Various methods of deploying the Altiris Agent
|Article:HOWTO4476|||||Created: 2006-08-02|||||Updated: 2006-08-29|||||Article URL http://www.symantec.com/docs/HOWTO4476|
What is the best way to deploy the Altiris Agent?
Various Methods of Deploying the Altiris Agent
The discussion continues as to the best way to deploy the Altiris Agent. This topic has been of special concern for computers running Microsoft Windows XP* that have not joined a Microsoft Domain as “Simple File Sharing” is enabled on these computers by default. This setting does not allow one to push the Altiris Agent onto such a computer and, in a small business/remote office environment, it is often not desirable or practical to deploy a computer, then send a technician on-site or require the computer owner to change this “Simple File Sharing” setting in order to push the Altiris agent to the computer.
As with most things, there is no single “best method” that covers every situation. Each deployment situation is unique with its own set of requirements and limitations. As a result, this article will not try to address the “best” method; rather, this article hopes to discuss various methods that can be used to install the Altiris agent without sending a technician on-site or requiring knowledge of the operating system by a computer’s end user. Also, it will touch on planning for future deployment of the Altiris agent. This way those managing the Altiris Notification Server implementation can choose what methods might be best for their specific environment.
Planning an Altiris Agent Deployment
When planning an Altiris agent deployment, there are at least two groups of computers to consider: the computer already deployed and in service, and those that will be deployed in the future. Although those computers that are already in service tend to be the computers of most concern, those that are yet to be deployed should not be overlooked. With a little planning, the future deployment of “Altiris Ready” computers will save considerable time and effort, especially when using such solutions as Asset Management and/or where tracking computer assets are important. The idea of a computer reporting in as soon as it connects to the network allows such tracking to occur.
In many environments, computers are “built” with a corporate software image or at least a standard base list of software before the computer is deployed to the end user. This is sometimes done by the IT group using such tools as Altiris DS or Ghost, and it may be contracted out, or sometimes it is even installed at the OEM factory before shipment to the end user. No matter the method, adding the Altiris image to this build can save considerable time and effort. The Altiris Agent can be completely preinstalled, placed in a directory with a “Run Once” operating system directive, or it can be installed by using the various scripting mechanisms available. If it is undesirable to add the Altiris Agent to the build, and a “Push” deployment is still considered the best way to install the Altiris Agent, then changing the image to disable the Simple File Sharing option should be included so that future intervention by either a technician or computer end user is not needed.
Building Computers from Scratch
If a computer image is not being utilized in a business environment, computers will need to be built from scratch by either a technician or end user.
If utilizing a technician, he or she is already working on the computer and thus bypasses the purpose of this article (the purpose again being not requiring a technician’s intervention or limiting the end users required computer knowledge). The technician could manually install the agent, disable Simple File Sharing, or utilize the methods discussed for end-user building as a procedural process of building the computer.
Having the end user build the computer also by-passes the purpose of this article. A script (electronic or printed) is probably utilized to help the end user, and this script could be modified to include the installation of the Altiris Agent or disabling Simple File Sharing. Disabling Simple File Sharing could be accomplished via the normal operating system GUI, or by running a simple executable that changes the registry setting.
The ability of the agent to be “Pulled” as well as “Pushed” should also be considered.
Using the “Push” or the “Pull” for in-service computers
Most people think of pushing the Agent when deploying a Notification Server environment. This is relatively simple, requires no outside intervention, and can be automated for after hours deployment. Although this is probably the method most commonly used for deploying the agent to computers already in service, it is not the only method available.
The mechanism used by the push is actually contacting the client computer and initiating a pull that requests the agent from the Notification Server. This is where Simple File Sharing setting comes in and why it is required to be disabled for a push. With Simple File Sharing enabled, the client computer still has the ability to initiate this request itself.
As a result, there are various ways to pull the agent from the Notification Server that would allow Simple File Sharing to be enabled and still install the Altiris Agent. For example:
- By utilizing e-mail, either a simple script can be e-mailed to an end user, or a Web link can be sent such that by clicking on the link or running the script, the agent can be pulled. This would require no knowledge on the end user's part, other than how to open e-mail and how to click on a link. (Instructions to do so could be included in the e-mail if needed).
- A Webpage can be set up so that by clicking a link, the Altiris Agent can be delivered to the end user. No knowledge other than how to browse a Web page and click a link would be needed. (Again instructions on how to click the link and other instructions could be included on the page.)
- If no end user intervention is desired with Simple File Sharing enabled, utilizing such tools as PSTools (found on http://www.SystemInternals.com) one should be able to remotely connect access a remote computer and initiate an Altiris Agent pull.
If a push installation is still desired, Simple File Sharing will need to be disabled. To do so without knowledge of the operating system or technician intervention, a simple executable can be delivered via website or email that resets this registry setting. A sample .VB script and executable are attached to this article.
Although Simple File Sharing must be disabled to push the Altiris agent, alternate methods to pull the Altiris agent allow Simple File Sharing to remain enabled. Also, simple scripts or executables are available to change the Registry to disable Simple File Sharing without going through the standard interface. Finally, planning future deployment of the Altiris Agent on new computers can make Simple File Sharing setting irrelevant.
Article URL http://www.symantec.com/docs/HOWTO4476