To deploy the HEIMDAL Agent through an Active Directory GPO, you need the HEIMDAL Agent MSI Installer file with the HEIMDAL license key included. You can use the Orca software to embed the HEIMDAL license key in the MSI Installer; instructions for adding a license key with Orca are covered separately.
1. Creating a Shared Folder
2. Creating a new GPO
3. Applying the GPO to the client machine
Creating a Shared Folder
1. Create a Shared Folder where the Heimdal MSI Installer will be placed.
2. Choose the people in your network you want to share this folder with and establish their permission level.
Creating a new GPO
1. On the Domain Controller, open Server Manager, click on Administrative Tools, and then on Group Policy Management.
2. Under the domain where you want to create the new GPO, select and right-click Group Policy Objects, choose New GPO and type the name of the new GPO.
3. Once created, select and right-click the newly-created GPO and open the Group Policy Management Editor. Here you can configure the deployment through Computer Configuration or through User Configuration:
a. For Computer Configuration select the following: Computer Configuration -> Policies -> Software Settings -> Software installation (right-click) / New Package / Open and select the MSI Installer. In the Deploy Software window, choose the Assigned option (this way, the installation will run without user interaction) and press OK.
The deployment settings should look like those in the snippet below:
Press OK and the GPO is now configured to install the HEIMDAL Agent.
b. For User Configuration select the following: User Configuration -> Policies -> Software Settings -> Software installation (right-click) / New Package / Open and select the MSI Installer. In the Deploy Software window, choose the Assigned option (this way, the installation will run without user interaction) and press OK.
Select the “Heimdal” package, right-click on it, select Properties, and then the Deployment tab. Select Assigned as the Deployment type and choose Install this application at logon. This way the users will have the HEIMDAL Agent installed at the next login.
After you press Apply and OK, the GPO will be configured to deploy and install the HEIMDAL Agent in your environment.
Applying the GPO to the client machine
On the client machine, you can force the application of the Group Policy Object by running the following line from Command Prompt:
gpupdate /force /boot /logoff
This should silently install the HEIMDAL Agent, and you will be able to see it in the Control Panel -> Programs and Features list once it is installed.
IMPORTANT
Deploying the HEIMDAL Agent through GPO might come with certain issues depending on the way your environment is configured. If you choose to deploy the HEIMDAL Agent using Computer Configuration, you might need to use one of the following policies:
- Computer Configuration -> Policies -> Administrative Templates -> System -> Logon -> Always wait for the network at computer startup and logon -> Enabled
- Computer Configuration -> Policies -> Administrative Templates -> System -> Group Policy -> Specify startup policy processing wait time
If the deployment does not work, you need to troubleshoot to see whether the GPO is applying on the computer or whether the application is throwing an error at installation. To see if the GPO is applying on the computer, open Command Prompt and run gpresult /r to see the status of the policy deployment.
- If the GPO is not applying, check the GPO settings in Group Policy Management on your Domain Controller;
- If the GPO is applying on the computer but the HEIMDAL Agent is not getting installed, generate a GP Report from Command Prompt by running gpresult /h C:\GPReport.html (an HTML report will be generated on the C:\ drive). The installation of the HEIMDAL Agent could be affected by the permissions of the SYSTEM user on the shared folder where the HEIMDAL MSI Installer is located. If the GP Report says that the installation source is not available, you need to check the permissions on the shared folder.
You might also need to enable inheritance on the shared folder.
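One way to check the permissions and inheritance described above from PowerShell (an added example, not part of the HEIMDAL documentation). The UNC path is a placeholder and the list of expected writers is an assumption. Over the network a client's SYSTEM account authenticates as the computer account, so the script looks for Read access granted to a principal that covers computer accounts, and it also reports anyone outside the expected administrators who could replace the package that the GPO installs.

```powershell
# Added example: audit the NTFS ACL on the MSI referenced by the software-installation GPO.
param(
    # Hypothetical UNC path; replace with the package location used in your GPO.
    [string]$MsiPath = '\\fileserver.example.local\Deploy\Heimdal.msi'
)

$fsr   = [System.Security.AccessControl.FileSystemRights]
$read  = $fsr::Read
$write = $fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
         $fsr::ChangePermissions -bor $fsr::TakeOwnership

# SIDs that include computer accounts: Everyone, Authenticated Users, Domain Computers (RID 515).
$machineSids = '^(S-1-1-0|S-1-5-11|S-1-5-21-.+-515)$'
# Assumption: only local SYSTEM, BUILTIN\Administrators and Domain Admins (RID 512)
# should be able to modify the package.
$writerSids  = '^(S-1-5-18|S-1-5-32-544|S-1-5-21-.+-512)$'

$acl = Get-Acl -LiteralPath $MsiPath
# Request SIDs instead of names so the check also works on localised systems.
# Only Allow entries are evaluated; Deny entries are not taken into account here.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.AccessControlType -eq 'Allow' }

$machineRead = $rules | Where-Object {
    $_.IdentityReference.Value -match $machineSids -and
    ($_.FileSystemRights -band $read) -eq $read
}
$otherWriters = $rules | Where-Object {
    $_.IdentityReference.Value -notmatch $writerSids -and
    [int]($_.FileSystemRights -band $write) -ne 0
}

[pscustomobject]@{
    Path               = $MsiPath
    InheritanceEnabled = -not $acl.AreAccessRulesProtected
    MachineAccountRead = [bool]$machineRead
    UnexpectedWriters  = @($otherWriters | ForEach-Object {
        # Resolve the SID to a name for the report; keep the SID if it cannot be resolved.
        try { $_.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $_.IdentityReference.Value }
    })
}
```

This covers NTFS permissions only. Share-level permissions are evaluated separately and can be listed on the file server with Get-SmbShareAccess.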