News

Microsoft Releases Security Sandbox Tool for SharePoint

• By Kurt Mackie
• 10/24/2016

Microsoft recently unveiled new sandbox security capabilities for SharePoint Server.

The gallery is a SharePoint library that used to assure that code for SharePoint applications is trusted. It's designed for organizations that have built custom SharePoint applications for use with SharePoint Server products. Organizations running those servers will get the Managed Solutions Gallery as part of an October software update, according to an announcement this week at the Microsoft Tech Community. However, Microsoft's TechNet article on using the Managed Solutions Gallery describes it as being part of a "September Public Update."

Microsoft's announcement this week might have been missed because it was published in the Microsoft Tech Community, which is Microsoft's replacement for a Yammer-based technical support forum. Microsoft rolled out this new tech portal because the Yammer-based one wasn't considered to be search friendly. However, Microsoft Tech Community posts still seem somewhat obscure. For instance, a Google search still doesn't find them readily.

A Sandbox Alternative?
The new Managed Solutions Gallery seems to be an alternative to Microsoft's deprecated sandbox approach for running managed code in SharePoint applications.

Microsoft basically told organizations about two years ago to stop using the sandbox approach for SharePoint Online applications. In late July, it disabled the sandbox for SharePoint Online. This move meant that the sandbox was no longer available to run managed code, such as C# or Visual Basic, although it was still possible to run declarative or no-code solutions, such as JavaScript, with SharePoint Online applications.

Microsoft's removal of the sandbox for running managed code has meant a scramble of sorts for some organizations. They've needed to find where managed code was run for applications that were built perhaps years ago. For instance, the sandbox was once a popular way for SharePoint Server 2010 users to add application capabilities to InfoPath forms. The idea back then was to run custom code on the server to unburden the client, but Microsoft doesn't like this approach anymore for security reasons.

Support for finding such older sandbox applications is available using tools from both Microsoft and its partner Rencore. Microsoft's "transformation" guidance away from the sandbox approach can be found at this page.

Microsoft's New Guidance
This week, Microsoft introduced the Managed Solutions Gallery for SharePoint Server 2010, 2013 and 2016 and indicated that it had updated its "guidance for code-based sandbox solutions in SharePoint Server on premises." According to this new guidance, organizations "should allow only known and trusted code-based sandbox solutions to execute in their on-premises SharePoint farms." The Managed Solutions Gallery appears to be Microsoft's means for making that happen for its SharePoint Server customers.

The Managed Solutions Gallery will create a document library that defines which code gets trusted. The library is just accessible to SharePoint farm administrators or personnel with contribute authority. Code in SharePoint applications will only activate if it matches the version that exists in the Managed Solutions Gallery, according to the Microsoft Tech Community description.

IT pros will have to set up the Managed Solutions Gallery if they want to use it. The setup process requires running a few PowerShell cmdlets, according to the TechNet article.

InfoPath Support?
Even though the Managed Solutions Gallery is available to support SharePoint Server environments, it doesn't seem to be designed to work with InfoPath forms that contain code. At least that's what Microsoft seems to be saying in this support article. Possibly, the article is saying that InfoPath 2013 has to be used. It's not too clear.

Update 10/25: Microsoft MVP Doug Hemminger clarified in a Reddit AMA session today that the Managed Solutions Gallery will work with InfoPath 2013-built forms, so long as the forms do not contain custom code. Here's his reply to my question:

Yes, you can still use InfoPath 2013. You cannot, however, use custom code. To make sure that your Infopath forms don't use custom code, you can use the SharePoint Sandbox Scanner Tool. If you find that they do contain custom code, follow these steps to remove the custom code. 

In general, Microsoft now seems to be signaling that it is moving away from the sandbox server approach for running managed code in applications for SharePoint Server products, as well as for SharePoint Online (which is already deprecated). However, the Microsoft Tech Community article on the Managed Solutions Gallery didn't indicate use the word "deprecation," so the shift seems to more at the advisory level right now.

Ultimately, Microsoft's preferred approach for running managed code for SharePoint applications is to use its client-side add-ins model.