Unfortunately, many application vendors are notorious for defaulting to per-user installs (Microsoft included!), mainly because they want to remove every obstacle to user adoption. Yes, they DO NOT want your user to ask for your permission to install the app since they want the user to download and start using it immediately and not deal with your IT department’s boring bureaucratic workflows.
The customer asked if there was a way to tell Action1 to keep the user-specific installs it detects on the endpoints. Well, the answer was a firm NO – and here is why. The feature of automatic replacing of per-user installs with machine-wide installs was added for a few good reasons:
- IT department ownership of all installed apps: the user cannot modify what IT the department deployed unless IT approves it.
- Per-user installs are less secure because the executable modules can be modified if the user’s non-privileged account is compromised. Machine-wide installs are more difficult to infect under a non-privileged user context.
Yes, it’s a bit of a hassle for users to reconfigure from per-user to machine-wide once it’s updated. We get it. But they have to do this only once. The long-term benefits of machine-wide installs substantially outweigh the negatives.
Final thought: if you don’t do this yet, seriously consider automating your third-party app patching. Shameless plug: Action1 does third-party application patch management seamlessly with OS updates, and it is free forever for your first 100 endpoints – with no footnotes or fine print!