
One of our customers is having the below issue with Aurena Agent:

The prebuilt package for Aurena Agent that IFS is providing on the landing page is for a single user, to install on their clients by themselves, and it works if you have the security parameter “native messaging hosts” set to enabled.

 

Found an article in IFS Community that describes the same issue: https://community.ifs.com/document-management-docman-248/aurena-agent-will-not-enable-in-edge-browser-but-does-in-chrom-39986

 

The conclusion according to this article is:
"We have found that the issue was due to a security setting that was disabled in our GPO which, as a result, did not permit the Aurena extension in Edge to communicate with the Aurena Agent on the computer. It was “Allow user-level native messaging hosts (installed without admin permissions)”. To correct, we needed to enable that setting."

 

The customer got the below answer from their security technician:
This setting is the issue: Allow user-level native messaging hosts (installed without admin permissions) (admx.help)

They have to set this setting to "Disabled" for security reasons.

 

If you are an IT department that pushes out applications such as Aurena Agent with centralized tools, you want a prebuilt package where you must be administrator in order to install it. The problem in itself is that the installation of Aurena Agent is done at the user level and does not require administrator rights.
More specifically, the problem is that the key in the registry is located here: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\NativeMessagingHosts
It needs to be located here: HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\NativeMessagingHosts

 

If a customer can't change this setting due to security reasons and follows Microsoft's recommended Security Baseline, do we have a solution for this?
 

Hi @domze 

 

Can you share your thoughts on this issue?


Hi Pasan,

At the moment we only have one version of the MSI and, as you found out, it's a version that is meant to be installed in the context of a normal user, not an admin.

I suggest you create an idea in the Ideas section here on IFS Community so that we can look into the possibility of creating another version that is better suited for being pushed out to clients.

The details shared above should help out if and when we can prioritize this work.

As for now, customers need to create their own installation package if the one we provide does not work. The disadvantage is of course that such a package will not be signed by IFS (but the exe file inside will be).

 


Hi,
Are we the only ones facing this problem, or how have other customers solved this or found a way around it when we have disallowed user-level native messaging hosts?

You mention, @Mathias Dahl, that we could create our own installation package. Do we need the code from IFS in order to do that, or could I extract it from the existing MSI if I have a workplace technician?

//Leffe Welén


I realized that you might not be able to create your own MSI, since it "does things" on the machine; it doesn't only place files there. But it does not do much. It fetches the hash of the SSL/TLS certificate from the server and writes that to a settings file, it places the Aurena Agent exe file and related files in a folder, and it installs the IFS Chrome extension plus the necessary registry entries in the Windows registry. In theory, that can be done centrally too. If you have a way to record what an MSI is doing, you might be able to catch these steps and replay them.
 


@EvrLeiflW 

Would it be possible to push out a small Windows registry modification to the users' machines after the installation has been done?

I just tried on my machine (I have local admin privileges) and moved the com.ifsworld.aurenaagent "folder" in the registry.

It moved from:

HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\NativeMessagingHosts

to:

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\NativeMessagingHosts

Here's how it looks after the move:

At least on my machine, the Aurena Agent continues to work (I don't know yet if it's necessary, but I reloaded the web browser tab before I tried).

 


Thank you for your quick response!
I have forwarded your suggestion both to the customer and to our workplace technicians.
I'll let you know the outcome.


@Mathias Dahl 

I’ve got this from my customer:

One question regarding this workaround: it will not work for shared computers, which are common for them.
It is one thing to move the registry key com.ifsworld.aurenaagent from HKCU to HKLM, but the registry key itself is pointing at C:\Users\<user1>\AppData\Local\IFS\IFSAurenaAgent\aurenaagent_manifest.json.
When the next user logs on to the computer, that user will not have access to user1's AppData.
In our opinion the whole installation should be moved out from user dependencies.


Thanks! Then they need to move the folder there as well, until we have looked into and delivered the possibility of providing an "admin" version of the Aurena Agent installer.
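
An added example, not part of any post above and not IFS code: a read-only PowerShell audit of the two points raised in this thread, namely which hive a native messaging host is registered in and whether its manifest sits inside a user profile. The Edge registry key, the `NativeMessagingUserLevelHosts` policy value name, and the profile location under `%SystemDrive%\Users` are assumptions not stated in the thread.

```powershell
# Added example: read-only audit of native messaging host registrations.
# Run as the logged-on user, because HKCU is that user's own hive.
# Assumptions: the Edge key and the policy value name are not from the thread;
# user profiles are assumed to live under %SystemDrive%\Users.
$browsers = [ordered]@{ Chrome = 'Google\Chrome'; Edge = 'Microsoft\Edge' }

function Get-NativeHostAudit {
    foreach ($b in $browsers.GetEnumerator()) {
        # 0 = "Allow user-level native messaging hosts" is set to Disabled
        $policy  = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\$($b.Value)" -ErrorAction SilentlyContinue
        $blocked = $policy.NativeMessagingUserLevelHosts -eq 0
        foreach ($hive in 'HKCU', 'HKLM') {
            $root = "${hive}:\SOFTWARE\$($b.Value)\NativeMessagingHosts"
            foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
                $manifestPath = $key.GetValue('')   # default value holds the manifest path
                $issues = @(); $exe = $null
                if ($hive -eq 'HKCU' -and $blocked) { $issues += 'HKCU host blocked by policy' }
                try {
                    $manifest = Get-Content -LiteralPath $manifestPath -Raw -ErrorAction Stop | ConvertFrom-Json
                    $exe = $manifest.path
                    # A relative "path" is resolved against the manifest's folder
                    if (-not [IO.Path]::IsPathRooted($exe)) {
                        $exe = Join-Path (Split-Path -Parent $manifestPath) $exe
                    }
                } catch {
                    $issues += 'manifest missing, unreadable for this user, or invalid'
                }
                # The shared-computer case: HKLM key whose target is in one user's profile
                $inProfile = @($manifestPath, $exe) -like "$env:SystemDrive\Users\*"
                if ($hive -eq 'HKLM' -and $inProfile) {
                    $issues += 'machine-wide key points into a user profile'
                }
                $sig = 'n/a'
                if ($exe -and (Test-Path -LiteralPath $exe)) {
                    $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
                }
                [pscustomobject]@{
                    Browser = $b.Key; Hive = $hive; HostName = $key.PSChildName
                    Manifest = $manifestPath; Signature = $sig
                    Issues = $issues -join '; '
                }
            }
        }
    }
}

Get-NativeHostAudit | Format-List
```

An HKLM registration only works on shared machines when the manifest and exe sit in a folder every user can read; keeping that folder writable by administrators only preserves the point of disabling user-level hosts.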

