PS App Deployment Toolkit: User Logged On / Off Deployment Types

I started using PSADT a year or two ago for my commonly updated applications. Flash, Java, Reader, etc.

One of the first issues I encountered was having a single deployment type. Per PSADT documentation, your deployment type should be deployed with “Allow users to view and interact with the program installation” ticked. Unfortunately, if you set “Logon Requirement” to “Whether or not a user is logged on”, this field greys out, unticked.

So, with this box unticked, PSADT proceeded in NonInteractive mode, instantly closing Internet Explorer and whatever other apps I had specified in the close-apps list without any prompt. This didn’t make me (or anyone else) happy.

My workaround is quite simple. I have two identical deployment types with different User Experiences. Additionally, I have created a Global Condition to determine whether the workstation is currently in use or not (whether locally or via RDP). This Global Condition is set as a requirement on each Deployment Type.

You can create the Global Condition under Software Library -> Global Conditions. I named mine “Workstation in Use”. The discovery script is incredibly simple:

[bool](query user)

On your “User Logged On” deployment type, configure as such:
User Experience Tab
Installation Behavior: Install For System
Logon Requirement: Only when a user is logged on
Installation Program visibility: Normal
Tick the Allow users to view and interact box.
Requirements Tab
Add -> Custom -> Condition -> Workstation In Use -> Value -> Equals -> True

On your “User Logged Off” deployment type, configure as such:
User Experience Tab
Installation Behavior: Install For System
Logon Requirement: Only when no user is logged on
Installation Program visibility: Normal
The “Allow Users to View and Interact” will be greyed out automatically.
Requirements Tab
Add -> Custom -> Condition -> Workstation In Use -> Value -> Equals -> False

This setup will allow you to give your users the PSADT experience, but also leverage PSADT (in noninteractive mode) to perform installations while no users are logged into the system(s).
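As an added example (not the original post’s script), here is a more explicit version of the “Workstation in Use” discovery script. It reads the same quser.exe output that [bool](query user) relies on, but handles the no-session case deliberately and lets you decide whether disconnected RDP sessions should count as “in use”. The function name and the -CountDisconnected parameter are my own.

```powershell
# Added example, not the original post's script. Equivalent in spirit to
# [bool](query user), written out so the session logic is visible and testable.
function Test-WorkstationInUse {
    [CmdletBinding()]
    param(
        # A disconnected RDP session (state "Disc") still counts as a logged-on
        # user for the ConfigMgr "Logon Requirement", so count it by default;
        # pass -CountDisconnected:$false to ignore those sessions.
        [bool]$CountDisconnected = $true
    )

    # Global Condition scripts run as SYSTEM, so quser sees console and RDP
    # sessions alike. With nobody logged on it prints "No User exists for *"
    # to stderr and nothing to stdout; the stderr noise is discarded here.
    $lines = @(& "$env:SystemRoot\System32\quser.exe" 2>$null)

    if ($lines.Count -lt 2) {
        Write-Verbose 'No sessions reported by quser'
        return $false
    }

    # The first line is the column header; each session line carries a STATE
    # column of Active or Disc, for example:
    # >jdoe        console     1  Active    none   1/2/2020 8:00 AM
    $sessions = $lines | Select-Object -Skip 1
    $active   = @($sessions | Where-Object { $_ -match '\sActive\s' }).Count
    $disc     = @($sessions | Where-Object { $_ -match '\sDisc\s' }).Count
    Write-Verbose "Active sessions: $active; disconnected sessions: $disc"

    if ($active -gt 0) { return $true }
    if ($CountDisconnected -and $disc -gt 0) { return $true }
    return $false
}

# The Global Condition (setting type Script, data type Boolean) compares the
# script output against True/False, so the result is emitted as the last line.
Test-WorkstationInUse
```

Run it with -Verbose on a test machine (once from the console, once over RDP, once with everyone logged off) before wiring it into the Global Condition, so you can see which sessions the agent will actually count.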

Deploying ccmcache location and size changes

I was working on some deployments today and discovered a large chunk of systems that have had ccmcache location set to c:\ccm\cache and size set to 250MB since I migrated to a Current Branch hierarchy.

I did not want to deploy something to all systems in the target collection for this deployment as the ccmexec service would have to cycle, and I’m not sure what would happen if an install were in progress when that happens. My other option would have been to create a collection with only the machines failing with the same “not enough temporary space is reserved” message, and deploy a fix app/package to it.

In the end, I had the list of clients with “not enough space reserved” and just ran the following from my system:

Invoke-Command -ComputerName PCNAMEHERE,ANOTHERPC,ANDANOTHER,YETANOTHER -ScriptBlock {
    # The client cache settings live in the agent's own WMI namespace
    $Cache = Get-WmiObject -Namespace 'ROOT\CCM\SoftMgmtAgent' -Class CacheConfig
    $Cache.Location = 'C:\Windows\ccmcache'
    $Cache.Size = 5120   # MB; the property is a uint32
    $Cache.Put()
    # The agent only picks up the new values after a restart
    Restart-Service -Name CcmExec
}

In the future, I’ll probably look at spending some time creating a configuration item with this script utilized for remediation.
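The configuration item mentioned above, as an added example (not the post’s own code). In a ConfigMgr CI with a script setting, the discovery script and the remediation script are pasted into separate boxes; they are shown here as two functions sharing one helper so the pair can be tested locally in a single file. The desired location and size are the values from the post; the deferral check against CCM_Application is my addition.

```powershell
# Added example, not the post's code: discovery and remediation scripts for a
# ConfigMgr configuration item that enforces the ccmcache location and size.

$DesiredLocation = 'C:\Windows\ccmcache'   # values from the post
$DesiredSizeMB   = 5120

function Get-CcmCacheConfig {
    # Same class the Invoke-Command block above edits
    Get-WmiObject -Namespace 'ROOT\CCM\SoftMgmtAgent' -Class CacheConfig -ErrorAction SilentlyContinue
}

# Discovery script: the CI rule (type Value, operator Equals) compares the
# single output string with "Compliant".
function Get-CcmCacheCompliance {
    $cache = Get-CcmCacheConfig
    if (-not $cache) { return 'Non-Compliant' }   # no agent WMI: report, do not guess
    $locationOk = $cache.Location.TrimEnd('\') -ieq $DesiredLocation.TrimEnd('\')
    $sizeOk     = [int]$cache.Size -eq $DesiredSizeMB
    if ($locationOk -and $sizeOk) { 'Compliant' } else { 'Non-Compliant' }
}

# Remediation script: only runs when discovery reported Non-Compliant and the
# "Run the specified remediation script when this setting is noncompliant"
# box is ticked on the rule.
function Repair-CcmCacheConfig {
    $cache = Get-CcmCacheConfig
    if (-not $cache) { throw 'CacheConfig not found in ROOT\CCM\SoftMgmtAgent' }
    $cache.Location = $DesiredLocation
    $cache.Size     = [uint32]$DesiredSizeMB   # property is uint32, in MB
    [void]$cache.Put()

    # The agent reads the new values on restart. If an application job is
    # downloading, waiting to install or installing (CCM_Application
    # EvaluationState 5, 6 or 7), leave the service alone; the next CI
    # evaluation cycle will retry the remediation.
    $busy = @(Get-WmiObject -Namespace 'ROOT\CCM\ClientSDK' -Class CCM_Application -ErrorAction SilentlyContinue |
        Where-Object { $_.EvaluationState -in 5, 6, 7 }).Count
    if ($busy -gt 0) {
        Write-Output "Settings written; $busy application job(s) in progress, deferring CcmExec restart"
        return
    }

    # Restart from a detached process so this script, which CcmExec itself
    # launched, can finish and report compliance before its parent stops.
    Start-Process -FilePath powershell.exe -WindowStyle Hidden `
        -ArgumentList '-NoProfile -Command "Start-Sleep -Seconds 15; Restart-Service -Name CcmExec"'
    Write-Output 'Settings written; CcmExec restart scheduled'
}

# Local test: show the current state, then remediate if needed. In the CI the
# discovery box ends with Get-CcmCacheCompliance and the remediation box with
# Repair-CcmCacheConfig.
$state = Get-CcmCacheCompliance
Write-Output "Current state: $state"
if ($state -ne 'Compliant') { Repair-CcmCacheConfig }
```

Because the restart is deferred while a job is in flight, a machine that is mid-install simply reports Non-Compliant on that cycle and gets fixed on the next one, which is the behaviour you want from a fleet-wide remediation rather than a one-off Invoke-Command.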

Securing Java Runtime without crippling clients

One of the issues I’ve run into with patching Java Runtime is that for the last few years, unsigned / self-signed applets have been blocked by default. You can whitelist websites on a per-system basis, but I ran into the need to deploy this to a number of systems. This seems way more complex than it has to be. Here’s how I build the Java Enterprise Deployment Rule Set.

The easy parts…
1. Get a code signing certificate from an authority trusted by your client systems. You need to be able to export it with private key.
2. Install JDK
3. Export cert as PFX, save into programfiles\jdk\bin
4. Rename .PFX to .p12
5. Create ruleset.xml per http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/deployment_rules.html

The difficult stuff… it will probably be easier for you than it was for me.
1. Create a JAR with the ruleset.xml:

jar -cvf DeploymentRuleSet.jar ruleset.xml

2. Import your .p12 certificate into a Java keystore.

keytool -importkeystore -srckeystore whatever.p12 -srcstoretype pkcs12 -destkeystore signing.jks -deststoretype JKS

You will be prompted to create a keystore password, and then for the password you specified when you exported your cert.

3. Find the alias of your cert’s private key in the keystore (hint: it’s the text before the date in the single entry listed)

keytool -list -keystore signing.jks

You will be prompted for the keystore password as well as the password you specified when you exported your cert.

4. Sign the JAR you created.

jarsigner -verbose -keystore signing.jks -signedjar DeploymentRuleSet.jar DeploymentRuleSet.jar long-key-name-here

You will be prompted for the keystore password as well as the password you specified when you exported your cert.

The wrap-up…
1. Verify the JAR is signed OK

jarsigner -verify DeploymentRuleSet.jar

2. Test the DeploymentRuleSet locally
Copy DeploymentRuleSet.jar to C:\Windows\sun\java\deployment.
Open the “Configure Java” app; the Security tab should display “View the active Deployment Rule Set”.
The resulting window should include the file’s contents as well as “DeploymentRuleSet.jar is valid”
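The four build steps and the first two wrap-up steps as one script, added here as an example and not the post’s own code. It assumes the JDK bin folder (not the JRE’s) holds jar.exe, keytool.exe and jarsigner.exe, that the renamed PFX export is cert.p12 in the working directory, and that you want the passwords supplied at run time rather than on the command line. The parameter names, the Invoke-JdkTool helper and the DRS_* environment variable names are my own; -tsa is a standard jarsigner option that I have made optional.

```powershell
# Added example, not the post's script: package, sign, verify and stage the
# Deployment Rule Set JAR. Assumes a JDK (jar/keytool/jarsigner) and a .p12.
param(
    [string]$JdkBin     = (Split-Path (Get-Command jar.exe -ErrorAction Stop).Source),  # JDK bin, not JRE
    [string]$Pkcs12     = '.\cert.p12',            # the renamed PFX export
    [string]$Keystore   = '.\signing.jks',
    [string]$RuleSetXml = '.\ruleset.xml',
    [string]$Jar        = '.\DeploymentRuleSet.jar',
    [string]$TsaUrl     = ''   # optional RFC 3161 timestamp server; a timestamped signature stays valid after the cert expires
)

# Run a JDK tool, fail loudly on a non-zero exit code, return its output lines.
function Invoke-JdkTool {
    param([string]$Tool, [string[]]$Arguments)
    $output = & (Join-Path $JdkBin "$Tool.exe") @Arguments 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { throw "$Tool exited with $LASTEXITCODE`n$($output -join "`n")" }
    $output
}

# keytool and jarsigner read passwords from environment variables through the
# :env modifier, which keeps them out of the command line and process listings.
$env:DRS_P12PASS = Read-Host 'Password used when exporting the PFX'
$env:DRS_JKSPASS = Read-Host 'Password for the new signing.jks keystore'
try {
    # 1. Package ruleset.xml at the root of the JAR (-C changes into its folder first)
    $xmlDir  = Split-Path (Resolve-Path $RuleSetXml)
    $xmlName = Split-Path -Leaf $RuleSetXml
    Invoke-JdkTool jar @('-cvf', $Jar, '-C', $xmlDir, $xmlName) | Out-Null

    # 2. Import the .p12 into a JKS keystore
    Invoke-JdkTool keytool @(
        '-importkeystore', '-noprompt',
        '-srckeystore', $Pkcs12, '-srcstoretype', 'pkcs12', '-srcstorepass:env', 'DRS_P12PASS',
        '-destkeystore', $Keystore, '-deststoretype', 'JKS', '-deststorepass:env', 'DRS_JKSPASS'
    ) | Out-Null

    # 3. Find the private key alias: the text before the first comma on the
    #    PrivateKeyEntry line of the listing (the "before the date" hint above)
    $listing = Invoke-JdkTool keytool @('-list', '-keystore', $Keystore, '-storepass:env', 'DRS_JKSPASS')
    $entry = $listing | Where-Object { $_ -match 'PrivateKeyEntry' } | Select-Object -First 1
    if (-not $entry) { throw 'No PrivateKeyEntry found in the keystore' }
    $alias = ($entry -split ',')[0].Trim()

    # 4. Sign the JAR in place (without -signedjar, jarsigner overwrites the input)
    $signArgs = @('-verbose', '-keystore', $Keystore, '-storepass:env', 'DRS_JKSPASS', '-keypass:env', 'DRS_P12PASS')
    if ($TsaUrl) { $signArgs += @('-tsa', $TsaUrl) }
    Invoke-JdkTool jarsigner ($signArgs + @($Jar, $alias)) | Out-Null

    # Wrap-up 1. Verify. jarsigner exits 0 even for an unsigned JAR, so check the text.
    $verify = Invoke-JdkTool jarsigner @('-verify', '-certs', $Jar)
    if (-not ($verify -match '^jar verified')) { throw "Signature check failed:`n$($verify -join "`n")" }

    # Wrap-up 2. Stage the JAR where the local Java runtime looks for it
    $deployDir = Join-Path $env:SystemRoot 'Sun\Java\Deployment'
    New-Item -ItemType Directory -Path $deployDir -Force | Out-Null
    Copy-Item -LiteralPath $Jar -Destination $deployDir -Force
    Write-Host "Signed with alias '$alias' and staged in $deployDir; check Configure Java > Security"
}
finally {
    Remove-Item Env:\DRS_P12PASS, Env:\DRS_JKSPASS -ErrorAction SilentlyContinue
}
```

The .p12 is only needed on the machine that signs; keep it and signing.jks out of the content share you later deploy from, since the deployment only needs the signed JAR.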

3. Deploy the JAR to clients
The signed JAR should be placed in C:\Windows\sun\java\deployment on clients. I use GPO to achieve this. You could also create a PowerShell script to copy the file and an application in ConfigMgr with a detection method based on file and modified date. This would allow you to update the source content’s JAR, then update content on the deployment type, then update detection method… which would force clients to reevaluate the app.
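The ConfigMgr application route described above, as an added example (not the post’s own scripts). Instead of a file-and-modified-date detection method it keys on the SHA-256 of the signed JAR, so updating the JAR in the content source and pasting the new hash into the detection script is enough to make clients re-evaluate. The two sections are separate .ps1 files in the application; they are shown together here. The hash placeholder and file names are my own.

```powershell
# Added example, not the post's scripts: install and detection for a ConfigMgr
# application that delivers the signed DeploymentRuleSet.jar to clients.

# ---------- Install.ps1 (installation program: powershell.exe -ExecutionPolicy Bypass -File Install.ps1) ----------
$ExpectedSha256 = 'PASTE-SHA256-OF-SIGNED-JAR-HERE'   # placeholder; take it from (Get-FileHash .\DeploymentRuleSet.jar).Hash
$Target = Join-Path $env:SystemRoot 'Sun\Java\Deployment\DeploymentRuleSet.jar'

function Test-RuleSetInstalled {
    param([string]$Path = $Target, [string]$Expected = $ExpectedSha256)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash -ieq $Expected
}

function Install-RuleSet {
    # The content source folder is the folder this script runs from
    $source = Join-Path $PSScriptRoot 'DeploymentRuleSet.jar'
    # Refuse to ship a JAR that does not match the hash the detection expects,
    # which catches a content update that forgot the detection method
    if ((Get-FileHash -LiteralPath $source -Algorithm SHA256).Hash -ine $ExpectedSha256) {
        throw 'Source JAR does not match the expected hash; update the detection script first'
    }
    New-Item -ItemType Directory -Path (Split-Path $Target) -Force | Out-Null
    Copy-Item -LiteralPath $source -Destination $Target -Force
    if (-not (Test-RuleSetInstalled)) { throw 'Copy succeeded but the installed JAR fails the hash check' }
}

Install-RuleSet

# ---------- Detect.ps1 (detection method: script, PowerShell) ----------
# ConfigMgr treats any stdout output as "installed" and no output as "not
# installed", so only the match case writes anything.
$ExpectedSha256 = 'PASTE-SHA256-OF-SIGNED-JAR-HERE'   # same placeholder as above
$Target = Join-Path $env:SystemRoot 'Sun\Java\Deployment\DeploymentRuleSet.jar'
if ((Test-Path -LiteralPath $Target) -and
    (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash -ieq $ExpectedSha256) {
    Write-Output 'Installed'
}
```

With this layout the update cycle is: replace the JAR in the source folder, paste its new hash into both scripts, then update content on the deployment type; the changed detection script forces re-evaluation exactly as the modified-date approach would, but a tampered or partially copied JAR is reported as not installed rather than as compliant.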

Sample of what’s in ruleset.xml:

<ruleset version="1.0+">
  <!-- Rules are matched top to bottom; the first match wins -->
  <rule>
    <id location="http://whatever/Whatever"/>
    <action permission="run"/>
  </rule>

  <!-- Catch-all: an empty <id/> matches every other RIA. "default" keeps the
       normal security checks, and the message is shown when a RIA is blocked -->
  <rule>
    <id/>
    <action permission="default">
      <message>
        This application requires additional configuration to run.
        Please submit an email to Help Desk.
      </message>
    </action>
  </rule>
</ruleset>