Anyone know what level of authorization the application post installers have? Does KACE make them have runas admin or something or what?

I'm trying to install a VPN client which requires a trusted certificate to be installed prior to installing the app so it does not prompt the user to 'trust' the certificate during silent install. I'm using the following script in an 'application' post installer which will in theory install the certificate into the trust store prior to the application actually being installed so the driver certificate is already trusted.

My post installer is running:

start /wait certutil -addstore "TrustedPublisher" nortelvpncert.cer

However, it is failing to work. After this post install task I have the actual install:

start /wait NortelVPNClient.msi /qb

However, it is not working... Not sure if the trust store install is causing it to fail or the actual MSI, as it hangs during the MSI install.

Answers

Everything is run under the Administrator account created during Windows setup (which is the account set for auto-login for post-install).
Answered 03/08/2011 by: airwolf
Tenth Degree Black Belt

vtphilk,

Does the certificate get installed?

If it does then you know it's a problem with the MSI.

Also are you running this all at once or is it 2 separate tasks?

One more thought... I usually install my certs in a .p7b format (doubt it matters but just in case).
Answered 03/08/2011 by: dchristian
Red Belt

Basically what I did was install the VPN client on a test machine. When it asked whether I wanted to trust the certificate, I said "Always Trust". I then went to certmgr.msc and exported the certificate from "Trusted Publishers" for the app to DER format.

Currently I have one post install application which I uploaded the exported DER file and run the certutil command. Then after that, I run the msi.

The certificate is NOT installed so I assume the problem is with certutil. I tried running it (as the logged-in admin) and found it needed an elevated command prompt to successfully import. So I'm trying to figure out how to get around this need for an elevated command prompt, or how to elevate the prompt the KACE task runs from.
Answered 03/08/2011 by: vtphilk
Orange Senior Belt

After playing around with this I don't think it's an issue with UAC.

I ran through one of these with a pause at the end and it said the store wasn't created.

To force creation, try calling certutil with a -f.
certutil -f -addstore "TrustedPublisher" nortelvpncert.cer
Answered 03/09/2011 by: dchristian
Red Belt

No joy on the -f. If I run the command in a normal command prompt I get:

"Administrator permissions are needed to use the selected options."

If I run the command prompt with 'runas admin' then it works fine.
Answered 03/09/2011 by: vtphilk
Orange Senior Belt

Hmmm...

This is what I use to install Virtual CloneDrive.

I do it as one post install task in the K2.

The cert, installer and bat file are all zipped up.

I call the bat file as the command text.

Here are the contents of that installer bat.
certutil -f -addstore "TrustedPublisher" cert.cer
SetupVirtualCloneDrive5450.exe /S /noreboot

I wonder if anybody has any ideas on what's different...
Answered 03/09/2011 by: dchristian
Red Belt

I am going to try and build a .bat and run in the .bat a certutil and then the MSI run line.

Then in the post install task put:

start /wait installcontivity.bat

so that hopefully it will not try running any other installs, because the Contivity VPN really does not like other installs running in the background.

But this start /wait thing has not really been working for me. KACE seems to just run more than one anyhow.
Answered 03/09/2011 by: vtphilk
Orange Senior Belt

vtphilk,

You wouldn't run a start /wait on a .bat file; that only works on .exe's.

You would call a bat file:

call installcontivity.bat
Answered 07/10/2011 by: cserrins
Red Belt
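
One way to combine the steps discussed in this thread into a single batch file that can be zipped with the certificate and MSI, as an added example that is not part of any poster's answer. The file names are the ones used in the thread; the `net session` elevation check, the exit codes and the log path are assumptions made for this example.

```bat
@echo off
rem Added example: import the publisher certificate, then install the MSI.
rem Stops with a distinct exit code at the first step that fails, so the
rem deployment log shows whether certutil or the MSI was the problem.
setlocal
cd /d "%~dp0"

rem 1. Writing to the machine TrustedPublisher store needs an elevated token.
rem    "net session" fails when the process is not elevated (assumes the
rem    Server service is running, which is the Windows default).
net session >nul 2>&1
if errorlevel 1 (
    echo ERROR: not running elevated; certutil cannot write to the machine store.
    exit /b 1
)

rem 2. Import the certificate and check the result before going any further.
certutil -f -addstore "TrustedPublisher" "nortelvpncert.cer"
set "RC=%errorlevel%"
if not "%RC%"=="0" (
    echo ERROR: certutil exited with code %RC%; certificate was not imported.
    exit /b 2
)

rem 3. Install the MSI and wait for it. A verbose log makes a hang or
rem    failure diagnosable after the fact.
start "" /wait msiexec /i "NortelVPNClient.msi" /qb /l*v "%TEMP%\NortelVPNClient-install.log"
set "RC=%errorlevel%"

rem    0 = success, 3010 = success but a reboot is required.
if "%RC%"=="0" exit /b 0
if "%RC%"=="3010" exit /b 0

echo ERROR: msiexec exited with code %RC%; see %TEMP%\NortelVPNClient-install.log
exit /b 3
```

Anything placed in TrustedPublisher is trusted machine-wide for publisher prompts, so confirm the .cer file is the one exported from the vendor's signed package before distributing it.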
