Monday, January 17, 2011

Deploy iTunes 10.4 or 10.5 using group policy GPOs

UPDATE 10/12/2011: With yesterday's release of iTunes 10.5, iTunes no longer requires Quicktime. You can ignore all references to Quicktime below if you'll be deploying iTunes 10.5. You can still deploy Quicktime if needed in your environment, but it should be treated as a separate deployment

Original Post

Having an organization filled with iPhones, I end up managing a lot of iTunes installs. I've slowly been revoking admin privileges from users and have been providing network installation packages for most common software, but iTunes has been a bit problematic. After finding a couple of useful articles this past weekend, I decided to write my own with the steps I used to finally have a successful deployment of iTunes. The particular version of iTunes I'm deploying is, for both 32-bit and x64 Windows (XP, Vista, and 7). During the deployment I'm also stripping out Apple Software Update and Bonjour because they're not needed for anything we do.

First off, here are the helpful links I tracked down. Apple has an Enterprise Deployment guide for iPhones, which includes a little about deploying iTunes. You can find it here. I also found another paper about deploying iTunes in a corporate setting, and you can see that here. Neither included the full set of steps I needed to use, and I had to add a few of my own, so here is my own rendition of deploying iTunes.

To start you have to download iTunes, and you also need to have Orca (which you can get from here) or some other MSI editor. If you just want to deploy Quicktime the steps are very similar, but you can download the Quicktime installer. In order to use this guide, you'll also need 7-zip for extracting the .msi files from the .exe. It's not completely necessary since you can get the msi files from a temp folder, but it is quicker and 7-zip is a good tool to have anyway. From this point on I'm going to assume you have all three items downloaded, and both 7-zip and Orca installed on your machine. I'm also going to assume you're familiar with deploying software using group policy, and that you have a software deployment share setup somewhere on your network. 

1. Right-click on iTunesSetup.exe and choose 7-zip->Extract to iTunesSetup. This will extract the .exe file into a folder called iTunesSetup in the same location. This folder will contain the .msi files you will need.

2. This will extract the .exe file into a folder called iTunesSetup in the same location. This folder will contain the .msi files you will need. Go into the iTunesSetup folder

3. The only files you need are AppleApplicationSupport.msi, AppleMobileDeviceSupport.msi, Quicktime.msi, and iTunes.msi. You can keep the others or delete them, whichever is your preference. Quicktime and AppleApplicationSupport are the same for both x32 and x64, so you won't need to change these at all. However, if you'll be deploying both x32 and x64 versions, you'll want to make sure to note AppleMobileDeviceSupport.msi and iTunes.msi with which version they're for because these are different depending on your architecture. If you're only deploying Quicktime, you only need AppleApplicationSupport.msi and Quicktime.msi from the folder that you end up with.

4. Now you need to fire up Orca and edit all four .msi files to use the language you need. According to the guides I read you can do this in the GPO, but that didn't work for me so I'd suggest doing it in both places. Start Orca, then go to File->Open, and open iTunes.msi.

5. Once the .msi opens, go to View->Summary Information... This will be where you eliminate all unneeded languages

6. In the Languages box, delete all but the language you need. US English is 1033, which is the only language code I would leave in the box. To lookup other language codes, please check out this MSDN article. Use the value in the HexLCID Dec column. Once you're done click OK

7. Save the .msi file.

8. Repeat steps #4 through #7 on the remaining three .msi files (AppleApplicationSupport.msi, AppleMobileDeviceSupport.msi, and Quicktime.msi).

If you want to install Bonjour and Apple Software Update you'll want to skip down to step #12. However, I'm going to guess since you're going through the trouble of deploying this you don't need them either.

9. Reopen iTunes.msi with Orca and go to Transform->New Transform

10. In the Tables column to the left, scroll down and click on "caPackage". In the right-hand window, right-click and select Drop Row on both AppleSoftwareUpdate and Bonjour. This will put a line through them to show that they will be removed.

11. Using that same idea go to LaunchCondition and drop the row with condition NOT BNEWERPRODUCTISINSTALLED. To auto-accept the license agreement go to the Property table and change the property IAcceptLicense to Yes. Also, under the Property table change property SCHEDULE_ASUW to 0. ASUW is the Apple Software Update service, and setting it to 0 shuts that off. There are some other optional settings you can add to your iTunes transform if too if you'd like. If you do not want shortcuts added to the desktop, go into the Component table and change the condition of component iTunesDesktopShortcuts to DESKTOP_SHORTCUTS="0". That's the only other one I have, but you can search Google for more if you want to try to change other settings too.

12. Once you have your changes to the installer all set up, go to Transform->Generate Transform. Name your transform file and save it. I suggest naming it iTunes.mst and saving it in the iTunesSetup folder with all the msi files, but that's up to you.

13. Repeat steps 9, 11, and 12 (skip 10) on AppleApplicationSupport.msi and AppleMobileDeviceSupport.msi to create transforms for each of them. You only need to do the first two things from step 11 though (drop NOT BNEWERPRODUCTISINSTALLED and change IAcceptLicense to yes).

