Local Security Handling (LSH)

IT security concerns not only the operation of the network but also mechanisms on the client side, referred to as Local Security. If a user does not have appropriate rights on the client, Windows will prevent the execution of an operation, e.g. the installation of an application.

DSM’s Solution Mechanism: Automatic Local Security Handling

Two capabilities offered by Ivanti DSM enable Local Security Handling:

  • Use of a special service for the installation: DSM Runtime Service.
  • Classification of the commands within a package into those commands that are to be executed under the user account (by the Installer), and those that are to be executed by the DSM Runtime Service.

All actions that are involved in the execution of a package and can only be executed with administrator rights are handled automatically by the DSM Runtime Service without the user receiving any additional rights even for a short period of time. Ivanti DSM achieves this by logically categorizing the commands required for an installation into user-related and computer-related commands. This categorization takes place automatically when the package is being created.

DSM Runtime Service

DSM uses the DSM Runtime Service as a special installation service, which means that software can also be installed under a "normal user account". The DSM Runtime Service logs into the system under an account with administrative rights and thus makes it possible to exchange encrypted messages between the service level and user level while executing a package.

If the Installer running under the user account detects a command for which the user has no rights, it requests the assistance of the DSM Runtime Service. The Installer establishes a secure connection to the service (pipe) that is invisible to the user. Although the installation runs internally and is executed by more than one service, the package still executes "in one go".

Classification of Commands: Execute under User Account or via Service

A flag is used for each instruction within an eScript to define whether it can be executed with the rights of a "normal" user account or whether administrator rights are required (execution via service).

When you generate or interactively create a package, the individual commands are organized into the following classes:

  • User-related, execution under the user account (for more information on user-related and computer-related commands, see below)
  • Computer-related, execution under the user account
  • Computer-related, execution via service

The fourth possible command classification, "user-related, execution via service", is only required in special cases, e.g. to copy the profile of a user into an area where the user has no write access. This classification can only be made manually.

You can check the classification of instructions in the script window.