Matrix42 UEM Software Deployment - Best Practices

Basic software distribution options with Matrix42 UEM

• Agent based with Empirum (Windows and macOS). Favorite software distribution solution and described in this document.
  • Extensive options to control user experience and re-packaging.
  • Possibility to distribute load via local depot servers.
  • Through the Matrix42 PackageCloud with very many pre-packaged installation packages, a quick start is possible.
• Per MDM layer of the operating system with Silverback (all OS).
  • No user control of installation.
  • Limited to MSI for Windows.
  • Strengths of MDM based management are the extensive configuration of restrictions and profiles as well as the fast processing.

General

Empirum software distribution is based on prepared software packages (Empirum packages) with their installation script and the UEM Agent installed on the computers. The control of how the software is presented to the user is done in the configuration of the UEM Agent and the properties of the package in the package library in interaction with the distribution options configured during assignment. Some of the use cases described contain multiple options, each offering specific benefits, and it depends on the situation which variant is appropriate. We recommend choosing the respective default variant if possible.
This description refers to Windows computers, most statements also apply to macOS computers.

Empirum Packages

The software to be installed is prepared for automated installation using the Matrix42 Package Wizard. The source can be MSI installations or other setup routines. Alternatively, ready-prepared applications can be obtained from the Matrix42 PackageCloud.

Installation Script

Each installation is controlled by an installation script (setup.inf). The UEM Agent calls this to install, re-install and uninstall with appropriate parameters. Some control options are configured in the script. For example, whether a possibly installed previous version should be automatically uninstalled before an installation, or whether a subsequent reboot should be dynamically detected or forced.

Important properties to control the installation:

• AskUnintallOld: Decides whether to automatically uninstall the package's predecessor before installing it.
• Reboot: Decides whether the package passes to the UEM Agent depending on the installation (files could not be overwritten or MSI passes a reboot parameter), or a default to reboot after installation. The UEM Agent usually collects reboots in an installation run and will request it at the end.
• Requirements section: Determines any requirements that may not exist at installation run time. Example to determine the minimum Windows version and .Net:
  [Requirements]
  %WINDOWSVERSION% >= "6.1.1"
  GetDotNetPatchLevel ("4.7 FULL") >= "2".
  If a defined requirement is not met, the installation is aborted with an error message and error log.

Package Properties

Each package is given configurations that are important for controlling the installation. Examples include the name and version, which the UEM Agent also uses to detect whether a package is already installed. Also, any dependency on another package and the allowed operating system versions are specified in the package properties. All package properties are stored in the SwDepot.dds file on the server and interpreted by the UEM Agent.

Important package properties to control installation:

• Vendor, name and version: controls by the value in "key" the detection if the software has already been installed.
• Revision: Automatically repeats the installation on increment (Depends on the "Renew" distribution option). 
• Operating System: The UEM Agent filters out the package if the computer's operating system is not selected. This setting is also set on the tab (folder) in Software Depot and may need to be adjusted as well.
• Sequence: If a package is specified, then it will be installed before this package if both are assigned. Basically, the UEM Agent uses the order in the software library (from top to bottom) if no order is dedicated. Sequences are not mandatory - if the priority package is not assigned, it is installed anyway.
• Dependencies: Controls which requirements must be met. For example, package A must be present, or package B must not be present. With the AND/OR classes the configuration can be simplified (all versions of the .Net package into one OR class). Dependencies are mandatory and are checked before an installation.
• Advanced conditions: Flexible checks that allow or disallow execution. Contrary to the "Requirements" section in the installation scripts, the check is done before execution.

Distribution Commands

In the assignments (UEM App or Empirum Management Console), among other things, you can set options that control whether a package should be installed or uninstalled, or whether the user gets a chance to postpone the installation. Each computer's deployment commands are stored in a file named <computername>.ddc on the server and interpreted by the UEM Agent. The file contains all assigned packages with their deployment options.
Important distribution commands to control the installation:

• Install/Uninstall: The agent performs appropriate action if all checks indicate that it is necessary.
• Update: The installation is automatically repeated in case of an increased package revision.
• Always Enforce: The agent will re-do the installation on every check run (polling). Should only be needed very rarely.
• User can postpone: The user can postpone the software until the end date is reached. However, if another assigned software can no longer be postponed, the package will be installed as well.
• Optional (un-)installation: The user can postpone the software until the end date is reached. There is no forced installation if another software can no longer be moved. Ideal for Windows feature updates with multiple reboots. Once the end date is reached, the package is treated as a normally assigned package.
• Scheduler: The installation can take place at a predefined date. The user is only offered this from the start time, whereby the package is already loaded in advance into the local cache of the computer. Repeat installations are also possible. Repeat installations are forcibly performed without prompting before any other packages. 
• Hide: The user does not get to see this package even if the user query is enabled in the agent configuration. These packages are always installed before all other packages. 

UEM Agent Configuration

The UEM Agent receives all necessary information via the configuration file (Agent Template.xml) to connect to the appropriate Empirum server. In addition, it is controlled when software may be installed (maintenance time window) and whether the user is shown installation jobs and may postpone them. Basically, if the user is not logged in, the UEM Agent installs all packages waiting to be installed without prompting. A delay after computer startup can be configured. Installations are usually divided into the machine and user parts. User parts are installed or post-installed only when the user is logged in, provided that the machine-specific installation has already been performed previously.

A package is to be installed with user information.

The users should be offered the installation several days for installation before the installation is done automatically. Example: Adobe Reader is postponed for 7 days by the user and on the next day it cannot be postponed and is therefore installed.

Necessary settings and process:

• In the Agent Template the option "Show user request" is enabled.
  EMC > Configuration > Software Management > Empirum Agent > AgentUI
  
• The distribution options of the package are set to Install and User can postpone
  EMC > Management > Administration > right mouse click on a software package > distribution options.
  
• The computer is assigned and activated in the assignment group or a configuration group.
• The user is logged in.
• The user gets an installation prompt during the next UEM Agent check run (polling) and can postpone. If a package is assigned for installation at the same time but can no longer be postponed, then the Adobe package is also installed in this installation run. Alternative is to use "Optional installation" instead of "Postponable", then the package will be installed only after the set time has elapsed.

A package should be installed repeatedly without disturbing the users.

Example: Every day an inventory of all computers should take place, regardless of whether a user is logged in.

Necessary settings and procedure:

• The distribution options of the package are set to Install, Update with the Hide option.
  
• The scheduler in the deployment options is set to once per day, with the option „Perform overdue job / installation".
  
• The package is installed daily in the background after the next UEM Agent check run after the set time (here 00:00). The user is not shown an installation dialog. If no user is logged in, only "System Maintenance" is displayed in the installation status instead of the package name.

A package should not be installed if another package or .Net is not installed on the computer.

Example: Paint.net should be installed only if .Net is installed.

Necessary settings and procedure:

A package should always be installed after another specified package 

Example: Notepad++ plugins should always be installed after the Notepad++ package.

• Default variant: The installation order is always set via the order in the depot. Thus a software package, which is arranged further above, is installed before a software package arranged further down, if both are assigned. If only the software package arranged further down is assigned, this is installed. Even if an error occurs during the installation of the first software package, the second software package is installed.
• The order can be specified independently of the arrangement, also in the properties of the package. Also here no obligation exists that the software to be installed before must be assigned and/or installed.
• If a dependency is defined to a package, then this must be installed before the package. If it is not assigned, an error message occurs and the package is not installed.

A package should uninstall a possibly installed same package with lower version before installation. 

Example: Adobe Reader 16.0 should uninstall Adobe Reader 15.0 before installation.

Default procedure: In the package script, the "AskUnintallOld=1" option is set and only the new package is assigned. The UEM Agent starts the installation and the installation script will uninstall any predecessor.
Optionally, the predecessor package can be assigned with the Uninstall distribution option in addition to the new package. The UEM Agent will uninstall the older package and then install the new one.

A package is to be installed in two different versions 

Example: Office 14.0 should be installed in parallel with Office 16.0.

• Standard procedure: The previous package is already installed. In the package script, the option "AskUnintallOld=0" is set and the new and the old package are assigned. The agent starts the installation of the newer package in addition to the older package. Important: If the previous package is not yet installed, only the new package will be installed.
• Alternatively, in the case where versions can be installed in parallel as standalone software, you can adjust the package name during packaging. In this way, the UEM Agent handles the packages completely independently of each other.

A package should be updated again on all computers 

Example: A file or configuration has been changed.

• Default procedure: The revision in the installation script and in the properties of the package is incremented. All computers that have this package assigned with Install & Update or Update Only deployment options will automatically install the package in the background. Re-activation is not required.
• Alternatively, you can customize the package and use the Reinstall option on the assigned package to force a reinstall. The disadvantage is the ambiguous traceability, because the package appears the same in the log and in the inventory. The Reinstall option is available on a package or on a computer.

A package should be installed only when a user is logged in. 

This is important, for example, for software packages that contain user queries or check conditions that are only possible when a user is logged in.

• In the package properties, the installation context is set to " After user login only".

• The UEM Agent downloads the package after it is assigned and activated, but does not start the installation until a user is logged in.

A package is to be distributed to some test computers first and then rolled out further. 

Example: a new SAP client version is to be tested on some workstations first to test its smooth installation and functioning.

• Standard procedure: All computers that are to receive the new version are added to a new assignment group.
  • This group contains the new package with the Installation distribution option. Depending on the success of the tests, more computers are added. Once the package is to be rolled out completely, the old assignment of the predecessor is replaced. To do this, use the global search for software in the assignments with Multiselect and select "Replace software" and "Apply current deployment options for all packages to be replaced“.
    
    
    
• Alternative by package release: the new package is not "Rady to install" in the properties.
  
  • For all computers on which the packages that are not released for installation should still be installed, the READYTOINSTALL_TEST variable is set to 1.
     
  • Computers that have this variable configured will install any non-general shared packages that are assigned to them. For all other computers, these packages will not be written to the DDC control file and thus will not be installed.
    
  • The package is assigned to all computers that will eventually receive the package.
  • Once all tests are successful, the package is released for general installation.
  • 
  • The READYTOINSTALL_TEST variable should be enabled only for test computers or so-called early adaptors.