04-06-2020 11:47 AM - edited 04-09-2020 04:40 PM
Disclaimer: Yes, security fanatics may not approve of this (but, hey, they would probably never really approve of anything, anyway). However, for most pragmatists, this is a feasible solution with acceptable risk to an elevated credentials problem.
Cisco requires the user context for the execution of CiscoJabberSetup.msi to have local administrator privileges on the computer where it is to be installed:
This challenge has remained unchanged for many years, so it stands to reason that Cisco is not inclined to improve this installation/update approach. The usually recommended solution to apply software installation settings via a Group Policy Object (GPO) poses additional challenges:
Using a Powershell logon script GPO we can check all the boxes:
Step 1:
There are complex methods available to actually retrieve database parameter information directly from the MSI file. A much simpler method is to take advantage of Cisco's consistent use of the README_install.txt file that is part of the package. Simply searching for a pattern will get us the new version number.
Step 2:
The HKLM:\Software hive of the local registry contains a key with values for "DisplayName" and "DisplayVersion" for Cisco Jabber if it is already installed.
Step 3:
Match up the desired conditions for installation to proceed. In our case, we want an installation object with "DisplayName" equal to "Cisco Jabber" to exist. If it does exist then we want the "DisplayVersion" of that object to not be equal to the new version determined in Step 1 in order for the installation to proceed (upgrade only, no fresh install).
Step 4:
Securely storing an admin password for use on any computer in advance is the interesting part. The trick is to first create an encryption key, use that encryption key to convert the interactively retrieved password string and store it in a file, and finally to put that encrypted password file together with the key in your staging location.
Step 5:
Now the Windows Installer msiexec.exe can be launched with admin credentials. An added benefit is that we can avoid an Orca transform by providing multiple application arguments for the CiscoJabberSetup.msi file itself (in our case that's "CLEAR=1 LANGUAGE=1033 AUTOMATIC_SIGN_IN=true RESET_JABBER=1") and also for the msiexec.exe file (here we use "/passive /norestart").
Step 6:
Powershell starts a new process for this, so the script can exit without having to wait for the installation to complete.
Putting it all together:
Long-term use:
Simply overwrite your existing version of the CiscoJabberSetup.msi and README_install.txt files in your network share with the latest version you have obtained from Cisco. The next time users log on, the script will find mismatched versions and perform an upgrade. Take a quick peek at the new README_install.txt file to make sure that Cisco hasn't thrown a wrench into things - adjust the pattern and substring search (lines 17-18) if needed. This hasn't happened in a very long time but you never know.
As always, this is a best-effort document only - test and use at your own risk... free but no warranties.
I hope you find it helpful!
Matthias
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: