App Install Deferrals (PSADT) with Workspace ONE – Tech Preview

Intro

In the 2004 release, Workspace ONE UEM has added full app install deferral support for PSADT and other apps that leverage specific exit codes to indicate install “deferral”. My other post outlined a way to sort-of make it work with what was available at the time, but now that is no longer needed. If you take a look at the 2004 release notes you’ll see this little nugget:

This is a Tech Preview feature and only can be activated in your environment by enabling the feature flag “WindowsInstallationDeferralCustomOnlyFeatureFlag”. If you are a SaaS customer, then a SaaS Ops ticket is all that is required. If you are on-prem you can enable the Feature Flag yourself or contact support. You’ll also want to make sure the following components are installed on the client:

  • Requires Hub 2004 or later to be installed
  • App Deployment Agent version 3.12.3 or higher (this is the software distribution component). You can view it on the App inventory tab on the device.

NOTE: I’ve been told that this feature will be enabled by default in the 2007 release.

How Does it Work

Workspace ONE UEM already supported custom exit codes for reboot and installer success. You can see them on the Deployment Options tab of the app:

But for Install Deferral (meaning before the script or app completes the install), we need to configure the deferral code in a different place. This will instead go on the “Assignment” page after you upload the app. While this was built with PSADT in mind, it is by no means exclusive to it. You can write your own script and configure it to send a deferral code and it will accomplish the same thing. Let’s walk through the steps.

Create the App

  1. In your PSADT folder, select all of the content and send to zip.

    NOTE: Don’t select the top-level parent folder and zip that as it will create an additional sub-folder underneath.
  2. Upload the zip file to Workspace ONE as an app (Devices > Apps & Books > Applications > Native > Add Application)
  3. Configure as follows on each tab:
    1. Details Tab
      1. Fill out metadata as needed
      2. For “Supported architecture”: Setting to 32 bit will support both 32 and 64 bit. Setting to 64bit will be 64bit only.
    2. Files Tab
      1. App Uninstall Process
        1. Custom Script Type: Input
        2. Uninstall Command: Deploy-Application.exe -DeploymentType “Uninstall” -DeployMode “Silent”

    3. Deployment Options Tab
      1. How to Install
        1. Install Context: User (super important you put User context here otherwise you won’t see a windows and PSADT will just silently install)
        2. Install Command: Deploy-Application.exe (this just runs everything default which is “Install” and “Interactive”)
        3. Admin Privileges: Yes
        4. Device Restart: Do Not Restart
        5. Retry Count: leave default
        6. Retry Interval: leave default
        7. Install Timeout: 120 (in min). The default PSADT settings are configured to timeout after 6900 seconds (1 hr 55 min). This will enable the popup to timeout and trigger a deferral instead of a failure. Reference the AppDeployToolkit\AppDeployToolkitConfig.xml file
        8. Installer Reboot Exit Code: Leave Blank
        9. Installer Success Exit Code: Leave Blank
      2. When to call Install Complete
        1. Fill out as you need (generally use “App Exists” if the app makes a proper GUID registration.) Can use this powershell command to find it:
          get-wmiobject Win32_Product | sort name | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize

Here is my Chrome PSADT App configured:

Assign the App and Input Deferral Code

  1. Now that the app is configured, we need to set the deferral code. Click on “Save & Assign”
  2. Click on “Add Assignment”
  3. Fill out the Name and Description and then pick your Assignment Group.
  4. For App Delivery Method select per your preference as both are supported.
  5. Then enable the “Allow User Install Deferral”. You’ll notice that the “Custom” radio button is selected and greyed out. This means that only third party or custom defer solutions are supported but UEM plans to add native deferral support meaning you won’t have to wrap an app with PSADT.
  6. Select the Install Deferral Interval Time. 12 and 24 hrs are available with the 2006 release.
  7. For Install Deferral Exit Code, put “1618,60012” if you are using PSADT defaults. 1618 is for when the popup times out due to no user selection and 60012 is when the click the defer button. We want to support both codes. You can edit these codes as well in the AppDeployToolkitConfig.xml if you want to change the defaults.
  8. Display in App Catalog is optional as well.
  9. Click Create

Here is my PSADT app configured with all of the settings:

Click Save to save the assignment. Now we need to deploy to the device.

Deploy

  1. First, browse to the device details page and click on the “Apps” tab
  2. Select “PSADT Chrome Brooks” (the name of my app) and click Install
  1. After a short while, the app should download and the deferral should appear.
  1. Click defer
  2. Open up the Software Distribution registry hive and let’s take a look at the “Queue” folder (HKEY_LOCAL_MACHINE\SOFTWARE\AirWatchMDM\AppDeploymentAgent\Queue)
  3. You should see the PSASDT app with many different reg keys. Let’s take a look at the most important ones:

DeferalCurrentCount – This is how many times the app has been deferred. UEM does not limit this, but rather this is limited by PSADT. The default in PSADT is three and you must manually update the app or change the command line to increase/decrease this. PSADT tracks the deferral count under HKEY_LOCAL_MACHINE\SOFTWARE\PSAppDeployToolkit.

DeferralInterval – This is the “Installer Deferral Interval” value set on the assignment page. The amount in hours should be what the decimal value is. So for my app I set it to 24 hours and I can see the key is correctly set to 24:

Additionally, if we open up the Log reg key and copy/paste into notepad, we can also see that UEM correct received the deferral code and set the correct deferral time:

BONUS: WakeTime If you want to see when the agent is scheduled to re-run after the deferral, you can check the WakeTime reg key. This is stored as an Int64 decimal value and must be converted. So you can use a little powershell magic to convert (thanks to this blog for the easy steps). Make sure to replace the GUID at the end of the reg path with your own.

$regKey = Get-ItemProperty -Path Registry::"HKEY_LOCAL_MACHINE\SOFTWARE\AirWatchMDM\AppDeploymentAgent\Queue\{89320A3D-D4F8-4F54-AC31-56121E9E4093}"
$time = $regKey.WakeTime
[DateTime]::FromFileTime($time)

After comparing the logs with the “WakeTime” value, I can see that it is indeed 24 hours from now.

24 hours later this will rerun and then will have only 2 deferral remaining. Then this will continue until no deferrals are left (remember, this is managed by PSADT in its own reg keys) it will force the install.

Powershell App Deployment Toolkit has a bunch of other useful features including verifying a logged in user, setting a deadline, custom branding and so much more. It’s a great, free tool that greatly improves the user experience when deploying software to end users.

Leave a Reply