One of the main features that rest under the IntelliMirror umbrella of technologies is automated application deployment. The feature allows you to install applications for new employees, set up new computers for disaster recovery, or even upgrade applications all from a central location, quickly and automatically. In this Daily Drill Down, I’ll explain application deployment through IntelliMirror in detail, and then walk you through the process of setting it up.

Deploying applications with IntelliMirror
Before you can deploy applications with IntelliMirror, you need to decide how you want your users to receive applications. You can either publish or assign applications to your users. Assigning applications allows users to receive an application without having to provide any additional actions, such as going through an installation. Assigned applications will appear in the user’s Start menu and install on first use. Published applications are available to users but are installed through the Add/Remove Programs object in Control Panel.

Next, you should categorize the applications, and then match categories and individual applications to users and groups. This will help you develop the group policy structure for deploying the applications. For example, everyone might need certain applications, such as Outlook, while only the sales department needs a custom CRM application and only the engineering department needs a CAD application. With that knowledge in hand, you can create organizational units (OUs) in Active Directory (AD) for each department or user category, and then use those OUs to apply the group policy objects (GPOs) that will control application deployment.

Packaging applications for the Windows Installer
Through the Windows Installer, Windows 2000 automatically installs applications. The Installer reads an application package and installs the application based on the information it contains. The package can define the application installation options and might also include the applications files themselves.

In most cases, you’ll need to create custom application packages. However, you’ll create new packages for in-house applications and repackage existing Installer packages for third-party applications. So, it’s important that you decide which packaging application you will use. Several tools are available to help you package applications, including the following:

  • Veritas WinINSTALL LE—This version of WinINSTALL is included with Windows 2000 Server. You’ll find additional information about WinINSTALL on the Veritas site.
  • InstallShield—This offers several versions and the ability to install cross-platform from a single installation package. You’ll find more information about InstallShield on their Web site.
  • Wise Solutions—This offers several applications that enable you to create and modify installation packages.
  • Microsoft Visual Studio Installer—This component of Microsoft’s Visual Studio development environment enables you to create and manage Installer packages. You’ll find more information about Visual Studio Installer on Microsoft’s Web site.

Repackaging applications lets you create new Windows Installer packages, as well as modify existing ones. To create a new installation package through repackaging software, start with a clean system on which you’ve installed the OS but not other applications. The packaging software takes a snapshot of the system, including the system state data and files. Install the application, and then take a second snapshot. The packaging application builds the package by noting the difference between the two snapshots. When the user installs the application, the Installer applies the registry settings, files, and other changes introduced by the application.

Creating custom packages
Unfortunately, applications aren’t one of those one-size-fits-all deals. Many times, you have to customize applications to make them run properly on users’ workstations. You have a couple of options for customizing application installation: create transforms or ZAP files.

A transform is a set of exceptions to an existing package that the Installer applies when it installs the application. In the case of Microsoft Office, for example, you might create a transform that installs Word, Outlook, and Excel but excludes PowerPoint and Access. You can also use a transform to specify which optional components of a specific application should be installed, where the application is installed, and other options.

You’ll find transforms useful for creating multiple installation targets for a range of users. For example, you can create a single package for all users for a given application, and then use transforms to create custom installations of that application for specific users or groups, so if you were installing Microsoft Office and only one group needed PowerPoint, you could customize the install to only provide PowerPoint for that one group. In addition to performing custom application installations with transforms, you can also install OS updates and service packs. Transforms for applications are stored in MST files, and OS upgrades and service pack transforms are stored as MSP files. Keep in mind that both work in conjunction with Installer packages, not in place of them. So, you’ll need to create or obtain the Installer package first, and then create the transforms that will provide custom installations.

A ZAP file is an alternative to using a packaging application to create or customize application installations. A ZAP file is a text file that defines the application’s source files, setup executable, and other installation parameters. You can create the ZAP file and publish it to the AD instead of using a Windows Installer package. The application can then be installed through IntelliMirror, although with fewer options. For example, you can’t use ZAP files to install applications on first use, add or remove optional components, or perform application repair or removal. For that reason, Installer packages offer the best functionality and are the mechanism I recommend.

