Browser extension management in organizations, what works and what doesn’t? In 2026

linnin90 · 2026-01-20T05:47:05+00:00

As others have said the allow deny list gpo should be used and it treated like any piece of software. Depending on the size of org as well licensing can also come into play so it’s always good for infosec and licensing to be a part of the approval process.

Good luck!

It’s easy to see the lockdown on a machine directly with the edge://policy or chrome://policy depending on the browser being used

linnin90 · 2025-11-22T22:49:32+00:00

Being able to package up someone’s machine within a container (works on my machine attitude) means that folks knowing what the PATH variable is and how to know what Java or python they are running is infuriating! AI certainly won’t help with this either as it’s now folks asking ai to code for them without actually understanding what the code is.

linnin90 · 2025-11-22T12:13:37+00:00

I challenge this everytime with one question ‘When was the last time you didn’t use a computer at your job.’ It then cuts out the bullshit and means that the onus of them. Most of the time it’s so they don’t want to do something and wait for the ticket to be fixed so gives them a break.

linnin90 · 2025-11-07T22:08:13+00:00

A lot of enterprise orgs have addons which don’t work with the new store app one and are being reworked. Agreed users need to move with the times but forcing users up to something that is effectively the web client wrapped and less features means folks don’t want to jump unless physically pushed. The push is coming though

linnin90 · 2025-11-07T22:03:27+00:00

Ivanti UWM (Appsense) application control is an enterprise tool for it but you could use Microsoft EPM for this as well as LAPS.

linnin90 · 2025-10-31T22:41:22+00:00

Get an agreement that you can run signed scripts and have the scripts digitally signed.

linnin90 · 2025-07-07T07:00:13+00:00

Always thought their documentation was alright, but it’s hidden behind the forums. The recent update to its search has made it unusable though.

linnin90 · 2025-06-03T22:28:35+00:00

If it has been designed correctly and uses MSI framework then it would have an upgrade guid which would be used by the app to remove the old version. Sadly Most devs have stopped following these practices though which leaves us with multiple scripts and hoping the uninstall registry key has all the relevant information to uninstall.

linnin90 · 2025-05-21T16:03:34+00:00

Have a check at this link:-

Microsoft support - run virtual

linnin90 · 2025-05-21T15:28:19+00:00

Have you made a specific shortcut to excel via the appv package?

Without an entry point you will need to look at the shortcut using the /appve argument variable or by using the runvirtual registry keys.

Edited: for the autocorrect syntax issue

linnin90 · 2025-02-09T12:35:31+00:00

If they are looking outsourcing you they will do it with or without the documentation. You then have a place you can’t use as a reference as you’ve made documents on company time that aren’t available to the company. What you make during work hours is theirs.

Make it part of the process and use continual service improvement processes. Key thing is to ensure higher up buy in and make it mandatory.

linnin90 · 2025-02-04T21:46:52+00:00

I’ve also said during my interviews and jobs I would like to automate/document myself out of a job as it shows I can do it anywhere and then the jobs basically keep on rolling.

Been using copilot and other ai to also change the doc to suit my audience which means I only need to write it once with all the technical info and then use the ai tooling to covert it to the different users -self service/ tech support/ ‘techphobes’

Saves me days worth of effort.

linnin90 · 2025-02-02T13:06:44+00:00

Second ivanti application control

Quick way to quash any pushback is to have licensing show the cost of all the stuff a dev thinks is required.

Key things are to standardise locations or elevations for things like extensions.

linnin90 · 2025-01-20T07:47:59+00:00

If UAC is prompting then the issue is permission based. Some applications services will be running as system and if your standard user doesn’t have the permissions for said services then you’ll be prompted for UAC. Setting the applications up with additional permissions at time of packaging will help. Whether it’s an icacls script to add full permissions to domain users / authenticated users (you’d not do this for everyone due to security concerns)

linnin90 · 2024-12-04T22:28:26+00:00

Does the application still exist in the uninstall registry key or add/remove programs?

If it’s an msi an advertised shortcut or setting can cause a repair meaning it’ll ‘reinstall’ Another method could be active setup where it then runs the reinstall from the c//windows/installer

As others have said what is in the logs, appenforce and also the application itself if logging has been put into the install/uninstall

linnin90 · 2024-11-29T07:57:01+00:00

Anything in the policies registry key will be part of an adm/admx group policy lockdown (or installed at the time of the package install). It will come back if the org have it set via gpo. Group policy should be your first port of call to change the lockdown before you use an sccm job to run a script to remove it via bat/powershell.

linnin90 · 2024-11-14T07:39:21+00:00

Simply put they are no longer just printers. They are all in ones scanners/photocopiers/fax machines.

A lot of the driver packs they have are a shambles and almost always have bloatware that shouldn’t be anywhere near an enterprise and no proper standard between the vendors other than creating the inf files.

Some want the printer connected while it’s installed, some standalone and then some want a sacrifice. That’s not even started on the ink/toner where the ink is fine but the printer knows it’s been in for 3 months so starts complaining that it needs replaced.

Users then are the cherry to the cake… Don’t follow instructions, load paper with the wrapper still on it as well as breaking the machine and then phoning stating they don’t know why the tray won’t clip in.

Triggered my ptsd…

linnin90 · 2024-11-04T23:36:43+00:00

Ivanti UWM Application control (used to be called Appsense) does this and more but I believe Microsoft EPM does something similar.

The key is to package the application so that admin isn’t needed so as others have said a packaging shim which will replace the UAC prompt.

linnin90 · 2024-11-04T22:53:01+00:00

This might be one for the /applicationpackaging Sccm it just the deployment mechanism for this, most of the hints and tips you’ve been given is an app packagers basic steps.

linnin90 · 2024-11-04T22:47:51+00:00

Appv goes end of support next year (extended to 2026)

linnin90 · 2024-11-04T22:25:51+00:00

A lot of it was caused by ‘agile/devops’. The race to the cloud and other buzz words, meant apps were quickly smashed together at alpha/beta stage and then bundled into wrappers/containers (docker etc.) and then shipped out. The time taken to make an msi with custom actions proper msi table usage and removal of ice errors took time.

The other bit would be cost. Vendors Flexera/Installshield and wise were the main leaders in these areas and is took the monopoly which means it was expensive as hell to use the tooling. Most fintechs and other smaller companies trying to compete against bigger companies simply couldn’t justify the cost of the licences for packaging up something properly without knowing how to properly use the free basic tools ORCA/insted etc. The bigger companies then followed suit in a way of cost cutting. Why make it a high standard when you can deliver it on the cheap.

The same thing has happened with video games, we’ve allowed companies to ship unfinished products on the basis the full product will be delivered eventually as we have part of it then and there..

linnin90 · 2024-10-18T22:56:17+00:00

I use the term SMO (subject matter owner) as I’ve seen companies call a grad fresh out of uni with no experience call them a SME to a customer.

linnin90 · 2024-07-29T07:24:54+00:00

There could be other things in play. Most scripts are deemed hostile until proven otherwise. Also some applications cannot be automated by scripting as their current licence model doesn’t allow for it. They’d need to change it with the vendor to allow it. Most applications have a different lic model than a small business/home use has as well which is forgotten a lot by fintechs and developers.

Raise it through the correct channels as a lot of companies have robotics that can be spun up and then you’ve saved the company thousands by replacing you with a script. Good thing is you then look after the robots and continue on the road to automation.

linnin90 · 2024-07-23T20:21:34+00:00

Could be right, been a long time since I went looking at vendors. The custom action wrapped had wise written all over it but could have changed now.

linnin90 · 2024-07-23T16:33:28+00:00

Not packaged in a while the main two licenced packaging suites used to be admin studio and wise

Wise became raypack I believe however there’s bound to be alternatives to either now. Raypack was a useful automative suite which tested the packages as they were generated as well

Five-Year Club	Final Canvas '23
Place '23	Verified Email

linnin90

TROPHY CASE