+26
Considering for Future Release

Whitelist custom extensions in 6.5+

shawnkhall 8 months ago • updated 1 week ago 6

Background: Control 6.5 imposes a signature validation scheme to ensure the integrity of the Connect install (per this post). This is a net good for most of the community base. For the rest of us it's more trouble than it's worth.


Request: We need the ability to either whitelist custom extensions from validation or disable the signature validation scheme entirely.


Reasoning: I've developed quite a few extensions in an on-premise Control installation to automate significant portions of my business. I'm not willing to share some of this code since it exposes the inner workings of my business, sometimes usernames and passwords, trigger URLs, and plenty of other information that would be useless for the rest of the world, but could increase the risk of my own business data should it be shared with a third party -- even ConnectWise. Microsoft, Google and Adobe have each been hacked in the past, so it's safe to assume that anything I share with CW will eventually be exposed as well.


The hosted developer instance option requires me to share business logic and requires significant rewrites to the code for each of my extensions to be able to prevent business information exposure. Furthermore, as far as I can tell, some of the functionality can not be rewritten in a way that prevents this exposure.


I've submitted an extension to CW in the past and it took weeks to have it approved. It took weeks to be approved for a developer instance. I can only imagine initial approval of each of my extensions to be able to use them in my own on-premise install will take weeks as well, and even minor updates to my extension (such as cosmetic changes or field formatting) will likely take weeks to be approved as well. 


On-premise users require the ability to continue to use and develop our extensions without exposure to ConnectWise. Please enable us to whitelist our custom extensions within the web.config so we can maintain the integrity of our own installations and source code.

Available in Version:

ConnectWise's silence on this issue is deafening.  I have yet to see one single logical reason put forth on why it is beneficial for customers that ConnectWise must review and approve private extensions that can only run in a private on-premise install.  Of course it makes sense for public extensions and for cloud-hosted deployments, but not for private extensions.  Please listen to your on-premise customers, especially those that you obtained through buying ScreenConnect.

+1

I used to use the Guest Session Starter Exe extension, by Elsinore Support (Remember them?). This enables a guest to download a very small exe (suitable for placing on the desktop), which would initiate a Guest Session on demand.  Now depreciated, Quick Support SOS is supposed to do similar.  However I was able to customise the exe file to carry my brand & logo, and now due to "signature violation", this crucial feature has been "outlawed". 


My brand and logo tells MY customers that it's ME at the other end of the remote support connection & not some scammer.

I have had to clean up after one client was actually scammed by some from "Microsoft" who used a ScreenConnect client.  That's why I put MY logo on ScreenConnect.


Preventing me from doing so is interfering with my business.  Branding customisation was the key reason why I chose ScreenConnect over other Remote Support packages.  I host my own on-premise install & pay my renewal licences.  You should not break things that worked perfectly before. And when you do, you MUST put them right quickly.

FAB-ITRescue, we have registered your request to customize the SOS deployer. In the meantime, you can submit your version of GSSE and we will get it signed for you. You can also sign up for a developer instance here: https://docs.google.com/forms/d/1xIku2r1fZgX5VlxXUNih_u6l25-vATYBwU9CxX1GOSE/edit. Thank you.

+1

I agree with Davidson. There is NO good reason to prevent someone from using unsigned extensions ON THEIR OWN SERVER. This is functionality which has been a part of the tool for a very long time, and allowed many of us to incorporate the tool tightly into our businesses. Now that this functionality has been locked out, we are prevented from upgrading and receiving security fixes or new features, or getting resolutions to bugs in the software. You are incentivizing your customers to look at your competitors. 


We have already chosen NOT to purchase another ConnectWise product due in part to this decision (you were eliminated from consideration for a new ticketing tool for our customer support department).

+2
Considering for Future Release

Do you have a potential ETA for future release? My ConnectWise Control renewal is due soon and getting this feature back is the deciding factor.