Prevent Acc 2003 JET Security Warning for MDE

N

NormR

Hi,

How can I prevent the start up messages from Access in a runtime environment
that report?

I have an Access application for clients and have just upgraded to Access
2003. My test install workstation (WinXP, SP2) only contains the ACC 2003
runtime.

For my development testing, I have created a personal digital certificate.
The Access/Office Help indicates that these personal certificates can be
"shared" across development environments in an office, but the Security
Warning dialog that identifies the certificate has the check box for "Always
trust files from..." disabled.

The start-up messages are:
Security Warning: Unsafe Expressions are not blocked
Do you want to block unsafe expressions?

and

The following message which states that JET 4.0 Service Pack 8 needs to
be installed...
"<program path> may not be safe to open if it contains expressions ..."

Will these start-up JET messages be able to be turned off for my application
when released to my clients without the IT department playing with each
individual's workstation? SOme of these clients have over 100 users of the
same application.

Thanks,
Norm
 
P

Paul Overway

You need to do one of the following:

1. Buy a digital certificate...the personal one you created is only good
for your PC
2. Create a digital certificate on a certificate server at the
client's...if possible
3. Set macro securtity to low during installation of your app
 
N

NormR

Hi Paul,

Thanks for the reply. I am waiting for Verisign to "wake up Monday" to
purchase a Digital Certificate for my application. Once signed, do you know
if the JET security dialogs will also go away?

Norm
 
C

Chris Mills

Has anyone, anywhere, anytime, any planet, ever purchased a Digital
Certificate for Microsoft Access?

If so, we'd love to hear your experience.

Chris
 
B

Brendan Reynolds

I have a certificate. The problem I have with it is that the message that
users see the first time they open an app signed with the certificate,
before they have chosen to trust that certificate, is exactly the same as
the message they see when they open an unsigned app, except that it now has
your name in it. If you can go on site, do the installation, and trust the
certificate yourself, that may not be a problem. But if users will install
the application themselves, you have to think about the level of
sophistication of your users. Will they understand what the message is
telling them? Or will they only understand that they have seen your name,
and the words 'may be unsafe' and 'harm your computer' in the same context?
Personally, I have enough users in the second category that I will not use
the certificate. The only purpose of the certificate, as far as I am
concerned, is to avoid support calls from confused users. But the message
users see when the app is signed is as confusing as the one they see when it
is not, therefore for my purposes the certificate is useless.

--
Brendan Reynolds (MVP)
http://brenreyn.blogspot.com

The spammers and script-kiddies have succeeded in making it impossible for
me to use a real e-mail address in public newsgroups. E-mail replies to
this post will be deleted without being read. Any e-mail claiming to be
from brenreyn at indigo dot ie that is not digitally signed by me with a
GlobalSign digital certificate is a forgery and should be deleted without
being read. Follow-up questions should in general be posted to the
newsgroup, but if you have a good reason to send me e-mail, you'll find
a useable e-mail address at the URL above.
 
P

Paul Overway

If Jet SP8 is installed, yes. Otherwise, no...they'll keep getting the
warning until you or they install the update.
 
R

Rick Brandt

Paul Overway said:
If Jet SP8 is installed, yes. Otherwise, no...they'll keep getting the
warning until you or they install the update.

Do I remember correctly that the signed certificate also has to be replaced
every time you modify the app?
 
B

Brendan Reynolds

Well, the app has to be re-signed. Not quite the same thing as replacing the
certificate. As long as the app is re-signed with the same certificate, you
won't need to do anything extra on the target PC.

--
Brendan Reynolds (MVP)
http://brenreyn.blogspot.com

The spammers and script-kiddies have succeeded in making it impossible for
me to use a real e-mail address in public newsgroups. E-mail replies to
this post will be deleted without being read. Any e-mail claiming to be
from brenreyn at indigo dot ie that is not digitally signed by me with a
GlobalSign digital certificate is a forgery and should be deleted without
being read. Follow-up questions should in general be posted to the
newsgroup, but if you have a good reason to send me e-mail, you'll find
a useable e-mail address at the URL above.
 
C

Chris Mills

Ref: your other sub-thread reply. I'm only just now recovering from a stunned
silence, that you were not merely making an "Irish Joke" :)
(that the client still has to answer some stupid question, which IS stupid
because clients are not expected to be IT-geeks as you rightly point out)

On this issue, rested my next question (what I really wanted to know but was
too scared to ask)

Does that mean you can modify your app (as apps want) and re-sign it WITHOUT
having to pay
someone again and again?

(thinks...where's the limit to modifying an app...can I qualify my AppA and
AppB with a same purchased certificate? Is it a "signing authority" for a
given app, or for yours truly?)

Thanks
Chris
(doesn't matter to me at present, but I sure want to know what the future
holds, like if there's an asteroid with my name on it)

(I've been to Dublin. 1978. Even kissed the blarney stone, which is not in
Dublin of course)
 
P

Paul Overway

Signing authority is for the holder of the certificate...so, you can sign
any number of apps, any number of times....as long as the certificate is
still valid (2 years). So, you're ONLY paying $400 every 2 years for
something that still raises doubt in the user's mind.
 
B

Brendan Reynolds

Sorry for the delay in getting back to you, Chris, I was ill for a few days
last week. Paul has pretty much answered the question, anyway, yes you can
resign the same app or sign different apps with the same certificate. Prices
do vary a bit, last time I checked Thawte charged a lot less than VeriSign.

Somehow, 'security' all too often seems to mean asking the user a question
to which the user can not possibly know the answer. Take, for example, the
pop-up blocker installed as part of Windows XP SP2. 'Do you want to allow
this pop-up?' What possible answer can there be to such a question other
than: 'I dunno - is it a good pop-up or a bad pop-up?'

I'm not sure what the solution is, but I know this is not it! :-(

--
Brendan Reynolds (MVP)
http://brenreyn.blogspot.com

The spammers and script-kiddies have succeeded in making it impossible for
me to use a real e-mail address in public newsgroups. E-mail replies to
this post will be deleted without being read. Any e-mail claiming to be
from brenreyn at indigo dot ie that is not digitally signed by me with a
GlobalSign digital certificate is a forgery and should be deleted without
being read. Follow-up questions should in general be posted to the
newsgroup, but if you have a good reason to send me e-mail, you'll find
a useable e-mail address at the URL above.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top