Thursday, 9 September 2010

Application deployment The Proper Way

After yesterday's post on application deployment the ghetto way, i realized that i'd written this post on application deployment the proper way on my other blog. This posting has been sitting as a draft for ever and ever amen, mostly because i hadn't checked whether it really worked. So with that warning in mind - this might (not) work - here's my posting:

One Windows Server feature i've actually never seen deployed in the wild is programs installable over the network. Seeing how painless it is to publish software on Active Directory, and how useful this thing can be, it's quite a surprise.

Here's how to do it.

  • For starters, you'll need an MSI file and a file share on a UNC path (\\server\share). Some installation packs come as .exe files, but this is not the solution for them. See my Ghetto file deployment posting for that. Some exe installers however have the option to emit msi packages. Check your friendly documentation.
  • Start the Group Policy Management from Start –> Administrative tools (or press the Windows key and type policy if you're lazy)
  • Create and link a new GPO under a relevant OU folder. This is going to be one for Users, so you might as well put it under an OU that handles users instead of putting it too high up in the tree.
  • Call your GPO Published Software and leave the Source Starter GPO to (none).
  • The Group Policy Management Editor pops up. Navigate to User Configuration –> Policies –> Software Settings –> Software Installation.
  • Right-click and go New –> Package. This will pop up a File Open dialog. Find and choose the installable MSI file using the UNC path.
  • Choose Deployment method: Published.
  • Click OK.

Distributing (“pushing”) software is just as easy. There are two ways. You can either assign software to a user or to a computer. If you assign it to a user, the software will be installed when the user logs in and it’ll be available to that user only. If you assign it to a computer, the software will be installed when the computer boots on a network and will be available to all users.

To assign (push) software to users, just change the Deployment Method above to Assigned. To assign software to a computer (and all its users), do as above but edit Computer Configuration –> Policies –> Software installation instead of User Configuration –> etc. Also, you should link to that policy from an OU that is relevant to Computers.
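Whether published or assigned, clients install whatever MSI sits at the UNC path, so anyone able to overwrite that file controls what gets installed. The following is an added example, not part of the original post: it lists access control entries that let anyone outside a small trusted set modify the package or its folder. The path is a placeholder, and the trusted set (SYSTEM, local Administrators, Domain Admins, Enterprise Admins) is an assumption to adjust for your domain.

```powershell
# Added example (not from the original post): find ACEs that let untrusted
# principals modify a GPO-deployed MSI or its folder. Placeholder path below.
$PackagePath = '\\server\share\package.msi'

# Write-type file rights, plus the raw GENERIC_WRITE / GENERIC_ALL bits that
# Get-Acl can return unmapped on some inherited ACEs.
$named = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask  = [int]$named -bor 0x40000000 -bor 0x10000000

# Assumption: only these principals are expected to change packages.
# S-1-5-18 = SYSTEM, S-1-5-32-544 = BUILTIN\Administrators,
# domain RID 512 = Domain Admins, 519 = Enterprise Admins.
$trusted = '^(S-1-5-18|S-1-5-32-544|S-1-5-21-.+-(512|519))$'

function Get-RiskyAce {
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        try {
            # Compare by SID so localized or renamed groups still match.
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable: report as-is
        }
        if ($sid -notmatch $trusted) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Write access to the folder is enough to swap the file, so check both.
$findings = @(Get-RiskyAce $PackagePath) +
            @(Get-RiskyAce (Split-Path -Parent $PackagePath))
if ($findings) { $findings | Format-Table -AutoSize }
else { 'Only trusted principals can modify the package or its folder.' }
```

This reads NTFS permissions only; share-level permissions are separate and are checked on the file server itself.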

One particularly useful use case comes to mind. On most typical networks, you'll want to have Adobe Flash and Reader installed. But especially Adobe Reader has been so shot full of security holes lately that you really don't want anybody on your network to be sitting around with an old Reader. And here's the twist. Application deployment this way also supports updates. If your software becomes updated, you can tell the deploying thing that this here is an update of the already installed software. Then you can force-feed the update to your users et voilà, you have just blasted out a Reader with new bugs to replace the one with old ones :). To emphasise, this paragraph sits firmly in the This Might (not) Work section. Oh, and Reader requires a boatload of switches to actually deploy silently. But the idea is there to catch.

Finally, be a little careful when assigning software. If you go on an assigning spree, you might end up with workstation software on the servers. Having Office or F-Secure Client Security on a server will just make things go weird.

More info in the Microsoft KB.

Heck, i should have named my blog This Might (not) Work.