cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Profile based apps installing for non admins

jlorraine
Copper Contributor

‎Dec 26 2020 08:04 AM

‎Dec 26 2020 08:04 AM

Profile based apps installing for non admins

Our managed environment restricts the ability to install any apps (non-admins) though lately some collaboration apps (Teams, Zoom, etc) install directly to the user profile, circumventing the rights requirement.  This creates risk via unapproved downloads over small circuits, ensuring updates can be performed in a managed way, and managed uninstall methods.  We need a solution to restrict this type of download / install without creating additional restrictions via App Locker, general exe execution restrictions or zone download restrictions.  File exe names change upon each download or we could call them by name via policy.

 

Specific to this larger issue, we will option to deploy 365 without Teams... so when a user needs to connect to a Teams meeting they would use the browser only.  They are prompted to install the client upon connection, and we would like to prevent this without creating any additional content related problems when retrieving data from MS.... or anywhere else.

 

Browser = EDGE Chromium

6,677 Views
0 Likes
8 Replies
Reply
8 Replies
HotCakeX

‎Dec 26 2020 12:27 PM

‎Dec 26 2020 12:27 PM

Re: Profile based apps installing for non admins

Hi,
if your environment doesn't allow installing apps/programs to non-admins, no app/program should be able to install, but PWA app (progressive web apps) can be installed regardless.
it can be controlled of course using Edge group policies.
Teams online doesn't need a client to be installed first. Teams online can be run standalone only through the browser.
0 Likes
Reply
jlorraine

‎Dec 26 2020 03:21 PM

‎Dec 26 2020 03:21 PM

Re: Profile based apps installing for non admins

I'll clarify.  Only admins should be able to install apps, though standard users can choose to install apps such as Teams when prompted while connecting to a Teams meeting.  We would like to restrict the user-initiated install and force the session to run in the browser.

 

You mention EDGE policies, have you seen this scenario corrected by any specific GPO settings?  I'm not finding them..

 

@HotCakeX 

0 Likes
Reply
HotCakeX

‎Dec 27 2020 02:19 AM

‎Dec 27 2020 02:19 AM

Re: Profile based apps installing for non admins

Sir you don't need to install anything to use Teams meetings on the web, it's all done through the browser, the website. no need to install a client.

user can "install" the Teams website as an app in Edge (this install is not the same as installing a Win32 software), then user will receive notifications from Teams, and user can use it to join online meetings. Teams icon can appear in Start menu or taskbar for the user.

I do this myself with my M365 education subscription.

to block URLs in Edge there is a policy:
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#urlblocklist

more on PWAs: https://docs.microsoft.com/en-us/microsoft-edge/progressive-web-apps-chromium/
0 Likes
Reply
jlorraine

‎Dec 28 2020 06:34 AM

‎Dec 28 2020 06:34 AM

Re: Profile based apps installing for non admins

Yep, I'm clear on all of the items you mention above - the browser launch is the only option we would like the user to have... so restrict the PWA.

 

I would rather not restrict certain URLs in fear of unintended consequences.. and the potential need to maintain a list over time.  Just hoping there would be a much more simple way of restricting, or limiting PWAs.

 

 

@HotCakeX 

0 Likes
Reply
HotCakeX

‎Dec 28 2020 12:10 PM

‎Dec 28 2020 12:10 PM

Re: Profile based apps installing for non admins

Do you want to prevent users from installing a site as an app in Edge or not use a site at all?

because PWAs are websites in their core. even if Edge had a policy that would prevent users from installing sites as an app, users would still be able to use Teams online (or any other PWA) in regular browser tabs, unless you block that URL with a policy.

PWAs are websites, Edge lets allows users to install any website (whether they are a PWA or not), as an app.

you can contact Edge support here: https://www.microsoftedgeinsider.com/en-us/support
0 Likes
Reply
jlorraine

‎Dec 28 2020 05:12 PM

‎Dec 28 2020 05:12 PM

Re: Profile based apps installing for non admins

A standard user clicks to open a Teams meeting via email link.  EDGE Chromium opens and displays the options in this screenshot (happens when testing with IE and legacy EDGE as well).  If 'Download the Windows app" is selected the install is permitted and installs to a profile based directory.  We would like to restrict the ability of the user to either access the download link, prevent the install... or both.  Just looking for the most practical way to accomplish this.

jlorraine_0-1609204312734.png

 

@HotCakeX 

0 Likes
Reply
HotCakeX

‎Dec 29 2020 01:31 AM

‎Dec 29 2020 01:31 AM

Re: Profile based apps installing for non admins

Would you like to use GPO for this?
I found a topic with accepted answer here:
https://techcommunity.microsoft.com/t5/microsoft-teams/prevent-teams-windows-app-installation/m-p/29...

0 Likes
Reply
smbridges

‎May 17 2021 06:28 AM

‎May 17 2021 06:28 AM

Re: Profile based apps installing for non admins

Was there a fix found for this?
0 Likes
Reply