Software Delivery: Best Practices Eric Garlepp

1. Software Delivery: Best Practices
UEMB210
5/10/2017
Eric Garlepp
Director Of Pre-Sales East

2. Agenda
§ Components
§ Software Distribution Components
§ Distribution Packages
§ To Package Or Not
§ Bundles
§ Content
§ Distribution Servers
§ Architecture
§ Delivery
§ Settings
§ Self-Organizing Multicast
§ Remote Devices
§ Rollout Projects
§ Sneak Peak

3. Components
What’s It All About?

4. Software Distribution Highlights
§ Vendor And Platform Agnostic
§ Enterprise Ready(100k+ Systems)
§ Project And Process Driven
§ SMB/UNC/URL Shares
§ Dynamic Bandwidth Throttling / Peer Downloading
§ Granular Reboot, Client, End-user Settings
§ Automated File/Software Distribution
§ Self-Electing / Self-Organizing Clients
§ Automatically Resumes When Reconnects
§ Byte-Level Checkpoint Restart
§ Self-Service

5. Software Distribution Task/Rollout Project
Software Distribution Components
Task/Agent SettingsSchedule
••Start time
••Frequenc
y
••Start on
…
••Time
Zone
Targets
••Devices
••Users
••Groups
••Queries
••Scopes
••LDAP
Distribution Packages/Bundles
Linux, WIN, MAC,
iOS, Android
Links, Docs,
Virtual, Actions
Task Type –
Delivery Method
Pre-Cache
Download
Options/WakeUp
Frequency
Distribution
(Agent) Settings
Portal Settings/
Workspace
Reboot Settings
Install OptionsPrimary File
Additional Files Return Codes
Dependent
Packages
Architecture
Content Replication/Preferred Servers
Branding and
Messaging

6. Distribution Packages
We Need To Deliver What?

7. Distribution Package Types
Bundles – Collection of any of the below packages
§ Linux – RPM Format. *Must be stored on Web
Share to work.
§ SWD - Do not use! Legacy packaging technology
§ Virtualized Applications – Deploy any vendors
technology. Can run from source
§ Macintosh – Won’t download directories.
§ Streamed – File must have an application on device
that can display it. NOT cached locally.
§ Link – Replaces legacy Launchpad Link tool
§ PowerShell – Make sure GPO is not disabling
running of it
§ Script Host - .JS or .VBS files. Allow combining
multiple languages into a single file
§ Store Application – Windows Store. Install or
Uninstall
§ MSI – Never repackage. MST to customize. If your
MSI package consists of multiple files, make sure
you add all of them in the Distribution package
dialog.

8. Actions…Admin Nirvana
§ Windows Actions package type (PowerShell)
§ 18 canned actions, 1 custom
§ Credentials for connecting to UNC shares are encrypted
§ PowerShell failure output is gathered and appended to the
sdclient log
§ Chained with error checking between each cmdlet
§ Supports macro expansion
§ (i.e. %LD_CLIENT_DIR%, %windir%).
§ Expanded at the client
§ Cmdlet preview
§ Custom ordering
§ Other package options allowed
§ Accounts
§ Additional files (bandwidth control)
§ Architecture options
§ Package metadata(self-service)

9. The Cardinal Rule of Distribution Packages
9
Do NOT
Repackage
Yes, technically there are exceptions. Usually because the installer doesn’t
have a silent or unattended installation option (Educational software).
Never repackage MSIs or MSI derivatives (MS Office)

10. Drawbacks and Concerns with Repackaging
1
§ Incomplete “capture”
§ Depending on the technology used, some files and options can be
missed and cause the application to not function properly later
§ Installers can be “smart”
§ They might skip things that aren’t needed, or behave differently based
on existing files or configuration(s)
§ Ex: Visual C++ Redistributable
§ “Unsupportable”
§ Using a non-standard installation method can put you in an
unsupportable state where the vendor won’t help with problems
§ Could cause problems with future updates and/or patches

