Skip to main content

Umbrella Roaming Client: GPO and SCCM Deployment in Windows Server 2003/2008/2012

Matt Prytuluk
  • Updated
  • min read

Overview

 

This article explains how to perform a distributed deployment of the Cisco Umbrella roaming client for Windows from Windows Server 2003, 2008 and 2012 using a Group Policy Object (commonly known as a GPO). There are two different deployment options which are documented and supported by Cisco Umbrella.

The first type of install, Application Install, requires using a special tool SuperORCA to edit the installer and embed the parameters for installation within the installer itself. The second type of install, Scheduled Task, requires creating a batch script to pass the installation parameters to the installer upon execution.  

Before performing a distributed installation, we recommend reading about the optional customizations available at the time of installation.

Table of Contents

Application Install (Recommended) 

Scheduled Task

 

Application Install (Recommended) GPO or SCCM

 

Using SuperOrca, you can embed the organization-specific data into the .MSI file, which allows the Roaming Client to be distributed as a standalone install file, rather than need to factor in the OrgInfo.json file as described in the Scheduled Task method.

This article outlines how to create an MSI installer for the Roaming Client with the installation command line parameters embedded in the installer.   

 

Note:

For simplicity we recommend to use SuperORCA as per the instructions in this guide.  However, the Microsoft ORCA tool can also be used - the process is similar.  If using Microsoft ORCA you must go into  'Tools > Options > Database' and select "Copy Embedded streams during save as" for this process to work.

 

SuperORCA is a standalone MSI editor that's light weight and easy to use. If you prefer using Microsoft ORCA, the instructions are basically identical.

By following the steps below, you will have a ready-to-ship Roaming Client .MSI install file named Setup.msi that can be deployed as an application.

  1. Download and install SuperOrca.
  2. Download the Umbrella roaming client for Windows.
  3. Extract the .zip file to a folder.
  4. Open SuperORCA, then click File > Open and open the Setup.msi file inside the Umbrella roaming client extracted folder.

    opensetup.png

  5. Navigate to the "Property" table within ORCA, then click Table > Add Row.

    addrow.png

  6. Add the following Properties, one at a time:
    • ORG_ID
    • USER_ID
    • ORG_FINGERPRINT
    • HIDE_UI (optional, set value to 1 to deploy without tray icon)
    • HIDE_ARP (optional, set value to 1 to deploy hidden)
      • NOTE:  These fields are case sensitive.  Make sure they are all CAPS.

    The values for these properties are found inside the OrgInfo.json file that comes with the Umbrella roaming client in the .zip file you downloaded.

    addproperty.png

    Optionally, customize Umbrella roaming client behavior and appearance by adding optional values as described in Customizing the Umbrella Roaming Client.

    It should look like this after adding all three properties and their matching values:

    after.png

  7. Navigate to File > Save As and name the file Setup_new.msi. Do not save over the existing filename as this is very likely to corrupt the MSI file!
  8. Then rename Setup.msi to Setup_old.msi, and rename Setup_new.msi to Setup.msi
    The new Setup.msi file now contains the data from OrgInfo.json; thus, you will not need to specify this information during installation.
    Note: The .msi file must be named Setup.msi to work correctly.
  9. Deploy the Umbrella roaming client using your preferred deployment method, without worrying about the command-line based parameters and values needed with the GPO/command line method.
    A Microsoft article discusses using GPO to deploy applications, which is one way you can deploy this new .MSI file. This article (3rd party) may also help troubleshoot. 
    NOTE: Additional modifications to the .MSI beyond those outlined above are not supported and could break the installer.

If you see error 1274 when installing from a shared drive:

The GPO is applying before the network share comes up to the local machine. You're seeing the issue with asynchronous policy processing.

  1. In a GPO that applies to that computer, add the following setting:
    Computer Settings > Administrative Templates > System > Logon > Always wait for the network at computer startup and logon - Enabled

    After you set that (and allow the GPO to replicate if you're in a multi-DC environment), do a "gpupdate /force /boot" on the subject PC. It will reboot and you should see the software installation occur.

    The "Always wait for the network at computer startup and logon" slightly slows down the startup and logon because all GPO extensions are allowed to process, but the upside is that all GPO extensions are allowed to process.
  2. In a Group Policy applied to these workstations, navigate to Computer Configuration > Policies > Administrative Templates > System > Group Policy.
  3. Enable the Specify startup policy processing wait time. Set Amount of time to wait (in seconds): = 120

  

Scheduled Task (will not function on Windows Server 2012 or higher)

 

 

