Configure deployment security settings

May include but is not limited to: configuring and integrating UAC by using ClickOnce deployments; setting appropriate security permissions to deploy the application

I have read some very controversial information about UAC and ClickOnce and WPF, so I decided to get onto the bottom of things.

By default, a WPF application needs Full Trust permission, because it needs to call unmanaged code to build its window. However, Full Trust is the devil itself (and is obviously a mock in the philosophy of least principle) so you should configure your applications to have the relevant rights.

This can be done in the Project Properties menu’s Security tab. There you can edit ClickOnce security settings. You can even set the application to run in Partial Trust (which will be the level your users will use it). Even better, you can set Visual Studio to debug in Partial Trust mode – a very nice thing, because you’ll surely see what your end users will. You can set the Local Intranet and the Internet zones’ security settings. You can even define a custom one, where you can edit the resulting XML file by hand. For some strange purposes, the ClickOnce deployment model doesn’t allow demanding administrative rights (at least you cannot specify the requestedExecution level element’s level attribute to requireAdministrator or highestAvaliable). I think this makes sense, because the whole point of ClickOnce development is to get an application up and running with a couple of mouse clicks.

As for configuring UAC with ClickOnce I didn’t find any useful information. In fact MSDN and the rest only told me that it’s against the nature of ClickOnce to have UAC support. If you need some, then you will need to write a shell application which requests for a UAC prompt, and call your ClickOnce setup from there. A stinking but working solution.


Configure a ClickOnce deployment

May include but is not limited to: configuring the installation of a WinForms, WPF, or XBAP application; choosing appropriate settings to manage upgrades

Excuse me for putting this one first, but I needed something from another topic to dig into, because I got overwhelmed by data binding. So ClickOnce!

As you may know, ClickOnce is a deployment and distribution technology. Most of its functionality lives in dfsvc.exe. You can publish your application directly from Visual Studio with it, and can be very happy with the results, because if you’d set up the deployment appropriately, you’ll get automatic update checking and other cool features.

On the other hand, ClickOnce is very limited. You won’t be able to get inside to the setup menu, nor to tell the engine where you’d like to install your application. But as its name suggests, you can deploy an app by just a couple of clicks (yes, even by one click).

OK let’s get started. There are several places you can install your applications with ClickOnce. You can use a disk path, a UNC share, an FTP server or a web site. All of them have their pros and contras, and I think you’ll be able to figure them out yourself. After specifying this, you will be asked how the users will install your application. You can specify a web site for that (although you’ll need IE or Firefox with a little plugin to install directly from the browser). You can specify a UNC path, or tell the engine that you’d like to install from a CD/DVD. If you specify CD/DVD, then you’ll be asked whether or not you’d like to let your application check for updates, and if yes, where to do that. Continue reading