Group policy and registry settings

OpenFin provides desktop owner administrators the ability to customize the Runtime environment to manage controls around specific API features. These controls over the Runtime and RVM enable application providers to use all API features, but give their customers (on a case by case basis), the option to turn them off via group policy. These additional settings are an extension of the Chromium base Group Policy flags.

OpenFin supports all policies that are managed in Chromium and supported on Windows. For the list of these policies and their settings, refer to the Chrome Enterprise policy list.

We’ve created templates for desktop owners to simplify the process of setting up group policy for users. These can be found in the following repos:

Locations

There are two key paths where the RVM looks to read settings value data from, which can exist in both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE.

  • Group policy registry base path: Software\Microsoft\Windows\CurrentVersion\Policies\OpenFin\RVM

  • Registry base path: Software\OpenFin\RVM

Definition precedence

If the same value name (for example, rvmInstallDirectory) exists in multiple locations, the value that is actually used is based on the following rules:

Desktop owner settings > HKEY_CURRENT_USER > HKEY_LOCAL_MACHINE > Group policy registry > Registry > App manifest

That is, a value for an option in desktop owner settings takes precedence over a value in HKEY_CURRENT_USER, etc. Note that some values must be defined in the registry; this includes DesktopOwnerSettings, for the location of a desktop owner settings file.

For example, for the value “rvmInstallDirectory”, the following order is used to determine which value is applied:

  1. Desktop owner settings: "deployment" : { "rvmInstallDirectory" : "value" }

  2. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\OpenFin\RVM\Settings\Deployment\rvmInstallDirectory

  3. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\OpenFin\RVM\Settings\Deployment\rvmInstallDirectory

  4. HKEY_CURRENT_USER\Software\OpenFin\RVM\Settings\Deployment\rvmInstallDirectory

  5. HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings\Deployment\rvmInstallDirectory

  6. Application manifest: "rvmInstallDirectory"

  7. OpenFin default rvmInstallDirectory

OpenFin group policy settings


allowHttpsToHttpNetworkRedirects

(Starting in RVM v10) Whether to allow redirects from URLs that use HTTPS to ones that use HTTP. For best security, set to 0 (false). If set to 1 (the default), a warning banner appears in the RVM log and if the RVM health check is run, a failed check occurs for HTTPS. See Enable HTTPS security features for details.

Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings
DWORD (REG_DWORD) value: allowHttpsToHttpNetworkRedirects
Expected data: 0 or 1
Default data: 1 (true)
Example data: 0
Example result: The RVM does not allow redirects from HTTPS to HTTP URLs.


allowHttpToHttpsNetworkRedirects

(Starting in RVM v10) Whether to allow redirects from URLs that use HTTP to ones that use HTTPS. This type of redirect is normally allowed under HTTPS. See Enable HTTPS security features for details.

Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings
DWORD (REG_DWORD) value: allowHttpToHttpsNetworkRedirects
Expected data: 0 or 1
Default data: 1 (true)
Example data: 0
Example result: The RVM does not allow redirects from HTTP to HTTPS URLs.


allowInvalidNetworkCertificates

(Starting in RVM v10) Whether to ignore encryption certificates that are invalid due to missing the common name or expiry date, unknown certificate authority (CA), or revocation by the CA. For best security, set to 0 (false). If set to 1 (the default), a warning banner appears in the RVM log and if the RVM health check is run, a failed check occurs for HTTPS. See Enable HTTPS security features for details.

Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings
DWORD (REG_DWORD) value: allowInvalidNetworkCertificates
Expected data: 0 or 1
Default data: 1 (true)
Example data: 0
Example result: The RVM enforces that network encryption certificates must be valid.


assetsUrl

Globally sets a URL to the server that hosts application assets.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\OpenFin\RVM\Settings
String (REG_SZ) value: assetsUrl
Default data: https://cdn.openfin.co/release
Example data: http://ASSET_SERVER_NAME.com
Example result: RVM and Runtime assets are retrieved from the specified asset server as opposed to the OpenFin asset repository.
DOS example


cleanUnusedRuntimes

Globally determines whether the RVM cleans up runtime and runtime cache folders that are no longer referenced by any installed applications. By default, the RVM does clean up unused runtimes.
Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings
DWORD (REG_DWORD) value: cleanUnusedRuntimes
Expected data: 0 or 1
Default data: 1 — The RVM cleans up unused runtimes.
Example data: 0
Example result: Runtime and runtime cache folders are not cleaned up, even if no applications reference them.
DOS example


crashReporterUrl

The endpoint URL to which the RVM sends crash reports.
Key: HKEY_CURRENT_USER\SOFTWARE\OpenFin\RVM\Settings
String (REG_SZ) value: crashReporterUrl
Default data: https://dl.openfin.co/services/crash-report-v2"`
Example data: "http://CRASH_REPORT_SERVER.com/crash-reporter"
Example result: The RVM sends crash reports to the specified URL instead of to OpenFin's crash report server.


createShortcutsForAllUsers

Whether to create shortcuts in the public shortcuts folder for all users.
Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings
DWORD (REG_DWORD) value: createShortcutsForAllUsers
Expected data: 0 or 1
Default data: 0x0
Example ata: 1
Example result: The RVM creates shortcuts for all users.
Note: This setting cannot be overridden by a desktop owner settings file.


