Drew University: Computing and Network Services

eXtreme Deployment: Workstation deployment and personalization technology designed for ubiquitous computing.

In 1984, Drew University became the first liberal arts institution to provide computers to every student as part of tuition. Today, the ubiquitous computing model is in use at colleges and universities throughout the world, and Drew University is recognized as a leader in this area. Drew's development of this unique deployment technology continues this trend.

The issue

Drew University distributes over 450 computers to freshmen during a single day at the start of each academic year. In recent years, the task of configuring these computers for the students has become increasingly complex, time-consuming, and error-prone. While we have been working with our student computer vendors to deliver the computers pre-configured with a custom Drew-supplied image, this alone is insufficient to eliminate the problem, as the computers must still be customized for the individual users. Configuring a Windows portable for use on the Drew network and customizing it for the individual user consists of at least the following steps:

  • Naming the computer according to University computer naming conventions.
  • Creating the machine account and joining the computer to the campus Active Directory domain.
  • Adding the appropriate domain users as local administrators on the computer.
  • Setting unique passwords for the Administrator and other local accounts on the computers, and providing a means for those passwords to be retrieved if necessary for recovery purposes.
  • Creating a local profile for Mozilla, Drew's standard email client, and populating it with the user's settings.

In the summer of 2003, Drew began to examine ways in which parts of this process could be automated, in order to reduce support burdens and improve the out-of-box experience for students receiving their computers.

We quickly determined that asking the computer vendor to provide these services for each individual computer would be well outside of our budget. Further, the solutions offered by various commercial imaging packages, which require the ownership and customization information to be known prior to imaging, would be infeasible given our computer distribution process. Given these issues, Drew decided to develop its own post-imaging personalization technology, which we call "eXtreme Deployment."

The Technology

eXtreme Deployment is a scriptable post-imaging workstation personalization system built around a wide variety of open-source and commercial technologies. The eXtreme Deployment system consists of a deployment server and client components located on each workstation to be deployed. The deployment server and client both run on the Windows platform and use Apache/Win32 to provide HTTP services. Scripting support is provided via the PHP script engine.

Deployment Server

The deployment server is responsible for managing the deployment database and the administration of machine trust accounts in the Active Directory domain. It provides a web-based administration interface allowing administrators to create computer accounts in the domain and associate them with specific machines in the deployment database. Computers are associated with their computer accounts and with the customer information in the deployment database by the serial number and asset information stored in the SMBIOS of each client computer. The administrative interface also provides a facility for recovering local Administrator passwords which have been escrowed in the deployment database by client machines.

The deployment server also exposes an XML-RPC interface to clients. It is over this XML-RPC interface that clients request their configuration information from the deployment server, notify the deployment server of deployment activity, and store Administrator passwords to be escrowed in the deployment database. All communication between deployment clients and the deployment server is over an encrypted connection. Clients also validate the certification path of the deployment server's certificate for additional security.

The deployment server is also the machine which serves as the distribution point for digitally signed update packages for deployment client components.

Deployment Clients

The deployment client consists of a local Apache server with the PHP scripting engine that provides an HTML-based setup interface to the user. The client HTTP server is configured to listen on the loopback interface only, and an Internet Explorer browser operating in full-screen "kiosk" mode provides the setup interface to the user. The client is responsible for retrieving the computer's asset tag information from the SMBIOS and passing this information to the deployment server. The deployment server returns a configuration profile to the client, which is then used to set the computer's name, join the computer to the domain, and add the appropriate administrator users to the computer. The client is also responsible for generating an Administrator password for the machine, which is passed to the deployment server to be escrowed in encrypted form in the deployment database.

The deployment client also includes an updater component. When started, the client will contact the deployment server and check for updated packages. If updates are available, they are downloaded from the deployment server and installed. The packages are digitally signed to ensure that they are not corrupted and haven't been tampered with.
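The check the updater performs before installing a package, written here in Go as an added illustration (the eXtreme Deployment client itself is PHP, and this is not its code): the server signs each package with a private key, and the client verifies the package against a public key pinned in the client image before it will install anything. The key pair, package name and payload are constructed for the example; Ed25519 is an assumed choice, since the page does not name the signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed stand-in for a deployment-client update:
// the payload bytes plus the server's signature over the name and payload.
type UpdatePackage struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// SignPackage is what the distribution point does before publishing a package.
func SignPackage(priv ed25519.PrivateKey, name string, payload []byte) UpdatePackage {
	digest := sha256.Sum256(append([]byte(name+"\x00"), payload...))
	return UpdatePackage{Name: name, Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyPackage is the client-side check run before any package is installed.
// The trusted public key is pinned in the client image, never fetched from the server.
func VerifyPackage(pub ed25519.PublicKey, pkg UpdatePackage) error {
	digest := sha256.Sum256(append([]byte(pkg.Name+"\x00"), pkg.Payload...))
	if !ed25519.Verify(pub, digest[:], pkg.Signature) {
		return errors.New("update package rejected: signature does not match pinned key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := SignPackage(priv, "xd-client-update.zip", []byte("constructed package body"))
	fmt.Println("genuine package:", VerifyPackage(pub, pkg))
	pkg.Payload[0] ^= 0xff // a corrupted or altered download must fail verification
	fmt.Println("altered package:", VerifyPackage(pub, pkg))
}
```

Binding the package name into the signed data means a validly signed package cannot be re-labelled and served under another package's name.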

The Process

Using eXtreme Deployment technology, the process for Drew's large scale computer handout (450+ students in 5 hours) works as follows:

  1. Students arrive at computer handout and proceed through business office check in before being directed to pick up their computer.
  2. Staff members distribute computers to the students. The machines are pre-imaged by our vendor with a Drew-custom image that contains all of the Drew standard software, including the eXtreme Deployment client components. The machines are not pre-assigned to the individual students, however. At the time of handout, the serial number of the computer and the student's ID number are barcode-scanned into a custom web application which:
    • Assigns the computer to the user in our inventory tracking system.
    • Adds the machine as an asset to our helpdesk application.
    • Generates a computer name for the machine and creates the machine trust account in the campus Active Directory domain.
    • Adds the association information between the computer's serial number and its computer account to the deployment database.
    • Prints out a contract for the user to sign.
  3. When the student returns to their room, they attach their new computer to the campus network and boot it. The image that is pre-installed on the machine is configured to auto-login to a local Deploy account and begin the eXtreme Deployment process.
  4. When eXtreme Deployment starts, it updates itself to the latest version available on the deployment server. After updating, the eXtreme Deployment process opens a full-screen web-browser window directed at the local instance of Apache now running on the machine, and begins the deployment process.
  5. The client queries the SMBIOS of the machine for its asset tag information and passes this to the deployment server in an XML-RPC request. The deployment server returns a configuration profile for the computer.
  6. Based on the configuration profile, the deployment client performs the following actions:
    • Renames the computer to the name specified in the configuration profile.
    • Runs an SID generator utility to change the system's SID.
    • Prompts the user for domain credentials and then joins the computer to the campus Active Directory domain using the machine trust account that has already been created for it.
    • Adds the owner of the computer's domain user account to the local Administrators group.
    • Generates a local Administrator password and escrows this in the deployment database.
  7. After initial deployment is complete, the deployment client disables auto-login on the workstation and returns the user to a standard network login screen.
  8. When the user first logs into the workstation, a process runs which creates the user's Mozilla email profile.
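The password step in the Deployment Clients section and in step 6 above, shown as an added Go example rather than the project's own PHP: the client draws a random local Administrator password, seals it to the deployment server's escrow public key so that only the administrative recovery facility holding the private key can read it, and the serial number is bound in as the OAEP label so a sealed password cannot be filed under a different machine. RSA-OAEP, the character set and the serial number are assumptions for the example; the page does not specify how the escrowed form is encrypted.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Character set for generated local Administrator passwords (a constructed choice
// that omits easily confused glyphs such as I, l, O and 0).
const passwordAlphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%+=?"

// GeneratePassword draws each character from crypto/rand with rand.Int, so the
// password is unpredictable, unique per machine, and free of modulo bias.
func GeneratePassword(length int) (string, error) {
	out := make([]byte, length)
	n := big.NewInt(int64(len(passwordAlphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		out[i] = passwordAlphabet[idx.Int64()]
	}
	return string(out), nil
}

// EscrowPassword is the client side: seal the password to the server's escrow
// public key, with the machine serial number as the OAEP label.
func EscrowPassword(pub *rsa.PublicKey, serial, password string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), []byte(serial))
}

// RecoverPassword is the administrative recovery step; the private key never leaves the server.
func RecoverPassword(priv *rsa.PrivateKey, serial string, sealed []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealed, []byte(serial))
	return string(pt), err
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	pw, _ := GeneratePassword(16)
	sealed, _ := EscrowPassword(&priv.PublicKey, "SN-CONSTRUCTED-0001", pw)
	got, err := RecoverPassword(priv, "SN-CONSTRUCTED-0001", sealed)
	fmt.Println("recovered matches:", got == pw, err)
	_, err = RecoverPassword(priv, "SN-OTHER", sealed) // wrong machine: decryption fails
	fmt.Println("wrong serial rejected:", err != nil)
}
```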

Contacts and Availability

eXtreme Deployment technology was developed by E. Axel Larsson (elarsson@drew.edu) and Russell Sprague (rsprague@drew.edu) during the summer of 2003. We intend to package eXtreme Deployment components for general distribution. Please stay tuned to this site for updates or contact us for more information.

Copyright © 2003-2009, Drew University
Page last updated: 3 September 2003