[SOLVED] Self-service targeting on Linux

Robocop
Messages: 5
Registration: February 2, 2026 - 5:07 PM

February 12, 2026 - 2:34 PM

Hello everyone,

Infrastructure description:
Debian 12 server
joined to AD (via Winbind)
tis-waptserver 2.6.1.17705-092e11fc-amd64
WAPT server and WAPT repository

Client 1 Debian 13
outside AD (local account)
tis-waptagent 2.6.1.17705-092e11fc-amd64
tis-waptagent-gui 2.6.1.17705-092e11fc-amd64

Client 2 Debian 13
joined to AD (via Winbind)
tis-waptagent 2.6.1.17705-092e11fc-amd64
tis-waptagent-gui 2.6.1.17705-092e11fc-amd64

In the private repository I have four Linux applications, as well as a "self-service" package in which two of these applications are deployed via the "user" group (a local group present on "Client1" which contains my local user).
This self-service package is only applied to "Client1".
In the "self-service" GUI of "Client1", I can see the two applications deployed via the self-service package, and only those two.
However, on "Client2", although neither the self-service package nor any of the applications are deployed via the console, the "self-service" GUI sees all four applications present in the repository. Is this normal?

Both clients have the certificate that signed the four packages.

:geek:
Last edited by Robocop on Feb 12, 2026 - 6:14 PM, edited 1 time.
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

February 12, 2026 - 2:42 PM

Robocop wrote: Feb 12, 2026 - 2:34 PM
However, on "Client 2", although neither the self-service nor any of the applications are deployed via the console, the "self-service" GUI sees the 4 applications present on the repository, is this normal?

Is the user a member of root, sudo, or wheel?

Simon
Robocop

February 12, 2026 - 2:47 PM

Yes, it is.
sfonteneau

February 12, 2026 - 2:51 PM

https://www.wapt.fr/fr/doc/wapt-create- ... es-package

To enable package filtering for local administrators, set the following parameter in the WAPT configuration: waptservice_admin_filter = True.

This ensures that local administrators only see packages they are explicitly authorized to install.


However, an admin is an admin; technically, they can change the waptservice_admin_filter parameter themselves. Therefore, this is purely for display purposes and not for security.
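As an added example (not part of the post above and not WAPT's own code), the following Python check reports, for a set of agent configurations, whether self-service filtering for local administrators is switched on. It assumes the parameter sits in the `[global]` section of the agent's INI file and that a missing key means disabled; the sample configurations and host names are constructed.

```python
import configparser

TRUE_VALUES = {"1", "true", "yes", "on"}

# Constructed sample agent configurations (not taken from real hosts).
SAMPLE_CONFIGS = {
    "client1": "[global]\nrepo_url = https://wapt.example.invalid/wapt\n"
               "waptservice_admin_filter = True\n",
    "client2": "[global]\nrepo_url = https://wapt.example.invalid/wapt\n",
    "client3": "waptservice_admin_filter = True\n",  # section header lost
}


def admin_filter_state(ini_text):
    """Return 'filtered', 'unfiltered' or 'unparseable' for one config."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(ini_text)
    except configparser.Error:
        # e.g. a key that appears before any [section] header
        return "unparseable"
    # Assumption: the key sits in [global]; a missing key counts as disabled.
    raw = parser.get("global", "waptservice_admin_filter", fallback="")
    return "filtered" if raw.strip().lower() in TRUE_VALUES else "unfiltered"


def audit(configs):
    """Map each host name to the state of its admin filter."""
    return {host: admin_filter_state(text) for host, text in configs.items()}


if __name__ == "__main__":
    for host, state in sorted(audit(SAMPLE_CONFIGS).items()):
        print(f"{host}: {state}")
```

The result only describes what the self-service GUI will display to a local administrator on each host; it is a consistency check, not an access control.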
Robocop

February 12, 2026 - 2:59 PM

Perfect, thank you.
Out of curiosity, is the behavior the same on Windows? Will a user who is a member of BUILTIN\Administrators see all the packages?

So, the only way to prevent a package (for example, one subject to a license) from running on an admin's machine would be to use a dedicated certificate?
sfonteneau

February 12, 2026 - 3:12 PM

Robocop wrote: Feb 12, 2026 - 2:59 PM
Out of curiosity, is the behavior the same on Windows? Will a user who is a member of BUILTIN\Administrators see all the packages?

Yes

Robocop wrote: Feb 12, 2026 - 2:59 PM
So the only solution to prevent the execution of a package (for example, one subject to a license) on an admin's machine would be to use a dedicated certificate?

No, that's not a solution either, since it won't prevent the admin from downloading the package and launching a manual installation themselves (since they are an admin). An admin is an admin.

So the best thing to do is to encrypt sensitive data:

https://www.wapt.fr/fr/doc/wapt-create- ... se-feature

With this system, even the admin of a workstation cannot retrieve the encrypted data if the package is not destined for that machine.
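The idea behind that reply, as an added example that is not part of the post and does not use WAPT's API: a secret is encrypted separately to each intended machine's public key, so an administrator of any other machine who downloads the package holds no key that opens it. It assumes RSA-OAEP from the third-party `cryptography` library; the host names, keys and license string are constructed.

```python
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# RSA-OAEP with SHA-256; suitable for short secrets (up to 190 bytes
# with a 2048-bit key), such as a license key.
OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def new_host_key():
    """Stand-in for a machine's own key pair (generated here for the demo)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def encrypt_for_hosts(secret, host_public_keys):
    """Return {host_id: ciphertext}, one entry per intended host only."""
    return {
        host_id: public_key.encrypt(secret, OAEP)
        for host_id, public_key in host_public_keys.items()
    }


def read_secret(bundle, host_id, host_private_key):
    """Return the secret if this host is a recipient, otherwise None."""
    blob = bundle.get(host_id)
    if blob is None:
        return None  # the package carries nothing for this machine
    try:
        return host_private_key.decrypt(blob, OAEP)
    except ValueError:
        return None  # blob was encrypted to a different machine's key


if __name__ == "__main__":
    client1, client2 = new_host_key(), new_host_key()
    # Constructed secret, shipped for client1 only.
    bundle = encrypt_for_hosts(b"LICENSE-EXAMPLE-0000",
                               {"client1": client1.public_key()})
    print(read_secret(bundle, "client1", client1))
    print(read_secret(bundle, "client2", client2))
```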