Lockdown Apps using Sandboxed Solutions

As most of you know by now, Apps have become the hot new thing in SharePoint development.  The benefits of using OAuth outweigh many of the drawbacks of refactoring your code to support it.  That being said, the moment you enable Apps in your farm, you will start to see people install them everywhere!  Unfortunately, there is no real way to lock down an app from being deployed to specific "Webs" once it has been installed using the out of box provided features of the App Model.  The only thing you can do is limit by specific users, or the web application level. 

As I was browsing the MSDN Forums, I came across this interesting post about a guy that wanted to lock down an App to only be available on one, and only one, web.  I thought…that sounds interesting, I think I can figure out how to do that!  And I did determine one way, but unfortunately, the method means you must own the App (or have the original app package) in the first place.  Here are the steps to enable this lock down (and works both on-prem and in O365):

  1. Create a sandboxed solution with an empty feature that is hidden (a hidden feature will prevent users from activating it and then installing the app)
  2. Record the feature ID that is created
  3. Create a SharePoint App 
  4. Open the AppManifest.xml file in the xml editor, add a AppPrerequisite for your feature:
    1. <AppPrerequisite ID="b9399dc0-1073-4cd9-877b-283faf4587d8" Type="Feature"/>
  5. Deploy and activate your sandboxed solution
  6. Deploy your App to your App Catalog
  7. Try to deploy your App to a web, you should be denied the ability because the feature is not activated
  8. Use the following REST call to activate your hidden feature:
    1. POST to http://siteurl/_api/web/features/Add:
    2. Where the json looks like this (featDefScope is an enum/Int32):
      1. {'featureId': 'b9399dc0-1073-4cd9-877b-283faf4587d8','force':'true','featdefScope':'2'}
  9. Try to deploy your App, it will deploy now!

So a couple of things to note here:

  • It would be nice to have some kind of ability to lockdown based on a web level
  • It would be great to have a side by side dual deployment of pre-req features for lock down (rather than the two step process of declarative sandboxed solution and an App package)

As it stands, Apps are just a free for all at the moment!


Leave a Reply