From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Todd Hemsell
Sent: Saturday, May 23, 2009 11:24 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Automate SCCM Client Installation on Internet Only Clients (IBCM)
Have you had to deal with this before as a consultant? It seems like a problem without a solution.
I mean, really no way to automate the install if it is loose on the internet.
It would be like saying I want an automated install to all the list members. I mean, if they never VPN in, how would you ever even find the IP of a machine? And if you did find the machine, you could not access them.
Only solution is a management one – Management says bring your laptop in within 30 days to have client installed.
Or a virus of course.. Virus writers seem to do many things quite easily that we struggle with on a daily basis.
I mean, why can a virus get 100% coverage and the best a hot fix can get is 80% ?
(last part tongue in cheek)
From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Troy Martin
Sent: Saturday, May 23, 2009 9:34 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Automate SCCM Client Installation on Internet Only Clients (IBCM)
Aaahh…good point/catch :)
I was wrong about that. When an MSI is initiated by a user, it is executed under the privileges of the user…not LocalSystem. If LocalSystem was used by default when an MSI is installed, that would actually be a security risk.
Back to square 1…
Thanks Todd
Troy L. Martin | Senior Consultant | 1E |
Mobile: 678 898 6147 | US/Canada Toll Free: 1 866 592 4214
troy.martin@1e.com | www.1e.com
From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Todd Hemsell
Sent: Saturday, May 23, 2009 1:50 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Automate SCCM Client Installation on Internet Only Clients (IBCM)
But why is it running with more permissions than the user that launched the msi?
From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Troy Martin
Sent: Saturday, May 23, 2009 12:37 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Automate SCCM Client Installation on Internet Only Clients (IBCM)
The MSI I’m referring to is acting as a wrapper…starting the install process for everything else
MSI wrapper
· Install trusted root certificates
· Install computer’s Client Authentication cert
· Run/Execute ConfigMgr client installation
I’m thinking about the entire process…not just the ConfigMgr client install
Troy L. Martin | Senior Consultant | 1E |
Mobile: 678 898 6147 | US/Canada Toll Free: 1 866 592 4214
troy.martin@1e.com | www.1e.com
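The three wrapper steps listed in the message above, written out as an added PowerShell example that is not part of the thread. It refuses to run without an elevated token, because writing to the machine certificate stores and installing the client both require administrative rights. The file names, site code `ABC` and FQDN `ibcm.example.com` are placeholders, and `/native` is the ConfigMgr 2007 ccmsetup switch (an assumption about the version in use).

```powershell
# Added example, not from the thread. File names, site code and FQDN are placeholders.
$RootCert      = Join-Path $PSScriptRoot 'corp-root-ca.cer'
$ClientPfx     = Join-Path $PSScriptRoot 'client-auth.pfx'
$CcmSetup      = Join-Path $PSScriptRoot 'ccmsetup.exe'
$SiteCode      = 'ABC'
$InternetMP    = 'ibcm.example.com'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Guard: the LocalMachine stores and the client service need an elevated token.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    throw 'Not elevated: this run cannot write to the LocalMachine certificate stores.'
}

# Step 1: trust the issuing root CA machine-wide.
Import-Certificate -FilePath $RootCert -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Step 2: import the computer's certificate. Without -Exportable the private
# key is stored as non-exportable, so it cannot be copied off the machine later.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $ClientPfx -Password $pfxPassword `
    -CertStoreLocation Cert:\LocalMachine\My

# Stop if the certificate cannot be used for client authentication.
$ekus = $cert.Extensions |
    Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value }
if (-not $cert.HasPrivateKey -or $ekus -notcontains $ClientAuthOid) {
    throw "Certificate $($cert.Thumbprint) is not usable for client authentication."
}

# Step 3: start the ConfigMgr client install as an Internet-only client.
$ccmArgs = @('/native', "SMSSITECODE=$SiteCode", 'CCMALWAYSINF=1', "CCMHOSTNAME=$InternetMP")
Start-Process -FilePath $CcmSetup -ArgumentList $ccmArgs
```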
From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Todd Hemsell
Sent: Saturday, May 23, 2009 12:33 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Automate SCCM Client Installation on Internet Only Clients (IBCM)
Troy,
Curious about this part..
Since MSI’s run with elevated privileges, everything will be installed as LocalSystem, thereby avoiding the need for the user to be a local administrator.
You would have to deploy it as a GPO/MSI in order to get local system right? Also there is already a ccmsetup.msi file in the bin folder. Not sure if you have used it or not.
Or did I altogether miss what you were suggesting?
I read this question earlier and just thought… “It would suck to be a consultant and get asked to do this”. To me it seems almost an unsolvable issue, at least for any automated methods.
From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Chris Duszynski
Sent: Friday, May 22, 2009 8:56 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Automate SCCM Client Installation on Internet Only Clients (IBCM)
I would run this as a VB script against a collection that is laptops only
On Error Resume Next
' Create variables.
Dim newInternetBasedManagementPointFQDN
Dim client
newInternetBasedManagementPointFQDN = "<YOUR URL>"
' Create the client COM object.
Set client = CreateObject("Microsoft.SMS.Client")
' Set the Internet-based management point FQDN by calling the SetInternetManagementPointFQDN method.
client.SetInternetManagementPointFQDN newInternetBasedManagementPointFQDN
' Clear variables. The FQDN is a string, so it is reset with an empty string rather than Set ... = Nothing.
Set client = Nothing
newInternetBasedManagementPointFQDN = ""
From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Sean De Barra
Sent: Friday, May 22, 2009 1:23 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] Automate SCCM Client Installation on Internet Only Clients (IBCM)
Many thanks Troy, that’s plenty info to get me started .... I am firing up my MSI repackager as I am typing here ...
Thanks Again,
Sean.
2009/5/22 Troy Martin <Troy.Martin@1e.com>
This is a tough/real dilemma with IBCM.
My suggestion is to create an MSI installer that does the entire process for you. Create a secured website (e.g. HTTPS) allowing only Windows Authentication so that users accessing the website will be prompted for their Active Directory credentials. Once authenticated, they can then download and execute the MSI. Since MSI’s run with elevated privileges, everything will be installed as LocalSystem, thereby avoiding the need for the user to be a local administrator.
Everything is pretty standard, so no one should have any issue around security. One area of concern would be around controlling (or the lack of) the machines that the ConfigMgr client gets installed on. Ideally, you would only want this run on company owned computers…not home computers or others.
Just an idea that requires some further thought, planning and customization…I don’t know of any other methods being used to deploy to Internet-only clients, but it should work.
Troy L. Martin | Senior Consultant | 1E |
Mobile: 678 898 6147 | US/Canada Toll Free: 1 866 592 4214
troy.martin@1e.com | www.1e.com
Unfortunately not, I am looking at scripting to automate the install but I am afraid my vb skills are not up to the task. I need to automate the cert imports and the client install with the appropriate command line on clients who are not local admins ... not sure if this is possible, but I was hoping that someone here had encountered the same challenges and overcome them ...
Thanks,
Do they connect via VPN?
Hi,
I am just looking for pointers on how best to automatically deploy the SCCM Client and associated Certs to Internet Only clients once I have implemented IBCM. I have a requirement where there are a significant proportion of clients that are rarely/never on the corporate network, but we still need to somehow configure these PC's/Laptops with the SCCM Client and Certs. The PC's/Laptops owners will not be local administrators either, so I was wondering if there was a way to automate the entire process through a script, creating an exe etc ..
Any advice would be appreciated.
Thanks,
Sean.
==============
Missed an email? Check out the list archive:
http://myitforum.com/cs2/blogs/smslist/