11. When the Cardinal Rule Doesn’t Apply
§ Software without deployment options
§ The software doesn’t provide a way to install silently or unattended
§ Complain, then either repackage, cheat (look for MSIs) or write a wrapper
§ Internal Software - Tools built and used internally
§ Need special customization options
§ Sometimes the default settings aren’t right
§ In most cases, there are ways to set this during installation with answer files,
MSTs or other options
§ EXE’s not following these criteria:
§ The executable must not exit before the installation is complete.
§ The executable must return zero(0) for a successful installation.
§ Apple Software –
§ Pkgbuild
§ Packages - http://s.sudre.free.fr/Software/Packages/about.html

12. Return Codes… A Moment
§ When in doubt 0 (zero) means success. Anything else is failure
§ Some Vendors don’t stick with that so that is only partially true
§ HRESULT
§ This is a 32-bit number returned by a process. It includes,
Success/Fail, where it came from (Facility code) and an error code
§ Return codes are determined by the Software Vendor
§ So, if you aren’t sure what is success and failure, check with them
§ Ivanti tries to figure out what the return code means
§ We use a variety of available resources, however, it could be wrong
because a given vendor uses different values or codes
§ Mostly handled on the Core Server
§ The client only evaluates for Success/Fail

13. Bundles
§ Create bundles of SW packages to target multiple platforms
including mobile platforms instead of a standard package
§ True user targeting—independent of platform
§ Inter-package actions (bundle properties)
§ Inject reboot or continue on failure on a per package basis
§ Reboots occur after a 30 second timeout on the client
§ Select a package in the bundle, then inject the action
§ Inter-package actions are shown on the core for each machine status

14. DEMO

15. Software Content
§ Newly Released February 2017
§ https://community.ivanti.com/docs/DOC-43268

16. Distribution Servers:
How The Heck Do I Store Them For My Sites?

17. Architecture
§ 25k Nodes/100 Sites/5 Remote
Sites over 500 nodes
§ Physical Core/Clustered
SQL/Virtual Dark Core(DR)
§ Source Package Server – On
Core for CSA
§ Restricted via IP Range
§ Secondary Source(Physical)
§ Internal Environment
§ 2 - vCSA for Internet
§ 3 - vCSA for Cloud
Sites(<20Nodes)
§ 2 - vCSA for Dark Network
§ 5 – Virtual Preferred Servers in
sites over 500 nodes
§ Replicators not used
§ Heavily leverages Multicast(MDR)

18. Distribution Servers - Content Replication Features
§ Integrated with Endpoint Manager:
§ Content replication configuration is fully integrated into the Endpoint Manager Console with the Preferred
Server configuration
§ We can use existing Ivanti agent functionality and configuration
§ We can use existing file transfer technologies
§ Can enable Mirroring for hands off replication
§ Managed Replication:
§ Replication can be subjected to bandwidth throttling
§ Replication can resume from a checkpoint
§ Files are verified by hash to ensure they are up-to-date
§ Scheduled Replication:
§ Replication can be scheduled as needed
§ True “Maintenance Window” with max run time configuration
§ The “Big Red Button” allows administrators to immediately stop content replication if needed
§ Supported Devices:
§ Content replication can work with ANY UNC compatible device including NAS devices

19. Distribution Servers - Content Replication Parts
§ Source:
§ The source contains the files that will be replicated to Preferred Servers
§ Multiple independent sources can be used
§ Can be UNC or HTTP based
§ Preferred Servers (Targets):
§ Previous Preferred Server configuration continues
§ Can be linked with multiple sources
§ Protected write using a separate user account
§ Replicator:
§ Not required
§ Can be ANY Windows-based managed node
§ Does the work
§ Can manage multiple sources and multiple Preferred Servers
§ Configures bandwidth usage and scheduling
§ Replicator will hold all files in SDMCache for configured time

