Yesterday I got a call from a customer who needed some help configuring CAS settings for his application, and after finding the right one for his needs, he asked me how to easily configure all of their few thousands clients with the new settings.
Well… a quick research brought up the following article: “HOW TO: Build and Deploy a .NET Security Policy Deployment Package“; but the customer wanted to deploy only the new code group we created for the application, and not his entire “Machine” policy… the CAS administration console allows you to create a .msi deployment package for the entire Enterprise, Machine or User, but unfortunately not for a single Code Group.
The easiest way we found was to run the following command on the clients (through some automation mechanism the customer will identify depending on his needs):
caspol -machine -addgroup All_Code -site localhost FullTrust -name “code group name“
The above command will create a new code group at machine level, as child of the group “All_Code”, will use the “Site” membership condition and will set it to “localhost” granting “FullTrust”, and the new code group will be assigned whatever name you’ll set as the “–name” argument (this must be enclosed on double quotes); caspol.exe is part of the .NET Framework so you don’t need to have the SDK installed on the target machines. You can find other samples at Code Access Security Tool (caspol.exe) and How to: Add Code Groups Using Caspol.exe.
If you need to temporarily disable the policy change warning, have a look here: How To: Suppress policy change warning using caspol.exe.
Cheers