Setting up Flash Global Security for Captivate

Over many years of watching the Adobe Captivate Forums I can tell you that NOT understanding Flash Global Security and how to configure it accounts for a disproportionately large number of Cp issues.  It is my firm belief that all Adobe Captivate e-learning professionals should have at least a basic understanding of this somewhat technical area and know how to set it up properly on the computer they or others will be using to develop Captivate content. 

Therefore, I’m taking this opportunity to provide a lengthy and detailed explanation about why Flash Global Security causes issues and how to set up your development environment so as to avoid a host of seemingly random problems during project development and testing of online courseware. Here's what you'll be saving yourself...

"It worked perfectly in Captivate's Preview! Why doesn't it work if published?"

This is a typical reaction seen countless times on the Adobe Captivate Forum. Many Cp authors are totally flummoxed when they can preview content inside Captivate and everything seems to work perfectly, but as soon as they publish to HTM/SWF format, and then try to play from their hard drive or LAN or CD ROM, the same content fails to work in one or more ways. 

In all too many cases, the reason for this seemingly bizarre behaviour is that Flash Global Security has not been configured properly on the end user's system. But adding to the complexity is that the Flash security gremlins only kick in and cause issues under certain specific circumstances.

This information is an excerpt from our e-books about troubleshooting and debugging Adobe Captivate. Buy the e-book to get the full story!...>

How Flash Global Security affects Captivate content

Here are some sample issues caused by not having Flash Global Security configured correctly:

  • You have interactive objects in your project file (e.g. buttons, click boxes, widgets, or Advanced Actions) that are set to open web URLs or other files. The interactivity works fine when previewed in Captivate, but fails to work after publishing to a local hard drive, LAN folder, USB stick, or CD ROM.
  • You want to have one course module automatically open another course module as the user completes it. This is known as 'daisy-chaining' and normally achieved by setting the Preference for Project > Start and End > Project End Option to either Open URL or Open Other Project. As above, it works in preview but not after publishing.
  • You have custom JavaScript code in your project or external files and this code must be run in order for certain functionality to work.  For example, you may have added JavaScript alerts to appear if the user incorrectly clicks an area of the screen. The code is flawless but refuses to work.
  • You want to use Captivate’s Email Reporting ‘feature’ to get learner quiz results without using an LMS.  However, clicking on the reporting button on the Quiz Results slide fails to do anything and no results are attached to your email.  Since this method of reporting relies on JavaScript, without Flash Global Security set up it does not work.
  • You added a print widget on a slide in your course to enable the user to print out their certificate.  But the print widget seems to do nothing.
  • You’re creating a simulation of software that uses right-mouse-click functionality. So you add click boxes or widgets set to trigger actions on right mouse click.  Unfortunately, right mouse click is unavailable by default in Flash content because it is reserved for Flash’s own right-click context menus.  Fortunately, a clever JavaScript programmer developed a workaround to enable right-click with Flash content, and this workaround is employed by Adobe Captivate. Unfortunately, the workaround requires yet more JavaScript code, and for this to be executed, Flash Global Security must trust the publish folder location. Fortunately, this doesn’t apply to content delivered via HTTP from a web server.  (Did you notice how nicely the unfortunately's and the fortunately's balanced each other out?)

This is by no means a complete list of issues, but as you can see, Flash Global Security disables some fairly essential functionality that most developers expect to work out-of-the-box.  

About Captivate’s Preview Mode

Every Captivate developer uses Preview mode, but most don’t understand what actually happens. When you hit F4 or Ctrl + ENTER in Captivate to preview a project you’re actually using a special version of the Flash Player that opens your project in a temporary folder location with full security permissions.  This means that in Preview mode Flash Global Security is never going to be an issue.

As a result, Captivate developers are often lulled into a false sense of security while previewing their creations, only to find the same project fails to perform as expected when published out to a folder on the same PC.  It’s not uncommon for newbie developers to spend hours or even days on this issue.  By the time they make it to the Adobe Captivate Forum for help, these users are often in an advanced state of frustration.

Another complication is that Flash Player in Internet Explorer uses an ActiveX plug-in while Flash Player in other browsers uses a different form of the same player.  So configuring Flash Player for IE doesn’t necessarily mean it will work properly for all others.  What's more, updating the Flash Player Active X version, does not update other incarnations of Flash Player that may also be present on your computer.

What about content running from a web server or LMS?

At last some good news! Flash Global Security is not a problem when running content from a web server. Since most LMSs are also delivering content via web servers, LMSs don’t usually present problems due to Flash Global Security either. 

So, why did Adobe implement Flash Global Security so strictly?

