Applications; Portable vs. Installed
-
@marcinozga said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@marcinozga said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make chocolatey easier to install in multiple places is use an xml file with the apps you want for yourself or for departments. I made one for myself but I really don't use it, however I have one for a few different departments here because they some specific things and its hard to remember the install names on each. So I just carry them around on a flash drive.
I'm curious on how you set this up,.. I know I have just been using a simple batch file once the core is installed.
<?xml version="1.0" encoding="utf-8"?> <packages> <package id="googlechrome" /> <package id="firefoxesr" /> <package id="flashplayerplugin" /> <package id="adobereader" /> <package id="jre8" /> <package id="7zip.install" /> <package id="vlc" /> <package id="powershell" /> <package id="silverlight" /> <package id="quicktime" /> <package id="irfanview" /> <package id="treesizefree" /> <package id="windirstat" /> <package id="crystaldiskinfo" /> </packages> </xml>
this file is called staff.config
Then i just use:choco install d:\packages.config –y
I'll have to give that a try on my next build. neat way to address the install.
Why not utilize proper configuration management tool for that? Ansible for example works very well with Chocolatey. The above approach might sound cool, but to me it's more of a stone age way.
Ansible - I've heard of it,.. likely read a little about it,.. but in my State Gov environment - not likely permitted. PS - yes.
that said, this thread is more of a personal nature, could I learn Ansible... maybe. It becomes a point of how many hours in the day are there to do yet one more thing. I just don't have the time - not to mention - I've never gotten into some of the more serious scripting - especially PS.
Oh - and there is the - I'm only dealing with my computers,.. so is Ansible really worth it? Do I know what's involved in getting Ansible running - no - but I can read. And I likely will do some. But if it needs a server - then no. it's is definitely not worth it for me personally.
Yes, it is worth learning even just to manage single computer. Say you pc dies, once you reload OS, you'll most likely spend hours installing software and configuring it to your liking. Ansible will allow you to fire up one command, and when it's done, your pc will be where you want it to be.
I do that with Chocolatey - once the agent is install, I run one simple batch file, and 20 programs are installed. I started it on the replacement PC and walked away - came back three hours later since I was tied up doing other things - with it waiting for me to move on.
-
@gjacobse said in Applications; Portable vs. Installed:
@marcinozga said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@marcinozga said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make chocolatey easier to install in multiple places is use an xml file with the apps you want for yourself or for departments. I made one for myself but I really don't use it, however I have one for a few different departments here because they some specific things and its hard to remember the install names on each. So I just carry them around on a flash drive.
I'm curious on how you set this up,.. I know I have just been using a simple batch file once the core is installed.
<?xml version="1.0" encoding="utf-8"?> <packages> <package id="googlechrome" /> <package id="firefoxesr" /> <package id="flashplayerplugin" /> <package id="adobereader" /> <package id="jre8" /> <package id="7zip.install" /> <package id="vlc" /> <package id="powershell" /> <package id="silverlight" /> <package id="quicktime" /> <package id="irfanview" /> <package id="treesizefree" /> <package id="windirstat" /> <package id="crystaldiskinfo" /> </packages> </xml>
this file is called staff.config
Then i just use:choco install d:\packages.config –y
I'll have to give that a try on my next build. neat way to address the install.
Why not utilize proper configuration management tool for that? Ansible for example works very well with Chocolatey. The above approach might sound cool, but to me it's more of a stone age way.
Ansible - I've heard of it,.. likely read a little about it,.. but in my State Gov environment - not likely permitted. PS - yes.
that said, this thread is more of a personal nature, could I learn Ansible... maybe. It becomes a point of how many hours in the day are there to do yet one more thing. I just don't have the time - not to mention - I've never gotten into some of the more serious scripting - especially PS.
Ansible for example allows you to skip scripting step, its syntax is just yaml. I believe Salt is the same. Chef and Puppet are much harder to learn.
