The Vault Application Framework in the M-Files Cloud

This page refers to running Vault Application Framework applications within the M-Files Cloud infrastructure. These notes may not be applicable when running code within other cloud infrastructures, such as those provided by our partners.

Available cloud architectures

M-Files Cloud offers two distinct architectures: isolated (e.g. one environment per customer) or within a shared instance (e.g. many vaults/customers on one environment).

Feature Shared M-Files Cloud Isolated M-Files Cloud
Natively implemented as M-Files Multi-Server Mode Yes Yes
Can execute signed applications Yes Yes
Custom code requires validation to run Yes No

Code signing

Applications which are signed can be installed on shared M-Files instances without validation. First-party applications such as the M-Files Compliance Kit are provided as signed packages. Custom code can be signed by submitting it for validation.

Code validation

In order to maintain a high quality of service for customers within our Cloud infrastructure, code (vault applications and VBScripts) may need to be validated by M-Files before they can be run within some architectures of M-Files Cloud. It is important to note that the validation process focuses primarily on security concerns and does not provide a guarantee that the application will function as designed or expected.

Once an application has passed validation, a signed version of the code will be provided to the party who submitted the code. This signed application can then be installed into any vault within the M-Files Cloud. Third parties creating reusable applications that can be run in multiple vaults may consider validating their code package in order to receive a signed version that can easily be installed by clients into any vault.

Validation process

To request code validation, partners should open an Implementation Support Request using the Support Portal. Ensure that the Implementation Support Request contains a summary of the application you wish to be validated. If submitting an update to an already-validated application then please include a summary of changes. A member of the validation team will contact you and guide you through the process, including providing details on how to upload the application source code.

Rules of thumb

Cloud checklist

This checklist is provided for initial guidance only and details the common items that will be checked by the validation process. Adherence to this checklist does not ensure validation will be successful, but should reduce the time (and potential iterations) required.

If a vault application does not comply with the validation checklist then we will - where feasible - provide guidance on how to modify the application so that it will be compatible. It is your responsibility to implement these changes and to confirm that the application continues to work as expected.

This checklist is a living document and is periodically updated with feedback from our Cloud Operations and Product Development teams.

The validation team will check a number of items in the source code, including:

  1. Your application must be Multi-Server-Mode-compatible to run in M-Files Cloud. In order to ensure that vaults can be migrated to the newer infrastructure, all newly-submitted vault applications must be multi-server-mode compatible.
  2. The application must not attempt to modify any Windows-level settings.
  3. The application must not install any Windows applications or reboot the server.
  4. The application must not excessively use server resources, even in dedicated environments.
    1. Note that many cloud implementations use shared environments, so any intensive operation might be cause for concern.
  5. The application must not access the file system, aside from utilizing short-lived temporary files. Treat the filesystem as transient as changes will be lost as the host machine is upgraded/migrated.
    1. The application should not access the registry.
    2. Use temporary folders for storing temporary files (use the SysUtils class to obtain temporary files and folders).
    3. Temporary files, handles, and other resources must be properly disposed of.
    4. File operations (upload/download) using the M-Files API are typically restricted.
  6. The application must not attempt to access or modify any server-level settings in M-Files (login accounts, scheduled jobs, etc.).
  7. The application must not connect to arbitrary internet addresses. Connections to specific addresses may be allowed. Note that connections may be allowed where the network address is only configurable by the M-Files Cloud Ops teams - please contact support for more details. Items which must only be changeable by system administrators include:
    • URLs (e.g. full web addresses)
    • Network hosts (e.g. mail servers or other host names)
    • IP addresses
  8. If the application must send emails directly then it must use the customer’s own mail servers for doing so.
  9. The application must not attempt to establish separate connections to the vault.
  10. The application must not attempt to alter anything outside of the vault during the initialization routines.
  11. The application must not run input as code.
  12. Do not log errors to the Windows event log.
  13. Ensure that you are using the latest public VAF release. If you are using the VAF Extensions library then this should be the latest appropriate version.
  14. Logging should be undertaken using the M-Files Vault Application Logging Framework.

Vault Application Framework Licensing

Note that Vault Application Framework licensing has limitations when running within the M-Files Cloud infrastructure. This is because the license assigned to the M-Files server is generic with larger user limits than the specific license that the customer may have.

Specifically: