Support Request: Applying System Security configuration

Description

My question is based on a response you provided to another customer. This is the link to that conversation - https://www.provisio.com/en-GB/CustomerSupportCenter/ArticleDetails.aspx?ArticleID=16015. Your response in question was this "You need to edit the underlying “swconfig.xml” (of an existing installation). Then you e.g. can copy the file to the corresponding folder after a new installation.
Once that has been done a job to run an executable can be used to start the systemsecurity.exe with the /applydefault parameter.". My question is, does that job have to be run every time the SiteKiosk user account is signed into, or does it just have to be run once? For some reference, we are using the Windows Configuration Designer to build Provisioning Packages that will completely configure the PC, to include silent installation of SiteKiosk. As of right now, we have a 100% working package but recently found out that we need to provide the Sitekiosk account access to some folders that get created when our custom software gets installed, during the same provisioning.

Answer: (4)

Re: Applying System Security configuration 4/1/2020 2:55 PM
Hello,

Thank you for your inquiry. That is correct. The settings in “swconfig.xml” are only assigned to the SiteKiosk user once when you run "SystemSecurity.exe /applydefault" and are not changed afterwards unless you customize the users access setting through the application later on. The “swconfig.xml” file will never be changed by the System-Security-Manager program. The settings of the System-Security-Manager are based on corresponding Windows settings (e.g.: NTFS access permissions) and are only set when running the application and assigning the settings.

Best regards,
Andre.
Re: Applying System Security configuration 4/1/2020 5:09 PM
Thank you Andre. As far as editing the swconfig.xml, do I just add the directory paths I need the SiteKiosk user to have access to, or would I have to edit the existing lines? For example, can I add this line - <directory expand="true" path="$(CSIDL:ProgramFilesX86)\Custom App" x64="false" read="true" write="true" execute="true"/> which I think allows write access to the files in that location, or can I only edit <directory expand="true" path="$(CSIDL:ProgramFilesX86)" x64="false" read="true" write="false" execute="true"/>, changing the Write value to True? Thinking about it, if its based on Windows permissions, I would think the default value would override my custom one. If that is the case, I might need to get my devs to write their software so that files the Sitekiosk account needs read/write access to go to another directory.
Re: Applying System Security configuration 4/1/2020 5:50 PM
Hello,

Thank you for your inquiry. By default, your software will have access to the C:\Program Files (x86) folder but write permissions are blocked by default. This would also block the user account from overwriting the files for your program. You are correct in considering to reviewing another folder of access. If you need a way make changes to data for your program, you can review the option of saving changes to App Data/Local folder found under each user or having data written to the public user folder. The Restricted user account has full access to those folders. You can use the System Security Manager>>Customized>>Folder Access to see a visualization of the rights given those folders under the Restricted user account.

Best regards,
Andre.
Re: Applying System Security configuration 4/1/2020 5:53 PM
Excellent, thank you.
My Account
Login
Language (Tickets):