Application deployment and management consumes a huge portion of your IT staff’s time. Distributing software to users to install on their own machines doesn’t give administrators much control over what is actually installed and can lead to an avalanche of support calls. Such practice also makes upgrades hard to regulate. Thus, most organizations prefer a centralized approach to deploying applications. In Windows 2000, a collection of multiple features called IntelliMirror allows administrators to centrally and automatically deploy applications and updates to users. With the various features of IntelliMirror, administrators can control user data and settings and can ultimately build an integrated user- and application-management framework. This Daily Drill Down will outline what you need to know about how IntelliMirror can help manage applications.
This Daily Drill Down provides the background information necessary to understand how IntelliMirror can help you manage applications. After you have a basic understanding of how IntelliMirror works, you can get down to the business of using it. We’ll be covering that in upcoming Daily Drill Downs.
IntelliMirror can save you time and money
Just imagine: Your company has decided to roll out Office XP to 500 desktops. Some users still have Office 97, others have Office 2000, and some have no Office applications installed. The accounting department needs Excel, sales needs Excel and PowerPoint, engineering needs Access, and everyone needs Word and Outlook. Half your users have trouble using their computers, much less installing applications. You must get it all installed and working with a minimal amount of disruption, and you don’t have enough IT staffers to get the job done. It’s going to be a long, lonely month. Now, throw in your roaming users who need their applications available from different locations, and your nightmare just got worse.
Or did it?
With IntelliMirror, you can create custom installation packages, define which users should receive specific applications, and then automatically deploy those applications just by having users log on. Based on group policies that you define, you can install applications to users’ computers, apply application updates, repair an installation, or remove applications. For example, you might deploy Outlook to everyone in the organization but deploy special-purpose applications only to those departments or users that need it, which would also reduce licensing costs. What’s more, automating application deployment makes it easy to support roaming users who need their applications to follow them. When Jane logs on from her main workstation, the software she needs automatically installs. When she logs on from a secondary computer down the hall, those same applications automatically install if they’re not already available. As a system administrator, you need to worry only about setting the group policies that make those applications available to Jane. IntelliMirror takes care of deploying them when needed.
The savings in administration alone makes IntelliMirror a very important tool. Controlling application installation typically means fewer support calls from frustrated users who can’t get the applications they need. It also means tighter control over licensing, piracy, and related issues.
Through IntelliMirror, you can broadcast software updates automatically, giving you the same benefit as when deploying an application. A good example is your organization’s antivirus software. You don’t have to rely on your users to perform manual antivirus updates or rely on their antivirus applications to automatically download updates. Instead, you can deploy updates through IntelliMirror or use a combination of techniques. For example, you might configure the users’ systems to download updates once a week from the antivirus vendor, and then use IntelliMirror to deploy interim updates when a new virus hits mid-week.
How can I deploy applications with IntelliMirror?
You have two primary methods for deploying applications through IntelliMirror: publish or assign. Publishing applications makes them available to the user for installation but they won’t appear as if they’re already installed—in other words, they won’t show up in a user’s Start | Programs menu. Instead, the applications are available through the Add/Remove Programs object in the user’s Control Panel. A user can install the application just like a local application. The Add/Remove Programs item displays a list of available applications, and the user simply chooses which application to install. To make application selection even easier for your users, you can optionally organize the applications by category. So, you might create categories for each department or application type. This makes it easier for users to locate the software they need when multiple applications are available.
In contrast, assigned applications will show up in the user’s Start menu as if they were already installed. When a user logs on, the WinLogon process calls the Application Management extension to group policy, which advertises the application(s) in the user’s registry and in the Start menu or on the desktop. The user installs the application simply by opening the application’s icon. After double-clicking the icon, the application installs itself, performing an on-demand or just-in-time installation depending on the choices you’ve made.
Choosing whether to assign or publish an application to make it available to users in part depends on the application itself. All applications a user explicitly needs to get his job done should be assigned; secondary applications the user doesn’t need but might choose to use can be published. In addition, required applications, such as virus scanners, should be assigned.
You should also consider how you will notify users and educate them about application availability when deciding between publishing and assigning. If you assign applications, you don’t have to tell users the applications are available, the applications show up on the users’ desktops and in their Start menus. When you publish applications, however, you need a means of telling users that the applications are available. You can do so through e-mail, an intranet, or simply by informing users to look in the Add/Remove Programs object when they need an application they don’t already have installed.
IntelliMirror takes advantage of two key Windows 2000 components to provide application deployment services: group policies and the Windows Installer. Group policies allow you to set the rules by which applications are distributed and managed. The Windows Installer is the mechanism you use to prepare the applications for distribution. So, application deployment through IntelliMirror doesn’t just happen. You must create or modify the software installation packages, structure the Active Directory so you can apply group policies for applications to meet your users’ needs, and build the group policy objects. Windows 2000 is a requirement on the client side, because of the reliance on group policies; however, there are alternatives to IntelliMirror for application deployment, such as System Management Server (SMS). I’ll examine these and other issues in upcoming articles about IntelliMirror.
