/build/static/layout/Breadcrumb_cap_w.png

GPO deployment of Flash Player and Java JRE

Sorry for putting so much into one topic, but I thought this was better than creating two different topics. I'm in the process of trying to deploy Flash Player 10 and Java JRE 1.6 to approximately 500 computers on the university campus where I work. I've been looking through the different knowledge base articles here at appdeploy.com and I've picked up a few things, but most of the stuff in the articles seems to be geared towards using SMS (or something similar) rather than regular GPO deployment.

So far, I've managed to deploy the latest Flash Player (10.something) to a test machine using the Adobe provided MSI and it appears to be working just fine. I am however worried that whenever there's a new version, users will get the "Do you want to update?" prompt even though they don't have permissions to install software. Will they? If not, I will consider the Flash part of this problem solved. If regular users will get this prompt, I need to somehow disable it. I read in the package KB for Flash Player that you can create a file called mms.cfg and place it on all computers, but that's not an option for us (GPO, not SMS). Wouldn't it be possible to disable the autoupdater by creating an MST?

Next in line is Java. I haven't tried deploying Java via GPO, but I can imagine the autoupdater will be running here as well. Has anyone got any tips on how to disable it when deploying via GPO? The JRE seems to have something similar to the Flash Player called deployment.properties, but it is equally useless to us as mms.cfg is for Flash.

Any help on the subject would be much appreciated.

Is it just me or are the developers behind many of these common applications doing their very best to make life difficult for administrators? The concept of automatic updates is great, but when you have to jump through hoops to disable it, something is clearly wrong. If I was a Windows developer, I would make sure to provide my corporate users with an MSI as well as a couple of pre-created MST files with common features enabled/disabled.

Cheers,
Rickard

0 Comments   [ + ] Show comments

Answers (24)

Posted by: anonymous_9363 15 years ago
Red Belt
0
OK, but it seems that the MSI is a simple shell to a bunch of ZIP extractions and so on, and I can't imagine too much effort was extended to change that for your version. If you search for 'jqs' and come up with nothing, then my advice stands: rename the EXE or disable its start-up.
Posted by: Rickard Andersson 15 years ago
Senior Yellow Belt
0
I searched through the MSI and found something that might be of interest. In the CustomAction table, I found "UninstallJQS" with a target of "MSIUninstallJQS". In the InstallExecuteSequence, I found "UninstallJQS" with Condition set to MODE="U". Additionally, there are a few entries in the RemoveFile table, but I'm not sure they're of any interest.

Does this help me? If not, how would I rename the file? Do you mean rename it in the cab file (Data1.cab)?
Posted by: anonymous_9363 15 years ago
Red Belt
0
That's convenient! :)

I have no clue what that MODE property is about but I don't think there's any reason why you couldn't use a CA which calls that function in exactly the same way as the 'UninstallJQS' CA does.

Try creating a CA called, say, 'ForceUninstallJQS' as near the end of the Execute sequence as you can.and with more or less the same parameters except for the condition. Make the condition for 'ForceUninstallJQS' to be 'NOT Installed'.

See how that goes.
Posted by: Rickard Andersson 15 years ago
Senior Yellow Belt
0
Victory! At first, I was a bit confused by what you said, "as near the end of the Execute sequence as you can", but then I realized after getting MSI error 2762 that it needed to be placed before InstallFinalize in the sequence. So I did (right before InstallFinalize) and now it works beautifully. Everything works and the Quick Starter service is nowhere to be found. Thanks a bunch!

Now I'm moving on to trying to uninstall and/or replace any previous versions of the JRE that might be installed on the machine. I hope this is doable even though any previous versions will have been installed "manually" rather than via GPO.
Posted by: anonymous_9363 15 years ago
Red Belt
0
It's a good feeling when you achieve something like this for the first time, isn't it? I'm glad you worked out what I meant: I deliberately avoided spoon-feeding you the answer. Well done.

While on the subject of JRE, there are a few apps/set-up routines which will whine that they require an explicit version of JRE. That is, say your machine has 1.6.0_04 but the app wants 1.6.0_10. No-one really wants every JRE flavour ever created cluttering up their workstations so what I do is create 'ghosted' entries for the required flavour from teh flavour that I have. Indeed, I built a script to do it for me. So, it takes the junk under HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\1.6 and HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_04 and copies whatever it finds in there to (in my example) HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_10. I have yet to encounter any app which failed to work with my ghosted set-up.

The same principal can be applied to installation packages which insist on a specific JRE version before installing. Install the closest JRE you can find and just 'ghost' it.

Lastly, having said what I have about JREs cluttering up workstations, there's no harm in leaving the older versions. I guess you could use a rule-of-thumb that, if your workstations have, say, 1.4.0_01, 1.5.6_03 and 1.6.0_04 (these are made up versions, I have no idea if they exist!) and you're about to install 1.6.0_10, you'd leave 1.4 and 1.5 and just remove 1.6.
Posted by: Rickard Andersson 15 years ago
Senior Yellow Belt
0
We've come to the conclusion that we won't attempt to uninstall any existing JRE versions. In the few cases where computers already have the JRE, we'll uninstall it manually.

