Applications; Portable vs. Installed
-
Not making business decisions of course, but when it comes to human resources side. Nobody is immune
-
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make chocolatey easier to install in multiple places is use an xml file with the apps you want for yourself or for departments. I made one for myself but I really don't use it, however I have one for a few different departments here because they some specific things and its hard to remember the install names on each. So I just carry them around on a flash drive.
I'm curious on how you set this up,.. I know I have just been using a simple batch file once the core is installed.
<?xml version="1.0" encoding="utf-8"?> <packages> <package id="googlechrome" /> <package id="firefoxesr" /> <package id="flashplayerplugin" /> <package id="adobereader" /> <package id="jre8" /> <package id="7zip.install" /> <package id="vlc" /> <package id="powershell" /> <package id="silverlight" /> <package id="quicktime" /> <package id="irfanview" /> <package id="treesizefree" /> <package id="windirstat" /> <package id="crystaldiskinfo" /> </packages> </xml>
this file is called staff.config
Then i just use:choco install d:\packages.config –y
I'll have to give that a try on my next build. neat way to address the install.
Why not utilize proper configuration management tool for that? Ansible for example works very well with Chocolatey. The above approach might sound cool, but to me it's more of a stone age way.
-
@marcinozga said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make chocolatey easier to install in multiple places is use an xml file with the apps you want for yourself or for departments. I made one for myself but I really don't use it, however I have one for a few different departments here because they some specific things and its hard to remember the install names on each. So I just carry them around on a flash drive.
I'm curious on how you set this up,.. I know I have just been using a simple batch file once the core is installed.
<?xml version="1.0" encoding="utf-8"?> <packages> <package id="googlechrome" /> <package id="firefoxesr" /> <package id="flashplayerplugin" /> <package id="adobereader" /> <package id="jre8" /> <package id="7zip.install" /> <package id="vlc" /> <package id="powershell" /> <package id="silverlight" /> <package id="quicktime" /> <package id="irfanview" /> <package id="treesizefree" /> <package id="windirstat" /> <package id="crystaldiskinfo" /> </packages> </xml>
this file is called staff.config
Then i just use:choco install d:\packages.config –y
I'll have to give that a try on my next build. neat way to address the install.
Why not utilize proper configuration management tool for that? Ansible for example works very well with Chocolatey. The above approach might sound cool, but to me it's more of a stone age way.
Not approved here. However i can use powershell all I want.
-
@jmoore said in Applications; Portable vs. Installed:
@marcinozga said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make chocolatey easier to install in multiple places is use an xml file with the apps you want for yourself or for departments. I made one for myself but I really don't use it, however I have one for a few different departments here because they some specific things and its hard to remember the install names on each. So I just carry them around on a flash drive.
I'm curious on how you set this up,.. I know I have just been using a simple batch file once the core is installed.
<?xml version="1.0" encoding="utf-8"?> <packages> <package id="googlechrome" /> <package id="firefoxesr" /> <package id="flashplayerplugin" /> <package id="adobereader" /> <package id="jre8" /> <package id="7zip.install" /> <package id="vlc" /> <package id="powershell" /> <package id="silverlight" /> <package id="quicktime" /> <package id="irfanview" /> <package id="treesizefree" /> <package id="windirstat" /> <package id="crystaldiskinfo" /> </packages> </xml>
this file is called staff.config
Then i just use:choco install d:\packages.config –y
I'll have to give that a try on my next build. neat way to address the install.
Why not utilize proper configuration management tool for that? Ansible for example works very well with Chocolatey. The above approach might sound cool, but to me it's more of a stone age way.
Not approved here. However i can use powershell all I want.
What? You have java, flash, silverlight, quicktime and adobe reader approved but configuration management tools are not? Wtf?
-
@marcinozga said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@marcinozga said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make chocolatey easier to install in multiple places is use an xml file with the apps you want for yourself or for departments. I made one for myself but I really don't use it, however I have one for a few different departments here because they some specific things and its hard to remember the install names on each. So I just carry them around on a flash drive.
I'm curious on how you set this up,.. I know I have just been using a simple batch file once the core is installed.
<?xml version="1.0" encoding="utf-8"?> <packages> <package id="googlechrome" /> <package id="firefoxesr" /> <package id="flashplayerplugin" /> <package id="adobereader" /> <package id="jre8" /> <package id="7zip.install" /> <package id="vlc" /> <package id="powershell" /> <package id="silverlight" /> <package id="quicktime" /> <package id="irfanview" /> <package id="treesizefree" /> <package id="windirstat" /> <package id="crystaldiskinfo" /> </packages> </xml>
this file is called staff.config
Then i just use:choco install d:\packages.config –y
I'll have to give that a try on my next build. neat way to address the install.
