Profile based apps installing for non admins

Our managed environment restricts the ability to install any apps (non-admins), though lately some collaboration apps (Teams, Zoom, etc.) install directly to the user profile, circumventing the rights requirement. This creates risk via unapproved downloads over small circuits, ensuring updates can be performed in a managed way, and managed uninstall methods. We need a solution to restrict this type of download / install without creating additional restrictions via AppLocker, general exe execution restrictions or zone download restrictions. File exe names change upon each download or we could call them by name via policy.

Specific to this larger issue, we will opt to deploy 365 without Teams... so when a user needs to connect to a Teams meeting they would use the browser only. They are prompted to install the client upon connection, and we would like to prevent this without creating any additional content-related problems when retrieving data from MS... or anywhere else.

Browser = EDGE Chromium

8 Replies
Hi,
If your environment doesn't allow installing apps/programs to non-admins, no app/program should be able to install, but PWAs (progressive web apps) can be installed regardless.
It can be controlled, of course, using Edge group policies.
Teams online doesn't need a client to be installed first. Teams online can be run standalone only through the browser.

I'll clarify. Only admins should be able to install apps, though standard users can choose to install apps such as Teams when prompted while connecting to a Teams meeting. We would like to restrict the user-initiated install and force the session to run in the browser.

You mention EDGE policies; have you seen this scenario corrected by any specific GPO settings? I'm not finding them...

@HotCakeX 

Sir, you don't need to install anything to use Teams meetings on the web; it's all done through the browser, the website. No need to install a client.

A user can "install" the Teams website as an app in Edge (this install is not the same as installing Win32 software), then the user will receive notifications from Teams, and the user can use it to join online meetings. The Teams icon can appear in the Start menu or taskbar for the user.

I do this myself with my M365 education subscription.

To block URLs in Edge, there is a policy:
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#urlblocklist

More on PWAs: https://docs.microsoft.com/en-us/microsoft-edge/progressive-web-apps-chromium/

Yep, I'm clear on all of the items you mention above - the browser launch is the only option we would like the user to have... so restrict the PWA.

I would rather not restrict certain URLs for fear of unintended consequences... and the potential need to maintain a list over time. Just hoping there would be a much simpler way of restricting, or limiting, PWAs.

@HotCakeX 

Do you want to prevent users from installing a site as an app in Edge or not use a site at all?

Because PWAs are websites at their core. Even if Edge had a policy that would prevent users from installing sites as an app, users would still be able to use Teams online (or any other PWA) in regular browser tabs, unless you block that URL with a policy.

PWAs are websites; Edge allows users to install any website (whether it is a PWA or not) as an app.

You can contact Edge support here: https://www.microsoftedgeinsider.com/en-us/support

A standard user clicks to open a Teams meeting via email link. EDGE Chromium opens and displays the options in this screenshot (happens when testing with IE and legacy EDGE as well). If "Download the Windows app" is selected, the install is permitted and installs to a profile-based directory. We would like to restrict the ability of the user to either access the download link, prevent the install... or both. Just looking for the most practical way to accomplish this.

[Screenshot: jlorraine_0-1609204312734.png]

@HotCakeX 

Would you like to use GPO for this?
I found a topic with an accepted answer here:
https://techcommunity.microsoft.com/t5/microsoft-teams/prevent-teams-windows-app-installation/m-p/29...

Was there a fix found for this?