Office 2007 security using signed add-ins

["Fowler, Steve" <steve.fowler () OREGONSTATE EDU>]

Hello,

We've begun wide scale deployment of Office 2007 in our computing
environment.  Since beginning the process we've run into an issue
surrounding setting macro level security for add-ins.  In Microsoft's
trust security model only add-ins signed by a trusted publisher are
allowed to function.  We have at least three products that are used that
come with unsigned add-ins.  To attempt to get this corrected we've
addressed the security concern with the vendor and asked whether they
intend on providing a signed add-in.  I don't think we've gained much
traction so far.

I am curious how others are addressing this issue.

As a backup plan we have discovered that we can sign the add-ins with a
locally trusted cert and when the signed add-in and cert are deployed we
are able to have the product work.  This, of course, raises EULA issues
and requires processes that would have to be followed when updating the
application to a new version.

Thanks in advance
Steve Fowler
Systems Manager
Technology Support Services
Oregon State University