DesktopOwnerSettings

Globally sets the path or URL to a JSON file containing desktop owner settings configuration settings.
Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings
String (REG_SZ) value: DesktopOwnerSettings
Default data: none
Example data: "https://FILE_SERVER/PATH_TO_FILE/DESKTOP_OWNER_SETTINGS_FILE.json"
Example result: The RVM reads the desktop owner settings from the specified URL, using the settings in the file and overriding any settings that were defined in the registry.
Note: This setting cannot be overridden by a desktop owner settings file.


desktopOwnerSettingsMandatory

Whether to require that the file at the DesktopOwnerSettings location must be used. If required, and the location is not reachable, the RVM does not load.
Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings
DWORD (REG_DWORD) value: desktopOwnerSettingsMandatory
Expected data: 0 or 1
Default data: 0
Example data: 1
Example result: If the RVM cannot read the file at DesktopOwnerSettings, it exits without continuing.
Note: This setting cannot be overridden by a desktop owner setting file.


disableShortcutCreation

Whether to globally prevent all applications installed through the RVM from creating shortcuts. The desktop owner can choose to be responsible for shortcut creation.
Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings
DWORD (REG_DWORD) value: disableShortcutCreation
Expected data: 0 or 1
Default data: 0 — Applications installed through the RVM install their shortcuts.
Example data: 1
Example result: When an application is installed through the RVM, shortcuts for the application are not created.
DOS example


enableRuntimeDiagnostics

Whether to enable reporting Runtime diagnostics information to OpenFin. (RVM v4.2.0.35+, Runtime v20+)
Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings
DWORD (REG_DWORD) value: enableRuntimeDiagnostics
Expected data: 0 or 1
Default data: 1
Example data: 0
Example result: The RVM does not report diagnostic information about the Runtime session to OpenFin.


enableSBDLocalhostTrusted

Whether secured APIs should be automatically allowed for applications hosted on http://localhost. This setting can be convenient during application development, but desktop owners might prefer to disable it for ordinary users of production applications.
Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings
DWORD (REG_DWORD) value: enableSBDLocalhostTrusted
Expected data: 0 or 1
Default data: 1
Example data: 0
Example result: The RVM follows the API security permissions defined in desktop owner settings regardless of where the application is hosted.


lrsUrl

Globally sets the license relay server (LRS) URL for all applications. The RVM sends all licensing information to the specified LRS server instead of directly to the OpenFin default server.
Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings
String (REG_SZ) value: lrsUrl
Default data: https://dl.openfin.co/services
Example data: https://LRS_SERVER/license-services
Example result: The RVM sends all licensing information to the specified URL.
DOS example


maxAppLogFileSizeMB

The maximum log file size in megabytes for an application-specific log. Note that the RVM uses the base-2 definition: 1MB = 1048576 bytes. (RVM 4.2.0.35+)
Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings\ApplicationLogging
DWORD (REG_DWORD) value: maxAppLogFileSizeMB
Default data: none (unlimited)
Example data: 0x00000400 (1024 MB)
Example result: The RVM does not let application logs grow over 1024 MB.
DOS example


maxAppLogFiles

The maximum number of archived log files for an application that uses application logging.
Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings\ApplicationLogging
DWORD (REG_DWORD) value: maxAppLogFiles
Default data: 0 (unlimited)
Example data: 10
Example result: The RVM keeps the newest zipped log files and deletes the oldest zipped log files, without exceeding the number specified in this setting.
DOS example


noUi

Whether to disable user interface elements generated by the RVM, such as error dialog boxes, splash screen, etc.
Key: HKEY_LOCAL_MACHINE\Software\OpenFin\Settings
DWORD (REG_DWORD) value: noUi
Expected data: 0 or 1
Default data: 0x0
Example data: 1
Example result: The RVM suppresses all UI elements.
Note: This setting cannot be overridden by a desktop owner settings file.


numberOfDelegationRetries

The number of times for that the RVM attempts a delegation. When there is RVM already launched at the time when new instance is started, the latter delegates its job to the first RVM. If primary RVM fails to receive the message (such as, it's performing an auto-update) the second RVM retries to send the message. This setting allows you to overwrite default number of these retries (RVM v9+).
Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings
DWORD (REG_DWORD) value: numberOfDelegationRetries
Default data: 0x0000000a (10 retries)
Example data: 0x00000010 (16)
Example result: A RVM tries to delegate its job 16 times to the primary RVM before it gives up.


