Installing/Updating .Net application using Windows Installer on workstation that restricts any installation by group policy

dmeltz
I have an app developed in Visual Studio 2008 for an internal corporate environment that my network admin has deployed.  I put in a rudimentary application update mechanism that would automatically download a new msi file from the server and launch the installation to update the exe and other associated files (installed in Program Files) as required.  However the end users' computers (XP Pro) are all locked down by group policy so that they receive a message that says they can't install any software when the msi file is started.  I am told to get an update out - the IT dept will need to log in to everyone's workstation with an admin user.  Should there be some way I can "sign" my application (in conjunction with admin) so that the Windows group policy allows my application to update/install but still blocks everything else?
Jorge Paulino, IT Pro/Developer
Top Expert 2008

Commented:
Why don't you use ClickOnce Deployment ?
http://msdn.microsoft.com/en-us/library/t71a733d(v=vs.80).aspx
Todd Gerbert, IT Consultant
Top Expert 2010

Commented:
ClickOnce is a good idea, it doesn't always fit your needs though.

I would re-build the MSI for the updated version of your application, your IT group should be able to deploy automatically via Group Policy (make sure the Upgrade Code is the same for each version of the MSI, and that the Product Code is different).  Or, if they really want to they can manually log into every workstation.  MSIs that have been "pushed" to users or computers via Group Policy will install with elevated rights, the only other way - to my knowledge - is to log in as an administrator and run the install.

Is it possible for your application to run per-user (i.e. is it okay for each user to have a copy of the program installed in their profile directories, or does it absolutely need to be installed once in a common location, e.g. C:\Program Files)?
Top Expert 2011

Commented:
ClickOnce is the best
Todd Gerbert, IT Consultant
Top Expert 2010

Commented:
ClickOnce is not the best. It can be a good option in some circumstances (and it seems like it might be a good idea in this particular case), but if you need to do something like control what directory your application is installed in then ClickOnce is no good.
Top Expert 2011

Commented:
ClickOnce is the best solution for this question's needs.
Who asked about the advantage or disadvantage?
Todd Gerbert, IT Consultant
Top Expert 2010

Commented:
I agree ClickOnce might very well work in this particular case, I just wanted to clarify that it is not always "the best." Plus, it might not work at all for the asker - what if his IT group wants to control which computers or users the application is distributed to using Group Policy? ClickOnce won't work in that situation.  To be honest, we haven't really been given enough information to say whether or not ClickOnce is a good idea or not.  What we do know is that an MSI-based installation will work for the asker, since that's what he's using now.

Author

Commented:
I have not used ClickOnce before but will look into its functionality.  It may work for me.  
I believe updates being pushed by Group Policy won't work in our case because we have employees who work out of the office for weeks (or months) on end with their laptops (which I was told prevents pushing apps if they don't log in to the domain).
Also based on the answers above (given my original question) can you confirm there is no way to "sign" an application so that group policy allows standard installation/updating with MSI on restricted computers?

Thanks for all the responses - this has been very helpful.
IT Consultant
Top Expert 2010
Commented:
>> can you confirm there is no way to "sign" an application so that group policy allows standard
I (tried) to answer that above - it sounds like it's not really Group Policy, it's just that you normally need to be an administrator to install software; this is the default out-of-the-box behavior of all versions of Windows.  There is no way to "sign" an MSI, you either need to log in as an administrator and run the install, or push it via Group Policy. If your installation requires administrative privileges those are your only two options.

ClickOnce basically just copies all the files your program needs to run to a folder in the users' profile. Since users already are able to write files to their own profile directories this kinda circumvents the "administrator required" problem. The down-sides are that a separate copy of your program gets installed for each user that runs it (i.e. as opposed to one installation in C:\Program Files shared by all users); it's not much more than a file copy, so there's no installer to set up things like registry values for you ahead of time (you just need to take care of that in your application); and like any per-user installation there will be no administrative privileges so you won't be able to do things like write registry values under HKLM. The up-side is that it does a very good job of version control and makes automatic updating of your application super-easy, so if you can work around the little caveats I mentioned (if any of them even apply) then you should definitely take advantage of ClickOnce.

You can also build MSIs that install on a per-user basis without requiring an administrator to run the install - these installs will write all the files to the users' profile directory, like ClickOnce, but you have the benefit of an installer running to set up the environment needed for your application to function, but there's no built-in mechanism for automatic updating like ClickOnce has.
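
An added example, not part of any post in this thread: a PowerShell check a packager could run before handing a new build to IT. It confirms the Upgrade Code / Product Code rule from the Group Policy answer and reports whether the package is authored per-user or per-machine, as discussed in the last answer. It reads the MSI Property table through the Windows Installer COM automation interface; the function names and the file names in the usage comment are made up for illustration.

```powershell
# Added example: read named properties from an MSI's Property table (read-only).
function Get-MsiProperty {
    param([string]$Path, [string[]]$Names)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # Second argument 0 = open the database read-only
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @((Resolve-Path $Path).Path, 0))
    $values = @{}
    foreach ($name in $Names) {
        $sql  = 'SELECT `Value` FROM `Property` WHERE `Property` = ''{0}''' -f $name
        $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($sql))
        $null = $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
        $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        # Fetch returns nothing when the property is not defined in the package
        $values[$name] = if ($rec) {
            $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1)
        } else { $null }
        $null = $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
    }
    $null = [Runtime.InteropServices.Marshal]::ReleaseComObject($db)  # release the file handle
    return $values
}

# Compare an already-deployed build with the new one.
function Test-MsiUpgradePair {
    param([string]$OldMsi, [string]$NewMsi)
    $names = 'ProductCode', 'UpgradeCode', 'ProductVersion', 'ALLUSERS'
    $old = Get-MsiProperty -Path $OldMsi -Names $names
    $new = Get-MsiProperty -Path $NewMsi -Names $names
    $problems = @()
    if (-not $new.UpgradeCode -or $old.UpgradeCode -ne $new.UpgradeCode) {
        $problems += 'UpgradeCode must be present and identical in both builds'
    }
    if ($old.ProductCode -eq $new.ProductCode) {
        $problems += 'ProductCode must be different in the new build'
    }
    # ALLUSERS=1 is a per-machine install (needs elevation); unset is per-user
    $scope = switch ($new.ALLUSERS) {
        '1'     { 'per-machine: needs an administrator or Group Policy deployment' }
        '2'     { 'decided at install time from the privileges of the installing user' }
        default { 'per-user: installs without administrative rights' }
    }
    [pscustomobject]@{
        OldVersion = $old.ProductVersion; NewVersion = $new.ProductVersion
        InstallScope = $scope; Problems = $problems; Ok = ($problems.Count -eq 0)
    }
}

# Usage (placeholder file names):
# Test-MsiUpgradePair -OldMsi .\MyApp-1.0.msi -NewMsi .\MyApp-1.1.msi
```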