Packaging and repackaging applications is a complex process—particularly when you consider the range of applications available for that purpose—so I can’t really describe it in detail in this short article. Spend the time to evaluate the packaging applications you think will fit your needs, choose the one that offers the features you want, and then experiment with the program to get comfortable using it. I found Wise Solutions’ Wise for Windows the easiest program to use for general packaging, creating transforms, and capturing snapshot installations, but check out other applications to find the one that’s right for you.

Creating distribution shares
When you’re comfortable using your packaging application and have created the packages for the applications you want to deploy, you’re ready to start rolling out the applications. First, create the distribution shares from which the application will be installed. Choose server locations based on the number of applications to be supported, users who need access to the applications, security considerations, bandwidth issues, and other such issues specific to your domain and organization. A single share point works fine for smaller organizations, but larger ones will likely need multiple servers to handle larger number of users needing to access the shares.

Also, as the number of users and servers grows, look at availability issues. Consider using Microsoft’s Distributed File System (Dfs) to build a file system that is accessible to all users but also provides redundancy and replication of packages across the enterprise. Where you locate the application packages and structure access to the network shares is largely a function of your network structure and related requirements, not a function of your packaging application.

The final step in creating the distribution shares is copying the files to the share(s) and setting permissions on the folders to control access and provide security. Create separate folders in the share to contain applications and provide organization to your application distribution library. Then, copy the Installer packages and other files as needed to their respective folders.

Publishing and assigning applications
Use the Software Installation node of the Group Policy editor to configure policies for application deployment. You can open the editor through the Group Policy tab of the properties sheet for the container where you want to set the group policy. For example, let’s assume you’re going to deploy an application at the domain level. You’ll create a GPO and link it to the domain. Open the Active Directory Users And Computers console, right-click the domain, and choose Properties. Then, click the Group Policy tab.

You can modify the policies in an existing GPO or create a new one. For this example, let’s assume you’re creating a new GPO for publishing applications. Click New and then assign the name Application Deployment to the GPO. With the GPO selected, click Edit to open the Group Policy editor. Open the branch Computer Configuration | Software Settings | Software Installation if you want to deploy applications based on computer policy or User Configuration | Software Settings | Software Installation to deploy them based on user policy.

Setting global properties
You should set some global properties before adding any packages. For example, if you are publishing several applications, create categories to organize them. Using my previous example, you would create a category for your sales department and another for engineering.

Open the Computer Configuration | Software Settings | Software Installation branch to configure settings for applications deployed based on computer policy or the User Configuration | Software Settings | Software Installation branch to configure options for applications deployed based on user policy. Right-click the Software Installation node and choose Properties to view the Properties screen shown in Figure A.

Figure A
The Software Installation Properties screen controls settings for applications deployed based on computer policies.

Use the General tab to configure the following:

  • Default Package Location is the default location from which packages are deployed. Use a UNC path, such as \\servername\sharename, unless all users access the share from the same mapped drive letter.
  • New Packages sets the default method for adding new packages. You can choose publish or assign as the default mode, or you can have the console let you choose the deployment mode when you add a new package. Select the option Advanced Publish Or Assign if you generally use nondefault settings when adding a new package. With this option selected, the console automatically opens the properties screen for the package when you add it, enabling you to specify different settings. You can still make changes to any package even if you don’t use this option.
  • Installation User Interface Options allows you to choose the level of information you want the user to see during application installation.
  • Uninstall Applications When They Fall Out Of The Scope Of Management allows the application by default to be removed when the GPO no longer applies to the user.

Use the File Extensions page to specify how the Installer reacts when the user opens a document for which the application is not yet installed. Use the File Extensions page to prioritize the available packages in cases where more than one application can handle a particular document type. The application at the top of the list for a given file type is the one that will be installed by default if available.

