3 Replies Latest reply on Apr 24, 2015 6:18 AM by Kenyon

    Can software distribution be setup on an http share, without granting anonymous access?

    rlattin Rookie

      I'm setting up a preferred package server and am wondering if it's possible to deploy software to our Macs using an HTTP share that does not have anonymous access turned on.  It seems like a bad practice to allow anonymous access to our entire software library.  Thanks!

        • 1. Re: Can software distribution be setup on an http share, without granting anonymous access?
          Kenyon Expert

          Yes you can set security on HTTP. When you set up the preferred server you can confirm this by performing the "Test credentials" option.

          • 2. Re: Can software distribution be setup on an http share, without granting anonymous access?
            Peter Massa Expert

            rlattin,

             

            1.  Create a new folder on your core.

            e.g. "SecureHTTP"

            2.  Open IIS Manager

            3.  Add the new folder as a virtual directory

            4.  Enable directory browsing for this directory

            5.  Add MIME types

            6.  Go create a test package pointing to this location:  http://core/securehttp/package

            7.  Now go back to IIS Manager

            8.  Select Authentication

            9.  Disable Anonymous Authentication and Enable Windows Authentication

            10. Open .NET Authorization Rules

            11.  Create an allow rule for the account that will be used to authenticate to this share

            12.  Create a deny rule for all other accounts

             

            13.  Go to your LANDESK Console

            14.  Open Tools->Distribution->Content replication / Preferred servers

            15.  Add a new source

            16.  Configure your other preferred servers to have the same .NET Authorization rules and Authentication configurations

            17.  Replicate

            18.  Deploy your package.

             

            *Note: I have found that when ever I need to add a new package I need to temporarily disable the authentication requirements above in order to generate package hashes.  This is why I had you create your package back on step 6.

             

            I have tested this with Windows clients and it does work - I am not sure about for OS X.  You will have to attempt it and let us know if this works.

             

            Otherwise the other route to go down is to create UNC based packages via the new OS X Provisioning templates in 9.6.1 - which would allow you to secure packages as well.

             

            To do this:

            1.  Open OS Provisioning

            2.  Create an empty template

            3. 

            4.  Add System migration action

            5.  Choose Map/Unmap drive

            6.  Configure UNC path and mount point - Note this uses the domain\readaccount you configured above

            7.  Now you can either copy the file over from the share to the local system or you can execute it directly from the share (emulating "run from source")

            8.

            9.  Create the execute file action

            10.  [Edit - forgot this] - Add a Unmap action for the UNC above otherwise it will stay mapped on that device

            11.  Schedule the template

            12.  Deploy your package

             

            *Note - there might be some info missing here since I just wrote this on the fly - but it should get you down the right path.

             

            Hope this helps,

            Peter