The ActionScript 3 (AS3 for short) programming language is actually powerful and versatile enough to do almost anything, and in the wrong (or devious) hands could be used to cause havoc. Adobe decided they’d better take some precautions against Flash being used maliciously to take control of an end-user’s system and do something inappropriate (like delete files or plant viruses).  So they implemented security known as 'sandboxing' to prevent what is known as 'cross-domain' activity.  This is like placing a Flash SWF file in its own walled domain, making it impossible to access files on the other side of the wall in another domain. 

Want to know more about sandboxing? There are in fact a number of different types of sandboxes used for Flash content.  Space doesn’t allow us to go into all the technical information. If technical detail is your thing, check out the ActionScript 3 help file info about Security Sandboxes. 

The bad news for Captivate developers is that Flash can consider the HTM file from another course module sitting in the same parent folder as belonging to another ‘domain’ and steadfastly refuse to launch it via a perfectly valid link. Now that you're familiar with this particular Captivate gremlin, let's explain what to do about it.

Configuring Adobe Flash Player Security

Anytime you play a Flash SWF file on your computer you’re actually using the Adobe Flash Player application, either as a standalone player, or as a browser plug-in. To configure the Flash Player application you need to use a configuration utility called Flash Player Settings Manager.  How this utility works for you depends largely on which version of Flash Player you are currently running.

Flash Player version 10.2 or earlier

If your computer runs Flash Player version 10.2 or earlier, you access this utility via the internet on the Adobe website. 

  1. Click this link to open Adobe Flash Player Settings Manager.
  2. Once you have the Settings Manager open you’ll find there are several sections. Select the link to Global Security Settings
  3. Next you just need to tell Flash Player about folders or drives that can be trusted to run Flash content without limitations.  Select Always Allow (so that you don’t keep getting asked for approval every time you want to run some content).
  4. From the Edit locations drop down menu, select Add location
  5. In the Trust this Location dialog, click the Browse for folder button and select the drive or folder where you’ll be publishing Captivate content for testing purposes.  
  6. Click the Confirm button so that the new trusted location is now shown in the Global Security Settings panel.  If necessary, you can add more trusted locations for other drives or folders.  It's less hassle to trust a high level folder or even an entire drive than just trusting individual files.  In the example below, you can see I've trusted the folder on my D: drive where I keep all of my projects.  Doing so means that I'll only have to trust another location if I decided to use some other location for development work.
  7. After you add trusted locations, the settings do not take effect until after relaunching the local SWF or FLV content, refreshing the browser (F5), or restarting Flash Player. 

Flash Player 10.3 or later

If your computer runs Flash Player version 10.3 or later, you have a local Flash Player Settings Manager application that is accessed via the Windows Control Panel.  Here's how to achieve the same result as the example above:

  1. Open Control Panel and click the Flash Player icon.
  2. When the Flash Player Settings Manager opens, click the Advanced tab and scroll down until you can click the Trusted Location Settings button.
  3. In the Trusted Locations dialog, click the Add... button and browse to select the drive or folder you want to configure as a trusted location from which to play Flash content.
  4. Click Confirm then Close to complete the task.
  5. Be aware that after you add trusted locations, the settings may not take effect until you relaunch the local SWF or FLV content, refresh the browser (F5), or restart Flash Player player. 

WARNING!  Don’t use LAN drives as trusted locations

So can you specify a LAN drive as a trusted location and store your project files and output there? Technically the answer is: Yes you can, but don't do it. If you want fewer issues with Captivate, especially if you want no issues with corrupted projects, you should ONLY work on Captivate project files stored locally on your PC drive/s. This also applies to publishing out to local drives.  When you publish a project file, Captivate remembers the publish target locations for all cached projects.  If you publish to a LAN drive, Captivate will try to find that LAN location each time you launch the app.  This can lead to slow start-up times, and can even cause Captivate to stop responding altogether if the remote location is not accessible. 

The bottom line is: Even though Flash Global Security will allow you to assign a LAN drive as a trusted location, the recommendation is that you DO NOT publish Captivate content directly to that location, but rather publish to some local hard drive folder first, and then afterward copy/paste to the LAN drive.  This helps keep Captivate running happily because everything it needs is always available locally.

Delivering Captivate content via LAN, USB or CD ROM

They say "ignorance is bliss" but in my experience whoever said this wasn’t talking about being ignorant about something that would potentially cause a project to fail dismally.  Even long-time Captivate users are often completely ignorant about Flash Global Security, which means there’s no chance at all that your boss or client company will understand how this issue can torpedo their well-intentioned plans to deliver e-learning content via the corporate network LAN, or CD ROMs. 

For any organisation to deliver Captivate SWF/HTM output from a corporate LAN or CD ROMs would require that ALL end-users would need to configure the source folders in their own Flash Global Security settings as per the instructions above.  In all my years of creating e-learning courses with Flash and Captivate I have NEVER seen a company willing to go this route.  The technical support costs and backlash from dissatisfied end-users would likely be immense.