runtimeArgs

Globally add Runtime command-line arguments to apply for all applications. You can specify any number of arguments, separated by spaces.
Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM
String (REG_SZ) value: runtimeArgs
Default data: The Runtime arguments specified in the application manifest.
Example data: -–user-data-dir=”%localappdata%custom_cache_directory
Example result: All applications utilizing the RVM specify –user-data-dir runtime option when they are launched. This specific Runtime option can be used to set a custom directory where the Runtime writes its cache information.
Note: This setting cannot be overridden by a desktop owner settings file.


runtimeCache

A directory path where the Runtime writes cache data. This is a global setting that overrides any application configuration.
Key: \Software\OpenFin\RVM\Settings\Deployment
String (REG_SZ) value: runtimeCache
Default data: %rvmInstallDirectory%/cache
Example data: %LOCALAPPDATA%\CUSTOM_CACHE_DIR
Example result: The runtime writes its cache data to the specified directory.
DOS example


runtimeDirectory

A directory path where the Runtime binaries are stored.
Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings\Deployment
String (REG_SZ) value: runtimeDirectory
Default data: %rvmInstallDirectory%/runtime
Example data: %LOCALAPPDATA%\CUSTOM_BINARY_DIR
Example result: The RVM uses the specified folder to read and write runtime binaries.
DOS example


rvmInstallDirectory

A directory where the RVM copies itself and operates from.
Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings\Deployment
String (REG_SZ) value: rvmInstallDirectory
Default data: %LOCALAPPDATA%\OpenFin
Example data: %LOCALAPPDATA%\CUSTOM_INSTALL_DIR
Result: If the RVM executes from a different folder, it copies itself to the specified folder and re-runs from there.
DOS example


secureAPIDefaultPermission

Defines the default permission for secured APIs, when no matching permission definition is found.
Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings\
String (RG_SZ) value: secureAPIDefaultPermission
Expected data: one of "allow", "deny", or "prompt"
Default data: "prompt"
Example data: "deny"
Example result: Secured APIs whose permissions are not explicitly defined are denied access to run.


shortcutPointsToOriginalInstall

Whether shortcuts created by the RVM point to the original installation location of the RVM, and not the rvmInstallDirectory location. This can be useful in environments that wipe the %localappdata% folder, such as Citrix.
Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings\Deployment
DWORD (REG_DWORD) value: shortcutPointsToOriginalInstall
Expected data: 0 or 1
Default data: 0
Example data: 1
Example result: The RVM creates shortcuts that point to the original installation location. The RVM re-installs itself every time it runs.


startMenuRootFolder

Globally sets root folder(s) for applications start menu shortcuts. The specified folder is inside the default Windows start menu folder.
Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings
Data String (REG_SZ) value: startMenuRootFolder
Expected data: A path of custom folders where you want start menu shortcuts to be placed.
Default data: The standard Windows start menu shortcut folder.
Example data: CUSTOM_SHORTCUT_FOLDER
Result: Start menu shortcuts are placed in CUSTOM_SHORTCUT_FOLDER for all applications installed through the RVM that specify start menu shortcuts.
DOS example


trackBetaAutoUpdates

Whether the RVM automatically updates to the latest beta release of the RVM; the version number is maintained at https://cdn.openfin.co/release/rvm/betaVersion.
Key: HKEY_CURRENT_USER\Software\OpenFin\RVM\Settings
DWORD (REG_DWORD) value: trackBetaAutoUpdates
Expected data: 0 or 1
Default data: 0
Example data: 1
Example result: When the RVM is launched, it updates to the latest beta release.


unusedRuntimeExpirationInMinutes

The amount of time after which the RVM removes an unused downloaded Runtime and its corresponding runtime cache folder(s). The RVM keeps track of the last time a downloaded Runtime was launched. After an amount of time specified by unusedRuntimeExpirationInMinutes has elapsed since the Runtime was last launched, the RVM removes that Runtime and its corresponding cache folder(s) the next time the RVM exits. Note that this does not apply to Runtimes that are not downloaded through the RVM (for example, Runtimes that are copied to the /runtime folder via MSI installers or other means). (RVM 3.5.1.0+)
Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings
DWORD (REG_DWORD) value: unusedRuntimeExpirationInMinutes
Default data: 0x0000a8c0 (43,200 minutes, or 30 days)
Example data: 0x00003840
Example result: The RVM deletes the downloaded Runtime after 14400 minutes (10 days) after the last time the Runtime was launched.
DOS example


Advanced group policy settings

Use these settings only in specialized circumstances.

protocolHandlerLocation

Location from which fin and fins links launch the RVM. This setting takes precedence over rvmInstallDirectory. Use only in situations where this location needs to be explicitly set, such as when the default location in a virtual environment is periodically emptied.
Key: HKEY_LOCAL_MACHINE\Software\OpenFin\RVM\Settings
String (REG_SZ) value: protocolHandlerLocation
Default data: Same as rvmInstallDirectory.
Example data: %LOCALAPPDATA%\CUSTOM_RVM_DIR
Example result: When the user accesses a link with a fin or fins protocol, the RVM in the specified directory is launched.


Refer to this page for a complete list of Chromium group policy settings.

Have questions? Get in touch with us at [email protected].