How much is Admin Rights a problem for installing productivity applets?


One of the issues we’re facing at Microsoft is how do we release products, or more specifically components, to customers more frequently.  There’s an expectation that Microsoft released components have a servicing and support model associated with them.  It’s a fair assumption.  However this assumption has a “price” associated with it.  Our current ability to support managed code is through the global assembly cache.  Which means that unless the components are installed in the GAC we don’t have a way to service them directly.  And, of course, installing in the GAC requires Administrator rights. 


Now we could say our servicing model is we make the components available on the web for developers to upgrade their applications once they test the “fix”.  However the application development group isn’t always around when the issue surfaces.  For the typical enterprise development environment building small applet applications, the development team is long gone once the app goes into production.  There’s nobody around to keep up with components that may require servicing 


For consumers I would suggest this isn’t as much an issue.  Someone “in the house” has administrative rights.  For consumers, I’d suggest the problem is more related to size of the components and dependencies.  If I have a 3mb app I want to share with my friends, does it require a 25mb download of the .net FX or a 55mb download of SQL Server Express?


For enterprise developers size isn’t as much of an issue as computers are usually connected through high bandwidth connections.  (Note the caveats here of “as much” and “usually”)  However, are admin rights an issue?  We’ve seen excellent adoption by IT to roll out the .NET Framework.  However, we haven’t seen IT willing to roll out every little application individual groups within a company develop.  And, does it really make sense for the inventory department to have the accounting applets?  Applications that do “affect the bottom line” of the company get exec management visibility and get IT support.  But for the hundreds of small apps that workgroups want to create, the only real answer they seem to have is building an internal website.  For $300 a manager can host a webserver on a dedicated desktop machine and email URLs to their workers.  Voila, their productive, or are they? 


We’re increasingly seeing additional value we can add to the Windows Client.  Features that are completely end user focused.  Whether it’s the ability to go offline with a local database and sync components, or the ability to create reports locally with Reporting Controls developers need to get Microsoft, and other vendor, components on end user machines. 


So, what is Microsoft doing about this tug of war?  Well, we have a number of ideas in the works.  Some may take a while to get out to customers, some that may be quick fixes. 


But my question to you is how much of an issue is this? 



  • Are admin right requirements a problem? 
  • Do development groups get full support from their IT staff to rollout applications, large and small, to their users? 
  • Do end users have Admin rights to their machines?  
  • Should Microsoft service critical security fixes directly to end user machines or should we leave it to the application owners to service the apps?

Steve


Comments (7)

  1. That is the question Steve Lasker is asking in this blog post.
     
    Basically he ask for 4 short answers…

  2. >> Are admin right requirements a problem?

    Yes, in large corporations this would be a show stopper.

    >> Do development groups get full support from their IT staff to rollout applications, large and small, to their users?

    Not all the time. If everything works well there is no problem but in some places there is open hostility between IT maintenance and software development.

    >> Do end users have Admin rights to their machines?  

    Most of the time they don’t.

    >> Should Microsoft service critical security fixes directly to end user machines or should we leave it to the application owners to service the apps?

    Leave it up to the application owners!

  3. >> Are admin right requirements a problem?  

    Yes.

    >> Do development groups get full support from their IT staff to rollout applications, large and small, to their users?  

    No.  And if an ISV can produce a fully functional demo version of their app, that doesn’t require sign-off by IT to try out, that’s a plus.

    Do end users have Admin rights to their machines?  

    In a large corporate environment, almost never.

    Should Microsoft service critical security fixes directly to end user machines or should we leave it to the application owners to service the apps?

    Leave it to the app vendors.  If it had a higher surface area, like SQL Server, I might feel differently.  

  4. I’d personally feel much more comfortable with just copying the dlls into my application directory.  This would be much easier for deployment, and would ensure that only the tested version is paired with my app.

  5. stuart.carnie says:

    It is critical this can be deployed without admin rights.  Vendors considering ClickOnce deployment will not be able to utilize SQL/e, because of this restriction.

    Cheers,

    Stuart

  6. Shane Jimmerson says:

    These are good questions.  Right now we are developing an application that uses SQL Express on the desktop.  Obviously our users are users must have admin rights to install SQL Express.  I think we will have some organizations balk at this.  If we weren’t targeting a Sept. 2006 release of this product I would probably push heavily for a SQL/e implementation.  But, even for a Click Once deployment the .NET FX would need to be deployed, but as was already mentioned organizations don’t seem to have a problem with this, probably because it is so prevalent.  I think if SQL/e could be deployed through GPO this requiring Admin rights wouldn’t be a huge problem.  I am sure that some Network Admins would probably hesitate, but I don’t think it would be a showstopper.  In our case I think they would much rather deploy SQL/e than SQL Express even if SQL/e required Admin rights.  Ideally, I would want the best of both worlds (deployment and servicing) and I understand that Microsoft is under a lot of pressure in the security arena so I understand why the servicing aspect is so important.  If I had to choose between ease of deployment and servicing, I would choose ease of deployment in this situation because the surface area for attach is small.

  7. Mike Brooks says:

    We are BETA testing a winforms application that uses ClickOnce to deploy. In some cases the user is the only that uses their office PC. In other cases, multiple users share a pool of PC’s – these are staff that are in the field and then come to the office to enter their data.

    I am interested in ClickOnce documentation/experiences that speak to the later multi-user requirement.

    I would be glad to share our experience once we have concrete results to report.