Until recently it has been possible to automate the installation of most software on a Windows computer using Group Policy. Group Policy is a standard component of a Windows domain and so there is no additional cost. Starting with version 11.2 Citrix no longer recommend using Group Policy to install the Citrix Online plug-in. Are they off their trolley?
Windows Installer
Microsoft introduced Windows Installer with Windows 2000 as the preferred method for installing software on Windows computers. Windows Installer is a service in Windows that provides the standard mechanisms for software installations. The vendor creates an installation package with an .msi file. The msi is a database that contains instructions and resources for Windows Installer. When the user runs the msi, Windows Installer performs the actions indicated for the package. The benefit for the user and the vendor is that there is a standard process for:
- identifying what is installed
- installing, repairing and removing an application
- updating an application with a patch or an upgrade
- performing custom steps (depending on the existing hardware or OS configuration, for example)
- managing the User Interface and silent installation
- and many other standard software installation processes: feature selection; rollback; logging; advertisement.
Windows Installer is now at Version 5.0 and most vendors have adapted their installations one way or another to use the Windows Installer service. Vendor installation packages have gradually evolved. In a first stage, many vendors adapted their existing installation routine simply to run as Custom Actions within the Windows Installer package. This defeated the object of using Windows Installer, since it could only have the most limited information about the package. But at least the basics of the installation worked in a standard way.
In a second stage, vendors have adapted their installation to be performed as a native Windows Installer package, with the properties and actions handled directly by Windows Installer. The vendor typically uses Custom Actions only for tasks that are not handled by the Windows Installer service.
Most vendors have continued to include an executable Setup with the installation package. This might typically perform a few pre-installation functions, and then run the msi. For example, the Setup might install .NET Framework 2.0 as a pre-requisite. The Setup can also customize the msi depending, for example, on the OS language, by generating a Transform (with an mst file extension). Provided you know what the Setup does, you can perform those tasks independently and just extract and run the msi directly.
Group Policy Software Installation
Who cares whether the installation is a Windows Installer msi or a non-Windows Setup, as long as it works? The answer is: Group Policy. Also starting with Windows 2000 Microsoft introduced Group Policy to control the configuration of computers in the Domain. Group Policy uses client side extensions to perform different types of actions defined in domain policies. One of these extensions is Software Installation. The Software Installation client side extension tells Windows Installer what installation actions to run.
- The Group Policy Software Installation policy knows whether it has run or not. It knows what users or computers it needs to run for. It knows not to run over a slow link. It can use a WMI filter to run on certain classes of computer and not others. Depending on the policy configuration it passes commands to Windows Installer to perform the installation, upgrade or removal of software.
- Windows Installer then performs those actions the same as if the command line were executed manually. It reports back to the client side extension whether the installation was successful. The client side extension reports back to the Group Policy service whether the policy has been completed successfully or not.
Group Policy is a standard component of Windows domains, and therefore there is no additional cost for using it to install software. Without Group Policy you need to use some kind of third-party tool. Although technically you can run a script, this method does not provide the control of the installation that you have with Group Policy, unless you develop in effect your own custom client side extension. Group Policy Software Installation operates only on Windows Installer database (msi) and transform (mst) files. It does not operate on Setup (exe) files. So if the vendor package comes as a Setup, and does not unpack as an msi, it cannot be installed by Group Policy Software Installation.
Many enterprises will already have a separate software installation tool, like SCCM or Altiris Software Delivery Solution. But if you do not, and you use Group Policy Software Installation, then you need an msi. Now that most vendors have adapted their installations to use Windows Installer, the great majority of products can be installed using Group Policy Software Installation:
- either directly
- or by extracting the msi from the Setup
- or by re-packaging older or simpler products using something like Wise Package Studio.
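One way to check an msi extracted from a vendor Setup before publishing it through Group Policy Software Installation, as an added example that is not part of the original post: the function reads the package's Property table through the Windows Installer COM automation interface and reports the file's Authenticode signature status and hash. The function name and the staging path are hypothetical.

```powershell
# Added example, not from the original post. Function name and path are hypothetical.
function Get-MsiSummary {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Property names are restricted to identifier characters because
        # they are placed into the Windows Installer SQL query below.
        [ValidatePattern('^[A-Za-z_][A-Za-z0-9_.]*$')]
        [string[]]$Property = @('ProductName', 'ProductVersion', 'ProductCode',
                                'UpgradeCode', 'Manufacturer')
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # Late-bound call helper for the Windows Installer automation objects.
    $call = {
        param($obj, $member, $kind, $arguments)
        $obj.GetType().InvokeMember($member, $kind, $null, $obj, $arguments)
    }
    # Second argument 0 opens the msi database read-only.
    $db = & $call $installer 'OpenDatabase' 'InvokeMethod' @($full, 0)
    $summary = [ordered]@{ Path = $full }
    try {
        foreach ($name in $Property) {
            $sql  = "SELECT Value FROM Property WHERE Property = '$name'"
            $view = & $call $db 'OpenView' 'InvokeMethod' @($sql)
            & $call $view 'Execute' 'InvokeMethod' $null | Out-Null
            $row  = & $call $view 'Fetch' 'InvokeMethod' $null
            $summary[$name] = if ($row) {
                & $call $row 'StringData' 'GetProperty' @(1)
            } else { $null }
            & $call $view 'Close' 'InvokeMethod' $null | Out-Null
        }
    }
    finally {
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($db)
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($installer)
    }
    # Signature and hash of the exact file that will sit on the deployment share.
    $sig = Get-AuthenticodeSignature -FilePath $full
    $summary['SignatureStatus'] = $sig.Status
    $summary['Signer'] = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $summary['SHA256'] = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
    [pscustomobject]$summary
}

Get-MsiSummary -Path 'C:\Staging\extracted-plugin.msi'   # hypothetical path
```

Recording the ProductCode, version and hash at staging time gives you something to compare against later if the file on the deployment share is replaced or the vendor Setup is re-extracted.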
Problems
Rather ironically, having set the standard and provided the tools, Microsoft were the first major vendor to break ranks. Office 2007 has a Setup that runs a series of separate msi files, but it uses a Patch file (msp) instead of a Transform (mst) to customize the installation. Group Policy Software Installation cannot run a Patch file. If you want to customize the installation of Office 2007 (for example to select which components to install) you cannot use Group Policy. Microsoft simply recommend that you use their client management tool SCCM. But if you were quite happily proceeding with all your software installations using Group Policy, it was a bit of a shock to find that you can’t install Office 2007 that way. Fortunately there is a workaround that enables you to perform a standard installation without customization, and therefore with Group Policy. Here are the deployment options MS recommend for installing Office 2010. You will see that they don’t include Group Policy Software Installation.
Now (since Version 11.2) Citrix have taken a similar approach for the Citrix Online plug-ins, for similar reasons. The Citrix "client" now consists of several components or plug-ins:
- Web plug-in that provides the core XenApp ICA client functions and enables connection to a XenApp farm using a web browser (always required)
- Desktop Viewer that provides controls and preferences for a published desktop (optional)
- USB handler that controls what happens when you plug in a USB device during a session (optional)
- Program Neighborhood Agent (PNA) that reads a configuration from a XenApp Web Interface server and configures shortcuts in the Start menu for the published applications
- Single Sign-on that captures the user logon details and enables the PNA to pass them through to the Web Interface server (optional, for the PNA)
- HDX media stream for Flash Player for client side rendering of Flash content (optional)
Why so complicated? Citrix are trying to provide a client that works both for published applications (connection to a Terminal Server) and virtual desktops (connection to a Virtual Machine running a Windows client OS like Windows 7) based on a combination of plug-ins. This is Citrix making a big move to dominate the market for Virtual Machine-based desktops by adapting their ICA protocol and client services for connections to a remote VM.
Each plug-in is an msi. However, Citrix have developed a custom setup controller called Trolley Express to control the running of the individual msi files. Trolley Express does the following:
- manages the sequence of msi files and their rollback in the event of failure
- manages upgrades and removal
- provides an overall log file, and a log for each msi
- passes the OS language to the individual msi files
- passes command line parameters to the msi files in a transform.
It’s not very much really. I don’t see anything here that could not have been developed as an msi wrapper with nested msi files, or indeed as separate msi files with component options. Here’s an extract from the log file to show what Trolley Express is doing.
But Citrix have gone much further than just using a custom setup. They have developed a whole proprietary client management system. The Merchandising Server acts as a client management server, and the Receiver acts as an agent performing the plug-in installation and configuration determined by the Server. This operates independently of Microsoft domains. You could run it on a campus and control the client on any computer connecting to a Citrix service. You can use it for the Citrix Access Gateway (SSL VPN) client as well as the XenApp server client. There is a receiver for Windows, Mac, iPad and Smart Phone.
Installation of the client with Group Policy is still possible, and it works faultlessly, but Citrix do not recommend it. They say:
"Citrix does not recommend extracting the .msi files in place of running the installer packages [an exe]. However, there might be times when you have to extract the plugin .msi files from CitrixOnlinePluginFull.exe manually, rather than running the installer package (for example, company policy prohibits using the .exe file). If you use the extracted .msi files for your installation, using the .exe installer package to upgrade or uninstall and reinstall might not work properly. The Administrative installation option available in some previous versions of the plugin is not supported with this release. To customize the online plugin installation, see ‘To configure and install the online plugin using the plugin installer and commandline parameters [only available for the .exe]’."
This seems a big jump, from an msi that can be installed by Group Policy, to a full client management system and no msi. But it is really the same way that other complex clients are managed: SCCM itself; Microsoft Forefront Client Security; McAfee ePolicy Orchestrator. They all use a server to install and configure the clients and agents. Citrix provide the Merchandising server as a virtual appliance, so you don’t even need an additional license for the OS or database.
In summary:
- You can install nearly everything on a Windows computer using Group Policy Software Installation, and it is a standard component of Windows domains with no extra cost
- First Office 2007 and now the Citrix Online Plug-in are not recommended for Group Policy installation – although they can be made to work
- Do you need to buy a software delivery tool after all? Nearly, but not quite. For Citrix you can use the Merchandising Server appliance.
I am all in favour of client management tools like SCCM and Altiris where you need them. But I also like to reduce costs where you don’t. For the moment you can still get by with Group Policy Software installation.