13. Now you're ready to start creating GPOs. Copy the .msi files and your .mst transform files out to your software deployment share on the network

14. Login to the computer you're going to use to create your GPOs. You'll need a separate GPO for each .msi because they need to be installed in a particular order. Go ahead and create your four GPOs now. If you don't already have it, Group Policy Management console is really useful when you have multiple policies to manage. It's also what I'll be using in the directions

15. In the iTunes GPO, add your software package making sure to select Advanced when given the Assigned, Published, or Advanced options

16. You can set the software deployment settings however you'd like, except for the following. Go to the Deployment tab and click on the Advanced button. Check the box for "Ignore language when deploying this package", and also uncheck "Make this 32-bit X86 application available to Win64 machines" (if it's there)

17. Make sure to include your transform iTunes.mst to eliminate Bonjour and Apple Software Update. You have to do this with the initial package configuration, or else you have to recreate it. Go to the Modifications tab, click Add, then browse out to your iTunes.mst file.

18. That's it for iTunes.msi, as long as you configured the other settings to however you want them. Now you have to repeat steps 14 and 15 for your other three .msi files, making sure to tell the packages to ignore the languages. For Quicktime.msi and AppleApplicationSupport.msi, leave the box checked for "Make this 32-bit X86 application available to Win64 machines" since they don't have separate x64 versions. Make sure it's unchecked though for both iTunes and AppleMobileDeviceSupport.

19. Once you have your GPOs setup all that is left is to order them properly. They must be installed in a particular order, which is:

a. AppleApplicationSupport
b. AppleMobileDeviceSupport
c. Quicktime
d. iTunes

so your group policy order should look something like this

NOTE 9/22/11: I originally had an incorrect screenshot posted, but this one is correct. The link order determines the priority of that GPO's inheritance, so when you're installing items in a particular order you want it to be setup backwards because the highest link order will be the last thing to be installed. It does not install the highest link order first. Thanks to Matthew L. Christy for pointing this out in the comments below.

That's it for the important stuff, however there are some additional notes I'd like to make because I still ran into a few issues after this point. In case you run into them as well, I'd advise you to keep reading or bookmark this article so you can come back to it later. I hope this was useful

1. Getting an iPod service error during the iTunes install seems to be normal. I have safely ignored it and have not seen any adverse effect yet

2. Each time you deploy a new version of iTunes you will need to edit the msi files for the language, just like you did in steps #4-7. If you know of a way to save the language info in a transform let me know and I'll update the instructions

3. When deploying a new version, make sure to also apply your iTunes.mst transform to the new version of iTunes. You don't have to recreate the mst file every time, at least not until Apple changes the installed format and the caPackage table disappears

4. If you run into an issue installing Quicktime thats says there's already a newer version installed I have a workaround. First make sure Quicktime isn't installed, and if it is uninstall and try again. If it isn't installed and you get the error, then check out my other article for a workaround using another transform file

5. You can assign or publish all the msi files needed to deploy iTunes. If you publish them, which is what I did, make sure your users are aware of the proper order of installation.

6. To deploy both 32-bit and x64 versions, go through the same process but include both versions of iTunes.msi and AppleMobileDeviceSupport.msi through your GPOs. Using the "Make this 32-bit X86 application available to Win64 machines" check box allows you to control which one goes to which type of machine.


Matthew L. Christy said...

One note on your GPO order-- as it's confusing.

You state that it has to be installed in a particular order:

a. AppleApplicationSupport
b. AppleMobileDeviceSupport
c. Quicktime
d. iTunes

Is that AppleApplicationSupport first? followed by AppleMobileDevice Support, followed by Quicktime, lastly followed by iTunes? If so, your GPO example is wrong.

Objects with the lowest link order number are installed last, where the objects with the highest link order are installed first. So if you're saying iTunes should be the last thing installed, it should be in position 1, not 4.

Please clarify?

rslygh said...

The order of installation is correct in your interpretation, and the GPO screenshot is wrong. I've never really thought about it since I only publish the software and don't assign it, but yes, the GPO link order would need to be backwards from the usual to force iTunes to be installed last. I'll update the screenshot and thanks for pointing that out.

Keith said...

Will you be updating this for iCloud?

rslygh said...

Hi Keith,

I wasn't planning to, but maybe at some point if I can find the time. It looks like the iCloud.exe installer includes the required .msi files, so it should be possible. Using this guide with those files should almost get you there, as long as you understand a little bit about what's going on in the guide and aren't just following the directions. I see there is a MobileMe installer tied into it as well, and I don't know if that would be required or not. If you decide to try it on your own please post back and let us know how it went. Good luck!

Wordmeister said...

You must create a new transform every time a new version is released. The transform (MST) is tied to the GUID of the MSI, which will change with each new version.

stars75238 said...

I know this is late to the conversation, but has anyone figured the best way to deploy iCloud through GPO?

rslygh said...

Sorry, but I haven't done anything with iCloud besides avoid it.

Nism0 said...

I tried this and it works perfectly for new installations but i can't make it update existing installations. Does anyone know why?

rslygh said...

How are you deploying? Published or Assigned? User or Computer? What I did is set it up as assigned and deployed by user, using a security group in AD to control who has the software deployed to them. It has been working fine for me and is also updating.

Also, make sure under the Upgrades tab you click the box that makes it required.

Anonymous said...


I have set it up but there seems to be a problem, we already have itunes installed on the client and after applying the GPo it got upgraded to the latest version. But when I went to just removed just the iTunes GPO it completely wipe itunes on the client, so I reapplied the same GPO and it has installed I think an Arabic version, I have checked and it is set to 1033 english and ignore language settings in the software deployment, what else am I doing wrong? is it some settings not applying in the transform file?



rslygh said...

That's a good question Ken, but I have no idea. I would suggest removing all the iTunes install GPOs from the machine and making sure the software is completely uninstalled, then reapply the GPOs and see how the reinstall goes.