7. Distribution Package Types
Bundles – Collection of any of the below packages
§ Linux – RPM format. *Must be stored on a Web Share to work.
§ SWD – Do not use! Legacy packaging technology.
§ Virtualized Applications – Deploy any vendor's technology. Can run from source.
§ Macintosh – Won’t download directories.
§ Streamed – The file must have an application on the device that can display it. NOT cached locally.
§ Link – Replaces the legacy Launchpad Link tool.
§ PowerShell – Make sure a GPO is not disabling script execution.
§ Script Host – .JS or .VBS files. Allows combining multiple languages into a single file.
§ Store Application – Windows Store. Install or uninstall.
§ MSI – Never repackage. Use an MST to customize. If your MSI package consists of multiple files, make sure you add all of them in the Distribution package dialog.
8. Actions…Admin Nirvana
§ Windows Actions package type (PowerShell)
§ 18 canned actions, 1 custom
§ Credentials for connecting to UNC shares are encrypted
§ PowerShell failure output is gathered and appended to the sdclient log
§ Chained with error checking between each cmdlet
§ Supports macro expansion (e.g. %LD_CLIENT_DIR%, %windir%)
  § Expanded at the client
§ Cmdlet preview
§ Custom ordering
§ Other package options allowed
  § Accounts
  § Additional files (bandwidth control)
  § Architecture options
  § Package metadata (self-service)
9. The Cardinal Rule of Distribution Packages
Do NOT Repackage
Yes, technically there are exceptions, usually because the installer doesn’t have a silent or unattended installation option (educational software).
Never repackage MSIs or MSI derivatives (MS Office).
10. Drawbacks and Concerns with Repackaging
§ Incomplete “capture”
  § Depending on the technology used, some files and options can be missed and cause the application to not function properly later
§ Installers can be “smart”
  § They might skip things that aren’t needed, or behave differently based on existing files or configuration(s)
  § Ex: Visual C++ Redistributable
§ “Unsupportable”
  § Using a non-standard installation method can put you in an unsupportable state where the vendor won’t help with problems
  § Could cause problems with future updates and/or patches
11. When the Cardinal Rule Doesn’t Apply
§ Software without deployment options
  § The software doesn’t provide a way to install silently or unattended
  § Complain, then either repackage, cheat (look for MSIs) or write a wrapper
§ Internal Software – Tools built and used internally
§ Need special customization options
  § Sometimes the default settings aren’t right
  § In most cases, there are ways to set this during installation with answer files, MSTs or other options
§ EXEs not following these criteria:
  § The executable must not exit before the installation is complete.
  § The executable must return zero (0) for a successful installation.
§ Apple Software –
  § Pkgbuild
  § Packages - http://s.sudre.free.fr/Software/Packages/about.html
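An added example (not from the slides or the product): a wrapper script for an installer EXE that breaks one of the two criteria above. The installer name, its silent switch, the "done" marker file and the vendor success codes are assumptions for illustration; the real codes come from the vendor (slide 12).

```powershell
# Wrapper for an EXE installer that either exits early or returns a non-zero
# code on success. Deployed as a PowerShell package; all values are assumed.
param(
    [string]$Installer    = "$PSScriptRoot\setup.exe",      # assumed installer name
    [string[]]$Arguments  = @('/S'),                         # assumed silent switch
    [int[]]$SuccessCodes  = @(0, 3010),                      # 3010 = Win32 ERROR_SUCCESS_REBOOT_REQUIRED
    [string]$DoneMarker   = "$env:ProgramFiles\ExampleVendor\app.exe",  # assumed file written last
    [int]$MarkerTimeoutMinutes = 10
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $Installer)) {
    Write-Output "Installer not found: $Installer"
    exit 2
}

# Criterion 1: do not exit before the install is complete. On Windows, -Wait blocks
# until the installer and the child processes it spawns have exited; -PassThru
# returns the process object so we can read its exit code.
$proc = Start-Process -FilePath $Installer -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
$code = $proc.ExitCode

# Some installers hand the real work to a service or scheduled task and exit early.
# If the vendor leaves a reliable artefact behind, wait (bounded) for it before
# trusting the exit code.
$deadline = (Get-Date).AddMinutes($MarkerTimeoutMinutes)
while (-not (Test-Path -LiteralPath $DoneMarker) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 5
}
if (-not (Test-Path -LiteralPath $DoneMarker)) {
    Write-Output "Installer exited with $code but $DoneMarker never appeared"
    exit 1
}

# Criterion 2: return zero for success and non-zero for anything else. Vendor codes
# that mean "success" (here 3010, reboot required) are translated to 0 so the client
# records success; if you need the reboot flagged, drop 3010 from $SuccessCodes
# and use a bundle reboot action instead.
if ($SuccessCodes -contains $code) {
    Write-Output "Installer exited with $code (treated as success)"
    exit 0
}
Write-Output "Installer failed with exit code $code"
exit $code
```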
12. Return Codes… A Moment
§ When in doubt, 0 (zero) means success. Anything else is failure
  § Some vendors don’t stick with that, so that is only partially true
§ HRESULT
  § This is a 32-bit number returned by a process. It includes Success/Fail, where it came from (facility code) and an error code
§ Return codes are determined by the software vendor
  § So, if you aren’t sure what is success and failure, check with them
§ Ivanti tries to figure out what the return code means
  § We use a variety of available resources; however, it could be wrong because a given vendor uses different values or codes
§ Mostly handled on the Core Server
  § The client only evaluates for Success/Fail
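An added example (not from the slides or the product) that splits an HRESULT-style return code into the three fields named above: the Success/Fail severity bit, the facility code and the error code. The facility-name table covers only the standard Win32 facilities listed; the sample codes are constructed.

```powershell
function ConvertFrom-HResult {
    param([Parameter(Mandatory)][int64]$Code)

    # Installers often report HRESULTs as negative Int32 values (e.g. -2147024891);
    # mask to the low 32 bits so the bit positions below line up either way.
    $u = $Code -band 0xFFFFFFFF

    # Standard Win32 facility numbers; only the common ones are listed here.
    $facilityNames = @{
        0 = 'FACILITY_NULL'
        1 = 'FACILITY_RPC'
        2 = 'FACILITY_DISPATCH'
        3 = 'FACILITY_STORAGE'
        4 = 'FACILITY_ITF'
        7 = 'FACILITY_WIN32'
        8 = 'FACILITY_WINDOWS'
    }

    $severity = ($u -shr 31) -band 1       # bit 31: 0 = success, 1 = failure (what the client checks)
    $facility = ($u -shr 16) -band 0x7FF   # bits 16-26: where the code came from
    $errCode  = $u -band 0xFFFF            # bits 0-15: the error code itself

    $name = if ($facilityNames.ContainsKey([int]$facility)) { $facilityNames[[int]$facility] } else { 'unknown' }

    [pscustomobject]@{
        Raw          = '0x{0:X8}' -f $u
        Success      = ($severity -eq 0)
        Facility     = [int]$facility
        FacilityName = $name
        Code         = [int]$errCode      # for FACILITY_WIN32 this is the Win32 error (5 = access denied)
    }
}

# Constructed samples: plain success, and E_ACCESSDENIED (0x80070005) in both the
# unsigned and the signed form an installer might hand back.
foreach ($c in 0, 0x80070005, -2147024891) {
    ConvertFrom-HResult -Code $c
}
```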
13. Bundles
§ Create bundles of SW packages to target multiple platforms, including mobile platforms, instead of a standard package
§ True user targeting—independent of platform
§ Inter-package actions (bundle properties)
  § Inject a reboot or continue on failure on a per-package basis
  § Reboots occur after a 30-second timeout on the client
  § Select a package in the bundle, then inject the action
  § Inter-package actions are shown on the core for each machine status
17. Architecture
§ 25k Nodes / 100 Sites / 5 Remote Sites over 500 nodes
§ Physical Core / Clustered SQL / Virtual Dark Core (DR)
§ Source Package Server – On Core for CSA
  § Restricted via IP Range
§ Secondary Source (Physical)
  § Internal Environment
§ 2 – vCSA for Internet
§ 3 – vCSA for Cloud Sites (<20 Nodes)
§ 2 – vCSA for Dark Network
§ 5 – Virtual Preferred Servers in sites over 500 nodes
§ Replicators not used
§ Heavily leverages Multicast (MDR)
18. Distribution Servers - Content Replication Features
§ Integrated with Endpoint Manager:
  § Content replication configuration is fully integrated into the Endpoint Manager Console with the Preferred Server configuration
  § We can use existing Ivanti agent functionality and configuration
  § We can use existing file transfer technologies
  § Can enable Mirroring for hands-off replication
§ Managed Replication:
  § Replication can be subjected to bandwidth throttling
  § Replication can resume from a checkpoint
  § Files are verified by hash to ensure they are up to date
§ Scheduled Replication:
  § Replication can be scheduled as needed
  § True “Maintenance Window” with max run time configuration
  § The “Big Red Button” allows administrators to immediately stop content replication if needed
§ Supported Devices:
  § Content replication can work with ANY UNC-compatible device, including NAS devices
19. Distribution Servers - Content Replication Parts
§ Source:
  § The source contains the files that will be replicated to Preferred Servers
  § Multiple independent sources can be used
  § Can be UNC or HTTP based
§ Preferred Servers (Targets):
  § Previous Preferred Server configuration continues to work
  § Can be linked with multiple sources
  § Protected write using a separate user account
§ Replicator:
  § Not required
  § Can be ANY Windows-based managed node
  § Does the work
  § Can manage multiple sources and multiple Preferred Servers
  § Configures bandwidth usage and scheduling
  § The Replicator will hold all files in SDMCache for the configured time
20. Distribution Servers – Regional Replication
§ Simple Replication
  § One Source
  § One Replicator
  § One Preferred Server
  § All Independent
23. Settings - Urgency
§ Accelerated Push and Accelerated WOL
  § Doesn’t perform the discovery steps, just sends the WOL packets and exits
  § Machines that woke up will not be shut down
  § By default, accelerated push processes up to 241 targets concurrently from the list
  § As the core discovers and communicates with target devices, it tells them what to do and then moves on to the next targeted device without waiting for the job to complete.
  § This discovery and communication process uses multiple processor cores and threads. Each device then processes the job on its own and sends job status to the core server when necessary.
24. Settings - Efficiency
§ Skip targets that were previously successful (calculated at the client; won’t download packages, which saves bandwidth)
  § Configured on the task properties
  § Status is displayed on the core for the machine
25. Settings – Agent Settings (Distribution and Patch)
§ Install options – Ignore pending reboot during install. Be careful when selecting this option, as it can cause your applications to have unexpected issues.
§ LDAP options – Allow LDAP resolution via CSA. Important to select if you are using LDAP targeting through policies for your remote users.
§ Kill Processes and Prevent Processes from running
26. Self-Organizing Multicast
[Diagram: Core – (1) Task pushed to all clients]
What is this Self-Organizing Multicast you speak of?
28. Self-Organizing Multicast
[Diagram: Core – (1) Task pushed to all clients; (2) Subnet – one machine becomes the MDR]
• Machines talk amongst themselves. The first machine to receive the task becomes the MDR
• MDRs can no longer be specified from the core, as it does not handle MDR selection
32. Self-Organizing Multicast
[Diagram: Core – (1) Task pushed to all clients; (2) Subnet MDR; (3) Other clients (1, 2 … n) wait for files from the MDR; (4) MDR multicasts to peers]
• Once the MDR downloads the first file, it multicasts the file to its peers
• At the same time, the MDR downloads the next file
33. Remote Devices
§ Delivering software to remote devices dynamically through the vCSA/CSA
§ Remote AD Resolution? ldapwhoami.exe – If ldapwhoami cannot connect to AD, it will attempt to go through the CSA to get LDAP group information from the core
§ Required – Policy-based delivery only… Packages are pulled by the client based on a policy
§ Required – The Core Server needs to be the Source Distribution Server for packages and needs to be set up as a URL
34. Rollout Projects
§ Rollout projects are a simplified, completely automatic method (or not) for managing vulnerability patching or software distribution.
§ A rollout project is a set of steps to automate deployment.
§ For each step, you can perform actions (such as a scheduled task), set criteria for when the content should move to the next step (such as an 80% success rate), and send notification emails. No skipping steps.
§ Example Software Project
  § Step One
    § Action: A scheduled task that distributes the software package to a small group.
    § Exit criteria: An 80% success rate, meaning that the package cannot move to Step Two until the success rate has been matched or exceeded.
    § Email: You get an email if the package is still in Step One after 2 weeks.
  § Step Two
    § Action: A scheduled task that distributes the software package to a larger group.
§ ***Content does not move to the next step as soon as it meets the exit criteria. It moves to the next step only after it has met the exit criteria AND the project processor runs as a scheduled task.