Thursday 9 September 2010

Application deployment The Proper Way

After yesterday's post on application deployment the ghetto way, i realized that i'd written this post on application deployment the proper way on my other blog. This posting has been sitting as a draft for ever and ever amen, mostly because i hadn't checked whether it really worked. So with that warning in mind - this might (not) work - here's my posting:

One Windows Server feature i've actually never seen deployed in the wild is programs installable over the network. Seeing how painless it is to publish software on Active Directory, and how useful this thing can be, it's quite a surprise.

Here's how to do it.

  • For starters, you'll need an MSI file and a file share on a UNC path (\\server\share). Some installation packs come as .exe files, but this is not the solution for them. See my Ghetto file deployment posting for that. Some exe installers however have the option to emit msi packages. Check your friendly documentation.
  • Start the Group Policy Management from Start –> Administrative tools (or press the Windows key and type policy if you're lazy)
  • Create and link a new GPO under a relevant OU folder. This is going to be one for Users, so you might as well put it under an OU that handles users instead of putting it too high up in the tree.
  • Call your GPO Published Software and leave the Source Starter GPO to (none).
  • The Group Policy Management Editor pops up. Navigate to User Configuration –> Policies –> Software Settings –> Software Installation.
  • Right-click and go New –> Package. This will pop up a File Open dialog. Find and choose the installable MSI file using the UNC path.
  • Choose Deployment method: Published.
  • Click OK.

Distributing (“pushing”) software is just as easy. There are two ways. You can either assign software to a user or to a computer. If you assign it to a user, the software will be installed when the user logs in and it’ll be available to that user only. If you assign it to a computer, the software will be installed when the computer boots on a network and will be available to all users.

To assign (push) software to users, just change the Deployment Method above to Assigned. To assign software to a computer (and all its users), do as above but edit Computer Configuration –> Policies –> Software installation instead of User Configuration –> etc. Also, you should link to that policy from an OU that is relevant to Computers.

One particularly useful use case comes to mind. On most typical networks, you'll want to have Adobe Flash and Reader installed. But especially Adobe Reader has been so shot full of security holes lately that you really don't want anybody on your network to be sitting around with an old Reader. And here's the twist. Application deployment this way also supports updates. If your software becomes updated, you can tell the deploying thing that this here is an update of the already installed software. Then you can force-feed the update to your users et voilà, you have just blasted out a Reader with new bugs to replace the one with old ones :). To emphasise, this paragraph sits firmly in the This Might (not) Work section. Oh, and Reader requires a boatload of switches to actually deploy silently. But the idea is there to catch.

Finally, be a little careful when assigning software. If you go on an assigning spree, you might end up with workstation software on the servers. Having Office or F-Secure Client Security on a server will just make things go weird.

More info in the Microsoft KB.

Heck, i should have named my blog This Might (not) Work.

Wednesday 8 September 2010

Ghetto application deployment with Zap files

I discovered a painfully simple (and only slightly inelegant) way of deploying software in a Windows Active Directory environment, namely Zap files. While you'd usually want to deploy an .msi file, you use Zap files when you want to deploy an .exe file.

Big fat caveat -- The installation will run on the user's rights, so s/he must have software installation privileges on the computer s/he's running, or the installer must have admin credentials baked in somehow. On a secure network, you don't let your users install stuff on their computers.

And with that said, here's how to do it. Windows Server 2008 recommended.

1. Create a file share if you don't already have one. Use Share and Storage Management from Administrative tools or Server management to do it The Right Way [0]. To be Really Swanky, use DFS to publish the share on a domain scope instead of on server scope. In this example, i'll be more ghetto and shall call the share \\fileserver\Install and i shall call the fictional package to install agent.exe

2. Put your agent.exe file somewhere within the share created above; for the sake of this example, in \\fileserver\Install\agent.exe

3. Create a text file agent.zap (you can create it as agent.txt and rename it to dot-zap later) and place it in another share, or the same if you don't believe in security by obscurity, or don't have a compulsive manner in keeping things in neat little boxes. Here's what you'll put in the agent.zap file

[Application]
FriendlyName = "The Agent"
SetupCommand = "\\Fileserver\Install\agent.exe /any /switches"

Wikipedia tells me there are loads of other commands, but this will do for the Ghetto Installation we're doing now. Anyway, the [Application] row must be written like that, verbatim. The next row is what's going to be shown to the users when they want to install the file. And the SetupCommand shall point to the UNC path where the installer resides. Any command switches can be put after the executable name within.

4. Open Group Policy editor. Browse to your users' folder (or wherever you want to apply the deployment). As i'm on Small Business Server, that would be around ...My Business\Users. YMMV. Right-click to Create a GPO in this domain and link it here. Call it Published Software (since eventually you'll put more published software here).

5. Under User Configuration / Policies / Software Settings / Software Installation, right-click New / Package. Navigate to where your .zap file is, make sure the file type selector is .ZAP (and learn that .zap stands for ZAW down-level Application Package) and select it. Click OK. Select Published to force the installer down your users' throats (generally a bad call) or Advanced to modify the settings and under the Advanced tab on the next dialog box, unselect Auto-install this application not to force feed the app.

6. Showtime. Log on as a user on a workstation. Open Control Panel. If you're on Win7, find the option "Get Software". If you're on an earlier incarnation of the ubiquitous desktop operating environment, go Add/Remove Programs or the like and choose Install published software. You should now see The Agent listed there! Yay presto!
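A pre-publish check for the agent.zap from step 3, as an added example that is not part of the original post: it confirms the [Application] section and FriendlyName are present and that SetupCommand names the installer by UNC path rather than a mapped drive. The names lint_zap and split_command are hypothetical, the sample is constructed from the post's own values, and accepting a quoted path followed by switches as a second form is an assumption.

```python
import configparser
import re

# SetupCommand must name the installer by UNC path: \\server\share\...
UNC_RE = re.compile(r'^\\\\[^\\/\s]+\\[^\\/]+\\.+')

# Constructed sample: the agent.zap from step 3.
SAMPLE = r'''[Application]
FriendlyName = "The Agent"
SetupCommand = "\\Fileserver\Install\agent.exe /any /switches"
'''

def split_command(cmd):
    """Split a SetupCommand value into (executable, switches)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            end = len(cmd)
        inner, rest = cmd[1:end], cmd[end + 1:].strip()
        if rest:                 # form: "exe" /switches
            return inner.strip(), rest
        cmd = inner              # form: "exe /switches", as in the post
    # Assumption: switches start with " /", so spaces in folder names survive.
    exe, _, switches = cmd.partition(" /")
    return exe.strip(), ("/" + switches.strip()) if switches else ""

def lint_zap(text):
    """Return (findings, parsed) for the text of a .zap file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"not parseable: {type(exc).__name__}"], {}
    if not cp.has_section("Application"):
        return ["missing [Application] section"], {}
    app = cp["Application"]
    name = app.get("FriendlyName", "").strip().strip('"')
    exe, switches = split_command(app.get("SetupCommand", ""))
    findings = []
    if not name:
        findings.append("FriendlyName is missing or empty")
    if not exe:
        findings.append("SetupCommand is missing or empty")
    elif not UNC_RE.match(exe):
        findings.append(f"SetupCommand is not a UNC path: {exe}")
    return findings, {"name": name, "exe": exe, "switches": switches}

if __name__ == "__main__":
    print(lint_zap(SAMPLE))
```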

And that's about the size of it on a space like this. Experiment and write about your experiences in the comments below!

[0] Also known as The One Microsoft Way :)