Pckgr
  • About Pckgr
    • Intro: What is Pckgr?
      • How Package Updates Work
      • PckgrBot
      • Homage to Winget
    • Applications Available
      • Request Application
    • Security of Pckgr
      • Microsoft Single Sign On
    • Pckgr Pricing Model
    • Feature Releases and Roadmap
      • Q1 2025 New Features Newsletter
  • Getting Started
    • Setting up your Dashboard
      • Signing Up
      • Managing Companies
      • Connecting Tenants
      • Adding Team Members
    • Creating Deployments
      • Application Library
        • Detect Applications from Intune with Pckgr
        • Application Status Tag
      • Repositories
        • Winget
        • Private Repository
          • Upgrading an Application to the Private Repository
        • MacOS
      • Deployment Settings
      • Application Management
  • Extra Features
    • Custom Applications
    • Cloning Intune Policies
  • INTEGRATIONS
    • Company Portal
    • Autopilot
    • Microsoft 365
  • Troubleshooting
    • Install Logs
    • Error Codes
    • Winget Issues
      • Winget Pre-Install
      • Winget CDN Issue
      • Repair Winget with PowerShell
    • Applications that Require to be Closed Before Updating
    • Frequently Asked Questions
  • SUPPORT
    • Pckgr ChatBot
    • Support Email
    • Delete your account
  • Policies
    • Privacy Policy
    • Terms of Service
Powered by GitBook
On this page
  • Granting Pckgr Permissions
  • Application Source: Winget
  • Application Packaging and Hosting
  • Website Hosting: Amazon Web Services
  • Pckgr's Private Repository
  • GDPR Alignment:
  • Code Signing
  1. About Pckgr

Security of Pckgr

Read about Pckgr's thorough security practices

Pckgr is a secure SaaS platform designed to facilitate the deployment of applications to Microsoft Intune while prioritizing security at every stage. By utilizing both Microsoft's Winget repository and its own private repository, Pckgr ensures that applications are sourced, stored, and delivered through verified, controlled, and secure channels. With a least-privilege access model and Azure-hosted infrastructure, Pckgr provides a reliable and secure solution for organizations managing application deployments at scale.

Granting Pckgr Permissions

Pckgr applies the principal of least privilege when requesting permissions to link Pckgr to their Intune tenant. This ensures only Pckgr only has access to the functionality it requires in order to deploy and update packages. It does not have any read/write access to your user accounts or data.

Application Source: Winget

Click to Read

All applications found on Pckgr are obtained using Microsoft Winget.

Microsoft Winget has measures in place to keep its repository of applications secure. These security measures will reduce the possibility of malicious software entering its database and by extension, to the target machine. Microsoft does this by vetting applications prior to becoming available on Winget with methods such as SHA256 Hash validation, static analysis and Smart Screen.

  • Smart Screen provides screening and highly personalized background checks on the Winget repository to ensure only secure and compliant applications are available on the Winget platform.

  • SHA256 Hash Validation provides a one way cryptographic signature, securing each Winget application, so as to minimise likelihood of malware occurrence.

  • Static Analysis is used to debug the application source code before it becomes available on Winget. The application will be examined by analysing it with a set of coding rules.

An additional benefit of using Microsoft's Winget repository is that it is widely used and trusted, so a possible issue would be identified and rectified very quickly. Each application pushed to Winget Repository must complete the installer validation testing using the Azure pipelines.

Application Packaging and Hosting

Click to Read

We ensure a secure application packaging and upload process by hosting all applications on servers hosted in Microsoft Azure, which are closed off from external access. These servers are regularly patched and do not have any third-party software installed.

The packages are hosted using an Azure Storage account that is only accessible to the uploading servers and Azure Functions responsible for delivery. We utilize premium tier Azure Functions for delivering the package to your Intune Tenant. This approach helps ensure that our packages are uploaded securely and delivered to our Intune Tenant in a controlled and protected environment.

Website Hosting: Amazon Web Services

Click to Read

Pckgr is hosted via Amazon Web Services (AWS).

  • AWS also has auditing capacity to monitor and detect activity and requests on the account.

  • AWS provides server-side encryption (with three key management options: SSE-KMS, SSE-C, SSE-S3) and also client-side encryption for data uploads.

  • AWS supports checksum algorithms (SHA-1, SHA-256, CRC32, or CRC32C) to examine data integrity on user uploads and downloads.

  • AWS provides Trusted Advisor. It has three related checks:

    • Logging configuration of Amazon S3 buckets

    • Security checks for Amazon storage buckets that have open access permissions

    • Fault tolerance checks for Amazon S3 buckets that don't have versioning enabled, or have versioning suspended

  • Amazon storage objects, buckets and related sub-resources are confidential, only the AWS account that created it can access it.

By using this premium database, Pckgr ensures security and maximum accessibility of the applications available.

Pckgr's Private Repository

Click to Read

Pckgr’s Private Repository ensures robust security by hosting all application installers on its private infrastructure within Microsoft Azure and AWS environments. These servers are isolated from external access, regularly patched, and protected with advanced encryption protocols, including server-side and client-side encryption, as well as integrity checks using SHA-1 and SHA-256 algorithms.

Each application undergoes comprehensive malware scanning and version validation during packaging to ensure the integrity and reliability of deployments. By removing dependencies on external vendor URLs, this repository mitigates risks associated with broken links or malicious updates.

Furthermore, access to hosted applications is controlled through secure delivery mechanisms like Azure Functions and Microsoft Delivery Optimization, providing a safe and efficient deployment experience while maintaining stringent compliance with data protection and privacy standards.

