I’m a dictator. If I say you can only use MES, I mean it.
Is there a way to force this? Answer is probably over my head if there is.
Edit: I know you can just delete all traces of the shortcut to the full version. I do that a lot. But computers move around and roles change, etc. Also, default install is everything, and sometimes we forget that step. I’m looking for a more centralized (dictator-ish) solution.
Does menu security on the desktop client overlap with MES security?
You could use a Active Directory Group Policy to handle the shortcuts. If someone is in a group, allow both shortcuts, if not in that group, only have the MES shortcut. Then you don’t have to forget, it changes as users log in to different machines, and nothing to remember to set.
Really? I will pass that along! Thank you.
Menu item security is respected by MES.
Menu folder security is obliterated with MES. Any direct link ignores the folder security. Open with, Dashboard actions menu, etc.
Why, what were you thinking?
I want the same security, just different licenses used.
Just make the 1st level menus (Sales Mngmnt, Service Mngmnt, …) disabled. Underlying menu items are still enabled.
For example I made a group (“Disallow all”), and set the security for Sales Mngmnt, Service Mngmnt, Production Mngmnt, Material Mngmnt, Financial Mngmnt, and Executive Analysis, by adding group “Disallow All” to their respective Disallow lists.
Now users belonging to Group “Disallow All”, see:
If I launch a dashboard in Custom DashBoards, that has a P/N field, I can still open Part Maint or Part Tracker. Even though those menu items are in a sub-folder, of an excluded folder.
Here’s what my test user sees when using the desktop client (after I’ve added their group to the Disallow list of all 1st level menus).
No sub-menus show for any site.
Here’s the same user on the same computer, with MES launched:
And you can see that the menu item on MES can be launched.
I think your thought is the same as one I had, which is make the full Epicor (not MES) useless for them.
What I tested was similar, but I just set the user’s “Client Start Menu ID” to an empty folder I made (pic below). So the menu opens to nothingness.
Problem is that my users still have links on their home pages to screens. And useful BAQ tiles. I’m not quite a jerk enough to go and delete all that. I guess I have to commit if I really want to be a dictator.
I guess I should have asked if MES and office were XOR (exclusively or’d). Or if some users need to switch back and forth.
Also, on the idea of having a AD policy to cleanup the shortcuts, every time, there’s nothing stopping a user from editing the target of the shortcut, and removing the /MES switch.
People usually don’t, but I like the option (if they can use the full).
I use both myself. I do development in full Epicor, of course, but launch Production MES if someone calls with a question. I’ve got it tweaked with what I need.
Well, that’s true… 
It could cause all sorts of other issues. But you could have the client run as a remote desktop app, and limit which apps (which client is launched) via the login to the RD Server.
Like Citrix? Or RDP?
Yes. But that’s really going to extremes.
Well, yes, that’s pounding a nail with a sledgehammer.
You did get my curiosity because we did talk about the published app idea for another reason.
Published App is a good solution if you already have things in place or other reasons to go there. User couldn’t edit the shortcut; I think you can publish apps based on groups. Good idea!
On the shortcut - I think you can put the shortcut in the “public” or “all users” desktop and then the user has to have admin rights to change it. Doesn’t stop them from seeing the shortcut properties and making one of their own on their desktop, but it is a start. As with most security, if a person is savvy enough, there are ways around things.
So here’s a dumb idea.
For people you DON’T WANT using the desktop client, don’t give them an Epicor UserID. Just give them an Employee ID and create a generic UserID that has no main menu access (which if they use to open the desktop client will show no entries).
Well, no, these are office employees and it’s more than just stock MES stuff. It’s set up to allow PO entry and all sorts of things where it should be a real user logged in, for tracking.
But I did not think of that. I’ll keep that one in mind for kiosks and such.
