admin adventure

the ongoing struggle: man vs machine

Java JRE Deployment via Group Policy

In this post I will detail my experience deploying Java Runtime Environment 7 update 4 to my mixed 32bit and 64bit environment.

My goals are:

  • Deploy 32bit and 64bit Java via a single GPO. Since I have previously deployed Java 6 update 29 to my PCs I will use my existing GPO titled “Oracle Java Runtime Env”.
  • Prior versions of Java will be removed before the new version is installed.

Step 1 – Obtain the Appropriate Files

This step is very important, as java is often bundled with additional software that we don’t wish to deploy in our enterprise environment.

Instead of going to java.com to download java, use the oracle site, as these files are suited to enterprise deployment.

I used http://www.oracle.com/technetwork/java/javase/downloads/index.html

Make sure you download both the 32bit and 64bit offline versions of the JRE.

http://download.oracle.com/otn-pub/java/jdk/7u4-b22/jre-7u4-windows-i586.exe

http://download.oracle.com/otn-pub/java/jdk/7u4-b22/jre-7u4-windows-x64.exe

 

Step 2 – Extract the MSI

To extract the MSI package from the exe file downloaded above:-

Double-click the exe file and leave the installation window open.

Whilst the window is still open, go to the following location and copy the files to your staging area.

c:\users\%username%\AppData\LocalLow\Sun\Java\jre1.7.0_04\

Repeat for the 64bit exe file. The path will be

c:\users\%username%\AppData\LocalLow\Sun\Java\jre1.7.0_04_x64\

Step 3 – Generate the Transform (MST) file to Customise the Install

Auto Update is a great idea for home users, but can cause problems or annoyance for enterprises.

In enterprise networks, your everyday users should not be Administrators of their local machines. Administrator privileges are required to install java updates. java will helpfully advise your users that an update is available, and prompt them to install it. Users will be unable to install the update and may be regularly prompted regarding it.

This is annoying to your users, and you will quickly begin to see helpdesk requests to update java. The better solution is to deploy updates through Group Policy, once you have tested the update in your environment. Consequently, you will want to disable the auto update function.

We will also make changes to the MSI to configure Java with settings appropriate to our environment.

Java_settings

  1. Open up the MSI file in Orca
  2. Click Transform>New Transform
  3. Scroll down the left hand tables window and click the “Property” Table.
  4. In the right hand window, edit the values for the properties you wish to change.

orca java

5. When you have finished making changes, go to Transform>Generate Transform
6. Save the transform file in the same location as the MSI file.
7. Close Orca
8. Repeat for the 64bit MSI file.

 

Step 4 – Add the Package and Transform to Group Policy

1. Open Group Policy Management Console, right-click the existing GPO and select Edit.
2. Under Computer Configuration>Software Settings>Software installation, Right click on the blank right-hand window and select New>Package.
3. Select the 32-bit package. I like to ensure that a UNC path to the package is used, but it is up to you.
4. Select the “Advanced” option and click OK. The package properties window will appear.
5. Change the name of the package to distinguish that it is 32bit. I used “Oracle Java 7 u4 x32 – Deployed”.
6. Click the Deployment Tab>Advanced and check the option “Make this 32-bit X86 application available to Win64 machines”. This is because both the 32 and 64bit editions will be installed on 64bit PCs. In this way, the user can use either the 32 or 64bit editions of IE and still have full java functionality.
7. On the same screen, I usually check “Ignore language when deploying this package”. This prevents differences between US English and Australian English from preventing the install from occurring, but this is a personal preference.
8. On the upgrades tab, clear anything that has been added to the list, then click add, and select all versions of java previously distributed by Group Policy that you wish to upgrade. I choose the option to uninstall the previous versions, rather than attempt an upgrade.

javaupgrades

9. Click the modifications tab and add in the MST file you generated with ORCA.
10. Click OK.

Repeat the above process from step 4 part d for the 64bit package with the following changes.

  • Make sure you name the package to distinguish that it’s 64bit
  • Do not check the option to “Make this 32-bit X86 application available to Win64 machines”.  It will not be available.
  • On the upgrades tab, the 32bit version may be listed. Group Policy has incorrectly assumed that we wish to upgrade the 32bit package with the 64bit package. This is not the case. Remove any entries on the upgrade tab, and add entries only applicable to 64bit upgrades.

Note: Group Policy is intelligent enough to not deploy the 64bit package to 32bit machines.

Congratulations, you are now deploying Java

Useful Links

Java download location
http://www.oracle.com/technetwork/java/javase/downloads/index.html

Adobe Flash Player 11 Deployment via Group Policy

As of version 11, adobe have released both 32bit and 64bit versions of flash player. This will be a relief to many as IE 64-bit will now be supported.

Now we will need to deploy Flash 11 via GPO. Our goals are

  • Deploy 32bit and 64bit Flash Player using a single GPO. The version I am deploying is 11.2.202.235.
  • This GPO will be dedicated to flash player deployment, so title it appropriately.
  • Prior versions of flash player will be removed before the new version is installed.

 

Step 1 – Sign the Enterprise Distribution Agreement and Obtain the Appropriate Files

Adobe require you to register to redistribute the software. Registration only takes a couple of minutes, however it can take up to 3 business days to be approved.

http://www.adobe.com/products/players/fpsh_distribution1.html

Once approved, and email will be sent with download links for the enterprise distribution files. Make sure that you download both 32bit and 64bit msi files.

