Security Implications of Per-user Application Installs

January 13, 2023

By Mike Walters

One of our customers recently brought up this issue. In their environment, Action1 successfully deployed critical updates for third-party apps for newly enrolled endpoints. However, one of those apps was installed on a few endpoints as a user-specific app directly into the user profile, not as a machine-wide installation. Those per-user installs were outdated, so Action1 replaced them with the latest versions, but it also proceeded to remove the user-specific installs and replaced them with a system-wide install. As a side effect, some users of those apps had to do some reconfiguration steps.

Unfortunately, many application vendors are notorious for defaulting to per-user installs (Microsoft included!), mainly because they want to remove every obstacle to user adoption. Yes, they DO NOT want your user to ask for your permission to install the app since they want the user to download and start using it immediately and not deal with your IT department’s boring bureaucratic workflows.

The customer asked if there was a way to tell Action1 to keep the user-specific installs it detects on the endpoints. Well, the answer was a firm NO – and here is why. The automatic replacement of per-user installs with machine-wide installs was added for a few good reasons:

  • IT department ownership of all installed apps: the user cannot modify what the IT department deployed unless IT approves it.
  • Per-user installs are less secure because the executable modules can be modified if the user’s non-privileged account is compromised. Machine-wide installs are more difficult to infect under a non-privileged user context.
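
To see how many per-user installs an endpoint carries, the sketch below inventories them from the user registry hives and flags the ones whose files sit inside the user's own profile. It is an added example, not Action1's code or detection logic; it assumes an elevated PowerShell session and only covers users whose hives are currently loaded (signed-in accounts).

```powershell
# Added example: inventory per-user application installs on a Windows endpoint.
# Per-user installers register under the user's own hive rather than HKLM.
$uninstall   = 'Software\Microsoft\Windows\CurrentVersion\Uninstall'
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Loaded hives of regular accounts (S-1-5-21-...); the pattern skips *_Classes hives.
$sids = Get-ChildItem -Path Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    Select-Object -ExpandProperty PSChildName

$findings = foreach ($sid in $sids) {
    $key = "Registry::HKEY_USERS\$sid\$uninstall"
    if (-not (Test-Path -Path $key)) { continue }

    # Resolve the SID to an account name; keep the SID if it cannot be mapped.
    try {
        $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $account = $sid }

    # Profile directory of this user, e.g. C:\Users\<name>.
    $profilePath = (Get-ItemProperty -Path "$profileList\$sid" `
        -ErrorAction SilentlyContinue).ProfileImagePath

    foreach ($app in Get-ItemProperty -Path "$key\*" -ErrorAction SilentlyContinue) {
        if (-not $app.DisplayName) { continue }

        # An install is user-writable when its files live under the profile.
        $paths = @($app.InstallLocation, $app.UninstallString) | Where-Object { $_ }
        $inProfile = [bool]($profilePath -and ($paths | Where-Object {
            $_.IndexOf($profilePath, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
        }))

        [pscustomobject]@{
            User            = $account
            Name            = $app.DisplayName
            Version         = $app.DisplayVersion
            InstallLocation = $app.InstallLocation
            InUserProfile   = $inProfile
        }
    }
}

$findings | Sort-Object User, Name | Format-Table -AutoSize
```

Rows with `InUserProfile` set to `True` are the installs whose executables the owning non-privileged account can overwrite.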

Yes, it’s a bit of a hassle for users to reconfigure from per-user to machine-wide once it’s updated. We get it. But they have to do this only once. The long-term benefits of machine-wide installs substantially outweigh the negatives.

Final thought: if you don’t do this yet, seriously consider automating your third-party app patching. Shameless plug: Action1 does third-party application patch management seamlessly with OS updates, and it is free forever for your first 100 endpoints – with no footnotes or fine print!