Why not utilize proper configuration management tool for that? Ansible for example works very well with Chocolatey. The above approach might sound cool, but to me it's more of a stone age way.
Not approved here. However i can use powershell all I want.
What? You have java, flash, silverlight, quicktime and adobe reader approved but configuration management tools are not? Wtf?
lol, see that other thread about where Scott and I are discussing my work. That should explain things.
-
@marcinozga said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make chocolatey easier to install in multiple places is use an xml file with the apps you want for yourself or for departments. I made one for myself but I really don't use it, however I have one for a few different departments here because they some specific things and its hard to remember the install names on each. So I just carry them around on a flash drive.
I'm curious on how you set this up,.. I know I have just been using a simple batch file once the core is installed.
<?xml version="1.0" encoding="utf-8"?> <packages> <package id="googlechrome" /> <package id="firefoxesr" /> <package id="flashplayerplugin" /> <package id="adobereader" /> <package id="jre8" /> <package id="7zip.install" /> <package id="vlc" /> <package id="powershell" /> <package id="silverlight" /> <package id="quicktime" /> <package id="irfanview" /> <package id="treesizefree" /> <package id="windirstat" /> <package id="crystaldiskinfo" /> </packages> </xml>
this file is called staff.config
Then i just use:choco install d:\packages.config –y
I'll have to give that a try on my next build. neat way to address the install.
Why not utilize proper configuration management tool for that? Ansible for example works very well with Chocolatey. The above approach might sound cool, but to me it's more of a stone age way.
Ansible - I've heard of it,.. likely read a little about it,.. but in my State Gov environment - not likely permitted. PS - yes.
that said, this thread is more of a personal nature, could I learn Ansible... maybe. It becomes a point of how many hours in the day are there to do yet one more thing. I just don't have the time - not to mention - I've never gotten into some of the more serious scripting - especially PS.
-
@gjacobse said in Applications; Portable vs. Installed:
@marcinozga said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make chocolatey easier to install in multiple places is use an xml file with the apps you want for yourself or for departments. I made one for myself but I really don't use it, however I have one for a few different departments here because they some specific things and its hard to remember the install names on each. So I just carry them around on a flash drive.
I'm curious on how you set this up,.. I know I have just been using a simple batch file once the core is installed.
<?xml version="1.0" encoding="utf-8"?> <packages> <package id="googlechrome" /> <package id="firefoxesr" /> <package id="flashplayerplugin" /> <package id="adobereader" /> <package id="jre8" /> <package id="7zip.install" /> <package id="vlc" /> <package id="powershell" /> <package id="silverlight" /> <package id="quicktime" /> <package id="irfanview" /> <package id="treesizefree" /> <package id="windirstat" /> <package id="crystaldiskinfo" /> </packages> </xml>
this file is called staff.config
Then i just use:choco install d:\packages.config –y
I'll have to give that a try on my next build. neat way to address the install.
Why not utilize proper configuration management tool for that? Ansible for example works very well with Chocolatey. The above approach might sound cool, but to me it's more of a stone age way.
Ansible - I've heard of it,.. likely read a little about it,.. but in my State Gov environment - not likely permitted. PS - yes.
that said, this thread is more of a personal nature, could I learn Ansible... maybe. It becomes a point of how many hours in the day are there to do yet one more thing. I just don't have the time - not to mention - I've never gotten into some of the more serious scripting - especially PS.
Oh - and there is the - I'm only dealing with my computers,.. so is Ansible really worth it? Do I know what's involved in getting Ansible running - no - but I can read. And I likely will do some. But if it needs a server - then no. it's is definitely not worth it for me personally.
-
@gjacobse said in Applications; Portable vs. Installed:
@marcinozga said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make chocolatey easier to install in multiple places is use an xml file with the apps you want for yourself or for departments. I made one for myself but I really don't use it, however I have one for a few different departments here because they some specific things and its hard to remember the install names on each. So I just carry them around on a flash drive.
I'm curious on how you set this up,.. I know I have just been using a simple batch file once the core is installed.
<?xml version="1.0" encoding="utf-8"?> <packages> <package id="googlechrome" /> <package id="firefoxesr" /> <package id="flashplayerplugin" /> <package id="adobereader" /> <package id="jre8" /> <package id="7zip.install" /> <package id="vlc" /> <package id="powershell" /> <package id="silverlight" /> <package id="quicktime" /> <package id="irfanview" /> <package id="treesizefree" /> <package id="windirstat" /> <package id="crystaldiskinfo" /> </packages> </xml>
this file is called staff.config
Then i just use:choco install d:\packages.config –y
I'll have to give that a try on my next build. neat way to address the install.