I ended up with the following files

install_flash_player_11_active_x_32bit

install_flash_player_11_active_x_64bit

Step 2 – Define the Strategy

Unlike some of the other software that I deploy, I am not going to modify the msi file with orca, nor create a transform file. This is because prior versions of the package have been known to break if modified.

Flash 11 comes in both 32 and 64 bit variants.

The 32bit variant is only designed for 32bit operating systems. It is not to be installed on 64bit operating systems.

The 64bit variant is only designed for 64bit operating systems. This package includes both 32 and 64 bit versions of flash, to allow 32 bit browsers to operate with flash support on a 64bit operating system. This package must not be installed

As we are going to be managing both 32 and 64bit clients we will need to be careful about the group policy options that we set to prevent the wrong install from occurring.

Step 3 – Setup Shared Directory.

You probably already have a network share for software deployment. If you don’t, you will need to create a share that allows the everyone group read access. Only Administrators should have higher permissions to this share.

Step 4 – Group Policy Work

If you have not deployed flash player previously, you will need to follow the below steps in their entirety to create a new GPO. If you have deployed flash player previously, and need to upgrade to a new version, treat the below as refresher, and make sure you read the upgrading section at the end of the post.

a. Create a new Group Policy Object For Flash Player by opening the Group Policy Management Console, Right-clicking on the OU you want the policy linked to, and selecting “Create and Link a GPO here”.

b. Enter a name for the GPO. Do not include version numbers in the name, as you will use this same GPO to deploy upgrades.

c. Right-click the newly created GPO and select edit. The Group Policy Object Editor Opens.

d. Under Computer Configuration>Software Settings>Software installation, Right click on the blank right-hand window and select New>Package.

e. Select the 32-bit package. I like to ensure that a UNC path to the package is used, but it is up to you.

f. Select the “Assigned” option and click OK. The new package will appear.

g. Right-Click the package and select Properties.

h. Change the name of the package to distinguish that it is 32bit. I used “Adobe Flash Player ActiveX 11.2.202.235 x32 – Deployed”

i. Click the Deployment Tab>Advanced and uncheck the option “Make this 32-bit X86 application available to Win64 machines”. We have a different package for the 64bit operating systems.

j. On the same screen, I usually check “Ignore language when deploying this package”. This prevents differences between US English and Australian English from preventing the install from occurring, but this is a personal preference.

k. Ignore the upgrades tab for now as this is the first deployment. When you deploy future versions of Flash you will need this tab. Upgrades will be covered at the end of this post. Click OK on the Advanced Deployment Options Window and the Main Properties Window.

l. Congratulations, you are now deploying Flash Player 32bit.

32_success

Repeat the above process from step 4 part d for the 64bit package with the following changes.

  • Make sure you name the package to distinguish that it’s 64bit
  • Do not check the option to “Make this 32-bit X86 application available to Win64 machines”.  It will not be available.
  • On the upgrades tab, the 32bit version may be listed. Group Policy has incorrectly assumed that we wish to upgrade the 32bit package with the 64bit package. This is not the case. Remove any entries on the upgrade tab.

Congratulations, you are now deploying the 64bit package.

Note: Group Policy is intelligent enough to not deploy the 64bit package to 32bit machines.

How to Disable Adobe Flash Auto Update settings (Optional)

Auto Update is a great idea for home users, but can cause problems or annoyance for enterprises.

In enterprise networks, your everyday users should not be Administrators of their local machines. Administrator privileges are required to install flash player updates. Flash will helpfully advise your users that an update is available, and prompt them to install it. Users will be unable to install the update and may be regularly prompted regarding it.

This is annoying to your users, and you will quickly begin to see helpdesk requests to update flash. The better solution is to deploy updates through Group Policy, once you have tested the update in your environment. Consequently, you will want to disable the auto update messages.

Adobe have provided a method to achieve this. What you need to do is place a configuration file on each machine that tells Flash to disable automatic updates.

The  required location for this file are:.

%systemroot%\System32\Macromed\Flash – 32-Bit version of Flash

%systemroot%\SysWOW64\Macromed\Flash – 64 Bit version of Flash 11

The file needs to be placed in both locations for 64bit installs, as both variants are installed.

The file is a simple text file with a line that reads

AutoUpdateDisable=1

I save this file with the file name mms.cfg in the same folder I used to store the msi files. I can then use Group Policy Preferences (Server 2008) or a startup script to copy the file to the correct destination locations.

 

Upgrading

When it comes time to update the flash player to a new version, add the new package as above, to the same GPO. On the upgrading tab, remove any entries already in the list, then click add.

Select which version/s you with to be upgraded by the new package. Be very careful that new 32bit packages upgrade the old 32bit packages, and new 64bit packages upgrade the old 64bit packages.

Remember to set the appropriate group policy options for the new packages, just as you did for the old packages.

Usefull Links

Flash Player Configure Auto Update
http://helpx.adobe.com/flash-player/kb/administration-configure-auto-update-notification.html#main_Administrator_configuration_of_auto_update_notification_and_background_update_process

Comments

Please Feel free to comment, ask questions or point out inaccuracies in the information. Through your assistance, I can try to make this post as helpful as possible.