The Categories page is the place to add categories for published applications. These categories sort the available applications when the user attempts to add applications through the Add/ Remove Programs object in Control Panel. Categories are handy for organizing applications when you need to deploy applications for several departments or different user groups. Categories apply to the domain, so you only need to define them once. You can also apply different categories to the Computer Configuration branch and the User Configuration branch.

Adding packages
After you set the global properties, you can begin adding packages. Right-click in the right pane, choose New, Package, and then specify the location of the Installer package. The path you specify becomes a part of the policy, so use a UNC path to ensure users can access the location to obtain the package and its files. After you specify the installation package file, the Group Policy editor displays a properties screen for the package. The General tab contains read-only information about the package such as version, publisher, and support information. You also specify the package name on this tab.

Use the Deployment page, shown in Figure B, to configure how the application is deployed and removed.

Figure B
The Deployment tab controls how IntelliMirror deploys the application.

This is where you choose between publishing and assigning the application.

You also set several other properties on this tab, such as:

  • Published deploys the application as published.
  • Assigned deploys the application as assigned.
  • Auto-Install This Application By File Extension Activation installs the application automatically when the user attempts to open a document type that requires the application.
  • Uninstall This Application When It Falls Outside Of The Scope Of Management removes the application from the user’s system when the GPO no longer applies to the user. For example, if you have an engineer who is moving from the engineering department to the sales department, you move his account from the engineering OU to the sales OU. IntelliMirror removes the applications defined in the GPO linked to the engineering OU that are not also contained in the sales OU. So, his CAD application goes away and his CRM application is installed.
  • Do Not Display This Package In The Add/Remove Programs Control Panel prevents the application from appearing in the Add/Remove Programs list.
  • Basic displays only basic installation information during application installation.
  • Maximum displays all setup information during application installation.
  • Advanced configures the application to ignore language when deploying and to remove previous versions of the application if they were not installed by a group policy-based installation.

From other tabs, you can perform such actions as:

  • Configuring update behavior for the package through the Updates tab—You can select existing packages that the current package will update and specify that the current package is a required upgrade for existing packages. For example, if you have users currently working with Microsoft Office 2000, you can create an upgrade package to force upgrades to Office XP. You can select packages from the current GPO to upgrade, or you can browse to a specific GPO.
  • Setting the category under which the application appears through the Categories tab—As explained previously, these categories sort the available applications to the user when he opens the Add/Remove Programs object to install an application. You can assign multiple categories to an application that has multiple uses.
  • Adding any transforms for the application through the Modifications tab—You can add and remove transforms, as well as change their priority.
  • Using the Security tab to apply permissions to the package to control deployment—The Authenticated Users group by default has Read permission on the object, which enables all authenticated users the ability to install the application if they fall under the scope of the GPO. If you prefer, you can explicitly control which users or groups can and cannot install the application by adding the user or group that you want to be able to install the application and granting them Read permission. Then, remove the Read permission from the Authenticated Users group. Then, users who can’t read the object will not be able to install the package. This lets you restrict access to an application on a per-group or even per-user basis.

In addition to configuring applications for deployment by users, you can also redeploy applications through the Group Policy editor. Right-click an application package and choose All Tasks, Redeploy Application. Redeploying an application in this way causes the application to be reinstalled on all systems where it is currently installed. This is a handy way to force an update or replace one version of an application with another if the application doesn’t support an incremental upgrade mechanism, which would allow you to apply the upgrades and patches without completely reinstalling the application.

After you finish customizing the group policy for the application, you’re nearly done. No project is complete without testing. Before you begin wide-scale application deployment through IntelliMirror, run through the installation process for each package and look for potential bugs in your system. Change package properties as needed to fix any minor problems. Also, take the time to review your GPOs and how you have applied them, paying special attention to potential security or licensing problems. After you’re sure everything works, you can start using IntelliMirror to help deploy applications to your users.