MSI created with MEE

[kardock]

hi all,

 

in MEE, when I create a package as a MSI file, I can associate it with a group of computers.

 

for testing purposes, I've created 2 MSI files, each one associated to a group. but if I look in the MSI file, I can't see where it is set so that when installed, the MSI (or policy) will add the pc to a given group.

 

the idea was to create an MSI package that I could have dynamic, depending on the location of the comptuer in the OU of our AD. since I can't find where this is set, I cannot edit the MSI with the settings I need.

 

if I can make this work, I would deploy this MSI with SCCM 2012, get the OU in AD where the computer is located, and install the policy associated with that OU.

 

can someone please help me regarding this?

 

thank you!

[gonzo]

When you create the MSI, you should specify a policy that will be burned into that MSI.  Don't think of the MSI as being associated with a group, think policy instead.  After you install onto an endpoint, the OU that the computer is part of is where you will find that computer in MEE.  You will probably have to do a SYNC NOW in MEE to get the newly-installed client to show up.  If you have policies that are different based on the OU, you will need the same number of MSI packages.

 

If you want to do it on the back-end instead, use a default policy in your MSI.  Use it to install on the endpoint, then SYNC NOW to get them to show up, and then change policy for newly-installed ones.  Its probably less work using the first method.

[kardock]

ok you got that half right :-)

 

yes, this is what I wish to do. but instead of having a MSI for each policy, I would like a single MSI that I could pass a variable to make it dynamic to link to the correct policy.

 

since our AD is divided into multiple OUs, I do not wish to create like 80 MSIs.

 

so, is it possible to have a single MSI that could be conditioned to be link to a given policy?

 

thank you!

[kardock]

Michael, maybe I got your answer wrong.

 

if I use a default policy into an MSI, and add AD OU as group, when I'll sync the clients, will it go in the correct OU automatically?

 

thanks!

[kardock]

I tried adding an AD OU as group, but if I create a policy for this group, I cannot create a policy and associate it to this group. the group is greyed out and if I hover my mouse on it, got the message that "you can not select this group".

 

I have no idea how to manage computers from AD and associate a policy to the correct OU.

 

thanks for any help you can bring to me.

[kardock]

OK I'm starting to put all this together. in fact, it is simpler than I thought it was.

 

one question though:

• I've created a new group from some AD OU.
• I created a policy deployed to that group.
• I've set the policy to install on new computers.
• I added a new computer to that OU
• the computer was discovered in MEE, looking good so far

but following that, the installation never happened. what am I missing?

 

thanks!

[gonzo]

MEE recognizing the computer is part of the OU is a step forward, but it sounds like the actual installation on the computer has not been done yet.  Setting the policy is not actually installing anything anywhere.  It is replacing "default" behavior characteristics in the endpoint client with characteristics that define how your endpoint's protection will respond ONCE IT HAS BEEN INSTALLED.  I don't think that last part has been done yet.  That sounds like SCCM was set up to push the MSI out to the client but was not set up to install it.

[kardock]

you are right. I thought that assiging the policy would install the client.

 

I did install it and yes, the console recognize it and I see the client in the correct OU.

 

now, if we had the ability to copy an existing policy, I would be very happy :-)

 

instead of creating like 80 policies, I would have like to copy / paste one and adjust as needed.

 

anyway, I think that all my questions are answered for now. thank you for your help!

[gonzo]

And that is (and has been) one of my bigger complaints.  It is on the list for a future release.  Its easy to not think about how long it takes to create policies when you're not the one doing it.