20. Distribution Servers – Regional Replication
§ Simple Replication
§ One Source
§ One Replicator
§ One Preferred Server
§ All Independent

21. Distribution Servers - Global Replication

22. Delivery:
How The Heck Do I Get My Packages Out To My Systems?

23. Settings - Urgency
§ Accelerated Push and Accelerated WOL
§ Doesn’t perform the discover steps, just sends the WOL packets and exits
§ Machines that woke up will not be shut down
§ Default accelerated push processes up to 241 targets concurrently from list
§ As the core discovers and communicates with target devices, it tells them what to
do and then moves onto the next targeted device without waiting for the job to
complete.
§ This discovery and communication process uses multiple processor cores and threads. Each device then
processes the job on its own and sends job status to the core server when necessary.

24. Settings - Efficiency
§ Skip targets that were previously successful (calculated at the
client, won’t download packages, saves on bandwidth)
§ Configured on the task properties
§ Status is displayed on the core for the machine

25. Settings – Agent Settings(Distribution and Patch)
§ Install options – Ignore Pending reboot during install, be careful with selecting
this option as it can cause your applications to have unexpected issues.
§ LDAP options – Allow LDAP resolution via CSA, important to select if you are
using LDAP targeting through policies and your remote users.
§ Kill Processes and Prevent Processes from running

26. Core
1
Task pushed to
all clients
Self-Organizing Multicast
What is this Self-Organizing Multicast you speak of?

27. MDR
2
Core
1
Task pushed to
all clients
Subnet
Multicast
Domain Rep.
(MDR)
Self-Organizing Multicast

28. Subnet
MDR
Core
1
Task pushed to
all clients
• Machines talk amongst themselves.
First machine to receive task
becomes MDR
• MDRs can no longer be specified
from the core as it does not handle
MDR selection
2
Self-Organizing Multicast

29. MDR
2
Core
1
Task pushed to
all clients
Subnet
3
Self-Organizing Multicast

30. MDR
2
Core
1
Task pushed to
all clients
Subnet
MDR begins file download from fastest resource:
• Peer
• Preferred server
• Source
3
Self-Organizing Multicast

31. Subnet
MDR
2
Core
1
Task pushed to
all clients
4
Other clients
wait for files
from MDR
12n …
3
Self-Organizing Multicast

32. Subnet
MDR
2
Core
1
Task pushed to
all clients
Other clients
wait for files
from MDR
12n …
3
• Once MDR downloads the first file, it multicasts
the file to its peers
• At the same time, the MDR downloads the
next file
4
Self-Organizing Multicast

33. Remote Devices
§ Delivering software to remote devices
dynamically through the vCSA/CSA
§ Remote AD Resolution? ldapwhoami.exe - If
ldapwhoami cannot connect to the AD, it will
attempt to go through the CSA to get LDAP
group information from the core
§ Required - Policy based delivery only…
Packages pulled by client based on a policy
§ Required – Core Server needs to be the Source
Distribution Server for packages and needs to
be setup as an URL

34. Rollout Projects
§ Rollout projects are a simplified completely automatic method(or
not) for managing vulnerability patching or software distribution.
§ A rollout project is a set of steps to automate deployment.
§ For each step, you can perform actions(such as a scheduled task), set criteria for when the
content should move to the next step (such as an 80% success rate), and send notification
emails. No skipping steps
§ Example Software Project
§ Step One
§ Action: A scheduled task that distributes the software package to a small group.
§ Exit criteria: An 80% success rate, meaning that the package cannot move to Step Two until the success rate has
been matched or exceeded.
§ Email: You get an email if the package is still in Step One after 2 weeks.
§ Step Two
§ Action: A scheduled task that distributes the software package to a larger group.
§ ***Content does not move to the next step as soon as it meets the exit criteria. It
moves to the next step after it has met the exit criteria AND the project processor runs
as a scheduled task.

35. DEMO

36. Sneak Peek

37. Sneak Peak - Portal Manager(Workspace-esqe)

38. Questions