Thanks again for all the help, guys.
Posted by: anonymous_9363 15 years ago
Red Belt
0
Rickard, they will indeed get prompted unless you turn updating off. Follow the instructions here on AppDeploy (in various posts and possibly in the 'Package KB'), create an MST to contain your file and registry data and add it to your GPO. What may have foxed you is that you add MSTs using the 'Modifications' tab which is the penultimate tab on the GPO's 'Properties' dialog. I'm sure I could have come up with a more confusing method...say, by naming that tab 'Transforms' or something radical like that...

As for vendors providing MSIs, developers not assuming automatic updates and so on, yeh, dream on. A great many of vendors who *do* provide MSIs can't get them right anyway and their developers will continue to assume that their clients set-ups and access rights will match theirs. If they didn't, they'd be training chimps to do what we do.
Posted by: jimmyx 15 years ago
Purple Belt
0
Hi Rickard,
Hello from a fellow GPO only university packager (SCCM coming soon I hope)!!
If only life were that simple with vendors!...Could put us all out of a job though

Info on Flash can be found here http://itninja.com/link/adobe---player-licensing

Info on the Java updater here http://itninja.com/question/automatic-update---deployment.properties-problems-with-jre-1.6.0_05&mpage=1&key=&#33415

Hope that helps
Jimmy
Posted by: Rickard Andersson 15 years ago
Senior Yellow Belt
0
Thank you both for your comments. I'm still at a loss though.

VBScab: You mentioned that I could create an MST containing my file and registry data. I was under the impression that MSTs were just modifications to the tables in an MSI. Can I include the required mms.cfg file in an MST and have it place it in the correct directory? I thought these kinds of tricks were only possible using SMS/SCCM or something similar.

jimmyx: I have read through both links from beginning to end, but I can't find anyting that helps me. The Flash link has lots of information, but as far as I can see, nothing that discusses how to remove the autoupdate using an MST only. The Java topic discusses the deployment.properties file. The second post in the topic has a tip about using a bunch of arguments to msiexec, but how would I do that using GPO?

Edit: I would like to mention that app deployment isn't what I normally do at the university, so consider me a newbie :)
Posted by: nheim 15 years ago
10th Degree Black Belt
0
Hi Rickard,
See: http://itninja.com/question/how-do-you-roll-out-new-machines?4199
There, i have described, how to include a "mms.cfg" file with a transform.

And: http://www.appdeploy.com/packages/detail.asp?id=1048
+ http://itninja.com/link/download-here
+ http://itninja.com/question/how-do-you-roll-out-new-machines?4295
This should do the trick for Java.
Regards, Nick
Posted by: Rickard Andersson 15 years ago
Senior Yellow Belt
0
You're the man, nheim! I followed your instructions for creating the cab file and the transform and it works beautifully. I was however forced to change the cabinet from #Binary.config.cab to just config.cab in the Media table in order for it to work. If I understand things correctly, the # means that it's an internal cab file (which I believe it isn't since it isn't included in the MSI) and Binary means that it resides in the Binary table (which I don't believe it does either). Please correct me if I'm wrong. Anyway, with config.cab in the Media table, it installs fine.

I'm now going to try to tackle the Java JRE using a similar method. Thanks a bunch!
Posted by: anonymous_9363 15 years ago
Red Belt
0
Nick is indeed, as you say, the man. And you're right also in saying that the hash mark indicates an internal CAB. You can only have external CABs (or files) in a transform. Hopefully it follows that you'll need to ensure that CONFIG.CAB is hosted alongside your transform or the engine won't find it at install-time.
Posted by: nheim 15 years ago
10th Degree Black Belt
0
Hi Rickard,
good to read, that you did it.
The #Binary.config.cab entry is indeed wrong, it stem from an other MST, which we are using inhouse.
I have corrected the post.
For the actual JAVA versions, the properties should do all you need.
Regards, Nick
Posted by: Rickard Andersson 15 years ago
Senior Yellow Belt
0
Thanks again Nick and VBScab. I greatly appreciate the help you guys have given me.

I have indeed made sure that config.cab is located in the same folder as the transform.

I've begun to tackle Java now and I'm halfway there I think. By only modifying the Property table using Orca, I was able to disable the automatic update feature in Java. This is great news for me, but a bit confusing since it appears there are a lot of people having problems with it. I've deployed it to a test machine and logged in as both an administrator as well as a regular user and there's no trace of jusched.exe or anything added to the registry under (HKLM...\Run). When logged in as an administrator, the update tab is viewable and automatic updates appear to be enabled, but they're not.

