Monday, 11 October 2010

Deploying iTunes with Group Policy and Locking Down Features

UPDATED 27-JUNE-2011 - Updated registry value table to allow disabling of Home Sharing, iTunes Update Check, First Run Welcome Screen, and Ping Social Network. See step 25. Compatible with iTunes 10.2 or higher.

I recently needed to mass deploy iTunes across a network and lock down some of the features, and it turned out to be a little more complicated than a bunch of command line switches. It's not difficult, but there is little official documentation available, so having completed the task, here is a detailed methodology for anyone out there needing to do the same thing:

A. Preparation

1. First you are going to need Orca, which is included in the Windows Installer SDK. It's not installed by default, but once the SDK is installed you should be able to find orca.msi and install it. If you can't be bothered to go through all of that, I've uploaded a copy here.

2. Download the latest version of iTunes and save the installer into a folder that is accessible (read only) by all. I have a shared folder for all my group policy deployments so I'll just put it in there, in a \Apple\iTunes\Version sub-folder.

3. Extract the iTunes installer files using WinRAR and then delete the downloaded file, SetupAdmin.exe and AppleSoftwareUpdate.msi. The remaining five .msi files are required.

B. Transforming The Installers

AppleApplicationSupport.msi does not require any modification, so I'll just move on to the other four files:

QuickTime.msi

4. Start Orca and open QuickTime.msi. Go to View -> Summary Information and remove all languages except for 1033. Click OK and then save over the original.

5. Go to Transform -> New Transform, and then make the following modifications:

- LaunchCondition -> NOT BNEWERPRODUCTISINSTALLED: Right click and drop this row.
- Property -> SCHEDULE_ASUW: Set the value to 0 (zero).
- Registry: Find the item that has QTTask.exe in the Component column and drop that row.
- Shortcut: Drop rows for QuickTimePlayer_Desktop, QuickTimeUninstaller, and QuickTimeReadMe.

6. Generate the transform (.mst file), Transform -> Generate Transform, and save it as QuickTime.mst.

iTunes.msi

9. In Orca, open the iTunes.msi file, go to View -> Summary Information and remove all languages except for 1033. Click OK and then save over the original.

10. Go to Transform -> New Transform, and then make the following modifications:

- Component -> iTunesDesktopShortcuts: set the Condition so that it reads DESKTOP_SHORTCUTS="0" (zero).
- CustomAction -> QuickTimeInstallFailed: Drop this row.
- Property -> IAcceptLicense: Set the value to Yes.
- Property -> SCHEDULE_ASUW: 0 (zero).
- Shortcut: Drop the AboutiTunes row.

11. Generate the transform (.mst file), Transform -> Generate Transform, and save it as iTunes.mst.

Bonjour.msi

12. In Orca, open the Bonjour.msi file, Go to View -> Summary Information and remove all languages except for 1033. Click OK and then save over the original.

13. Go to Transform -> New Transform, and then make the following modifications:

- Property -> IAcceptLicense: Set Value to Yes.
- LaunchCondition -> NOT BNEWERPRODUCTISINSTALLED: Drop this row.
- Shortcut -> Drop all rows.

14. Generate the transform (.mst file), Transform -> Generate Transform, and save it as Bonjour.mst.

AppleMobileDeviceSupport.msi

15. In Orca, open the AppleMobileDeviceSupport.msi file, Go to View -> Summary Information and remove all languages except for 1033. Click OK and then save over the original.

16. Go to Transform -> New Transform, and then make the following modifications:

- Property -> IAcceptLicense: Set Value to Yes.
- LaunchCondition -> NOT BNEWERPRODUCTISINSTALLED: Drop this row.

17. Generate the transform (.mst file), Transform -> Generate Transform, and save it as AppleMobileDeviceSupport.mst.

18. Close Orca.

C. Group Policy Deployment (Active Directory)

Using the Group Policy Management tool, create a new Group Policy Object (GPO) and link it to the Organisational Unit that contains the target computers. In my case I only want iTunes to go to certain machines so I also filter the object by a security group of computers. You probably already have a structure for group policy deployment and I'm not going to cover that stuff here anyway, so I'll get straight to adding each installer to the GPO.

19. Edit the Group Policy Object and expand Computer Configuration -> Policies -> Software Settings -> Software Installation.

20. Right click and select New -> Package. Browse to your deployment share and select AppleApplicationSupport.msi. Leave 'assigned' selected as the deployment method and click OK to add it to the object.

21. Add another package but this time select QuickTime.msi. Select Advanced as the deployment method and click OK. After a few moments the QuickTime Properties panel will open. Go to the Modifications tab and select Add. Pick your QuickTime.mst file and press OK to finish.

22. Repeat step 21 for iTunes.msi, Bonjour.msi and AppleMobileDeviceSupport.msi, being sure to add the correct transform file for each package.

23. Reopen the iTunes package you created, and on the Deployment tab you can tick 'Uninstall this application when it falls out of scope of management'. This is just so that iTunes can easily be removed if necessary.

D. Locking Down Features & Parental Controls

Apple provides a mechanism for locking down various parts of the software, including automatically checking for updates, parental controls and a few other things. This is all managed through a single registry key.

I prefer to use Group Policy Preferences for this sort of thing, so I have created a single registry entry in the same GPO that I am using to deploy the software. The correct location for this entry in the GPO is under Computer Configuration -> Preferences -> Windows Settings -> Registry.

24. You can add the registry key however you like, but if you are using Group Policy Preferences then create a New Registry Item and fill in the properties box with the following values:

- Hive: HKEY_LOCAL_MACHINE
- Key Path: SOFTWARE\Apple Computer, Inc.\iTunes\Parental Controls\Default
- Value name: AdminFlags (do not tick Default)
- Value type: REG_DWORD
- Value data: Please see the next step to work out your particular value.
- Base: Decimal

Note: For a 64-bit installation the key path needs to be: SOFTWARE\Wow6432Node\Apple Computer, Inc.\iTunes\Parental Controls\Default

25. The last thing we need to do is figure out that crucial registry key value. The table below shows all the options that are available to you. All you have to do is add together all the values for the ones you want and apply the total value:

| Item | Value |
|---|---|
| kParentalFlags_Locked | 1 |
| kParentalFlags_DisablePodcasts | 2 |
| kParentalFlags_DisableMusicStore | 4 |
| kParentalFlags_DisableSharing | 8 |
| kParentalFlags_DisableExplicitContent | 16 |
| kParentalFlags_DisableRadio | 32 |
| kParentalFlags_RestrictMovieContent | 64 |
| kParentalFlags_RestrictTVShowContent | 128 |
| kParentalFlags_DisableCheckForUpdates | 256 |
| kParentalFlags_RestrictGames | 512 |
| kParentalFlags_DisableMiniStore | 1024 |
| kParentalFlags_DisableAutomaticDeviceSync | 2048 |
| kParentalFlags_DisableGetAlbumArtwork | 4096 |
| kParentalFlags_DisablePlugins | 8192 |
| kParentalFlags_DisableOpenStream | 16384 |
| kParentalFlags_DisableAppleTV | 32768 |
| kParentalFlags_DisableDeviceRegistration | 65536 |
| kParentalFlags_DisableDiagnostics | 131072 |
| kParentalFlags_AllowITunesUAccess | 262144 |
| kParentalFlags_RequireEncryptedBackups | 524288 |
| kParentalFlags_DisableHomeSharing | 1048576 |
| kParentalFlags_DisableCheckForAppUpdates | 2097152 |
| kParentalFlags_DisableCheckForDeviceUpdates | 4194304 |
| kParentalFlags_DisablePing | 8388608 |
| kParentalFlags_DisableFirstRunWelcomeWindow | 16777216 |

I have included only the following controls:

- kParentalFlags_Locked: You must include this or users will be able to override your settings.
- kParentalFlags_DisableSharing
- kParentalFlags_DisableExplicitContent
- kParentalFlags_DisableHomeSharing
- kParentalFlags_DisableCheckForAppUpdates
- kParentalFlags_DisablePing
- kParentalFlags_DisableFirstRunWelcomeWindow

The value for my registry key is therefore 1 + 8 + 16 + 1048576 + 2097152 + 8388608 + 16777216 = 28311577. The value you end up with will depend on your specific requirements.
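
As an added example that is not part of the original post, the PowerShell below builds an AdminFlags value from flag names, decodes a value back into names, and reports what a machine actually has under both key paths from step 24, warning when the Locked bit is missing. The helper names ConvertTo-AdminFlags and ConvertFrom-AdminFlags are made up for this example, and the kParentalFlags_ prefix is omitted from the names.

```powershell
# Added example, not from the original post. Names follow the order of the step 25
# table, so the flag at index i has the value 2^i (1, 2, 4 ... 16777216).
$FlagNames = @(
    'Locked', 'DisablePodcasts', 'DisableMusicStore', 'DisableSharing',
    'DisableExplicitContent', 'DisableRadio', 'RestrictMovieContent',
    'RestrictTVShowContent', 'DisableCheckForUpdates', 'RestrictGames',
    'DisableMiniStore', 'DisableAutomaticDeviceSync', 'DisableGetAlbumArtwork',
    'DisablePlugins', 'DisableOpenStream', 'DisableAppleTV',
    'DisableDeviceRegistration', 'DisableDiagnostics', 'AllowITunesUAccess',
    'RequireEncryptedBackups', 'DisableHomeSharing', 'DisableCheckForAppUpdates',
    'DisableCheckForDeviceUpdates', 'DisablePing', 'DisableFirstRunWelcomeWindow'
)

function ConvertTo-AdminFlags {      # hypothetical helper: flag names -> DWORD
    param([Parameter(Mandatory)][string[]]$Name)
    $value = 0
    foreach ($n in $Name) {
        $i = [array]::IndexOf($FlagNames, $n)
        if ($i -lt 0) { throw "Unknown flag: $n" }
        $value = $value -bor (1 -shl $i)
    }
    $value
}

function ConvertFrom-AdminFlags {    # hypothetical helper: DWORD -> flag names
    param([Parameter(Mandatory)][long]$Value)
    0..($FlagNames.Count - 1) | Where-Object { $Value -band (1 -shl $_) } |
        ForEach-Object { $FlagNames[$_] }
}

# Rebuild the combination chosen in the post and compare it with the stated total.
$chosen = 'Locked', 'DisableSharing', 'DisableExplicitContent', 'DisableHomeSharing',
    'DisableCheckForAppUpdates', 'DisablePing', 'DisableFirstRunWelcomeWindow'
$total = ConvertTo-AdminFlags -Name $chosen
if ($total -ne 28311577) { throw "Computed $total, the post states 28311577" }

# Audit what this machine actually received, checking both key paths from step 24.
$sub = 'Apple Computer, Inc.\iTunes\Parental Controls\Default'
foreach ($key in "HKLM:\SOFTWARE\$sub", "HKLM:\SOFTWARE\Wow6432Node\$sub") {
    $item = Get-ItemProperty -Path $key -Name AdminFlags -ErrorAction SilentlyContinue
    if (-not $item) { Write-Output "$key : AdminFlags not set"; continue }
    $set = @(ConvertFrom-AdminFlags $item.AdminFlags)
    Write-Output "$key : $($item.AdminFlags) = $($set -join ', ')"
    if ($set -notcontains 'Locked') { Write-Warning "$key : Locked bit is not set" }
}
```

Run it on a target computer after the policy has applied; a missing value or a missing Locked bit means the lock-down from section D is not in effect on that machine.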

All done!

E. Further Reference

http://developer.apple.com/library/ios/#featuredarticles/FA_Deploying_iTunes/Introduction/Introduction.html

http://support.apple.com/kb/HT2102

Saturday, 23 June 2007

Life in Melbourne: Food, Parties & The Dalai Lama!

We've been in Melbourne for over a month now and we've been going out a lot! We've been partying hard down here and have got a pretty good grasp of the city, where all the cool stuff is, where's good to eat and drink, and what the night life is like.

We're staying in Coburg, in the north of Melbourne, and the main road down to the city is peppered with cool bars and restaurants, notably one called 'Lentils as Anything' where you eat whatever you want and pay whatever you think it was worth - it's a great concept and the food is fantastic! There's tons of other good food around here: Lebanese, Italian, Afghan, Nepalese, Turkish, Indian, Greek, Thai, Chinese, Vietnamese... The list goes on and on and it's all right on our doorstep - now that can only be a good thing! I have yet to find a Burmese restaurant - it's supposed to be a wonderful fusion of Indian and Oriental cooking :) If you know a good one... stick a comment on this blog!

On the night life side of things, we've been having a ball! We've been to illegal warehouse parties and legit club nights alike, we also went to see DJ Shadow play at The Forum which, aside from a rash of technical problems and London priced tickets, was pretty cool. He's definitely a very talented guy and it was great to see some live stuff once again. Check out the video I shot - it's hardly audiophile sound quality, my little camera is simply not up to the bass, but you get the general idea and if you know DJ Shadow you'll recognise the classic track!



We also went to see the Dalai Lama talk at a free event in a football stadium. 'His Holiness' was definitely a very chilled out guy and despite some fairly heavy topics he doesn't seem to take things too seriously, laughing and joking about quite a bit and the way he spoke and chuckled reminded me a lot of Yoda! It was a really interesting afternoon, and it feels quite special to have had the opportunity to see the Dalai Lama at all.

Overall, I like Melbourne a lot and we've both settled in pretty well. I don't much like the federal government out here: Their policies regarding immigration and indigenous people are blatantly discriminatory and even downright racist - they're a bunch of bloody Nazis. It's very disappointing to see that people will actually vote for such policies, in much the same way as it was disappointing to see Bush get a second term. I can only hope they get the boot in the coming elections.

Over the past few weeks I've been busy uploading loads more photos from our travels so far to my album on Zooomr, so if you haven't already had a look, then please do! They're not all great photos, but they tell a story.



Well, it doesn't feel much like 'travelling' any more, job hunting is taking up most of my time so I probably won't blog again for a little while. I will try to keep the photos and videos coming though, and please stay in touch.

Steve x

Saturday, 19 May 2007

Road Trip: Brisbane to Melbourne

Hi... First I'll quickly mention that it's my birthday! Those of you that forgot, I will no doubt see another time, probably in Hell ;) Talking of which, the obvious question now is "What the Hell are you doing sitting in front of a computer on your birthday?!" If you know me, you'll also know that it doesn't take much, any excuse will usually be sufficient! This time, however, I do actually have a pretty good excuse...

We've just completed a road trip from (near) Brisbane to Melbourne. If you look on a map it doesn't initially look like a very long way... BUT, God, those maps can be deceiving... 2500km later, just a few hours ago, we finally got to Melbourne. It's a huge distance and it is the first time I have been able to get any sort of feel for how absolutely massive Australia really is!

As you head south, things change quite a lot. The coast from Brisbane to Sydney, along the Pacific Highway, feels quite wealthy, middle class, is very very modern, and has beach after beach after beach. I'm not really a beach person, I'm more interested in city life and like to have lots of stuff going on around me, so when we finally turned off the coast I was actually a little relieved! We took a long diversion inland to Armidale, where Heather was born. Everyone you speak to will say stuff like: "why d'ya wanna go there" or "there's nothing there", but actually I quite liked Armidale. They are absolutely right, there is nothing there... except for some nice older architecture from the 1800s - a rare jewel in such a young country. Then it was back to the coast for more beaches (yawn) and then down into Victoria and through lots of rain forest.

An obligatory rant about logging: Why is everybody cutting down their rain forests... surely they understand the consequences? Driving along, we were constantly met by huge trucks carrying logs and there are numerous huge areas that have been cleared for farming and (probably McDonalds) cows! They may have re-planting schemes in place, so perhaps I'm being a little unfair, but this practice of clearing forest is something I've seen a lot of recently, in the Amazon for starters, and it really sucks! You would think a country with an ozone hole sitting over it would know better!
Disclaimer: I did use 5 or 6 full tanks of petrol during the trip and am therefore technically not exactly helping things either ;) I should have probably walked or hitched or something like that, but whatever my sins... I still don't like seeing all those trees getting cleared!!

So finally, after more camping and hundreds of kilometers of driving, we are here in Melbourne. It's been a fantastic drive and, despite my beach yawns, the coast is very beautiful. The last bit of the drive wasn't very interesting as we were running out of time and had to cut off the final section of the coast in favour of taking the motorway, but it was easy driving and we arrived in Melbourne not long ago. It's raining, as we'd been led to expect, but I don't care much about that - I'm used to it! I notice a particular London-like feel (maybe it's the rain), narrower streets, some old buildings and it has a multicultural feel which is something I have become very accustomed to and prefer.

So, back to my excuse for being on a computer on my birthday... I'm killing time waiting for a lift to my new home (sofa) in Australia. Probably won't have much to say for a while, but I'll still be updating photos and other stuff down the right hand side. OK... time to get very drunk! Steve x

PS. Click here for a route map of our road trip.