Product: FlexApp
Product Version: ProfileUnity 6.8.4+
Expires: 365 days from publishing.
Updated: December 28, 2023
Problem: Depending on your Windows Firewall security settings/policies, you may get a firewall prompt for a FlexApp that appears to make no sense. This can occur in all ProfileUnity Versions, but the solution is only slightly different between 6.8.4 and 6.8.5/6.8.6.
The offending firewall prompt looks something like this: (It can also show as D:# in some circumstances).
You can see the full Path of the exe above is a variable number based on a virtual (And somewhat "Invisible") mountpoint of the VHDX for that particular FlexApp.
In order to fix this, you can use a Pre-Activation or Post-Activation Script to dynamically create the firewall rule based on the full underlying disk path.
Here is the PowerShell code that provides a framework for creating Firewall Rules to mitigate this issue/pop-up prompt:
## USER VARIABLES TO CHANGE HERE
# DiskLabel (Some unique portion of the package name goes here, leave off the first and last characters as it uses wildcards on the front and end of the string).
$Label = "988_Mediatel_Cli"
# Full path to exe you want to allow through the Firewall:
$ExePath = "2015-03-04UTC14-53-50-797-appdir-1\Volumes\C\Program Files (x86)\mediatel data\client\client.exe"
# Display name for firewall Rule(s):
$DisplayName = "MediatelClient"
#### DO NOT CHANGE ANYTHING IN THIS PART! #########################################################
$Kernel32 = Add-Type -Name 'Kernel32' -Namespace '' -PassThru -MemberDefinition "[DllImport(""kernel32"")] public static extern int QueryDosDevice(string name, System.Text.StringBuilder path, int pathMaxLength);"
$DevicePath = New-Object System.Text.StringBuilder(255)
$GetDevicePath = {$Kernel32::QueryDosDevice($_.UniqueId.TrimStart('\\?\').TrimEnd('\'), $DevicePath, $DevicePath.Capacity) | Out-Null; $DevicePath.ToString().Substring($DevicePath.Length - 1)}
$HardDiskVolume = (Get-Volume | Where-Object {$_.FileSystemLabel -like "*$Label*"} | ForEach-Object { & $GetDevicePath }) -join ''
$ProgramStringC1 = "C:$HardDiskVolume\$ExePath"
$ProgramStringD1 = "D:$HardDiskVolume\$ExePath"
############# END DO NOT EDIT ######################################################################
## FIREWALL RULES TO ADD/EDIT HERE: DIRECTION/ACTION/PROTOCOL/ENABLED/PROFILE
## Note, Set up 2 Sets of rules per application, in case it mounts on C: or D: (This can happen in some environments) the application will still work.
New-NetFirewallRule -DisplayName $DisplayName -Program $ProgramStringC1 -Direction Inbound -Action Allow -Protocol UDP -Enabled True -Profile Domain
New-NetFirewallRule -DisplayName $DisplayName -Program $ProgramStringC1 -Direction Inbound -Action Allow -Protocol TCP -Enabled True -Profile Domain
New-NetFirewallRule -DisplayName $DisplayName -Program $ProgramStringD1 -Direction Inbound -Action Allow -Protocol UDP -Enabled True -Profile Domain
New-NetFirewallRule -DisplayName $DisplayName -Program $ProgramStringD1 -Direction Inbound -Action Allow -Protocol TCP -Enabled True -Profile Domain
Version 6.8.4 -
1. Change the $Label variable to something that will match on your package's volume-label - For example, when running Get-Volume in PowerShell 5, if "FriendlyName" was "13988_Mediatel_Client", change $Label variable to "3988_Mediatel_Clie" (Whatever will match on your own partial, yet unique as possible volume-label's FriendlyName) but will NOT match on another FlexApp package volume name that might be running as well.
2. Change the $ExePath after '\2015-03-04UTC14-53-50-797-appdir-1\volumes\c\ to the full path of the executable you wish to create a firewall rule for. (in this example, it is "2015-03-04UTC14-53-50-797-appdir-1\volumes\c\program files (x86)\mediatel data\client\client.exe)"
4. The $DisplayName variable is a static string to be used in the Firewall Rules (-DisplayName). It MUST be one word, no spaces, or you can leave it out and it will be blank. (Note, if you wish to remove this rule in a Pre/Post De-Activation script, you must define the -DisplayName parameter - it cannot be blank).
5. Be VERY careful with quotes and double quotes, as FlexApps are very sensitive to those.
6. For testing - Enable PowerShell transcription in either Domain GPO or local GPO to log to somewhere like C:\windows\Temp. It will generate a folder like YYYYMMDD and inside you can view the
output of all/any PowerShell commands run on the system.
7. Since 6.8.4 version FlexApps can only run BAT or CMD files as scripts, take the script above once you have it set to your desired settings, and edit the package you wish to have it run from. Copy/Paste the .PS1 file somewhere in the packages file system - For example, we will put FirewallRules.PS1 in the "C:\Program Files (x86)\Mediatel Data" Folder: First, copy the file:
In the FPC Editor, PASTE the file you just copied:
Now, save the package with the FirewallRules.PS1 inside of it.
Now, create a Post-Activation FirewallRules.cmd file containing the following that will call and execute the PS when the FlexApp opens/mounts:
powershell.exe -executionpolicy bypass -noprofile -file 'C:\Program Files (x86)\Mediatel Data\Firewall.ps1'
Version 6.8.5+
FIrst, 6.8.5+ has the ability to run PowerShell scripts (PS1 Files) as Pre or Post activation scripts, so you can launch the above script directly as a Pre/Post-Activation script instead of having to put it inside the package.
The File naming is also a bit different, in that the "2015-03-04UTC14-53-50-797-appdir-1" string is no longer the same in every package. To get the folder name of your package, Edit the package on the FPC:
Once open for editing, go to C:\Windows\Temp in Windows File Explorer, and you should see a folder like this with a disk drive for an icon:
Double-click on the folder, and you will see the string you need for the firewall script(ing).
Simply replace the 2015-03-04UTC14-53-50-797-appdir-1 folder with the folder name above (Or whatever your FlexApp's folder name is) in the scripting example for 6.8.4 above.
Deleting the firewall rules for persistent desktops: You can use a simple BAT or CMD script like this that removes the rule based on the -DisplayName you set in the FirewallRules.PS1 script:
powershell.exe -executionpolicy bypass -noprofile -command "Get-NetFirewallRule -DisplayName MediatelClient | Remove-NetFirewallRule -Confirm:$false"
NOTE: If you are using "CTL" (Click to Layer), you may want to make the script a "Pre-Activation" script, as it may take longer to load once clicked on, and this way it will already have run beforehand.
FlexAppOne: If you are using FA1, you will need to make sure the Pre or Post-Activation script file name(s) start with "_system" for example: "_system_FirewallRules.ps1" for it to execute in Elevated mode upon launching the FA1 executable.
FlexApp Documentation References:
6.8.4 FlexApp Packaging Console Guide
6.8.5 FlexApp Packaging Console Guide
6.8.6 FlexApp Packaging Console Guide