Managing user data and settings with IntelliMirror
Another very important application of IntelliMirror is in managing user data, which typically means redirecting users’ folders to the network so they are available from any location. For example, when Joe logs on from his workstation, he sees his documents in his My Documents folder. If he logs on from a computer down the hall, he still sees those same documents.
Redirecting user folders in this way serves two main purposes. First, by placing the folders on a network server, you make them available from any location, which supports your roaming users. Second, because the files are located on a server, they can be easily backed up and recovered. Doing so also reduces user downtime during a system failure. If Joe’s workstation suddenly dies, his documents are not lost along with it. In fact, if you’ve adequately planned and implemented both folder redirection and application deployment through IntelliMirror, you can plant a new computer on Joe’s desk with only Windows 2000 on it, and he need only log on to regain access to all of his applications and documents.
When you redirect a folder such as My Documents to a network location, the user doesn’t see any real change. He can open My Documents from his desktop and work with his documents as if they were local. This is an improvement over the way Windows 2000 normally handles folders that are part of a roaming profile. For example, users with roaming profiles and no folder redirection have their My Documents folders replicated to their computers when they log on. This can generate a large amount of network traffic and considerably slow down the logon process. When you set up folder redirection, however, the folders and their contents remain on the server rather than being copied across the network at logon.
As with application deployment through IntelliMirror, folder redirection relies on group policies. Through a GPO, you can redirect the user’s Application Data, Desktop, My Documents, My Pictures, and Start Menu folders. You can redirect all users to a common server share or redirect them to servers based on security group membership. For example, you might redirect folders for members of the support group to the Support server and for the sales department to the Sales server.
Offline folders can also improve data availability and decrease downtime. The offline folder feature in Windows 2000 works by downloading to a hidden cache the contents of any folder that is configured for offline availability. Suppose you have a folder of shared specifications and other common documents on a server, and a group or all of your users need access to those documents on a regular basis. Marking the folder for offline use copies the folder’s contents to each user’s local cache. A user can continue working with a document even if the server goes down, because he or she is working from a local copy. When the server comes back online, any changes are synchronized with the server.
You can configure offline folders manually without the use of group policy, although doing so requires each user to configure offline folders on an individual basis. Through group policy, you can automate and centralize control over offline folder assignment and configuration. In addition to specifying which folders should be made available offline, you can also specify policy settings that prevent users from changing offline folder settings, specify synchronization options, set logging levels, and apply other restrictions.
You can also use IntelliMirror to configure users’ working environment settings such as desktop properties. You can control such settings as screen savers and wallpaper, as well as security, language, and application settings and user scripts. By controlling these properties through group policy, you maintain a high degree of control over user settings and you can reapply them when necessary.
For example, when Joe’s computer dies and he receives a new one, all of his desktop and other working environment settings can be applied through group policy when he logs on. The alternative is to let Joe spend hours reconfiguring his system or provide someone from your IT staff to do it. Neither is a particularly appealing option when you consider the ease with which the settings can be reapplied through group policy. Also, using group policy in this way makes it easy to support roaming users, giving them the same working environment regardless of logon location.
IntelliMirror’s relationship with Active Directory and group policies
Making effective use of IntelliMirror for application deployment and managing user data and settings requires group policy. While you can apply some aspects of IntelliMirror’s capabilities through local settings, group policy allows you to incorporate IntelliMirror across the enterprise with little effort after the initial planning and configuration. You simply create the group policy objects, apply policy settings, and then let IntelliMirror do its thing.
Because IntelliMirror requires group policies, you must have Active Directory structured to support the types of tasks you want to accomplish through IntelliMirror. For example, you might need to restructure your domains to incorporate additional organizational units so you can apply user settings or deploy applications. The reliance on group policy also means your client workstations must be running Windows 2000 or Windows XP.
In addition, some features rely on others. You can use folder redirection by itself, but it’s likely you will also need to apply disk quotas—another feature of Windows 2000—to prevent users from filling up servers with MP3, AVI, and other nonessential files. As you begin to evaluate IntelliMirror and how you can use it to simplify administration, reduce support costs, and provide a better computing experience for your users, take one task or goal at a time and determine which other features you’ll need to implement.
Managing applications for your users can take a lot of time, and as applications become more complex, it doesn’t look like the job is going to get any easier. IntelliMirror can help you distribute and manage applications on your user’s workstations from the comfort of your servers. However, using IntelliMirror can be nearly as complicated as the applications themselves. Once you understand IntelliMirror and how it can distribute applications, you can start planning to use it in your organization.