How to PowerShell App Deploy Toolkit (PSADT) with Workspace ONE

Intro

In the 2004 release, Workspace ONE UEM has added full app install deferral support for PSADT and other apps that leverage specific exit codes to indicate install “deferral”. My other post outlined a way to sort-of make it work with what was available at the time, but now that is no longer needed. This feature enables you to deploy an app wrapped in PSADT and take advantage of all of the great user experience that PSADT with the branded UI, app deferrals, and limited number of attempts.

The best thing about this is that it does NOT require the user to be an administrator. Workspace ONE is able to pass the administrative token to the process in the user context. So the user can see the popup and the install can happen properly without them needing to be a local admin. Pretty great! So let’s walk through how to set up the PowerShell App Deploy Toolkit with Workspace ONE.

How Does it Work

Workspace ONE UEM already supported custom exit codes for reboot and installer success. You can see them on the Deployment Options tab of the app:

But for Install Deferral (the app sends a specific exit code to the Workspace ONE Hub so that it can understand this was deferred and try again later), we need to configure the deferral code in a different place. This will instead go on the “Assignment” page after you upload the app. While this was built with PSADT in mind, it is by no means exclusive to it. You can write your own script and configure it to send a deferral code and it will accomplish the same thing. Let’s walk through the steps.

Create the App

  1. In your PSADT folder, select all of the content and send to zip.

    NOTE: Don’t select the top-level parent folder and zip that as it will create an additional sub-folder underneath.
  2. Upload the zip file to Workspace ONE as an app (Devices > Apps & Books > Applications > Native > Add Application)
  3. Configure as follows on each tab:
    1. Details Tab
      1. Fill out metadata as needed
      2. For “Supported architecture”: Setting to 32 bit will support both 32 and 64 bit. Setting to 64bit will be 64bit only.
    2. Files Tab
      1. App Uninstall Process
        1. Custom Script Type: Input
        2. Uninstall Command: Deploy-Application.exe -DeploymentType “Uninstall” -DeployMode “Silent”

    3. Deployment Options Tab
      1. How to Install
        1. Install Context: User (super important you put User context here otherwise you won’t see a windows and PSADT will just silently install)
        2. Install Command: Deploy-Application.exe (this just runs everything default which is “Install” and “Interactive”)
        3. Admin Privileges: Yes
        4. Device Restart: Do Not Restart
        5. Retry Count: leave default
        6. Retry Interval: leave default
        7. Install Timeout: 120 (in min). The default PSADT settings are configured to timeout after 6900 seconds (1 hr 55 min). This will enable the popup to timeout and trigger a deferral instead of a failure. Reference the AppDeployToolkit\AppDeployToolkitConfig.xml file
        8. Installer Reboot Exit Code: Leave Blank
        9. Installer Success Exit Code: Leave Blank
      2. When to call Install Complete
        1. Fill out as you need (generally use “App Exists” if the app makes a proper GUID registration.) Can use this powershell command to find it:
          get-wmiobject Win32_Product | sort name | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize

Here is my Chrome PSADT App configured:

Assign the App and Input Deferral Code

  1. Now that the app is configured, we need to set the deferral code. Click on “Save & Assign”
  2. Click on “Add Assignment”
  3. Fill out the Name and Description and then pick your Assignment Group.
  4. For App Delivery Method select per your preference as both are supported.
  5. Then enable the “Allow User Install Deferral”. You’ll notice that the “Custom” radio button is selected and greyed out. This means that only third party or custom defer solutions are supported but UEM plans to add native deferral support meaning you won’t have to wrap an app with PSADT.
  6. Select the Install Deferral Interval Time. 12 and 24 hrs are available with the 2006 release.
  7. For Install Deferral Exit Code, put “1618,60012” if you are using PSADT defaults. 1618 is for when the popup times out due to no user selection and 60012 is when the click the defer button. We want to support both codes. You can edit these codes as well in the AppDeployToolkitConfig.xml if you want to change the defaults.
  8. Display in App Catalog is optional as well.
  9. Click Create

Here is my PSADT app configured with all of the settings:

Click Save to save the assignment. Now we need to deploy to the device.