So, if you’re engaged in creating Captivate course content and become aware it may NOT be delivered via web servers, you need to IMMEDIATELY inform the relevant parties about Flash Player Global Security and how it may partially or even completely block their content from working.

So, are there any solutions that enable LAN-delivered Captivate content? Yes there are, but be aware that each solution offered below has a downside.

Configuring Flash Global Security across an entire user group

Many companies use mapped LAN drives that everyone in the company has access to. If the IP address or mapped drive name is the same for all users, technically, it IS possible to have your IT department deploy a Flash configuration file to trust that location for all users in the company domain. The details about how to do this can be found (after some diligent searching) on the Adobe website.  

This is good news in one sense because at least it gives you a possible solution to a problem that plagues many Captivate developers.  However, the bad news is that your IT department may steadfastly refuse to share your enthusiasm for this solution.  The truth is that IT departments are paid to keep things secure and prevent the network from breaking. They usually know from bitter personal experience that any change to a currently stable and smooth-running system carries a high likelihood of rendering it unstable and error prone for which they will invariably get the blame. So, the IT gods may see your request for changes to the current configuration as non-essential and even potentially risky.  Any request that has the word 'security' somewhere in the heading will raise alarm bells in techiedom.  You will usually be told by all parties from management and IT to "find another way".

Using hyperlinks in HTM files to launch Captivate content

Since Flash Global Security would prevent one Captivate SWF from being able to call another SWF on a LAN drive, USB Flash Drive, or CD ROM, in many cases the only way you would be able to deliver a Captivate course involving multiple modules would be to set up an HTM file to act as a menu page and launch each Captivate module from a link on this menu.  In practice I have done this many times for clients that stipulated "the same content must be available from the company LMS (a web server) as well as from the company LAN and CD ROM (for users in remote locations that may not have internet or LAN access)".

Running Captivate content from CD ROMs

Again this is another common customer requirement where Flash Global Security can interfere because the CD ROM drive must be added as a trusted location. There are three possible solutions:

  1. Require all users to configure their own Flash Global Security settings to trust the CD ROM drive.  This would usually require supplying lengthy instructions in the form of a video tutorial or step-by-step quick-reference guide document (with lots of screenshots).  I’ve never personally seen this option get implemented because it was deemed too onerous for end-users.
  2. Have the IT department deploy Flash Player configuration files that trust the CD ROM drive on all end user PCs.  Even if you CAN persuade your IT department to do this, one tricky problem to get around is that the CD ROM drive isn’t always set as the D: drive on all PCs.  If a computer has multiple hard drives, the CD ROM might be configured as an E, F, or G drive. So the automatically deployed security configuration file might not be able to determine the correct drive letter to trust, and some users still won’t be able run the content.   In many corporate locked-down SOE situations, it’s actually quite rare to encounter this issue because most PCs and laptops conform to very tight specifications.  
  3. If your end user PC configuration is an unknown quantity because you are delivering content via CD-ROM to the general public, then you cannot use either of the above options. Your next best solution is to use a product such as Server2Go.  This is essentially a light-weight web server that runs without any installation to the local PC or server.  This means you can load it onto a CD -OM or USB stick and play your Captivate content from it just as you would from a web server running over the internet.  Since, as stated previously, Flash Global Security is not an issue for content running over HTTP (internet or localhost), your content should be fully functional without end-users required to do anything more than place the CD-ROM in their drive and allow it to launch normally. 

WARNING: Don’t use Server2Go on a network LAN 

The Server2Go solution mentioned above is fine for CD-ROM or USB delivered courseware but is not an ideal solution for a corporate LAN.  This is due to the fact that the web server application is an EXE file that needs to be launched by the course participant.  This can be arranged automatically when using a CD ROM course by setting up the Autorun files to launch the EXE when the disc is loaded into the PC’s CD-ROM drive.  On a USB-delivered course, you would need to supply instructions to the user about which file they needed to execute in order to play the course.

However, in a corporate LAN environment, there are usually safeguards such as anti-virus software and security restrictions that would normally prevent users from executing programs on the network.  Even if your network DOES permit this, if you have a lot of users executing Server2Go at the same time, it could significantly bog down the LAN server CPU, causing it to crash and inviting the ire of your local IT gods.  Use with care.

What else can you do?

In addition to the information above, I would also recommend you read the related post about Setting up your PC to work with Adobe Captivate, as those suggestions will also help ensure you experience fewer issues when using Captivate.


Join more than 2500 other Adobe Captivate users just like yourself and receive regular troubleshooting tips, illustrated tutorials, technical information, and creative solutions to real-world e-learning development issues. (See an example here.) Click the button below to join our community.  It's completely FREE!