It would appear I really don't need to deal with deployment.properties just to disable automatic updates. However, I noticed something in this configuration file that I would like to set for all clients and that's the maximum cache size (to maybe 20MB). We use roaming profiles and are constantly trying to keep the sizes of peoples profiles down. One culprit in the past has been the Java cache. Following a tip from Spartacus, I've created a deployment.config and a deployment.properties aimed for C:\Windows\Sun\Java\Deployment\. In order to deploy this file with the MSI, I looked at the instructions by Nick for Flash and tried to apply them to the two files I needed for Java. I created the cab file and fired up Orca, but I'm stuck on what to put into the Component table. In the Flash case, I added a row with the KeyPath set to mms_cfg, but now I have two files. Does that mean I need to add two rows to the Component table even though the two files are in the same cab? If not, what should I put in KeyPath?

Also, the directory in which I want the files placed don't seem to appear in the Directory table. How would I add an entry for C:\Windows\Sun\Java\Deployment\ to the Directory table?
Posted by: nheim 15 years ago
10th Degree Black Belt
0
Hi Rickard,
one component will do, as long as the the files go to the same directory.
Just point both entries in the file table to the same component and you are done (only one of it will serve as component-key).
Be aware, that you have to build the path in the directory table, by yourself.
You have to add 3 lines to the directory table like this:

Sun WindowsFolder Sun
Java Sun Java
Deployment Java Deployment

This entries are case sensitive!
Good luck!
Regards, Nick
Posted by: anonymous_9363 15 years ago
Red Belt
0
ORIGINAL: Rickard Andersson
By only modifying the Property table using Orca,
PLEASE tell me that you've done that via a transform...! :)
Posted by: Rickard Andersson 15 years ago
Senior Yellow Belt
0
Nick: Thanks, I'll give it a go.

VBScab: Don't worry, it's a transform :)

Edit: Hmm. I just removed the link to the policy object from the OU for my test computer (so it would uninstall the old Java package I made) and it hangs at "Removing managed software Java(TM) 6 Update 10...". I've enabled MSI logging and will see if I can determine what the problem is that way.
Posted by: AngelD 15 years ago
Red Belt
0
Verbose logging should help you to find the issue, my guessing is a running process holding the removal.

Using DevugView to connect remotely on the machine you're trying to uninstall on will show you the log in realtime. Easier then having to either check the log through \\client\c$\windows\temp\xxxxx.log.
Posted by: Rickard Andersson 15 years ago
Senior Yellow Belt
0
This is weird. Even though I've enabled MSI logging (voicewarmupx), no log is created in WINDOWS\Temp. The uninstall just sits there for a couple of hours and then the login screen pops up. It doesn't even write anything to the event log (no application management entries). It's as if the computer is in a trans. I can connect to it remotely with DebugView and with Windows own Computer Management (to check the event log), but there's nothing to read.

This might be a fluke, so I'm gonna try it on another test machine before I dig any deeper into what's going on.
Posted by: Rickard Andersson 15 years ago
Senior Yellow Belt
0
After some digging around, I think the culprit is jqs.exe. A quick search told me that this is the "Java(TM) Quick Starter Service". When MSI ultimately realizes that the uninstall isn't working and I get the login prompt, if I login as an administrator I get a popup from "Java installation" that claims that jqs.exe needs to be shutdown for installation to proceed. If I kill it, the uninstall completes.

I think I'm going to try to get rid of the quick start service completely instead of banging my head against the wall with this issue. Any pointers on how to disable it in the transform would be appreciated. I did go through the Property table, but I can't find anything that seems to fit. I also tried disabling it in the Java control panel and then looked at the per-user deployment.properties, but couldn't find anything.

I did find this piece of information, but I have no idea how to run "jqs.exe -unregister" in an mst.
Posted by: anonymous_9363 15 years ago
Red Belt
0
ORIGINAL: Rickard Andersson
Any pointers on how to disable it in the transform would be appreciated.
Unregistering the EXE wouldn't prevent it running. I'd simply stop it being installed. Find the component which installs it and either delete it or, more cleanly, set an impossible-to-meet condition, e.g. 0=1
Posted by: Rickard Andersson 15 years ago
Senior Yellow Belt
0
I've looked around in the MSI tables for anything that could possibly prevent the Quick Starter Service from being installed, but unfortunately, I just don't have the knowledge required. Haven't any of you guys run into this new service?
Posted by: anonymous_9363 15 years ago
Red Belt
0
I just looked at my current client's JRE v1.6.04 and you're right: there's nothing obvious there. Thus, i think you'll need to build a Custom Action to 'disable' the EXE. Normally in these cases, i fight shy of deleting the file - I'd rename it instead. Alternatively, you could find out how it gets auto-started (i.e. whether there's a shortcut in the 'Startup' folder or a regsitry entry in the Windows 'Run' key) and remove that.
Posted by: Rickard Andersson 15 years ago
Senior Yellow Belt
0
Thing is, I think the Quick Starter Service was added in 1.6_10, so you wouldn't find it in 1.6_04.
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