How do you handle software installs?
All of our domain users have admin rights on every machine (excluding servers) in our organization.
Recently we've started batting around the idea of removing that access but then we have a situation pop up.
A new program installs itself the first time a user opens a document through it.
If we had the install files we'd be able to script it or automate it somehow, but in this case it comes through the internet on a case by case basis.
Without all users having admin rights, and without the domain admins having to sign on to every machine for this install to occur, how do you folks handle situations like this?
Answers (5)
We do on our 2nd net the following strategy:
there is a bunch of mandatory software which every user needs.
This is installed by default via MI.
For all the other software we use the software library.
If a user is needing add. software we create a MI/FS for that.
you can also create an software item to make the user admin temp. if he really needs this for one time.
But _NEVER_EVER_ give everyone admin rights even to their own PC forever!
Comments:
-
I guess the roadblock for me is finding all the switches and things we would need for our programs to be able to be installed automatically. We have alot of programs that have no entries on ITninja sadly.
So if a person doesn't have admin rights to their machine wouldn't that stop the software library from being able to install things under their login? - AFCUjstrick 10 years ago
We utilize the user portal. I'm fortunate enough where the users have to request software if it's not already packaged. We package it, add a new item in the user portal, and restrict by user label/machine label.
With SSO coming in 5.5 this process for the users should be even easier. They will not need to login a 2nd time.
Comments:
-
I'm assuming by "package" you mean script it or automate it right? Or do you actually use an honest to goodness packaging program? We have enough problems with our 400 users, I can't imagine what it would be like with as many as you have. - AFCUjstrick 10 years ago
-
Yes automate it whether it's msi or cmd file. It's not as bad as it sounds. Job security.
We do have those one offs where a certain department will buy some random printer (even though we're supposed to have standards). For those I just upload the exe to Kace, and let the users walk through the setup. No point in packaging items like that. Since we're a university we have about 28,000+ users in our Kbox. The process hasn't failed yet. - dugullett 10 years ago-
Oh you're a school? I didn't notice that in your profile. I just assumed you were a business of some kind. - AFCUjstrick 10 years ago
-
Hospital/University. We currently have 227 items in our software library. We don't really push software unless it's going to 1000+ machines.
For the most part we have some random medical app that goes on 20ish machines. We script it, and make it available to that user group (LDAP label). That way on the user end they only see what they need to see, and not a lot of clutter. - dugullett 10 years ago
-
Cool. Thanks for all the help and info. - AFCUjstrick 10 years ago
-
One more thing. If you do start going this route you may want to vote on this. We're currently using an exe created with AutoIT that lets users know when an install is finished. This would help though.
http://kace.uservoice.com/forums/82699-k1000/suggestions/1322901-user-portal-progress-bar-on-sofware-download-inst - dugullett 10 years ago
-
If I could bend your ear for a few more minutes...We always seem to have different results across our systems. For instance if we're installing something on all 400 machines, 30 of them won't do it.
Then the next time it'll be a different 30. It's not always 30 I'm just using that for an example.
Do you have to create multiple packages for different system models/scenarios? - AFCUjstrick 10 years ago-
Are you talking about software pushes (MIs)? So you're pushing multiple MIs and some machines get it on one check in, but will not get the other set until next check in? - dugullett 10 years ago
-
Some don't get it at all. They check in just fine but they never actually run the install.
I wish I had a better example for you but right now we're not trying to figure any mass installs out.
I don't use managed installs very often, usually scripting is where I spend my time. - AFCUjstrick 10 years ago-
I usually use MIs for software pushes. I save scripts for those little changes, and apps that need to be ran as a specific user. I guess it would depend on you verify, success, and remediation steps.
If you are using "offline scripts" pushing software from what I heard it's not actually recommended. I was in a class last year at the conference where that was being discussed. - dugullett 10 years ago
-
You were at the Konference? So was I. - AFCUjstrick 10 years ago
-
Yeah that advanced topics class they had was good. Lot's of good info. Are you using offline scripts as installs? From what they said in that class Kace uses what's called Konductor tasks. Using Online scripts utilizes these Konductor tasks which basically "conduct" the tasks in the Kbox. Offline tasks do not, and if they have dependencies there's no conducting when the software gets copied down and ran.
I would do your next install as a MI. See if that changes things. - dugullett 10 years ago
-
Yes I usually try offline first then switch to online if that doesn't work. Will do. Thanks again. - AFCUjstrick 10 years ago
-
Found a link that should explain the Konductor a little more. pg 7
https://www.kace.com/~/media/Files/Support/KACE-Konference/2012/2012_K1000%20Advanced%20Topics.ashx - dugullett 10 years ago
-
With 227 items in your software library are you running into storage issues? We have a physical Kbox 1000 and we are using a out 88% of the storage between patches, installs, and scripts. Are people Running the vm or physical box? We only have 886 clients, mostly macs running 10.6-10.8 and windows 7 64 bits - Jbr32 10 years ago
-
No storage issues at all. We're using patching as well. We have a physical box with 428 GB still available. We're not using the service desk piece, but I can't imagine that would take up that much more room. We have about 20,000 clients with a mix of PC, Mac, and Linux.
