
Permission for Windows 11 Outbound / Inbound Rules

Open apofis1969 opened this issue 1 year ago • 16 comments

Problem Description

Windows 11 needs a permission for the Windows Defender Firewall for 3rd party apps to connect, for example, to an RTMP streaming server. AIR SDK should have a permission request to add the permission to the Firewall, as native apps do this. At the moment the user has to do this by himself, which is absolutely not user friendly. Figuring out how this works is not that easy.

This is an important feature, which should be added.

Also macOS needs a lot of permission request options, such as saving pictures to the hard disk or photo library, etc.

Is there a way to resolve this?

apofis1969 avatar Aug 26 '23 14:08 apofis1969

I think this sort of capability might be better off provided via an ANE, as it's very platform-specific.. e.g. wrapping up the APIs such as https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ics/c-adding-a-service-rule We can take a look at this unless anyone knows of an existing ANE that does it..?

On macOS, there are an increasing set of pop-ups that you get when the app tries to access various file system locations or hardware peripherals, but these are generally determined by the OS at run-time, I don't know of any way that these can be programmatically requested. For some of them - accessing the photo library etc - the existing permissions mechanism should work for that but again there will be prompts to the user.. Are there any specific permissions here that you aren't able to obtain currently, either via the PermissionsManager or just by trying to access them?

thanks

ajwfrost avatar Aug 27 '23 06:08 ajwfrost

Hi @ajwfrost ! Thanks for your reply. @windows: I did not find any ANE for this problem. This is why I am adding this here. It would be a huge help to have this. @macos: Until now I did not have any issue, but the main problem is the review. I think it would be good to have permissions to ask to save images or videos to folders. Just in case the review team discovers this as a guideline violation. Or GeoLocation. Until now the permission manager only supports microphone and camera, if I am not completely wrong.

apofis1969 avatar Aug 27 '23 18:08 apofis1969

For Windows, you can start the netsh.exe process from AIR, and check/add/remove firewall entries. Note that for this to work, the app needs to be run as administrator (only when you want to edit the firewall). You can check the elevation from command line too, before attempting to edit the firewall.

Example: https://nimdati.com/2019/04/15/create-firewall-rule-via-command-line/

There are a lot of things you can do by running Windows processes, and reading their print output :)

htmiel avatar Aug 28 '23 18:08 htmiel

Hi @htmiel, thanks for your message. But I think a permission request which does not need any knowledge of the user would be better. I did it with netsh, running the cmd as administrator:

netsh advfirewall firewall add rule name="NewRule" dir=out program="C:\Program Files (x86)\myApp" action=allow

This does it all. Maybe @ajwfrost this could be integrated as an ANE.

apofis1969 avatar Aug 29 '23 13:08 apofis1969

@ajwfrost, wish you a happy 2024! Will there be a solution for the firewall permissions on Windows? Most of the users do not want to do this manually. It is not user friendly. These two lines of permissions have to be added to the firewall settings:

netsh advfirewall firewall add rule name="AppName" dir=in program="C:\Program Files (x86)\MyApp\MyApp.exe" action=allow profile=any
netsh advfirewall firewall add rule name="AppName" dir=out program="C:\Program Files (x86)\MyApp\MyApp.exe" action=allow profile=any

apofis1969 avatar Jan 02 '24 08:01 apofis1969

@ajwfrost I could resolve the problem with an installer for Windows. But it would be great to have this as a permission in Adobe AIR. Maybe you could implement this feature. Thank you!

apofis1969 avatar Jan 05 '24 12:01 apofis1969

Hi

In a normal AIR application, we'd be running with user privileges, so that call to "netsh" would only work if the user was able to then enter admin details to run the elevated command. It would be feasible to create an ANE for adding this kind of firewall rule - launching 'netsh' with the elevated permission. I'm a little concerned at adding an inbound rule, this shouldn't be required if you're initiating the connection from the AIR app..?

Running the rule during installation would help because you've generally already got the elevated permissions in order to do the install, but then with this approach you're not giving the user any choice.. and there are multiple ways to install AIR apps so I'm leaning in favour of the ANE-based approach.

Just so we're clear on this (and can reproduce whatever Windows is currently doing) - are you using the AIR app as a server and listening on an inbound socket? (in which case yes I guess "in" is needed too!) - or are you getting blocked when an AIR app is trying to connect to another machine? What port numbers are you using for this?

Reopening the issue because although there's a workaround, I think it's something where we could provide a simple/standard ANE that could be added where needed.

thanks

ajwfrost avatar Jan 08 '24 08:01 ajwfrost

Hi @ajwfrost, the installer opens cmd.exe as admin, and the installer itself runs as admin and asks the user if changes can be made. The fact is that I asked to resolve this in August 2023. I was tired of users writing bad reviews because Windows blocks the app, and also tired of receiving user emails that we are unable to resolve this problem in a user-friendly way. I tried to resolve this with a tutorial. But unfortunately most of the users only know how to download, install and switch on a computer. So I found a workaround. The app needs inbound and outbound rules. Inbound to receive a video stream, outbound to send a video stream. Ports are 443, 1935, 1969, 80. Profile has to be any because I need the permissions domain, inbound, outbound. Windows blocks the app connecting to a streaming server via the RTMP protocol. It would be great to have this resolved according to privacy policy rules. Thanks for your help.

apofis1969 avatar Jan 08 '24 09:01 apofis1969
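
An added example, not code from any participant in this thread or from the AIR SDK: the elevation check and `netsh` rule discussed above, scoped to the application's executable and to outbound TCP on the ports named in the thread. It leaves out the inbound rule, following the question raised above of whether one is needed when the app initiates the connection; the rule name and install path are placeholders.

```powershell
# Added example: rule name and install path are placeholders, adjust to the real app.
$RuleName = 'MyApp RTMP out'
$Program  = 'C:\Program Files (x86)\MyApp\MyApp.exe'
$Ports    = '80,443,1935,1969'   # remote ports named in the thread

function Test-Elevated {
    # True only when the current process token has the Administrators role enabled.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-RuleExists([string]$Name) {
    # netsh returns a non-zero exit code when no rule matches the name.
    & netsh advfirewall firewall show rule name="$Name" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

if (-not (Test-Elevated)) {
    Write-Error 'Not elevated: netsh cannot change firewall rules from this process.'
    exit 1
}
if (-not (Test-Path -LiteralPath $Program -PathType Leaf)) {
    # Point the rule at the executable itself, not at a directory.
    Write-Error "Program not found: $Program"
    exit 1
}
if (Test-RuleExists $RuleName) {
    Write-Output "Rule '$RuleName' already present, nothing to do."
    exit 0
}

# Outbound only, one program, TCP, listed remote ports.
& netsh advfirewall firewall add rule name="$RuleName" dir=out action=allow `
    program="$Program" protocol=TCP remoteport=$Ports profile=any
if ($LASTEXITCODE -ne 0) {
    Write-Error 'netsh failed to add the rule.'
    exit 1
}

# Print the resulting rule so it can be reviewed.
& netsh advfirewall firewall show rule name="$RuleName"
```

An uninstaller can remove the rule with `netsh advfirewall firewall delete rule name="MyApp RTMP out"` so it does not outlive the application.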

@ajwfrost, Hi, Is there now a solution from your side or do I still have to do it with the terminal at the installer? I was waiting for the SDK update with a solution for that.

apofis1969 avatar Jan 29 '24 08:01 apofis1969

Hi

We're looking at this as an ANE rather than baking a solution into the AIR SDK itself, since the requirement is fairly specifically targeted at Windows. I'll try to give you an update on the likely timescales for this one, shortly..

thanks

ajwfrost avatar Jan 29 '24 13:01 ajwfrost

Hi @ajwfrost, Will there be a solution?

apofis1969 avatar Feb 16 '24 07:02 apofis1969

Yes, I have a colleague working on this, but he's out this week for half term - sorry, I'd forgotten to update here. I'll talk to him next Tuesday and will put a reminder in my calendar to update this thread with the latest details! thanks

ajwfrost avatar Feb 16 '24 09:02 ajwfrost

Hi -> update here, we have a slight challenge in that to amend the firewall rules, we need to be running as an administrator, and we can't just elevate the permissions whilst running. To get this working we would need to re-launch the whole AIR application from scratch as a new process, and I don't think that's a viable option as you'd lose all state/UI information etc....

So the current plan is to have a separate process that we can launch from the ANE that would handle this. Currently on Windows, ANEs only support DLL binaries, and it doesn't look like we can package up a separate EXE file - so we will change that to make it a little more like the mobile platforms where you can have separate dependencies that would be deployed with the application...

It's going to be a week or two more I think, in order to get this set up..

thanks

ajwfrost avatar Feb 20 '24 10:02 ajwfrost

Hi @ajwfrost Thanks for the information. Hopefully you may have a solution soon. All the best Johannes

apofis1969 avatar Feb 26 '24 09:02 apofis1969

Hi @ajwfrost is there still no solution? Wish you a peaceful Easter time.

apofis1969 avatar Mar 30 '24 12:03 apofis1969

I am asking again @ajwfrost if there will be a solution?

apofis1969 avatar Apr 19 '24 05:04 apofis1969