Windows 2003

 
  1. Download the Umbrella roaming client for Windows and extract the .zip file

  2. Open Active Directory Users and Computers: Start > All Programs > Administrative Tools.

  3. Right-click the domain at the top level and choose Properties.

    properties.png

  4. Decide whether to utilize an existing GPO or create a new one, 'Edit' the desired GPO.

    gpo.png

  5. In the Group Policy Object Editor, navigate to Computer Configuration > Windows Settings > Scripts.

  6. On the right-hand side, select Startup.

  7. In the Startup Properties dialog box, click Show Files.

    showfiles.png

  8. In the window that opens, right-click and choose New > Text Document and name the file InstallUmbrella.bat.

    txt.png

  9. Right-click the InstallUmbrella.bat file and choose Edit.

    edit.png

  10. Populate the file with the following data, replacing the ORG_ID, ORG_Fingerprint and USER_ID with the values found in the OrgInfo.json file (included in the .zip file downloaded from the dashboard). Save the file when you're done.
    @ECHO OFF
    REM --- Checking for an existing installation of the Umbrella Roaming Client
    IF EXIST "C:\ProgramData\OpenDNS\ERC\OrgInfo.json" goto _End
    IF EXIST "C:\Documents and Settings\All Users\Application Data\OpenDNS\ERC\OrgInfo.json" goto _End
    REM --- Deploying… 
    msiexec /i "\\SERVER\Setup.msi" /qn ORG_ID=12345 ORG_FINGERPRINT=1234567890abcdefghijklmnopqrstuvw USER_ID=1234567
    REM --- End of Umbrella Roaming Client Deployment script
    :_End

    Note: \\SERVER\ should be replaced with the full network path to the Setup.msi file. Please make sure the share name is correct and the client computers have sufficient permissions access to the share.

  11. In the Startup Properties dialog box, click Add.

  12. In the 'Add a Script' dialog box, click Browse, select the file InstallUmbrella.bat and click Open

  13. Click OK > Apply > OK.

    This script will run on every subsequent start-up unless you remove it after the initial deployment. The script checks to ensure that the Umbrella roaming client is present and if it is, it will not be reinstalled. However, if the Umbrella roaming client was removed or does not exist, it will install it. It is safe to leave the startup script permanently in place to easily deploy to new computers joining the domain. 

    addascript.png 

 

Windows 2008

  

This article outlines the steps required to use a GPO to deploy to Windows 7 (and above) from Windows Server 2008 to do so immediately. Depending on your network, you may take steps different than those outlined to deploy to different sets of clients, such as Windows XP. 

  1. Download the Umbrella roaming client for Windows.
  2. Extract the .zip file to a folder.

The Setup.msi and OrgInfo.json files found in the Umbrella roaming client .zip file need to be copied to all target computers or placed in a network share (a UNC Path) accessible by the target computers. To share the file on your network, use the File and Storage Services role/settings or a Network Share Item to make the Setup.msi and OrgInfo.json files accessible.

To use the File and Storage Services role, add the role to the server if not already installed. Then select File Services > Share and Storage Management and from the right side, select Provision Share and share the MSI file.

Once you've placed the Setup.msi file on a network share (UNC Path) accessible by target computers (or distributed the Setup.msi file to all remote computers directly), proceed with creating the GPO.

In the Group Policy Management Console (gpmc.msc):

  1. Decide whether to utilize an existing GPO or create a new one.
  2. Right-click the chosen GPO and choose Edit. The Group Policy Management Editor (gpme) for your GPO opens.

    gpomanager.png

In the Group Policy Management Editor (gpme):

  1. Create a new Immediate Task (%GPO Name% > Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks).
  2. In the Action tab, choose Immediate Task (At Least Windows 7). If you'd like to schedule it instead, choose Scheduled Task (At Least Windows 7) and set your schedule. Next, you'll be taken to tabs outlining how to setup the task.

    newimtask.png
On the General tab:
  1. Enter a task name to identify the task easily.
  2. Click Change User or Group to select the DOMAIN\Administrator or equivalent level account that will be used When running the task.
  3. Select Run whether user is logged on or not.
  4. Check Run with highest privileges.
  5. Set Configure for to Windows 7.

    Egon.png 

 On the Actions tab:

  1. Click New.
  2. Set Action to Start a program.
  3. Under Program/script add:  
    msiexec.exe
  4. Under Add Arguments (optional) specify /i (install), then replace Share_location with the network location (UNC path) of the Setup.msi and OrgInfo.json files. (If copied to the local machine, provide the local path). For the purpose of this example screenshot, the location of the files is a server named "egon" on a share called "Share". Then specify /qn which means the end user will not be prompted to complete the installation. Remember that both Setup.msi and OrgInfo.json must be in the folder in question.
  5. /i \\ServerName\Share_Name\Setup.msi /qn
    This is also where you would want to add any Optional Parameters to change the default behavior of the Umbrella roaming client (to hide the User Interface and/or hide the Roaming Client from Add/Remove Programs).  
  6. Use exactly the same location of the Setup.msi file and OrgInfo.json file in the Start In (optional) field. If the same location is not utilized here, the installation will fail. Click OK.

    newaction.png

On the Common tab:

  1. Check Apply once and do not reapply.

    donotreapply.png
  2. Depending on your network and personal preferences, check any remaining options in remaining three tabs: Conditions, Settings, and Common. 
  3. Click OK to complete and save the task.
Force an immediate group policy update by issuing the following command on the Domain Controller's command prompt:
gpupdate /force

Once the update reaches the endpoint computers, they should begin to take action to pull down the Setup.msi/OrgInfo.json from the network share and run it according to the specified switches given earlier. 

Was this article helpful?

8 out of 11 found this helpful
Have more questions? Submit a request

Related articles