Auto Updates in Enterprise (Windows)


I would like to understand how enterprises update software (once deployed) across multiple machines. I have created an MSI installer using WiX for my .NET application. I am using a tool called WinSparkle to notify users that there is an update that they can install (through WinSparkle) and install it.

I am not entirely sure how to handle the updates of my software using WinSparkle in an enterprise setting where the IT admin usually handles software updates.

If anyone can point me in the right direction that would be greatly appreciated.

There is 1 best solution below


Common Methods of Enterprise Application Deployment

The most common methods of automatically distributing software to multiple Windows clients seem to be as follows:

  • group policy software installation - only works for MSI installations; coarse control; limited monitoring
  • configuration management tools (like SCCM) - these can be highly-capable and complex client-server systems that typically include OS, application, and update deployment automation and monitoring/compliance tools

Hallmarks of a Good Enterprise Application Installer

As a developer packaging applications for enterprise deployment, you should do the following to enable enterprise IT departments to deploy and manage your application:

  1. Provide a documented installation method that supports unattended installation. - If you don't do this, then every post-OS-deployment installation has to be manually installed by someone. If you have hundreds of seats deployed in an enterprise or remote offices and workers, unattended installation is the only practical method of deployment.
  2. Never require BOTH administrative privileges to install AND installation for a particular user. - If you require administrative privileges and per-user installation, you're forcing every installation to be attended by both the user (to grant write access to their profile) and an administrator (to grant write access to the system), which basically defeats any possibility of unattended installation. Installation for the system (i.e. all users) is always OK, and installation for a particular user is OK as long as no administrative privileges are required.
  3. Wherever possible, stick to pure MSI installations (as opposed to executables). - Any Windows domain is already capable of automatically deploying MSI installers.
  4. If your application has external dependencies (e.g. .NET frameworks, MSXML, etc.) that are not fulfilled out-of-the-box by every currently-supported Windows distribution, then clearly state those in the release notes (you have release notes, right?).
  5. If your application requires an administrator to perform configuration after installation, make it possible to set that configuration using group policy (like Chrome does via the Chrome group policy ADMX template) or some other centralized administrative mechanism.

Installers Should be Agnostic to Deployment Method

Windows application installers should be as agnostic as possible to how the application is deployed. Some enterprises give their users local administrator rights and let them click Next, Next, Finish on the installers themselves. Others might have administrators manually install applications. Larger enterprises most likely use a method to push applications automatically and unattended. And some even have a sort of internal app store. The point is, if you follow the practices for Windows application installation currently recommended by Microsoft, and the above hallmarks list, enterprises should have no problem installing and updating your application.

WinSparkle, etc.

As an IT admin, I am suspicious of any application that wants to auto-update. It comes down to trust: In order for an application to auto-update it requires, in general, administrative privileges. That means that anything the update application decides to install on my systems can wreak havoc on my systems. I certainly trust Microsoft products to update themselves. I probably trust Google Chrome and Firefox to update themselves. I might trust Adobe products. But I certainly would not voluntarily give any other random application ongoing administrative rights to download and install whatever it (or someone exploiting it) wants to.
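An added example, not part of the answer above or of WinSparkle itself: one way a .NET application could let an administrator turn off its WinSparkle updater through a machine-wide policy value, in the spirit of hallmark 5. The policy key path, the `DisableAutoUpdate` value name and the appcast URL are assumptions made for illustration; the `win_sparkle_*` functions are WinSparkle's C API called through P/Invoke.

```csharp
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32;

static class UpdatePolicy
{
    // Hypothetical policy location; a vendor would publish it in an ADMX template.
    const string PolicyKey = @"SOFTWARE\Policies\ExampleVendor\ExampleApp";

    // HKLM\SOFTWARE\Policies is writable only by administrators by default, so a
    // standard user cannot re-enable updates that IT has switched off.
    public static bool AutoUpdateDisabled()
    {
        // Read the 64-bit view explicitly so a 32-bit build is not redirected
        // to WOW6432Node and does not miss the value group policy wrote.
        using (var hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
        using (var key = hklm.OpenSubKey(PolicyKey))
        {
            // REG_DWORD comes back as a boxed int; a missing key or value means "not managed".
            return key?.GetValue("DisableAutoUpdate") is int v && v != 0;
        }
    }
}

static class WinSparkle
{
    [DllImport("WinSparkle.dll", CallingConvention = CallingConvention.Cdecl)]
    public static extern void win_sparkle_set_appcast_url([MarshalAs(UnmanagedType.LPStr)] string url);

    [DllImport("WinSparkle.dll", CallingConvention = CallingConvention.Cdecl)]
    public static extern void win_sparkle_init();

    [DllImport("WinSparkle.dll", CallingConvention = CallingConvention.Cdecl)]
    public static extern void win_sparkle_cleanup();
}

static class Program
{
    static void Main()
    {
        // When the policy is set, the updater is never initialised, so the
        // application makes no update checks and shows no update prompts.
        bool managed = UpdatePolicy.AutoUpdateDisabled();
        if (!managed)
        {
            // Placeholder URL; the appcast must be set before win_sparkle_init().
            WinSparkle.win_sparkle_set_appcast_url("https://updates.example.com/appcast.xml");
            WinSparkle.win_sparkle_init();
        }

        // ... run the application ...

        if (!managed) WinSparkle.win_sparkle_cleanup();
    }
}
```

With the value set on managed machines, new versions reach them only as MSI packages pushed by the administrator's own deployment tooling.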