The 5 Commandments of Remote Software Deployment


MosesRemote software deployment is one of the holy grails of system administration. Like all holy grails, it’s usually just out of reach. The good news is that software deployment isn’t impossible, just difficult to get right. Before you embark on the quest to the Castle Aaargh, keep in mind these 5 commandments and break them at your peril. They will be helpful whether or not Admin Arsenal is your tool of choice. For more in-depth information on software deployment, you can check out our whitepaper Unplugging the Sneakernet: Remote Software Deployment for Windows.

I. Thou Shalt Know Thy Silent Option

This is, by far, the most important thing to know in order to install software remotely. An installer that is running remotely on another computer and pops up a window to ask a question will hang forever. Even if someone is sitting at the computer, due to security restrictions in Windows, they won’t be able to respond or click on a button. This is a difficult problem to diagnose, since there’s no way to tell the difference between an installer that is hung waiting for a file and an installer waiting for input. There are a number of ways to find out the silent option for any given installer. Some, but by no means all, of these are:

  • Get an MSI version. If you have an MSI version of the installer, the best silent option is /qn (you can see all MSI options by running msiexec.exe from a command line.) Many deployment tools, such as Admin Arsenal, have this silent option built in. Keep in mind that some MSI installers break this rule and prompt anyway, but they’re pretty rare.
  • Ask the developer. Many developers have documentation or support forums where this can be found.
  • Ask Google. Searching for things such as “Firefox silent install” can lead you right to the answer.
  • Ask the installer. Run the install with a parameter such as /? or -? or /help. A little trial and error may yield a dialog box or command line with some options.
  • Trial and error. Try some common silent options yourself and see if they keep any windows from appearing. Try things such as /q/s/silent/noui or /unattended may work.

There may not be a silent option. Unfortunately, remote installation is usually an afterthought, and sometimes a non-thought. In that case you can jump to commandment IV.

II. Thou Shalt Honor Thy User with No Reboot

Many application installations require a reboot of the computer to complete, usually to replace files which are in use. Since remote installations quite often happen when users are on the computer, this is more common than with standalone installations. Like with the silent option above, be sure to know about any options to prevent reboots. MSI has a couple of built-in options as do most installers with a silent option.

However, if you hate your users, this one doesn’t apply to you.

III. Thou Shalt Not Double-Hop without Thy Primary Token

The double-hop problem is quite well known to administrators of web servers, where it crops up most often. But it’s a good idea for you remote deployers to know about it, because it will probably bite you at one point or another. The problem is when credentials from one computer are used to access resources on another computer which then tries to use them to access resources on a third computer. The underlying details can get a bit complex, but suffice it to say that there will be times when your installer needs to get files off of a server but it can’t. This happens when the installer is running without a primary security token.

Windows has a concept of secondary or impersonated security tokens. These are used when you connect to another computer remotely. They allow you to access the files, registry, and programs on the target machine, but a secondary token cannot be used to access any other computer beyond that. There are two ways to get around it:  The first is using 
Kerberos and Delegation
 in Active Directory, but this requires changes at the domain level and may not work in your environment. The second is to always use a primay token by passing your user name and password to the computer where you’re running the installer. Most remote tools have this option, but keep in mind that some of them don’t encrypt this information. Admin Arsenal is one that encrypts.

IV. Thou Shalt Covet Thy Neighbors Repackager

A repackager is needed when an installer doesn’t have a silent option, or when you want to customize the application in a way that the installer doesn’t support remotely. The concept is quite simple: The program watches what the installer does and then duplicates it in an installer of its own. This installer can run silently and will be able to customize the application almost infinitely. It’s like making a clone with all of the uncooperative DNA removed.

There are a number of these products on the market, and for the most part they work quite well. Google for “Software Packager” to get an idea of what’s available.

V. Thou Shalt Not Deploy without Testing and Testing Again

Finally, it’s important to test, re-test, and test again. Remotely installing software can be a bit nerve-wracking. Without sitting at the console watching the install, there’s no way to say “oh, crap, that’s wrong, where’s the cancel button…. click click click!” Always test an installer in a limited environment before sending it out into the wild to stomp all over users’ files. Particularly if you’re using a tool that can push out to large groups of computers at the same time. I’ve been there, and it’s not fun cleaning up the mess.

There you have it, 5 commandments to bring you a long and angry-user-free life.