Things I know about;
- yaml - no
- Chef - no
- Puppet - no
- simple batch - yes
- powershell - simple things - yes
Again - here it boils down to - these are things I just don't have the time to invest into
Let me show you simple playbook
--- - hosts: intel tasks: - name: Install software win_chocolatey: name: "{{ item }}" state: latest ignore_checksums: yes force: yes with_items: - intel-dsa - intel-network-drivers-win10 - intel-rst-driver - intel-proset-drivers - intel-me-drivers - intel-graphics-driver failed_when: no tags: intel - hosts: dell tasks: - name: Install software win_chocolatey: name: dell-update state: latest failed_when: no tags: dell - hosts: nvidia tasks: - name: Install software win_chocolatey: name: "{{ item }}" state: latest with_items: - gforce-game-ready-driver - disable-nvidia-telemetry - geforce-experience failed_when: no tags: nvidia
That's yaml, simple key: value pairs. And there's so much more you can do that way, not just installing software.
-
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
A big question would be... why do you want to restrict binaries from users?
Thats the sysadmin decision. He considers it a security measure and I can understand it somewhat.
Does he? Because he's not restricting them in any way, and totally okay with all the portable apps delivered in the web browser, right? So he's totally okay with them. Just confused, I'd guess.
Well, I can't presume to know his mind but hes just trying to limit the damage that can be done i suppose. I am guessing that is what he is thinking.
Is this from a government requirement? The only way to do this is checksum all of your executables. Unless you are required to do this, you're insane.
-
As has been mentioned I'm sure above (I didn't read everything). The users can create scripts which would count as portable apps and run them. This really is not a road you want to go down unless you are forced to.
-
@stacksofplates said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
A big question would be... why do you want to restrict binaries from users?
Thats the sysadmin decision. He considers it a security measure and I can understand it somewhat.
Does he? Because he's not restricting them in any way, and totally okay with all the portable apps delivered in the web browser, right? So he's totally okay with them. Just confused, I'd guess.
Well, I can't presume to know his mind but hes just trying to limit the damage that can be done i suppose. I am guessing that is what he is thinking.
Is this from a government requirement? The only way to do this is checksum all of your executables. Unless you are required to do this, you're insane.
Yes we are a 2 year college and this is what I am told.
-
@jmoore said in Applications; Portable vs. Installed:
@stacksofplates said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
A big question would be... why do you want to restrict binaries from users?
Thats the sysadmin decision. He considers it a security measure and I can understand it somewhat.
Does he? Because he's not restricting them in any way, and totally okay with all the portable apps delivered in the web browser, right? So he's totally okay with them. Just confused, I'd guess.
Well, I can't presume to know his mind but hes just trying to limit the damage that can be done i suppose. I am guessing that is what he is thinking.
Is this from a government requirement? The only way to do this is checksum all of your executables. Unless you are required to do this, you're insane.
Yes we are a 2 year college and this is what I am told.
Wait you're told it's a government requirement? If so ask for the reference. Because if you aren't 100% required to do this, you are in for pain for no reason.
I worked for a DoD contractor and we fought tooth and nail to get an exception for that.
-
On Windows I can't help you at all. I mean there's tools like CyberArk but I don't know cost or manageability. On Linux
fapolicyd
can do whitelisting. -
@stacksofplates said in Applications; Portable vs. Installed:
On Windows I can't help you at all. I mean there's tools like CyberArk but I don't know cost or manageability. On Linux
fapolicyd
can do whitelisting.Yeah we are all Windows unfortunately.
-
@jmoore said in Applications; Portable vs. Installed:
@marcinozga said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make chocolatey easier to install in multiple places is use an xml file with the apps you want for yourself or for departments. I made one for myself but I really don't use it, however I have one for a few different departments here because they some specific things and its hard to remember the install names on each. So I just carry them around on a flash drive.
I'm curious on how you set this up,.. I know I have just been using a simple batch file once the core is installed.
<?xml version="1.0" encoding="utf-8"?> <packages> <package id="googlechrome" /> <package id="firefoxesr" /> <package id="flashplayerplugin" /> <package id="adobereader" /> <package id="jre8" /> <package id="7zip.install" /> <package id="vlc" /> <package id="powershell" /> <package id="silverlight" /> <package id="quicktime" /> <package id="irfanview" /> <package id="treesizefree" /> <package id="windirstat" /> <package id="crystaldiskinfo" /> </packages> </xml>
this file is called staff.config
Then i just use:choco install d:\packages.config –y
I'll have to give that a try on my next build. neat way to address the install.
Why not utilize proper configuration management tool for that? Ansible for example works very well with Chocolatey. The above approach might sound cool, but to me it's more of a stone age way.
Not approved here. However i can use powershell all I want.
That's suicide. Are you using group policy? That's config management. These people sound like they have no idea what's going on. I would make one million percent sure this is a real government requirement, more just something some admin thinks is one. There's no way a college needs this level of hardening.
-
@stacksofplates said in Applications; Portable vs. Installed:
These people sound like they have no idea what's going on.
That was pretty much the theme of my analysis. My take is that it seems like a combination of sys admin on a power trip combined with an overall lack of general knowledge of what they are telling him to do.
-
@stacksofplates said in Applications; Portable vs. Installed:
I would make one million percent sure this is a real government requirement, more just something some admin thinks is one.
I'm pretty confident that it is made up. Made up to the point of not being really plausible, hence made up by someone that didn't know enough to know what was even plausible as a requirement.
-
@scottalanmiller said in Applications; Portable vs. Installed:
@stacksofplates said in Applications; Portable vs. Installed:
I would make one million percent sure this is a real government requirement, more just something some admin thinks is one.
I'm pretty confident that it is made up. Made up to the point of not being really plausible, hence made up by someone that didn't know enough to know what was even plausible as a requirement.
Yeah I mean you can do it but you will pay for it for the rest of the time you work there. Especially if config management is "not approved".
-
Can you imagine adding/changing sha256 sums Everytime someone gets a new application or needs to run a script. And doing it by hand every single time. That would be your job day in and day out.
-
@stacksofplates said in Applications; Portable vs. Installed:
Can you imagine adding/changing sha256 sums Everytime someone gets a new application or needs to run a script. And doing it by hand every single time. That would be your job day in and day out.
And needing to do it for every new patch to every application. Eek.
-
@scottalanmiller said in Applications; Portable vs. Installed:
@stacksofplates said in Applications; Portable vs. Installed:
Can you imagine adding/changing sha256 sums Everytime someone gets a new application or needs to run a script. And doing it by hand every single time. That would be your job day in and day out.
And needing to do it for every new patch to every application. Eek.
Yup anytime there's an update to anything you would have to fix it.
-
@stacksofplates said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
@stacksofplates said in Applications; Portable vs. Installed:
Can you imagine adding/changing sha256 sums Everytime someone gets a new application or needs to run a script. And doing it by hand every single time. That would be your job day in and day out.
And needing to do it for every new patch to every application. Eek.
Yup anytime there's an update to anything you would have to fix it.
Yeah, including system updates, chocolatey updates, manual updates, apps like Chrome that update themselves. And anything on a "per user" basis might update at different times.
-
@stacksofplates said in Applications; Portable vs. Installed:
Can you imagine adding/changing sha256 sums Everytime someone gets a new application or needs to run a script. And doing it by hand every single time. That would be your job day in and day out.
It's probably not possible if change management isn't available. But you can do this with SCCM.
-
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Back in the days at my old job, we used Sophos to control those type of apps.
-
@black3dynamite said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Back in the days at my old job, we used Sophos to control those type of apps.
Sophos does so much hardware these days, I begin to forget that they used to be a desktop agent.
-
@jmoore said in Applications; Portable vs. Installed:
@stacksofplates said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
A big question would be... why do you want to restrict binaries from users?
Thats the sysadmin decision. He considers it a security measure and I can understand it somewhat.
Does he? Because he's not restricting them in any way, and totally okay with all the portable apps delivered in the web browser, right? So he's totally okay with them. Just confused, I'd guess.
Well, I can't presume to know his mind but hes just trying to limit the damage that can be done i suppose. I am guessing that is what he is thinking.
Is this from a government requirement? The only way to do this is checksum all of your executables. Unless you are required to do this, you're insane.
Yes we are a 2 year college and this is what I am told.
That's a lot to deal with for a 2 year college. I can understand the annoyances of accreditation and also following like FERPA requirements.