The remote user cannot control the SMA

Article ID: 162797

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

It appears that if a user is running the 7.6 agent and is an Administrator on their PC, then during a Desktop Sharing session the remote user cannot control the SMA interface on the host computer when control is passed.
 
A banner message appears stating ‘other people can’t control applications that require admin privileges’

Cause

This is caused by the security of the operating system and User Account Control (UAC). In order to show the icon, the process has to have certain privileges, specifically the same integrity level as Windows Explorer. If Explorer has High integrity level, then the SMA UI process has to have High level as well; if Explorer has Medium, then the SMA UI process has to have Medium or High. A process with a lower integrity level does not have access to a process with a higher integrity level; this is a security feature introduced in Vista along with UAC. Explorer has High level at least on server operating systems where UAC is off.

Additionally, this problem was not seen in earlier versions of ITMS. For 7.6, security features were added to the product, which made this problem noticeable.

This was not a problem in 7.5 because the agent's UI in 7.5 was running in the context of the logged-on user but without any UAC elevation. This means the UI did not have admin privileges when the user was logged in as an administrator and UAC was on, which caused other functionality not to work when UAC was on. The 7.6 UI now runs in the context of the elevated admin.

Resolution

This issue has been reported to the Symantec Development team. A fix will be available in a later release (current ETA is ITMS 8.0).

Workaround:

For whatever software is applicable, the user will have to launch the program as administrator.

For WebEx: Internet Explorer on the host machine should be started "as administrator" prior to running a WebEx session there. That solves the problem: IE gets High integrity level, the WebEx process atmgr.exe also gets High integrity level, and it can access the SMA UI, the regedit UI and any other app UI.

For Skype: Skype for Business should also be started "as administrator". This leads to lync.exe running with High integrity level and the ability to control any app UI.

Pointfix:

A pointfix for ITMS 7.6 HF5 is available. See attached "Pointfix_eTrack3885600_SMP_7.6_HF5.zip"

REQUIREMENT:
Installed SMP 7.6 HF5

HOW TO INSTALL THIS POINTFIX:

  1. Retrieve files from the archive to the NS hard drive.
  2. Run “PFInstaller.exe” as administrator and click the "Install Files" button.
  3. Run the scheduled tasks "NS.Package Refresh" and "NS.Package Distribution Point Update Schedule".
  4. Upgrade the Symantec Management Agent on Package Servers via the default SMA upgrade policy.
  5. Upgrade the Symantec Management Agent on client machines via the default SMA upgrade policy.
  6. The Symantec Management Agent version will be incremented from 7.6.1635 to 7.6.1637.
  7. In order to decrease the default integrity level of the SMAgent UI (AeXAgentUIHost.exe), modify the new registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\Medium Integrity Level UI" by changing its value from 0 to 1. This value is created automatically. If the user changes it from zero to a non-zero value, the UI process is automatically restarted and gets the other integrity level:
     0 (default): high
     1: medium
  8. This registry key value change needs to be done manually on every machine where remote control is needed and the SMAgent UI is also required.
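
Steps 7 and 8 can be scripted per machine. The following PowerShell is an added example, not part of the pointfix or Symantec's own code. It assumes "Medium Integrity Level UI" is a DWORD value under the "Altiris Agent" key and that the script runs in a PowerShell of the same bitness as the agent; the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumption: "Medium Integrity Level UI" is a DWORD value
# under the Altiris Agent key, as the path in step 7 suggests.
$KeyPath   = 'HKLM:\SOFTWARE\Altiris\Altiris Agent'
$ValueName = 'Medium Integrity Level UI'
$UiProcess = 'AeXAgentUIHost'   # process name from step 7, without .exe

function Get-SmaUiIntegritySetting {
    # Returns $null when the value is absent (pointfix agent not installed yet).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $raw = [int]$item.$ValueName
    [pscustomobject]@{
        Raw   = $raw
        Level = if ($raw -eq 0) { 'High' } else { 'Medium' }  # any non-zero means medium
    }
}

function Set-SmaUiMediumIntegrity {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$TimeoutSeconds = 60)

    $current = Get-SmaUiIntegritySetting
    if ($null -eq $current) {
        # The agent creates the value itself; do not create it on an unpatched agent.
        throw "Value '$ValueName' not found. Confirm the agent was upgraded to 7.6.1637."
    }
    if ($current.Level -eq 'Medium') { return 'AlreadyMedium' }

    $before = Get-Process -Name $UiProcess -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty Id
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set to 1 (medium integrity UI)')) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -Type DWord
        # The article says the UI process restarts by itself; wait until no old PID remains.
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while ((Get-Date) -lt $deadline) {
            $now = Get-Process -Name $UiProcess -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty Id
            if ($now -and -not ($now | Where-Object { $before -contains $_ })) { return 'Restarted' }
            Start-Sleep -Seconds 2
        }
        return 'ValueSetRestartNotObserved'
    }
}

# Dry run; remove -WhatIf to apply the change.
Set-SmaUiMediumIntegrity -WhatIf
```

A result of 'ValueSetRestartNotObserved' means the value was written but no new AeXAgentUIHost process appeared within the timeout, so the UI may still be running at the old integrity level.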

 

CHANGES MADE:

  • Changed the integrity level of the agent's UI process and added a registry key that lets the user control the integrity level.

    Note: Will this value be reset to the default if the agent is upgraded or reinstalled?
    No. The agent never changes the value; once it is set, it is not touched by the agent, an upgrade or a reinstall.
    However, if you uninstall the agent, the whole registry key is removed and the value is lost.

HOW TO UNINSTALL:

  • Make sure that the Backup subfolder is located in the Pointfix directory.
  • Run “PFInstaller.exe” as administrator and click the "Uninstall Files" button.

Attachments

Pointfix_eTrack3885600_SMP_7.6_HF5.zip