Microsoft Active Directory Group Policy Objects (GPO) application deployment is a remote installation method used to install apps to multiple devices from a single, centralized platform. Apps can be installed in the background without disrupting users' workflows.
Employees added through Active Directory GPO will be able to use multiple devices and all gathered data will go to their accounts no matter which device is being used as long as they have signed in with their credentials.
While one would usually deploy software using a regular GPO Software installation method, sometimes it is simply not feasible. Here are some of the reasons this could be the case:
You are having remote devices connecting to VPN using some software
You don’t want to run all computers under the single Organization in Insightful
Slow network for remote site/office
In these scenarios, you can use Microsoft Active Directory GPO Scheduled task/PowerShell script to remotely deploy Insightful to your employees using company-managed devices. To do so, please follow these steps.
This process requires a few more steps than a regular GPO Software installation method but it is much more effective in today's remote environment.
It will install Insightful by running a scheduled PowerShell script based on the schedule you define. Even if the PowerShell script is run multiple times - it won’t be a problem as it checks if the installation is already present.
Requirements and preconditions
For our Scheduled task to succeed there are a few conditions that will need to be met. Triggers for the scheduled task should be set right, so that the scheduled task is executed while the computer is connected to the VPN and be connected long enough for the process to be finished.
General Steps
Obtain Insightful .msi file (installation file)
Place the Insightful .msi file on the network
Download and place PowerShell script on the network
Create GPO for Scheduled Task
Deploy GPO
Steps in Detail
1. Obtain Insightful .msi file
Go to Employees Dashboard.
Click on Add New Employee.
Select Company Computers.
Select Windows.
Installation in the form of .msi file will be downloaded on the device, commonly in the Downloads folder.
2. Place the Insightful .msi file on the network
Insightful .msi file has to be shared via network so that every device can pull it during the installation process.
Here are the steps to achieve this:
Create a folder where you will keep .msi files. We recommend creating this on the controller or on one of your data servers.
Right click on the folder, go to Properties and choose the Sharing tab. Click on Share, allow read permission for Everyone and then choose Advanced Sharing in the Sharing tab and check Share this folder.
Place the Insightful .msi file to the shared folder and save UNC path to the package.
3. Download and place PowerShell script on the network
Compared to the Software installation GPO, this version has one step in the middle, the PowerShell script, which is actually having a bit more control over the installation process. Just as the .msi file - it has to be shared via the network so that every computer can pull it.
To achieve this here are the steps:
Create a folder where you will keep scripts. We recommend creating this on the controller or on one of your data servers.
Right click on the folder, go to Properties and choose the Sharing tab. Click on Share, allow read permission for Everyone and then choose Advanced Sharing in the Sharing tab and check Share this folder.
Download the PowerShell script and place it to the shared folder and save UNC path to the script. You can download it via this link:
Right click on the script, click Edit, and once the editor is open, change UNC path on line 2, with your UNC path to the Insightful .msi file from Step 2 of this guide.
4. Create GPO for Scheduled Task
Open Group Policy Management and create a new GPO in your domain. You can choose any name, we’ve chosen Workpuls Scheduled Task.
Once the policy is created, find it, right click on it and choose Edit.
New window of the Group Policy Management Editor will pop-up. Under Computer Configuration navigate to the Scheduled Tasks, right click on it and choose New and then Scheduled Task (At least Windows 7).
Once the new window opens please follow the next steps for General tab:
Action: Replace
Account: NT AUTHORITY\System
Check: Run with highest privileges
Switch to the Triggers tab. You can improvise here but we recommend a daily schedule with automated hourly runs going further. For additional security you can add multiple triggers, like on Logon, or similar.
Switch to the Actions tab. We will be adding two actions. The first one is to ensure that PowerShell scripts can be executed and the scope of this action is only for the System user.
Program/script: powershell
Add arguments: Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser
While still on to the Actions tab, let's add another action
Program/script: powershell
Add arguments: past your UNC path to the script from Step 3 of this guide
Switch to the Settings tab. Please make sure everything is the same as on the image below
On the final tab, Common, please check the option to Remove item if no longer applied.
Click OK and close Group Policy Management window and your GPO should be ready
5. Deploy GPO
In the previous steps we have created the GPO. Now is the time to decide where you want to deploy it to. You have multiple options but two most common are Organization unit (OU) or Whole domain.
Both options can work, but we have decided to go with OU as the example:
Find the OU where you want to deploy it.
Right click on it and select Link and existing GPO and
Select the previously created GPO.
Opening the Task Scheduler as an Administrator will give you clear visibility into the created task, when it was executed and what is the result.
Tips & Tricks
Hosting files publicly
If you have the ability to host files publicly on the internet, it might be an even better option, since you won’t need to align with VPN connection but can rather be pulled whenever people are just connected to the internet. Please contact admin@insightful.io for more details.
Don't Edit GPOs
Editing GPOs is not something we recommend, if you come by the case when you need to do this, we recommend removing the previous policy and creating the new one, with a slightly different name.