Reply to post: Re: Teams

Official: Microsoft will take an axe to Skype for Business Online. Teams is your new normal

defiler

Re: Teams

Out of interest, what are your issues with applications in the user's profile?

*Users can download and install apps themselves : Use application control, now they can't.

But if they can't install the application themselves then how does it get into their profile? They can't change the HKLM registry, but having them able to download an executable (knowingly or not) and run it from within their profile folders should simply be a no-no.

*Profile bloat : all VDI shops use a profile management solution that helps you manage profile bloat, be it UPM, UEM, FSLogix etc.

We don't suffer profile bloat - documents, desktop, downloads etc etc are subject to folder redirection, so it's not a problem. There's the actual profile itself, but it's minuscule. ApplicationData\Local is scrubbed on each login.

*Files can be downloaded and overwrite genuine files : use application control, now they can't.

But it's just 'a piece of disk', so if the user has permissions to write to the files in there, they have the permissions to write over the files with something else, possibly something malicious.

My issue is that it's an area of disk that something, anything, running as that user could potentially place a malicious executable into and it could be run. The mechanism for that running could be one of a dozen things. We have users that demand Flash Player, Adobe Reader etc, and they're full of holes. Could be a browser exploit that sneaked past the last browser update and past the web filter. Could be a macro in a document (yes we have users whose banks send out macro-enabled MS Office files, so that has to be on). Could be anything we've not thought about - doubtless there are thousands of things we've not considered. But we're bending as far as we reasonably can with the security of the applications, with the safety net that if something manages to break through it can't 'just run' without a massive amount of additional effort.

Not having a Software Restriction Policy in place to prevent users executing arbitrary applications is, in my opinion, foolish. And for the company that built the Software Restriction Policy framework (Microsoft) to deliberately release an application which demands that this safety net is disabled is ludicrous, when it could have been written in a different fashion.

I'm honestly unfamiliar with FSLogix - I'll have to have a look at that. I'm sure I've brushed against it from time to time but nothing stuck! But as I say, user profiles aren't something we have an issue with. Users downloading Angry IP Scanner, PuTTY, iTunes, Steam etc is.
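
An added example, not part of the comment above and not Microsoft's implementation: a simplified model of path-based execution rules, showing what a single "allow" carve-out inside a user-writable profile folder does to a deny-by-default policy. The rule set, the `alice` profile, `ExampleApp` and all sample paths are constructed, and "longest matching prefix wins" is an assumption of this model.

```python
import ntpath

# Constructed rule set: nothing runs from the user profile by default.
RULES = [
    (r"C:\Users", "deny"),
    (r"C:\Program Files", "allow"),
    (r"C:\Windows", "allow"),
]
# Hypothetical carve-out for an application that installs per-user.
PROFILE_EXCEPTION = (r"C:\Users\alice\AppData\Local\ExampleApp", "allow")

# Constructed executable paths to evaluate.
SAMPLE = [
    r"C:\Program Files\Vendor\app.exe",
    r"C:\Users\alice\Downloads\putty.exe",
    r"C:\Users\alice\AppData\Local\ExampleApp\current\app.exe",
    r"C:\Users\alice\AppData\Local\ExampleApp\current\unknown.exe",
    r"C:\Program Files\..\Users\alice\Downloads\tool.exe",
]


def _norm(path):
    # Collapse "..", unify separators and case so prefix checks cannot be dodged.
    return ntpath.normcase(ntpath.normpath(path))


def decide(path, rules):
    """Return 'allow' or 'deny'; longest matching rule prefix wins, default deny."""
    target = _norm(path)
    best = ("", "deny")
    for prefix, verdict in rules:
        p = _norm(prefix)
        if (target == p or target.startswith(p + "\\")) and len(p) > len(best[0]):
            best = (p, verdict)
    return best[1]


def audit(paths, rules):
    """List executables the policy would let run from inside a user profile."""
    users = _norm(r"C:\Users") + "\\"
    return [p for p in paths if _norm(p).startswith(users) and decide(p, rules) == "allow"]


if __name__ == "__main__":
    print("strict policy:", audit(SAMPLE, RULES))
    print("with carve-out:", audit(SAMPLE, RULES + [PROFILE_EXCEPTION]))
```

With the carve-out in place the audit reports every file under the excepted folder, known or not, because a path rule cannot tell the vendor's binary from anything else the user account is able to write there.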
