All OpenFin application installers automatically setup the OpenFin container, and optionally create application shortcuts in the user’s Start Menu as well as on the desktop. The OpenFin installer creates a base folder structure with full read-write permissions and places the the Runtime Version Manager (RVM), and the OpenFin Runtimes within it.
The Runtimes themselves are contained in the “runtime” folder. Older versions of the Runtime are not overwritten when a new version is added. Unused versions of the Runtime are removed automatically. The below depicts the “runtime” directory of a system with three versions of the Runtime:
- Microsoft Windows machine, XP or newer (Windows 7, 8, 10)
- User account has write access to %localappdata% folder
- Internet connection or private line required
- Ports 80 and 443 open to non-browser applications
We recommend whitelisting both the Application Provider’s and OpenFin’s domains:
By default, OpenFin installs the RVM and Runtime to the user’s home directory under the following locations:
“%USERNAME%\Local Settings\Application Data\OpenFin”
Windows 7, 8, & 10:
If needed, the OpenFin RVM and Runtime can be installed in a specific location on a user’s desktop by setting a registry key via Group Policy.
Note: The directory needs to have Read/Write access.
To set your custom path, set a string value for rvmInstallDirectory in:
For older installer versions (v0.0.0.14 and earlier) you also need to set a string value for installDir in:
The OpenFin installer creates application shortcuts that link the server hosted manifest file with a desktop shortcut or Start Menu item. These shortcuts have a target that takes the following form:
To designate a custom shortcut location in the Start Menu, Desktop Owners can set the following registry key via Group Policy.
To enable this option, create a new string value: startMenuRootFolder under:
This option suppresses all shortcut creation (e.g. desktop and Start Menu) and disables shortcut creation going forward for all OpenFin applications. If set, the responsibility of managing shortcuts for application utilizing OpenFin is controlled entirely by the Desktop Owner.
To enable this option, set a value of 1 for:
disableShortcutCreation (DWORD) under:
Desktop users have the ability to remove or “uninstall” shortcuts through an option in their Windows Start Menu. The uninstall action is app specific, effectively removing the Shortcut(s) from a user’s machine.
OpenFin applications are not available in the “Uninstall or Change a Program” menu of Windows by design. An OpenFin app is a configuration on the machine and not a program. The OpenFin Runtime is also not “installed” on a user’s machine as it is not registered with the Operating System.
The Uninstall application option is located in:
This option enables a Desktop Owner to suppress auto updates of the OpenFin RVM, which Application Providers may intend to use with their application.
Option #1 – To enable this option, set a value of 1 for:
disableAutoUpdates (REG_DWORD) under
Option #2 – To enable this option, set the following command line argument:
OpenFinRVM.exe ––disable-auto-updates ––config=”https://targetapp.com/my/path/appConfig.json”
This option enables a Desktop Owner to silently run an NSIS Installer.
Example command line to run the install:
installer.exe ––no-ui ––do-not-launch
This option enables a Desktop Owner to silently install the the Runtime and prevents the application from launching on install via command line arguments.
Example command line to do the install:
OpenFinRVM.exe –do-not-launch –no-ui –config=”https://targetapp.com/my/path/appConfig.json”
OpenFin works with anti-virus software vendors to whitelist the openfin.exe process and installer to eliminate false positives (incidents where antivirus programs mistake OpenFin, and the Chromium Sandbox, for malicious code). Elimination of all AV false-positives is a complicated problem due to the sheer number of security configurations within financial institutions. We are working with AV providers to expand the scope of our whitelisting in order to eliminate false positive occurrences at runtime and reduce any deployment friction.
We recommend asking clients prior to installation if they use any type of security/anti-virus software. Security software has been known to falsely flag the Chromium Sandbox as exhibiting ‘virus like’ behavior. This issue is normally resolved by whitelisting the openfin.exe processes and certificates with the security software.
Example log entry highlighting A/V Software interfering with OpenFin:
[01/01/2018 01:01:01]-[FATAL:sandbox_win.cc(486)] Check failed: !(basic_info.GrantedAccess & kDangerousMask). You are attempting to duplicate a privileged handle into a sandboxed process. Please contact email@example.com for assistance.
OpenFin has known incompatibilities with the below security/anti-virus packages:
Symantec & McAfee – Some older versions of Symantec Endpoint Security and McAfee identify the Google Chromium security sandbox setup process as virus-like activity, as it uses some undocumented parts of the Windows APIs. This can be solved by asking the client to whitelist openfin.exe processes.
Microsoft AppLocker – Blanket Application Control Policies can prevent OpenFin from running. This can be mitigated by having the client install an Executable rule that is Certificate Based on the Publisher as follows:
Publisher: “O=OPENFIN INC., L=NEW YORK, S=NY, C=US” Product Name: “*” File name: “*” File version: “*”
- Bit9 – Security software that does active endpoint monitoring. An exception needs to be made for OpenFin software to run consistently.
- Sophos – Some older versions of Sophos End Client impact a machine’s ability to support web sockets accordingly. We recommend upgrading to 10.3 or higher.
Have questions? Get in touch with us at firstname.lastname@example.org.