If you use IBM Notes, it is quite likely you also use plugins. Plugins are very useful things, allowing companies to make menu and content changes, or even context menu changes (right-click menus) in Notes. Building on plugins, widgets can also be created for use in the sidebar. Widgets can use multiple plugins to provide improved usability and presentation value to your Notes client desktop. In short, plugins are powerful little bits of functionality that can be centrally developed then deployed across a large number of users. But as with many things in the tech world, all this goodness comes with security concerns.
There are basically four ways to deploy plugins, each with their own good, bad, and ugly considerations. Policies can be set to control things like end users having the ability to install plugins, what types are permitted, and which sites are acceptable to use as an installation source. But it is important to have a plan to protect your environment, users and data by being aware of the security issues.
Use of an internally defined and controlled widget catalog tends to be the safest, and therefore the recommended way, for deploying plugins. A widget catalog is template based, so there is necessarily a consistency of content and expectations, and what gets placed in the catalog is controlled by authorized administrators.
A site database is sometimes used because of the ease of deployment on the administrator and developer side, but the trade-off is much more complexity on the end user side. This method tends to be more error prone due to end user mistakes.
MSI (Microsoft Installer) format
Plugins can be delivered in MSI packages to ease the burden on the end user during installation, at least for clients running a Windows platform, but the trade-off here is more complexity on the creation side. Still, most would agree the creation of the MSI is a one-time expense as opposed to extended effort by every end user. An unfortunate side effect is that malicious MSI files could be introduced, emailed around and happily installed on all your end user machines!
Add-on product like BCC's ClientGenie
BCC's ClientGenie takes these security concerns into consideration, and can also be used to automate the deployment of plugins, completely removing the risk of end users either making mistakes or installing malicious code. This is in addition to a number of other features and functions ClientGenie brings to the table. More detail is available in a BCC webinar titled "Tips for Deploying Notes Plugins", which can be found at: https://www.youtube.com/watch?v=nj2fnqaiVEU&t=11s
First and foremost, never allow installation of unsigned plugins. Any legitimate creator will complete their plugin by digitally signing it. But beyond that, determine where you want your decision point to be for the questions "should I install this?" and "how should I install this?" The weakest point is with the end user, but that is often where the decision is left. The optimal decision point is with your policy makers; using a tool like ClientGenie to lock down and automate plugin management makes that goal achievable.
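One way to check a client against the rule above, as an added example that is not from the original article or from BCC: the script audits the signature policy lines of a Notes `plugin_customization.ini` and reports every case where an unsigned, expired or untrusted plugin is not refused outright. The three `com.ibm.rcp.security.update/` keys and the `ALLOW`/`PROMPT`/`DENY` values are assumed here to be the client preference names (the article does not name them), and the sample file is constructed.

```python
# Added example: audit plugin signature policy in a Notes plugin_customization.ini.
# Key names and values are assumptions about the client preferences, not from the article.
PREFIX = "com.ibm.rcp.security.update/"
POLICY_KEYS = (
    "UNSIGNED_PLUGIN_POLICY",
    "EXPIRED_SIGNATURE_POLICY",
    "UNTRUSTED_SIGNATURE_POLICY",
)

def parse_properties(text):
    """Parse key=value lines; a later duplicate overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def audit_plugin_policy(text):
    """Return (key, value, problem) for every policy that is not DENY."""
    settings = parse_properties(text)
    findings = []
    for name in POLICY_KEYS:
        value = settings.get(PREFIX + name)
        if value is None:
            findings.append((name, None, "not set, client default applies"))
        elif value == "ALLOW":
            findings.append((name, value, "installed without prompting"))
        elif value == "PROMPT":
            findings.append((name, value, "decision left to the end user"))
        elif value != "DENY":
            findings.append((name, value, "unrecognized value"))
    return findings

# Constructed sample, not taken from a real client.
SAMPLE = """\
# plugin_customization.ini (constructed sample)
com.ibm.rcp.security.update/UNSIGNED_PLUGIN_POLICY=PROMPT
com.ibm.rcp.security.update/EXPIRED_SIGNATURE_POLICY = DENY
com.ibm.rcp.security.update/UNTRUSTED_SIGNATURE_POLICY=ALLOW
com.ibm.rcp.security.update/UNSIGNED_PLUGIN_POLICY=ALLOW
"""

if __name__ == "__main__":
    for name, value, problem in audit_plugin_policy(SAMPLE):
        print(f"{name}={value}: {problem}")
```

A file that passes this audit only shows what is written locally; settings pushed by policy should be checked at their source as well.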