Why not utilize proper configuration management tool for that? Ansible for example works very well with Chocolatey. The above approach might sound cool, but to me it's more of a stone age way.
Ansible - I've heard of it,.. likely read a little about it,.. but in my State Gov environment - not likely permitted. PS - yes.
that said, this thread is more of a personal nature, could I learn Ansible... maybe. It becomes a point of how many hours in the day are there to do yet one more thing. I just don't have the time - not to mention - I've never gotten into some of the more serious scripting - especially PS.
Ansible for example allows you to skip scripting step, its syntax is just yaml. I believe Salt is the same. Chef and Puppet are much harder to learn.
-
@gjacobse said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@marcinozga said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make chocolatey easier to install in multiple places is use an xml file with the apps you want for yourself or for departments. I made one for myself but I really don't use it, however I have one for a few different departments here because they some specific things and its hard to remember the install names on each. So I just carry them around on a flash drive.
I'm curious on how you set this up,.. I know I have just been using a simple batch file once the core is installed.
<?xml version="1.0" encoding="utf-8"?> <packages> <package id="googlechrome" /> <package id="firefoxesr" /> <package id="flashplayerplugin" /> <package id="adobereader" /> <package id="jre8" /> <package id="7zip.install" /> <package id="vlc" /> <package id="powershell" /> <package id="silverlight" /> <package id="quicktime" /> <package id="irfanview" /> <package id="treesizefree" /> <package id="windirstat" /> <package id="crystaldiskinfo" /> </packages> </xml>
this file is called staff.config
Then i just use:choco install d:\packages.config –y
I'll have to give that a try on my next build. neat way to address the install.
Why not utilize proper configuration management tool for that? Ansible for example works very well with Chocolatey. The above approach might sound cool, but to me it's more of a stone age way.
Ansible - I've heard of it,.. likely read a little about it,.. but in my State Gov environment - not likely permitted. PS - yes.
that said, this thread is more of a personal nature, could I learn Ansible... maybe. It becomes a point of how many hours in the day are there to do yet one more thing. I just don't have the time - not to mention - I've never gotten into some of the more serious scripting - especially PS.
Oh - and there is the - I'm only dealing with my computers,.. so is Ansible really worth it? Do I know what's involved in getting Ansible running - no - but I can read. And I likely will do some. But if it needs a server - then no. it's is definitely not worth it for me personally.
Yes, it is worth learning even just to manage single computer. Say you pc dies, once you reload OS, you'll most likely spend hours installing software and configuring it to your liking. Ansible will allow you to fire up one command, and when it's done, your pc will be where you want it to be.
-
@marcinozga said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@marcinozga said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make chocolatey easier to install in multiple places is use an xml file with the apps you want for yourself or for departments. I made one for myself but I really don't use it, however I have one for a few different departments here because they some specific things and its hard to remember the install names on each. So I just carry them around on a flash drive.
I'm curious on how you set this up,.. I know I have just been using a simple batch file once the core is installed.
<?xml version="1.0" encoding="utf-8"?> <packages> <package id="googlechrome" /> <package id="firefoxesr" /> <package id="flashplayerplugin" /> <package id="adobereader" /> <package id="jre8" /> <package id="7zip.install" /> <package id="vlc" /> <package id="powershell" /> <package id="silverlight" /> <package id="quicktime" /> <package id="irfanview" /> <package id="treesizefree" /> <package id="windirstat" /> <package id="crystaldiskinfo" /> </packages> </xml>
this file is called staff.config
Then i just use:choco install d:\packages.config –y
I'll have to give that a try on my next build. neat way to address the install.
Why not utilize proper configuration management tool for that? Ansible for example works very well with Chocolatey. The above approach might sound cool, but to me it's more of a stone age way.
Ansible - I've heard of it,.. likely read a little about it,.. but in my State Gov environment - not likely permitted. PS - yes.
that said, this thread is more of a personal nature, could I learn Ansible... maybe. It becomes a point of how many hours in the day are there to do yet one more thing. I just don't have the time - not to mention - I've never gotten into some of the more serious scripting - especially PS.
Ansible for example allows you to skip scripting step, its syntax is just yaml. I believe Salt is the same. Chef and Puppet are much harder to learn.
