Check Client for APM Browser Components

Every administrator that has designed and configured a policy on the Access Policy Manager (APM) module knows that a lot of time and effort goes into making sure your users will be able to get the access they need.  A problem that I have run into before was letting a customer connect to our APM.  I didn’t control the customers client machine, the rights the user has on that machine and I cannot force them to install anything.

With APM an administrator can inspect the client machine before we let them have access to the resources that they are provisioned for but unfortunately there are cases where the components are not installed and will not ever be installed because of the IT policy on the client machine.  The tech tip below will allow you to query the browser to see if the component plug-ins are installed and if they are not then you can perform some other check or present different resources. 

Depending on how you deploy APM you might have the need to check to see if the client component plug-ins are installed on the user’s client machine before they will encounter a VPE action that requires the components to be installed. You would use this if for example you have a Registry Checker but you might have a user without admin rights or the plug-ins installed. If you use this code you can skip the registry checker and take them down a different branch in the VPE. This will allow you to assign a different group of resources or use different authentication methods, etc.


I have tested this workaround with FireFox, IE, Safari, and Chrome.

This will not stop the popup for updating components if they are already installed.

This will also not stop the popup if you have an action after this action that needs to use the browser components.

Instructions for 11.5.1, other version the lines numbers will change in the customization section.

This workaround requires the logon page to happen before the client side check actions.

VPE Changes

On the Logon Page add a new text box and name it "installercontrol" for both the post variable and session variable.

After the Logon Page add an "Empty" Action and name it "Check for Components". Add a branch rule named "Failed" with the following expression.


expr { [mcget {session.logon.last.installercontrol}] == 1 }

NOTE: The fallback branch will be the successful branch of the check meaning that the client has the components installed.

After these changes you need to apply the Access Policy.


Advanced Customization Changes

Click on Customization > Advanced and then switch the Edit Mode to Advanced.

Find your file that corresponds to the login page just created. In this example my login page is located under “Customization Settings” > “Access Profiles” > “/Common/ClientChecker” > “Access Policy” > “Logon Pages” > “Logon Page” > “”.

On line 402 insert the following code after the foreach loop opens.


if( $field_settings["name"] == "installercontrol" ) { continue; }

On line 451 insert the following code. Please make sure to insert the code in the correct place. There will be four close curly braces, this needs to go between 3 and 4.

  <td colspan=2 class="credentials_table_unified_cell" >
    function getF5CompVersion() {
        var f5_comp = navigator.plugins['F5 Networks Firepass Host Plugin'];
        if (f5_comp === undefined) {
            // f5_comp is not present
            document.write("<input type=\"hidden\" name=installercontrol value=\"1\">");
            return undefined;
        return f5_comp.version;
    function ActiveXorNot(progId) {
        try {
          return new ActiveXObject(progId);
        catch (ex) {
          document.write("<input type=\"hidden\" name=installercontrol value=\"1\">");
          return null;
    var ua = navigator.userAgent.toLowerCase();
    if (ua.indexOf('msie') != -1 ) {
      //alert ("MSIE");
    } else {
      //alert ("Chrome/FF/Safari");

Now you need to click "Save Draft" in the upper right hand corner and then save in the menu bar.

Apply the access policy

Now if you navigate to the APM with a client without the components installed they should follow the “Failed” path in the VPE. I hope this helps you if you need this type of functionality for your VPE.

Published Aug 13, 2014
Version 1.0

Was this article helpful?

1 Comment

  • Great article and step by step instructions. I did have to make one minor tweak to account for the change in userAgent string in IE 11 (Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0)). My updated UA if statement is .... if (ua.indexOf('msie') != -1 || ua.indexOf('rv:11') != -1) {