7.2 Using an MSI Package

You can run the installation program (setup.exe) in administrative mode to create a Windows Installer MSI package. The following sections explain how to create and distribute the MSI package.

7.2.1 Creating the MSI Package

  1. Copy the installation program, SSL certificate, and product license file to the machine you want to use to create the MSI package:

    1. Copy one of the following directories from the installation media to the target machine:

      • Windows 2000/XP Security Client: \Installs\CL

      • Windows Vista/7 Security Client: \Installs\CL_VISTA

    2. Copy the Management Service SSL certificate (ESM-MS.cer or the enterprise certificate) to the CL or CL_VISTA directory.

      If you are not using the Management Service (a non-directory service configuration), you can skip this step. In a non-directory service configuration, there is no Management Service for the Security Client to connect to and therefore no certificate.

    3. Copy the Novell license file (license.dat) to the CL or CL_VISTA directory.

      Without the license file, the Security Client is installed in 60-day evaluation mode. If the Security Client connects to a Management Service, you do not need to include the file; when it connects, it receives the license information from the Management Service. If you are not using the Management Service (a non-directory service configuration) or the Security Client does not connect to the Management Service within 60 days of installation, you need to include the license file with the installation program.

  2. Launch setup.exe using the following syntax:

    setup.exe /a /V"variables"

    For example:

    setup.exe /a /V"/qn /L*v c:\log.txt"

    The following table explains the available command line variables:

    Command Line Variable

    Description

    STDRV=stateful

    Applies only to the Windows 2000/XP Security Client.

    This option changes the default state of the NDIS driver from All Open to All Stateful. This permits all network traffic from boot time until the Security Client determines its location and applies the appropriate location policies.

    /qn

    Suppresses the typical MSI Installation process to perform a quiet installation. Forces an immediate reboot upon completion without user notification. Use the STRBR variable to stop a reboot.

    STRBR=ReallySuppress

    Does not reboot the machine after installation. The Security Client is not activated until the user (or another method) reboots the machine.

    STNMS="MS Name"

    Changes the Management Service to which the Security Client connects.

    POLICYTYPE=0

    Instructs the Security Client to attempt to authenticate through the endpoint device’s Active Directory computer account to receive computer-based policies.

    The Security Client attempts to authenticate using the computer’s Active Directory domain credentials. If authentication fails, the Security Client displays a login prompt that allows the user to select a directory service (Active Directory or eDirectory) and specify credentials.

    POLICYTYPE=1

    Instructs the Security Client to attempt to authenticate through the user’s Windows login account to receive user-based policies.

    The Security Client attempts to authenticate to Active Directory using the user’s Windows login credentials. If authentication fails, the Security Client displays a login prompt that allows the user to select a directory service (Active Directory or eDirectory) and specify credentials.

    POLICYTYPE=3

    Applies only to the Windows 2000/XP Security Client.

    Instructs the Security Client to attempt to authenticate through the user’s eDirectory user account (as supplied in the Novell Client) to receive user-based policies in Novell eDirectory. The Security Client receives its credentials from the Novell Client without prompting the user.

    In order for the Security Client to receive the user credentials from the Novell Client, the Novell Client must be a specific version. For details, see Novell TID 7005278.

    POLICYTYPE=4

    Applies only to the Windows 2000/XP Security Client.

    Instructs the Security Client to attempt to authenticate through the endpoint device’s eDirectory workstation account to receive computer-based policies. To use this option, Novell ZENworks 7 Desktop Management must be installed. For more information, see Section 2.2.4, Directory Services Requirements.

    STVA="Adapter name"

    Adds a Virtual Adapter.

    Use this option to activate policy control over a virtual adapter.

    STSESCANCEL=1

    Removes the Cancel button from the Enter Decryption Password dialog box. Removing the Cancel button forces the user to enter the decryption password.

    /L*v c:\log.txt

    Turns on logging.

    Use this option to activate logging at installation. If you do not activate logging now, you must do it later through the Security Client’s Diagnostics tools. See Using the Security Client Diagnostic Tools in the ZENworks Endpoint Security Management 4.1 Administration Guide.

  3. Complete the MSI package creation, using information from the following table. Each row of the table corresponds to one of the installation program screens that requires input.

    Installation Prompt

    Explanation

    Uninstall Password

    You can require a password to be entered when attempting to uninstall the Security Client. We recommend that you require an uninstall password and only distribute the password if necessary. This ensures that the machine’s user does not uninstall the Security Client to bypass security enforcement.

    If you want an uninstall password, select Require an uninstall password and then enter the password. Otherwise, select Do not require an uninstall password.

    Centrally Managed or Unmanaged

    A centrally managed Security Client is one that connects to the Management Service and Policy Distribution Service to receive its security policies. If this Security Client installation is centrally managed, select Managed through ESM servers.

    An unmanaged Security Client is one that receives its policies as export files from the standalone Management Console (no Management Service and Policy Distribution Service). If this Security Client installation is unmanaged, select Not connected to ESM servers (policies received as files).

    ESM Management Server

    This page is displayed only if the Security Client is centrally managed.

    Specify the fully qualified domain name (FQDN) for the server running the Management Service.

    Directory Service Configuration

    This page is displayed only if the Security Client is centrally managed and you are installing on Windows 2000 or Windows XP.

    Select the directory service (Microsoft Active Directory or Novell eDirectory) in which your user or computer account resides. This directory service will be used to assign security policies to you through the user or computer account.

    Policy Type (User or Computer/Workstation)

    This page is displayed only if the Security Client is centrally managed.

    Security policies can be published to users or computers. The Security Client needs to know which method you are using. Select the appropriate option (User Based Policy or Computer/Workstation Based Policy).

    If you selected Novell eDirectory as your directory service, you should only use Computer/Workstation based policies if the following conditions exist:

    • Your organization has Novell ZENworks 7 Desktop Management installed so that the eDirectory schema is extended to support Workstation objects.

    • Your computer has the ZENworks 7 Desktop Management Agent installed and is registered as a workstation in Novell eDirectory.

    Email/Web Notification

    If you want to receive e-mail notification if the installation fails on a machine, specify an e-mail address.

    If you want to post installation status (failed and successful) to a Web server, specify the Web server name.

    Network Location

    Specify the location for the created MSI package. Typically, this is a network location that users have access to. If necessary, you can specify a local directory and then move the MSI package to whatever location you plan to use for distribution of the package.

  4. If you haven’t done so already, click Install to create the MSI package.

    The MSI package, which is created in the location you specified, includes two components:

    • The ZENworks Security Client.msi file, which includes the installation settings and information.

    • The resource folders (Binaries, MSSoap, program files, System, and System32) that contain the installation files.

    If you move the MSI package, you need to move both components.
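
The constraints stated in the command line variable table in step 2 can be checked before setup.exe is launched. The following PowerShell sketch is an added example, not part of the Novell documentation; the function name New-EsmSetupArguments and its parameter names are hypothetical, and it covers only the variables that take no quoted value (STNMS and STVA are left out).

```powershell
# Added example: builds the /a /V"..." argument string for setup.exe and enforces
# the constraints from the command line variable table.
# New-EsmSetupArguments and its parameter names are hypothetical.
function New-EsmSetupArguments {
    param(
        [ValidateSet('CL', 'CL_VISTA')] [string] $InstallDir = 'CL_VISTA',
        [ValidateSet('0', '1', '3', '4')] [string] $PolicyType,
        [switch] $Quiet,              # /qn
        [switch] $SuppressReboot,     # STRBR=ReallySuppress
        [switch] $StatefulDriver,     # STDRV=stateful
        [switch] $NoCancelOnDecrypt,  # STSESCANCEL=1
        [string] $LogPath             # /L*v <path>
    )

    # STDRV and POLICYTYPE 3/4 apply only to the Windows 2000/XP client (\Installs\CL).
    $xpOnly = @()
    if ($StatefulDriver)                 { $xpOnly += 'STDRV=stateful' }
    if (('3', '4') -contains $PolicyType) { $xpOnly += "POLICYTYPE=$PolicyType" }
    if ($InstallDir -ne 'CL' -and $xpOnly.Count -gt 0) {
        throw "Windows 2000/XP Security Client only: $($xpOnly -join ', ')"
    }
    if ($LogPath -match '\s') {
        throw 'Log path contains whitespace; quoting inside /V is not covered by this sketch.'
    }

    $vars = @()
    if ($Quiet)             { $vars += '/qn' }
    if ($SuppressReboot)    { $vars += 'STRBR=ReallySuppress' }
    if ($StatefulDriver)    { $vars += 'STDRV=stateful' }
    if ($PolicyType)        { $vars += "POLICYTYPE=$PolicyType" }
    if ($NoCancelOnDecrypt) { $vars += 'STSESCANCEL=1' }
    if ($LogPath)           { $vars += "/L*v $LogPath" }

    # /qn forces an immediate reboot without user notification unless STRBR is set.
    if ($Quiet -and -not $SuppressReboot) {
        Write-Warning '/qn without STRBR=ReallySuppress reboots the machine immediately after installation.'
    }
    '/a /V"{0}"' -f ($vars -join ' ')
}

# Example: quiet build for the Vista/7 client, no forced reboot, verbose log.
$setupArgs = New-EsmSetupArguments -Quiet -SuppressReboot -PolicyType 1 -LogPath 'c:\log.txt'
Write-Output "setup.exe $setupArgs"
```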

7.2.2 Adding a Policy to the MSI Package

The Security Client is installed with a default policy, referred to as the resource policy. The resource policy is in effect until the Security Client receives a distributed policy. This occurs when the client connects to the ZENworks services or when you export a policy file from the standalone Management Console and manually distribute it to the client.

If you want to apply a distributed policy immediately, you can include it in the MSI package. As soon as the Security Client starts after installation, the distributed policy is applied.

  1. In the Management Console, create the policy you want to distribute with the MSI package (see Security Policies in the ZENworks Endpoint Security Management 4.1 Administration Guide for details).

  2. Export the policy, then rename the policy to policy.sen.

    The policy must be named policy.sen in order for the Security Client to accept it.

  3. Copy the policy.sen and the setup.sen files to the MSI package’s program files\Novell\ZENworks Security Client folder.

    The two new policy files replace the existing policy.sen and setup.sen files.
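
Because the package usually sits on a network location that users can reach, it is worth confirming that it is complete and recording file hashes before distribution. The following PowerShell check is an added example, not part of the Novell documentation; Test-EsmPackage, its parameters, and the sample paths are hypothetical, and it assumes PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example: verifies that an MSI package directory holds the components listed
# in section 7.2.1 and, optionally, the policy files from section 7.2.2, then writes
# a SHA-256 manifest so the distributed copy can be compared against it later.
# Test-EsmPackage and its parameter names are hypothetical.
function Test-EsmPackage {
    param(
        [Parameter(Mandatory)] [string] $PackageRoot,
        [switch] $RequirePolicy,
        [string] $ManifestPath
    )
    $missing = @()
    $msi = Join-Path $PackageRoot 'ZENworks Security Client.msi'
    if (-not (Test-Path -LiteralPath $msi -PathType Leaf)) { $missing += $msi }

    foreach ($dir in 'Binaries', 'MSSoap', 'program files', 'System', 'System32') {
        $p = Join-Path $PackageRoot $dir
        if (-not (Test-Path -LiteralPath $p -PathType Container)) { $missing += $p }
    }
    if ($RequirePolicy) {
        $clientDir = Join-Path $PackageRoot 'program files\Novell\ZENworks Security Client'
        foreach ($file in 'policy.sen', 'setup.sen') {
            $p = Join-Path $clientDir $file
            if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { $missing += $p }
        }
    }
    if ($missing.Count -gt 0) {
        $missing | ForEach-Object { Write-Warning "Missing: $_" }
        return $false
    }

    if ($ManifestPath) {
        # Relative paths keep the manifest valid after the package is moved.
        $root = (Get-Item -LiteralPath $PackageRoot).FullName.TrimEnd('\')
        Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($root.Length + 1)
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
    }
    return $true
}

# Example call; both paths are constructed placeholders.
Test-EsmPackage -PackageRoot 'D:\ESM\MSI' -RequirePolicy -ManifestPath 'D:\ESM\msi-manifest.csv'
```

Keep the manifest outside the package directory and outside the share that users can write to, so that it remains a trustworthy reference.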

7.2.3 Distributing the MSI Package

If you don’t already have a method for distributing software to machines, here are some possibilities: