Re: Qlik Sense Desktop without admin rights and Gr... - Qlik Community

Anonymous · ‎2016-03-08

We tried to install Qlik Sense Desktop on a couple of machines at work without success. The program seems to be quite unconventional as regards where it puts files and runs them from.

Our environment is a typical Windows corporate system: roaming profiles; users don't have local admin rights; group policy will block an exe from running unless it's located in an authorised folder (ie, a folder where the user has no write control - eg C:\Program Files).

In order to install the software it was necessary to temporarily give the user local admin rights and to temporarily change the personal folder registry setting in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal from a network to a local drive.

Having managed to install it, we couldn't run it because the main executable is in the user's AppData directory, under Local\Programs\Qlik\Sense, so Group Policy blocks it.

Moving the Qlik directory to a whitelisted directory such as C:\Program Files means that the exe runs but doesn't work: the browser window never opens and while the server component seems to run - at least it listens on port 4848 - it never replies. The Event Log fills up with event id 300s. A "Start_Engine" log file is produced but only gets as far as Initiating server license.

It appears that there are whole bunch of other directories that are created when the application runs (on first run or every time?), for example:

%USERPROFILE%\AppData\Local\Programs
- Common
- Common Files
%USERPROFILE%\AppData\Local\Temp
- DataPrepService2.2.50501.0409.10
- MigrationService2.2.50501.0409.10
- QlikSenseBrowser2.2.50501.0409.10
- SensePrinting2.2.50501.0409.10

Running exe files from these directories is not an option is our environment.

Are these locations configurable? In particular, is there way to allow the app the necessary write access (log files, caches, etc) while keeping the exe files somewhere read-only?

till_bentz · ‎2016-04-20

Hello Tom,

I was wondering if you found a solution for this problem. We have pretty much the same setup and therefore the same problems...

Regards,

Till

Anonymous · ‎2016-05-03

No luck, I'm afraid.

ecagriculture · ‎2017-01-31

Hi Tom,

Your set-up is quite standard and similar to ours so we encounter exactly the same problem...

Did you ever open a support call for this or have you found another solution?

Any reaction from Qlik?

kind regards,

William

till_bentz · ‎2017-03-07

Hi William,

I'm not sure if this is still an open question. But I had contact with Qlik support regarding this question. Apparently the requirements for Sense Desktop are among others 64bit non-server OS and (local) admin rights.

I know its not really a solution but maybe it helps anyway.

Regards,

Till

Anonymous · ‎2017-05-08

Our company seems to have found a solution using a container or virtual machine where the user can have admin rights without affecting other things.

It is a bit slow and occasionally stops working, but better than nothing.

I believe that Qlik could remove the need for admin rights by allowing us to change some of the default file locations and port numbers.

stantrolav · ‎2017-05-10

Hi!

Every time I fight with this old-school security rights. New software need more privileges rather than Notepad. Give user full access to his system folder:

%USERPROFILE%\

This folder is used by user and must be opened for him. Also for stabile work user must have privileges for changing his Registry change in Windows HKCU\

Anonymous · ‎2017-05-10

The issue is not write permissions but execute permissions. It's quite reasonable to limit these. One solution we haven't tried is to identify and whitelist all the .exes that Qlik Sense creates and runs. The fact that these are only created at run time, not on installation, might be a problem.

ecagriculture · ‎2017-05-10

Hi,

We had to find a solution for our training room and we found a working solution (in cooperation with our technical friends).

We copied the whole qliksense installation folder to a folder from which users can execute programs (but users themselves don't have a write access to it). In our case c:\pgm which was created previously for these kind of situations...

We encountered a problem with logins that tried Qliksense in the past on these workstations, so we added in the copy procedure the following:

rename the ...\AppData\Local\Programs\Qlik folder to Qlik_old

rename the ...\AppData\Local\Programs\Common Files to Common Files_old

and we put a shortcut on the desktop that points to:

c:\PGM\Qlik\Sense\QliksenseBrowser\qlikSenseBrowser.exe

and it seems to work without admin rights (we use training accounts which have only very limited permissions), only odbc connections give a problem, but this was not necessary for our course.

I can publish the script but i need to remove first a few company related lines...

Attention, this is for version 3.1SR3 of Qliksense, in 3.2 there is a server authentication necessary..., we don't know yet how to tackle this for the trainingroom...

Kind regards,

Wiliam

mikestone519 · ‎2017-10-31

Exactly the same thing here. I've never seen an application installer that assumes so much about where it will be installed. Assuming the end-user will have admin rights is a sin.

Qlik Sense Desktop without admin rights and Group Policy control on running .exes