dec 28 2020 06:34 AM
Yep, I'm clear on all of the items you mention above - the browser launch is the only option we would like the user to have... so restrict the PWA.
I would rather not restrict certain URLs in fear of unintended consequences.. and the potential need to maintain a list over time. Just hoping there would be a much more simple way of restricting, or limiting PWAs.
Dec 28 2020 12:10 PM
Dec 28 2020 05:12 PM
A standard user clicks to open a Teams meeting via email link. EDGE Chromium opens and displays the options in this screenshot (happens when testing with IE and legacy EDGE as well). If 'Download the Windows app" is selected the install is permitted and installs to a profile based directory. We would like to restrict the ability of the user to either access the download link, prevent the install... or both. Just looking for the most practical way to accomplish this.
Dec 29 2020 01:31 AM