9 Replies Latest reply: Oct 31, 2017 9:39 AM by Mike Stone RSS

    Qlik Sense Desktop without admin rights and Group Policy control on running .exes

    Tom Weissmann

      We tried to install Qlik Sense Desktop on a couple of machines at work without success. The program seems to be quite unconventional as regards where it puts files and runs them from.

      Our environment is a typical Windows corporate system: roaming profiles; users don't have local admin rights; group policy will block an exe from running unless it's located in an authorised folder (ie, a folder where the user has no write control - eg C:\Program Files).

      In order to install the software it was necessary to temporarily give the user local admin rights and to temporarily change the personal folder registry setting in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal from a network to a local drive.

      Having managed to install it, we couldn't run it because the main executable is in the user's AppData directory, under Local\Programs\Qlik\Sense, so Group Policy blocks it.

      Moving the Qlik directory to a whitelisted directory such as C:\Program Files means that the exe runs but doesn't work: the browser window never opens and while the server component seems to run - at least it listens on port 4848 - it never replies. The Event Log fills up with event id 300s. A "Start_Engine" log file is produced but only gets as far as Initiating server license.

       

      It appears that there are whole bunch of other directories that are created when the application runs (on first run or every time?), for example:

      1. %USERPROFILE%\AppData\Local\Programs
        • Common
        • Common Files
      2. %USERPROFILE%\AppData\Local\Temp
        • DataPrepService2.2.50501.0409.10  
        • MigrationService2.2.50501.0409.10 
        • QlikSenseBrowser2.2.50501.0409.10 
        • SensePrinting2.2.50501.0409.10

      Running exe files from these directories is not an option is our environment.


      Are these locations configurable? In particular, is there way to allow the app the necessary write access (log files, caches, etc) while keeping the exe files somewhere read-only?