improve the machine-wide install experience

[shiftkey]

While we're using the same machine-wide installation that Atom provides, it lacks in a couple of areas:

• it ignores the overrides to msiexec to let you change where it gets installed to

> msiexec /i AtomSetup.msi TARGETDIR="C:\GitHub Desktop"

• when users install it, it still adds builds into %LOCALAPPDATA% - this means updates will work for users without administrators needing to deploy a new version, however it means administrators will not have the ability to control how this is deployed.

The VSCode team moved away from Squirrel.Windows a while ago due to these issues (and maybe more, I forget), and appear to now be using Inno Setup to create their installer. This commit looks relevant to our interests, as a starting point: https://github.com/Microsoft/vscode/commit/65b2a4e0db44b20855db74276c897c909b2188a1#diff-1a67e12e0eafc5bb8a6448cbbc8ad549

[joshaber]

I'm gonna tentatively throw this in 1.0, but we can revisit when we get closer.

[shiftkey]

Going to look at using https://github.com/felixrieseberg/electron-wix-msi to see if it addresses these issues.

[mhouston100]

I had logged a separate issue https://github.com/desktop/desktop/issues/4345 regarding this install in an enterprise environment.

The installer should be following normal Windows conventions for application installs, not fighting them. Almost all security software relies on this, EXE's and data being in the expected (correct) locations.

Installing executable's to a user writable area is a massive no-no in an Enterprise environment. While it is mitigated by using Applocker/Software Restriction exception rules you are essentially pushing more work on local administrators for very little benefit.

I understand that a LOT of dev's appear to be doing this, often to try and circumvent normal, expected Windows security prompts (like prompting UAC for application upgrades) but it doesn't mean this is a correct or acceptable way.

[JamesYeoman]

Just a suggestion here, this here has a 'freeware' edition that, according to this page

Advanced Installer is available in five editions: Freeware, Professional, For Java, Enterprise and Architect. The Freeware edition does not need registering and is free to use for both commercial and non-commercial purposes.

So maybe this could be an option?

---

Edit

An open-source alternative

[michalzobec]

Hello, you can use Advanced Installer. AI has special license for OpenSource projects.

Or if you want, I can make installer for you as free for automated compilation/build based on WiX (Windows Installer XML).

Note: All administrators of Enterprise environment needs full offline installation with all files, installed traditionally to only %ProgramFiles%.

You cannot expect:

• access to internet
• you cannot try check for updates
• users not have access rights
• users cannot run any executable from user profile

AppLocker is technology for whitelisting of approved executables (run executable files based on digital signature of files). Typical scenario is run of applications from approved publisher (developer). For this scenario you must have all applications signed. Unsigned applications is not approved and will be blocked for run.

[michalzobec]

any update?

[ionred]

Following up on this as well, linked from #9408 as silent installs are still not truly silent

[tag]

Still looking for the ability to define install location, whether user or system.

Example use case: GitHub Desktop is approved on DoD "research & development" machines, but:

a. Can't be installed by users to their profile directory b. Can only be run from a specific directory (not the profile dir) c. Machine-level install runs tasks on first login that users don't have permission for, so that doesn't work either

In other words, ya'll have made it impossible to use GitHub Desktop on thousands of machines by not permitting custom install location.

Either a "thumb drive" type install (app folder is self-contained, may be moved) or custom install location solves these issues.

[kiler129]

This is purely ridiculous. I stumbled upon this issue by trying to write an instruction for engineers not accustomed to git: it is trivial until you want to use GitHub Desktop. You cannot install it on R&D machines to just the user profile and expect it to run.

[NiklasBr]

Some feedback I was asked to convey:

Please stop launching the app every time it is updated. Please stop re-creating the shortcut icon every time it is updated.

[michalzobec]

this ticket is bad example of ignoring of the:

• requirements, and
• security standards, and
• deployment standards

of the large environments/corporates.