GDPR Alignment:

Pckgr is an Australian-based company and understands the importance of aligning with GDPR regulations for the benefit of our customers based in the EU and UK. While GDPR imposes strict requirements on organizations handling personal data, many of its provisions do not directly apply to Pckgr's services because Pckgr does not access, process, or store company data, focusing instead on application deployment management. Here is how Pckgr maintains a minimal data footprint:

Minimal Data Processing and Access

Pckgr does not collect or process any customer data beyond what is strictly necessary for the operation of its services. Specifically:

Application Management Only: Pckgr's core functionality is focused on deploying applications through Microsoft Intune and managing software updates. This process operates entirely within the customer's Intune environment, ensuring that Pckgr does not access, view, or store sensitive company data or end-user information.

No User Data Collection: Pckgr does not access employee or user data within the organizations using its platform. All operations are limited to managing application packages and deployment workflows, which are handled without requiring access to personal or sensitive information.

Use of GDPR-Compliant Third-Party Services

Pckgr leverages reputable third-party providers to handle ancillary functions such as billing, hosting, and analytics. These providers are independently GDPR-compliant, ensuring that all data processing on behalf of Pckgr adheres to regulatory standards:

Billing (Stripe): All payment data is securely processed by Stripe, a GDPR-compliant platform that employs advanced encryption and fraud monitoring. Pckgr does not store or access any payment details.

Hosting (Azure and AWS): Pckgr's application packages and infrastructure are hosted on Microsoft Azure and Amazon Web Services (AWS), both of which are GDPR-compliant and provide robust security measures, including encryption, access controls, and regular audits.

Analytics (Google Analytics): Website usage data is collected anonymously using cookies and is managed in compliance with GDPR requirements. Users have the option to control cookie settings directly from their browsers.

Customer Ownership of Data

Pckgr emphasizes customer ownership and control over all data:

No Data Storage: Pckgr does not store any customer data in its systems, aside from operational metadata necessary for service delivery, such as telemetry data for error tracking and subscription information.

Self-Contained Environments: All deployments and configurations occur within the customer’s Microsoft Intune environment, ensuring complete isolation from Pckgr’s systems.

Limited Applicability of GDPR

Because Pckgr does not handle personal or company data:

Data Subject Rights (Access, Deletion, Portability): GDPR rights, such as the right to access or delete personal data, are not typically applicable to Pckgr since no personal or sensitive customer data is processed or stored within its systems.

Data Breach Notifications: Pckgr’s limited data processing scope reduces the risk of data breaches. In the event of a breach affecting operational metadata (e.g., telemetry data), Pckgr would notify affected users within 72 hours, adhering to GDPR standards.

Privacy by Design and Default

Pckgr’s systems are built with privacy at their core:

Minimal Permissions: Pckgr operates on the principle of least privilege, only requiring the permissions necessary to deploy and manage applications within Intune.

No Processing of User Data: By design, Pckgr avoids any interaction with personal or sensitive user data.

Secure Infrastructure: All hosted data and services are encrypted, patched regularly, and monitored for unauthorized access.

Transparency and Accountability

While Pckgr’s GDPR obligations are limited, the company maintains transparency and accountability by:

  • Clearly communicating its data practices through a privacy policy.

  • Leveraging GDPR-compliant third-party processors for all datahandling needs.

  • Ensuring that any metadata collected, such as telemetry data, is processed securely and retained only as long as necessary for operational purposes.

Code Signing

Code signing is a security practice employed by our application to ensure the integrity and authenticity of the scripts used within it. This documentation section outlines the importance of code signing, its benefits, and provides instructions for downloading the public certificate associated with our code signing process.

What is Code Signing?

Code signing is the process of digitally signing executable scripts and software components to verify their authenticity and integrity. It involves using a digital certificate, which is essentially a unique electronic identity document, to sign the code. The digital signature serves as a stamp of approval, indicating that the code has not been tampered with or maliciously modified since it was signed.

The Benefits of Code Signing

By employing code signing, we enhance the security and trustworthiness of our application in the following ways:

  1. Authenticity: Code signing allows users to verify that the scripts they receive are indeed from our trusted source, as the digital signature can be traced back to our organization.

  2. Integrity: The digital signature acts as a tamper-evident seal. If the code has been altered in any way after signing, the signature verification process will fail, alerting users to potential tampering or unauthorized modifications.

  3. User Trust: Code signing fosters user confidence by assuring them that our application has undergone rigorous security measures. Users are more likely to trust and install software that has been properly code signed.

  4. Protection against Malware: Code signing helps protect users from downloading and executing malicious or unauthorized scripts. Most operating systems and security software systems will display a warning if the code is not signed or if the signature is invalid.

Downloading the Public Certificate

To facilitate the verification process and allow users to independently verify the authenticity of our signed code, we provide the public certificate used for code signing. Download the Public Certificate here:

Note: As we have changed our code singing to start using DigiCert, the following new Public Certificate must also be added as all new packages will be signed with this:

Adding the Certificate to Trusted Publishers Local Machine Certificate Store

To establish a higher level of trust and ensure a smooth verification process, you can add the downloaded public certificate to the Trusted Publishers local machine certificate store on your operating system. This step helps your system recognize the certificate as a trusted source for code signing.

Conclusion

Code signing plays a vital role in establishing trust and ensuring the integrity of our application's scripts. By employing this security measure, we aim to provide our users with reliable and secure software. If you have any further questions or concerns regarding code signing, please reach out to our support team for assistance.

PreviousRequest ApplicationNextMicrosoft Single Sign On

Last updated 1 month ago

2KB
PckgrCert.cer
2KB
Pckgr_Public.cer