Are you downloading all patches, or just your patch labels? I know that made a huge difference for me when I changed that. - dugullett 10 years ago
-
My main drive is 217gb and I have 22gb free. I have 6.2k patches of which 1.7k is active. The rest are disabled or inactive. Under patch subscription I have the first four checkboxes checked; e.g. Security, application, non- security, and application. I also have a label for just critical patches.
Curios about the hard drive is a 217gb normal? - Jbr32 10 years ago-
I can't answer that one. Mine is 530gb.
Under patch subscription settings, under "Download Patches from labels" I have all of my labels selected. This way I'm only downloading what I need. My space used for my patches is 23.58 GB. - dugullett 10 years ago-
So for the patches are you saying you don't check off the first four checkboxes and just use labels instead? - Jbr32 10 years ago
-
We purchased our unit 4.2011. Not sure if when we purchased it makes a difference in regards to hard drives used. - Jbr32 10 years ago
-
I believe ours was purchased in early 2010 so it's very possible the hard drive size is based on time. - AFCUjstrick 10 years ago
-
My hard drive appears to be about that size as well. I have 28000 patches and only using 8 gigs for them. Our box doesn't seem to have any space issues right now. - AFCUjstrick 10 years ago
-
Ok perhaps we are doing something wrong when it comes to patching and labels. Can you describe what you are doing? - Jbr32 10 years ago
-
Honestly everything I know about patching I learned from Ron Colson who works at KACE. Fantastic guy who is very open to talking to anyone who will listen. ron_colson@kace.com is his email. - AFCUjstrick 10 years ago
-
Under patch download options I have it set to all subscribed patches and to delete unused patches after 2 days - Jbr32 10 years ago
-
I posted a pic of my setup. Take a look and let me know if you have questions. - dugullett 10 years ago
-
AFCUjstrick, thank you so much for the kind words. Jbr32, I'm here and willing to answer any questions you've got, especially about Patching (my favorite subject). First question from me: Are you upgraded to 5.4 SP1 (server AND agent)? Second question: Have you ever heard of KKEs (www.kace.com/kke)?
I've recently done a KKE series called Patching Week. I recommend you look them up and watch them. Should tell you everything you need to learn the basics. r2
Ron Colson
KACE Koach - ronco 10 years ago -
Ron - thanks for the offer! Yes I am running 5.4 SP1 (server and agent) and have heard of KKEs. I am going to watch the series on patching week to see if we can re-tune our patching. If I run into issues I will certainly reach out to you. Thanks again! - Jbr32 10 years ago
Do some research Standard Operating Environments (SOE). I'm managing about 500 desktops and laptops . When I came to the company there wasn't any great deal of control around the desktop environment which meant we had 30-50% success rate in deploying applications.
You really need to get to the point that you have a consistent and predictable environment so that teh production deployment opccurs the same way that you test it.
We restricted admin access to the smallest number of people and used Microsoft System Center Configuration Manager to do managed unattended deployments of both Windows and applications. I can now do deployments with 99%+ success rates.
Most applications have either command line switches to install the application or are MSI packages so they are usually pretty easy to deploy; now and then I have to turn to Powershell.
It takes some effort to convince people to change from having admin access and doing their own thing but the result is you can deploy applications faster and more consistently than you probably are now.
Comments:
-
Makes sense. - AFCUjstrick 10 years ago
Sorry about the new answer. I think it's easier to just post a pic. I'm doing software installers as well. Be careful when doing this.
"Everybodies an admin" is always a nightmare. Sure it speeds up users installing on demained, but like any other place I have every worked that have done the same, it actually creates more support calls and requires more time to discover issues. Like, "Why is this app missing a DLL or repairing every time its run, O, your running a Gaming Server from your pc, that explains it." Not to mention, if you ever get audited by a software vendor because you have 30 unlicensed copies of Acrobat...
I would say, that even if you are only able to run the Vendor's install with Unattended commandline parameters, and distribute via AD, you would have alot more control. Plus if they were advertised MSI's, the file association could trigger an install because they tried to run a certain file type. The fun part will be when you take the rights away.. That is when you discover what kinda crap your users had on their pcs. (post updates when you do, I'm sure you will have some entertaining stories)
Comments:
-
You speak sense. - AFCUjstrick 10 years ago