Things I know about;
- yaml - no
- Chef - no
- Puppet - no
- simple batch - yes
- powershell - simple things - yes
Again - here it boils down to - these are things I just don't have the time to invest into
-
@marcinozga said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@marcinozga said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make chocolatey easier to install in multiple places is use an xml file with the apps you want for yourself or for departments. I made one for myself but I really don't use it, however I have one for a few different departments here because they some specific things and its hard to remember the install names on each. So I just carry them around on a flash drive.
I'm curious on how you set this up,.. I know I have just been using a simple batch file once the core is installed.
<?xml version="1.0" encoding="utf-8"?> <packages> <package id="googlechrome" /> <package id="firefoxesr" /> <package id="flashplayerplugin" /> <package id="adobereader" /> <package id="jre8" /> <package id="7zip.install" /> <package id="vlc" /> <package id="powershell" /> <package id="silverlight" /> <package id="quicktime" /> <package id="irfanview" /> <package id="treesizefree" /> <package id="windirstat" /> <package id="crystaldiskinfo" /> </packages> </xml>
this file is called staff.config
Then i just use:choco install d:\packages.config –y
I'll have to give that a try on my next build. neat way to address the install.
Why not utilize proper configuration management tool for that? Ansible for example works very well with Chocolatey. The above approach might sound cool, but to me it's more of a stone age way.
Ansible - I've heard of it,.. likely read a little about it,.. but in my State Gov environment - not likely permitted. PS - yes.
that said, this thread is more of a personal nature, could I learn Ansible... maybe. It becomes a point of how many hours in the day are there to do yet one more thing. I just don't have the time - not to mention - I've never gotten into some of the more serious scripting - especially PS.
Oh - and there is the - I'm only dealing with my computers,.. so is Ansible really worth it? Do I know what's involved in getting Ansible running - no - but I can read. And I likely will do some. But if it needs a server - then no. it's is definitely not worth it for me personally.
Yes, it is worth learning even just to manage single computer. Say you pc dies, once you reload OS, you'll most likely spend hours installing software and configuring it to your liking. Ansible will allow you to fire up one command, and when it's done, your pc will be where you want it to be.
I do that with Chocolatey - once the agent is install, I run one simple batch file, and 20 programs are installed. I started it on the replacement PC and walked away - came back three hours later since I was tied up doing other things - with it waiting for me to move on.
-
@gjacobse said in Applications; Portable vs. Installed:
@marcinozga said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@marcinozga said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make chocolatey easier to install in multiple places is use an xml file with the apps you want for yourself or for departments. I made one for myself but I really don't use it, however I have one for a few different departments here because they some specific things and its hard to remember the install names on each. So I just carry them around on a flash drive.
I'm curious on how you set this up,.. I know I have just been using a simple batch file once the core is installed.
<?xml version="1.0" encoding="utf-8"?> <packages> <package id="googlechrome" /> <package id="firefoxesr" /> <package id="flashplayerplugin" /> <package id="adobereader" /> <package id="jre8" /> <package id="7zip.install" /> <package id="vlc" /> <package id="powershell" /> <package id="silverlight" /> <package id="quicktime" /> <package id="irfanview" /> <package id="treesizefree" /> <package id="windirstat" /> <package id="crystaldiskinfo" /> </packages> </xml>
this file is called staff.config
Then i just use:choco install d:\packages.config –y
I'll have to give that a try on my next build. neat way to address the install.
Why not utilize proper configuration management tool for that? Ansible for example works very well with Chocolatey. The above approach might sound cool, but to me it's more of a stone age way.
Ansible - I've heard of it,.. likely read a little about it,.. but in my State Gov environment - not likely permitted. PS - yes.
that said, this thread is more of a personal nature, could I learn Ansible... maybe. It becomes a point of how many hours in the day are there to do yet one more thing. I just don't have the time - not to mention - I've never gotten into some of the more serious scripting - especially PS.
Ansible for example allows you to skip scripting step, its syntax is just yaml. I believe Salt is the same. Chef and Puppet are much harder to learn.
Things I know about;
- yaml - no
- Chef - no
- Puppet - no
- simple batch - yes
- powershell - simple things - yes
Again - here it boils down to - these are things I just don't have the time to invest into
Let me show you simple playbook
--- - hosts: intel tasks: - name: Install software win_chocolatey: name: "{{ item }}" state: latest ignore_checksums: yes force: yes with_items: - intel-dsa - intel-network-drivers-win10 - intel-rst-driver - intel-proset-drivers - intel-me-drivers - intel-graphics-driver failed_when: no tags: intel - hosts: dell tasks: - name: Install software win_chocolatey: name: dell-update state: latest failed_when: no tags: dell - hosts: nvidia tasks: - name: Install software win_chocolatey: name: "{{ item }}" state: latest with_items: - gforce-game-ready-driver - disable-nvidia-telemetry - geforce-experience failed_when: no tags: nvidia
That's yaml, simple key: value pairs. And there's so much more you can do that way, not just installing software.
