Trying to address an issue i am having with installations. I have an installer I want to run on a workstation using BigFix that is running on Windows 7.
The installer lives on a network share, null sessions are not permitted due to security regulations.
The user is logged on to the workstation as a user, and does not have privileges to run the installer on the workstation, but does have privileges to access the share.
Is there a way that BigFix can run the installer as System, but use the user’s credentials to access the installer?
I essentially need the network permissions of the user in order to access the installer, and the workstation privileges of the BigFix client to run it.
The only thing I can think of is copying the full installer from the network share using the users credentials locally, then running the installer as system, however this could potentially be incredibly slow. Not only is the installer over 2GB but it is not a single file, as it requires dozens of files to be present in the directory in order for it to execute. The end result would be several minutes of waiting before the user is presented with the install screen, which I find and unacceptable solution.
I guess I don’t understand what alternatives you have… if you have a 2GB installer, you will need to bring that 2GB to the local computer whether you run it from the share or copy it first…
In general, we recommend you package the 2GB files using the sw dist wizard and deploy it to the computer and run it (effectively skipping the share).
I am looking for a solution that I can run an installer as system or as a local administrator via passing credentials, while using the logged in users (non-admin) credentials to access a file share.
Null sessions are not allowed in my environment (giant security hole) and I’d prefer to not have to wait for the entire 2gb installer to download before launching.
I’ll use Word as a good example. If you just want just word to install out of the giant office installer, you log in as an administrator user, go to the network share, open the setup, it does not have to download the whole file before launching, and only the data for word is actually transferred over the network. With your solution. The entire 4gb office file has to download from BigFix while I sit there waiting for it with no progress bar, then eventually the installer will pop up, and run off the local copy. Then the 4gb office setup is living cached on the workstation for who knows how long.
I would love a way to run installers, which require system or an administrator, from my network share, using the user’s credentials to access the share.
If you used the normal software distribution mechanism, the file would be cached until the agent was restarted or until the next action ran.
I can’t think of a good way to use one set of credentials to access the file and another set to run the file (unless you first copy the file over with one set of credentials and then run it with another, but you said you didn’t want that). We don’t typically rely on shares since they have several downsides (no good “relay” abilities, the need credentials, they have no bandwidth throttling or checkpoint restart, etc.)
That’s a bit disappointing to hear, let me tell you a bit about what we’re trying to do with it, I think its a great idea maybe it could be integrated into future versions.
I have a bunch of fixlets built, office, adobe suite, etc. that all they do is call a “run as current user” and fire up an installer from a file share, with the appropriate answer file. The system is fantastic because I can say push office 2010 to the entire organization with 1 fixlet, and it all gets installed the same on every computer.
On top of that. I have an open action for every single installer fixlet as an offer. So the user, if he or she wants photoshop, they just have to fire up the bigfix support center and accept that offer. Again, every piece of software gets installed the same since we’re using answer files.
What we would have like to use it for, however deals with another project. We’re taking away admin rights on the workstations for all our users. We would have loved to been able to tell our users “everything in BigFix you can install without a tech having to come type the password.” However, to accomplish this, we would need to have the additional user functionality like i was describing in this thread. We will likely still do this with dozens of our smaller applications, however the big ones like office, will likely get left behind.
We specifically don’t recommend the approach you are using. BigFix distributes files using HTTP and local distribution relays that automatically cache files for you. This approach allows bandwidth throttling, checkpoint restart, reliable transport, and doesn’t require difficult management of credentials.
As far as I know, when you execute a file from a fileshare, it streams the file to your computer before it executes. So you have to use the same amount of bandwidth in either approach.
You could always use a runascurrentuser command to copy the file to the local computer and then execute it with SYSTEM privileges, but that would mean that you still need to store it on the computer during the installation.