How to bulk deploy the Automox agent using Windows Group Policy for devices that connect to company networks through a VPN.
Remote computers that connect to their company networks through a VPN present a challenge for the most common GPO solutions. Many VPNs do not automatically connect at startup. Because of the way Startup scripts and GPO MSI installation policies are designed, they will most likely fail to apply for remote devices.
Here is an alternative method that uses Active Directory GPOs to deploy the Automox agent for your remote users.
The Challenge
We must distribute the file, and then the file must be installed with elevated rights. Preferably, this should be fully automated.
The Solution
We will leverage Group Policy preferences to distribute a customized MSI installer to each device, and then after it is in place, we will create a scheduled task to run the installation.
Prepare Your Installer
To reduce the number of places your Automox access key is stored, we will use the following document to Embed Your Access Key into the Automox MSI. This keeps the key less widely distributed, because it will not be listed in the Group Policy or in the event logs.
After you modify the MSI file, store it in a location that is accessible to your target devices. This requires that you store the file in your SYSVOL directory or set up a network share that is accessible to your devices.
Create Your GPO
Distribute the File
Create a new GPO, and open the Group Policy Management Editor.
Navigate to Computer Configuration → Preferences → Windows Settings → Files
Right click Files and select New → File
From the General tab, update the following:
Source File(s):
\\YOUR_DOMAIN.COM\NETLOGON\Automox_Installer-latest.msi
Destination File:
C:\Windows\Temp\Automox_Installer-latest.msi
NOTE: Leave the rest of the General settings as default.
From the Common tab, select the checkbox for Remove this item when it is no longer applied. This will clean up the MSI file when the policy is no longer applied.
Schedule the Installation
Create a new GPO, and open the Group Policy Management Editor.
Navigate to Computer Configuration → Preferences → Control Panel Settings → Scheduled Tasks
Right click Scheduled Tasks and select New → Scheduled Task (Windows 7 or later)
Click the General tab and update the following:
Select the Action: Replace
Enter a name and optional description.
Set the user account to
NT AUTHORITY\System
Set it to run whether the user is logged on or not and with the highest privileges.
Click the Triggers tab, start a new trigger and set the following:
Begin the task: At task creation/modification
Clear the checkbox Delay task for:
Select Stop task if it runs longer than: and set to 1 hour
Set the preferred activate time and select the checkbox
Set to Enabled
Click the Actions tab and start a program with these settings:
Program/script:
C:\Windows\System32\msiexec.exe
Add arguments:
/i "C:\Windows\Temp\Automox_Installer-latest.msi" /qn
Click the Conditions tab.
Select Start only if the following network connection is available: Any connection
Click the Settings tab and select the following:
Stop the task if it runs longer than: 1 hour
If the running task does not end when requested, force it to stop.
If the task is already running, then the following rule applies: Do not start a new instance.
Click the Common tab and select the following:
Remove the item when it is no longer applied.
Select Item-level targeting, then click Targeting.
In the Targeting Editor, click New Item → File Match.
For Match type, select File exists
In the Path field enter:
C:\Windows\Temp\Automox_Installer-latest.msi
After these values are set, assign the GPO to your desired audience.
Note: You should periodically update this deployment to use the latest Automox Installer. An outdated MSI file will not harm existing installations, but it is best to install the latest version when possible. The latest file downloads can be found here: Download Links for the Latest Automox Installers.
Alternative MSI Handling
If you prefer not to modify the MSI installer, you can use the original installer file and replace the arguments (as described in Schedule the Installation → Step 6) with the following:
/i "C:\Windows\Temp\Automox_Installer-latest.msi" ACCESSKEY=YOUR_ORGANIZATION_KEY GROUP="Default Group/My Destination Group" /qn
Note: The GROUP parameter is optional and is only used if your devices need to join a group other than the "Default" group on their initial activation.
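To confirm on a target device that both GPOs applied as configured above, the following check can be run from an elevated PowerShell session. It is an added example, not an Automox script. It assumes Windows 8 / Server 2012 or later with PowerShell 4 or later, and the task name is a hypothetical placeholder for the name you entered on the General tab.

```powershell
# Added example: endpoint-side check of the deployment described in this article.
# $TaskName is a hypothetical value; use the name you entered on the General tab.
param(
    [string]$Source   = '\\YOUR_DOMAIN.COM\NETLOGON\Automox_Installer-latest.msi',
    [string]$Staged   = 'C:\Windows\Temp\Automox_Installer-latest.msi',
    [string]$TaskName = 'Install Automox Agent'
)
$findings = New-Object System.Collections.Generic.List[string]
if (-not (Test-Path -LiteralPath $Staged)) {
    $findings.Add("Staged MSI not found: $Staged")
} else {
    # 1. The staged copy should be byte-identical to the copy on the share.
    if (Test-Path -LiteralPath $Source) {
        $src = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
        $dst = (Get-FileHash -LiteralPath $Staged -Algorithm SHA256).Hash
        if ($src -ne $dst) { $findings.Add("Staged MSI hash $dst differs from source $src") }
    } else {
        $findings.Add("Source share unreachable (VPN down?); hash not compared")
    }
    # 2. msiexec runs this file as SYSTEM, so only SYSTEM and Administrators
    #    (S-1-5-18, S-1-5-32-544) should hold rights that can alter it.
    $trusted = 'S-1-5-18', 'S-1-5-32-544'
    $alter   = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Staged).GetAccessRules($true, $true, $sidType)) {
        $canAlter = [int]($ace.FileSystemRights -band $alter) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canAlter -and $ace.IdentityReference.Value -notin $trusted) {
            $findings.Add("$($ace.IdentityReference.Value) can modify the staged MSI ($($ace.FileSystemRights))")
        }
    }
}
# 3. The task should run msiexec as SYSTEM with the arguments from the Actions tab.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if (-not $task) {
    $findings.Add("Scheduled task '$TaskName' not found")
} else {
    $action = $task.Actions | Select-Object -First 1
    if ($task.Principal.UserId -notin 'SYSTEM', 'NT AUTHORITY\SYSTEM', 'S-1-5-18') { $findings.Add("Task runs as '$($task.Principal.UserId)', expected SYSTEM") }
    if ($action.Execute -ne 'C:\Windows\System32\msiexec.exe') { $findings.Add("Unexpected program: $($action.Execute)") }
    if ($action.Arguments -notlike "*`"$Staged`"*") { $findings.Add("Arguments do not reference ${Staged}: $($action.Arguments)") }
    # Informational: with Alternative MSI Handling the key is stored in the task definition.
    if ($action.Arguments -match 'ACCESSKEY=') { $findings.Add("Access key is on the task command line (Alternative MSI Handling)") }
}
if ($findings.Count) { $findings } else { "OK: staged MSI and '$TaskName' match the documented settings" }
```

The hash comparison needs the VPN connected so the share is reachable; the remaining checks work offline.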