5

Q1. Are there any method to distribute excel office add-in(w/ office.js) in privately? (Will office.js add-in also be distributed like VSTO's .exe OR .xla/.xlam macro files with password?)

Q2. If I run office add-in server(node.js) on my on-premise server, What will have to be distributed to the end-users? (I want to hide the core source logic unlike VBA macro.)

I am now developing an excel office add-in. But there seems to be some limitation to deploy to the end-users in my company.(We are now testing environment for pilot, and using office 365 but it is restricted by IT's policy)

When I refer to the official documentation below, the docs says that the way to deploy add-in in privately are Microsoft 365 admin center OR SharePoint catalog.(AppSource is publicly for everyone.)

refer. https://learn.microsoft.com/en-us/office/dev/add-ins/publish/publish

However, it seems that it have to use Microsoft's services or components like SharePoint or admin center. I don't want to use these items because I want to flexibly cope with various environments.

I have also read the article as below.

refer. How to distribute private office add-ins?

But the reply thread seems that the writer couldn't get the appropriate answer what I also want to know.

I want to know the other ways to distribute excel office add-in(w/ office.js) without unveiling my core source logic and what is the minimum materials I have to provide to the end-users(i.g. manifest or something).

Jay
  • 63
  • 4

1 Answers1

2

Typically, as you have already know, you need to host the add-in's source code on the web server anywhere. The manifest file just refers to the place where the sources are stored. And the single file which should be provided to be able to side-load add-ins locally is the manifest file. Everything else is hosted under your control.

Due to the nature of the web technology you can't hide the source code from users. The add-in acts like a regular web page. The best what you could do is to obfuscate your code.

Eugene Astafiev
  • 47,483
  • 3
  • 24
  • 45
  • 1
    And to add, you can also move your logic if obfuscation isn't enough to your server side, but in this case given you're deploying internally, that doesn't seem like it will be an issue. You can use the Yo Office tooling which will help minify the code when you build it. For the public options, I'd suggest the Centralized Deployment option via Admin Center. – Keyur Patel - MSFT Mar 08 '21 at 17:46
  • @KeyurPatel-MSFT As I understand, no matter where you move the code, it is loaded locally on the client and run by Outlook (the hosted web browser). Please correct me if I am wrong. – Eugene Astafiev Mar 08 '21 at 20:12
  • @EugeneAstafiev Thanks for the replies. I misunderstood like users can only access to the web server(front-end layer) and cannot fully understand the server-side operation(back-end layer) because it runs with node.js. So I thought there might be exists some codes like what function is called or operated with office.js in server-side code.(Therefore users can only infer that what it could be running in blackbox.) – Jay Mar 09 '21 at 04:57
  • 1
    @EugeneAstafiev To sum up, although the single manifest file is only provided to the user(Not the node.js files and javascript sources), users can access to the source code because it is based on client-side javascript not relying node.js back-end logic. If my understanding is wrong, please correct me. Thanks :) – Jay Mar 09 '21 at 04:57
  • @KeyurPatel-MSFT Thank you for the comments. Our deploying environment is internal but I want to keep the source code hidden. Would you please give the more details about how I can move my logic to my server side? I am a little bit confuesd since the replies written by EugeneAstafiev seem that the code can be accessed by anyone. – Jay Mar 09 '21 at 07:06
  • 1
    Your addin code in javascript will be public but not really readable. To hide your code completely, move it to a server side and make a call to it simply via a fetch / xmlhttprequest. That way you custom logic is stored on service and code is not exposed. For example you could host custom logic in an Azure Function... – Keyur Patel - MSFT Mar 09 '21 at 07:10