Deploy

  1. First, browse to the device details page and click on the “Apps” tab
  2. Select “PSADT Chrome Brooks” (the name of my app) and click Install
  1. After a short while, the app should download and the deferral should appear.
  1. Click defer
  2. Open up the Software Distribution registry hive and let’s take a look at the “Queue” folder (HKEY_LOCAL_MACHINE\SOFTWARE\AirWatchMDM\AppDeploymentAgent\Queue)
  3. You should see the PSASDT app with many different reg keys. Let’s take a look at the most important ones:

DeferalCurrentCount – This is how many times the app has been deferred. UEM does not limit this, but rather this is limited by PSADT. The default in PSADT is three and you must manually update the app or change the command line to increase/decrease this. PSADT tracks the deferral count under HKEY_LOCAL_MACHINE\SOFTWARE\PSAppDeployToolkit.

DeferralInterval – This is the “Installer Deferral Interval” value set on the assignment page. The amount in hours should be what the decimal value is. So for my app I set it to 24 hours and I can see the key is correctly set to 24:

Additionally, if we open up the Log reg key and copy/paste into notepad, we can also see that UEM correct received the deferral code and set the correct deferral time:

BONUS: WakeTime If you want to see when the agent is scheduled to re-run after the deferral, you can check the WakeTime reg key. This is stored as an Int64 decimal value and must be converted. So you can use a little powershell magic to convert (thanks to this blog for the easy steps). Make sure to replace the GUID at the end of the reg path with your own.

$regKey = Get-ItemProperty -Path Registry::"HKEY_LOCAL_MACHINE\SOFTWARE\AirWatchMDM\AppDeploymentAgent\Queue\{89320A3D-D4F8-4F54-AC31-56121E9E4093}"
$time = $regKey.WakeTime
[DateTime]::FromFileTime($time)

After comparing the logs with the “WakeTime” value, I can see that it is indeed 24 hours from now.

24 hours later this will rerun and then will have only 2 deferral remaining. Then this will continue until no deferrals are left (remember, this is managed by PSADT in its own reg keys) it will force the install.

Powershell App Deployment Toolkit has a bunch of other useful features including verifying a logged in user, setting a deadline, custom branding and so much more. It’s a great, free tool that greatly improves the user experience when deploying software to end users.

Share on:

9 thoughts on “How to PowerShell App Deploy Toolkit (PSADT) with Workspace ONE”

  1. Hi Brooks, this blog is great!

    It seems as though we receive PSADT errors when selecting the User context and Admin privileges like you do above. The toolkit complains that it doesn’t have admin rights to complete the task.

    I’ve attempted to run in System context and use ServiceUI.exe to display prompts to no avail.

    Any suggestions you have would be great, thanks.

    Reply
  2. We are having an issue with the deferral registry key not being set, so the app just fails to install and never sends back a deferral code and the install just quits. I have to manually push it again to reinitiate an install which the user could just defer again.

    Any idea why this would happen? It seems to be happening on a variety of machines from Azure AD to Local AD.

    Reply
      • Yes and how it is supposed to exit with the deferral code being sent back to Workspace ONE. When I check the status on some of our devices, I just see a “Installation Failed”. I talked with a few users and they are all saying they never see another prompt to install until I manually push it again.

        The manual push seems to work and now all devices are pretty much installed, but it doesn’t always seem to send back the deferral code and instead sends back a failed code.

        Reply
        • So if you look in the AppDeployToolkitConfig.xml file, you should see a section for “InstallationDefer_Exit_Code” (see step #7 on the blog ). You’ll want to make sure that code matches what you put on the defer code in Workspace ONE when you assigned it (Assignment > Distribution > Allow User Install Deferral. Then check under “Installer Defer Exist Code”).

          Reply
  3. Hello
    We try to deploy Chrome with a PSADT in a Users context without success.
    Do you have any information about a regression? (We are in 21.11)
    I saw the KB HUBW-5396 but that doesn’t seem to be our case.

    Best Regards

    Reply

Leave a Comment