-
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
A big question would be... why do you want to restrict binaries from users?
Thats the sysadmin decision. He considers it a security measure and I can understand it somewhat.
Does he? Because he's not restricting them in any way, and totally okay with all the portable apps delivered in the web browser, right? So he's totally okay with them. Just confused, I'd guess.
Well, I can't presume to know his mind but hes just trying to limit the damage that can be done i suppose. I am guessing that is what he is thinking.
Is this from a government requirement? The only way to do this is checksum all of your executables. Unless you are required to do this, you're insane.
-
As has been mentioned I'm sure above (I didn't read everything). The users can create scripts which would count as portable apps and run them. This really is not a road you want to go down unless you are forced to.
-
@stacksofplates said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
A big question would be... why do you want to restrict binaries from users?
Thats the sysadmin decision. He considers it a security measure and I can understand it somewhat.
Does he? Because he's not restricting them in any way, and totally okay with all the portable apps delivered in the web browser, right? So he's totally okay with them. Just confused, I'd guess.
Well, I can't presume to know his mind but hes just trying to limit the damage that can be done i suppose. I am guessing that is what he is thinking.
Is this from a government requirement? The only way to do this is checksum all of your executables. Unless you are required to do this, you're insane.
Yes we are a 2 year college and this is what I am told.
-
@jmoore said in Applications; Portable vs. Installed:
@stacksofplates said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
A big question would be... why do you want to restrict binaries from users?
Thats the sysadmin decision. He considers it a security measure and I can understand it somewhat.
Does he? Because he's not restricting them in any way, and totally okay with all the portable apps delivered in the web browser, right? So he's totally okay with them. Just confused, I'd guess.
Well, I can't presume to know his mind but hes just trying to limit the damage that can be done i suppose. I am guessing that is what he is thinking.
Is this from a government requirement? The only way to do this is checksum all of your executables. Unless you are required to do this, you're insane.
Yes we are a 2 year college and this is what I am told.
Wait you're told it's a government requirement? If so ask for the reference. Because if you aren't 100% required to do this, you are in for pain for no reason.
I worked for a DoD contractor and we fought tooth and nail to get an exception for that.
-
On Windows I can't help you at all. I mean there's tools like CyberArk but I don't know cost or manageability. On Linux
fapolicyd
can do whitelisting. -
@stacksofplates said in Applications; Portable vs. Installed:
On Windows I can't help you at all. I mean there's tools like CyberArk but I don't know cost or manageability. On Linux
fapolicyd
can do whitelisting.Yeah we are all Windows unfortunately.
-
@jmoore said in Applications; Portable vs. Installed:
@marcinozga said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make chocolatey easier to install in multiple places is use an xml file with the apps you want for yourself or for departments. I made one for myself but I really don't use it, however I have one for a few different departments here because they some specific things and its hard to remember the install names on each. So I just carry them around on a flash drive.
I'm curious on how you set this up,.. I know I have just been using a simple batch file once the core is installed.
<?xml version="1.0" encoding="utf-8"?> <packages> <package id="googlechrome" /> <package id="firefoxesr" /> <package id="flashplayerplugin" /> <package id="adobereader" /> <package id="jre8" /> <package id="7zip.install" /> <package id="vlc" /> <package id="powershell" /> <package id="silverlight" /> <package id="quicktime" /> <package id="irfanview" /> <package id="treesizefree" /> <package id="windirstat" /> <package id="crystaldiskinfo" /> </packages> </xml>
this file is called staff.config
Then i just use:choco install d:\packages.config –y
I'll have to give that a try on my next build. neat way to address the install.
Why not utilize proper configuration management tool for that? Ansible for example works very well with Chocolatey. The above approach might sound cool, but to me it's more of a stone age way.
Not approved here. However i can use powershell all I want.
That's suicide. Are you using group policy? That's config management. These people sound like they have no idea what's going on. I would make one million percent sure this is a real government requirement, more just something some admin thinks is one. There's no way a college needs this level of hardening.
-
@stacksofplates said in Applications; Portable vs. Installed:
These people sound like they have no idea what's going on.
That was pretty much the theme of my analysis. My take is that it seems like a combination of sys admin on a power trip combined with an overall lack of general knowledge of what they are telling him to do.