Please reply anyone???
1) What is the best/recommended possible way to allow the upgrade of the application? Is the way I allowed it OK???
2) In the attached screenshot, the expiration date is showing as March 1, 2015. Will the application be blocked after that, or what will be the consequences??
> No, even though the certificate is expired, it is still valid. So the trust policies will continue to be in effect.
Is the way I allowed it the best possible way??
Hi Haaris, if you trust the publisher's wares for all the computers under that policy's purview, and that their cert hasn't been stolen to sign malware (which has happened to at most a handful of publishers), then what you've done is perfectly reasonable. I use publisher trusts in many circumstances like this.
You could be more surgical if you like. If this is just for one workstation, you could put the workstation into update mode with begin update mode, and then do the upgrade, then end update mode. That would allow any updates between those two times to be allowed. This may be "better" in some circumstances.
Or you could designate the installer as an updater in which case the installation program would be allowed to do changes to other programs on all the systems in policy.
I believe those are your options for this situation.
I agree with your tacit lament that this product doesn't yet do much with publisher certificates. I think I've put in a PER to include revocation list checking for publisher certs and for the ability to make policy decisions on whether to allow things with expired certs to run.
Thanks for the knowledge sharing & your ideas!!!
Actually, upgradation was to be done on 14 workstations, so I allowed it by publisher.
Thanks for the update....