The following article details how Cloud Drive Mapper can be deployed to multiple machines across an organisation.
Please note that the following information describes just two methods of deploying Cloud Drive Mapper to multiple machines. It can be deployed in many different ways, depending on the environment topology. We have listed the methods below to help you choose the approach that best suits your environment.
Download & Preparation
- Download Cloud Drive Mapper from the IAM Cloud Resource Centre.
- Identify whether you are using IAM Cloud Authentication services (Single Sign On) or Cloud Drive Mapper ONLY.
- If you are using Cloud Drive Mapper only, you will have been supplied with a LicenceKey.
- If you are using the IAM Cloud full service, you can disregard the licence as this will be automatically detected on authentication.
- If you are deploying Cloud Drive Mapper from a shared location, the following share and security permissions must be enabled.
- Within the shared location, go to Properties > Security and apply Authenticated Users as per the example.
Once Authenticated Users have been allocated the correct privileges to view the shared location, they also need access to the share itself. To do this, go to the shared location and select Properties > Sharing > Advanced Sharing > Permissions.
Please ensure that you give authenticated users Read access to the shared location.
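The script below is an added example, not IAM Cloud's own code. It checks both permission layers described above and reports any account outside a trusted list that can modify the installer files. The share name `CDMDeploy` and the trusted-account list are assumptions.

```powershell
# Added example: audit the deployment share so that only trusted accounts can change the MSI.
param([string]$ShareName = 'CDMDeploy')   # hypothetical share name

# Accounts expected to hold write access (assumed list); all others should be read-only.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# Share permissions (Properties > Sharing > Advanced Sharing > Permissions).
$shareFindings = @(
    Get-SmbShareAccess -Name $ShareName |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -ne 'Read' -and
            $_.AccountName -notin $trusted
        } |
        ForEach-Object {
            [pscustomobject]@{ Layer = 'Share'; Account = $_.AccountName; Rights = "$($_.AccessRight)" }
        }
)

# NTFS permissions (Properties > Security). The mask covers the write-type rights plus
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000), which can appear as raw
# values on inherit-only entries.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000

$ntfsFindings = @(
    (Get-Acl -LiteralPath $share.Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $writeMask) -ne 0 -and
            $_.IdentityReference.Value -notin $trusted
        } |
        ForEach-Object {
            [pscustomobject]@{ Layer = 'NTFS'; Account = $_.IdentityReference.Value; Rights = "$($_.FileSystemRights)" }
        }
)

$findings = $shareFindings + $ntfsFindings
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) entry(ies) allow changes to files under $($share.Path)."
    exit 1
}
Write-Output "Only trusted accounts can modify $($share.Path); all other access is read-only."
```

Run it on the file server that hosts the share. Add any deployment or domain admin groups you use to `$trusted` in their `DOMAIN\Group` form.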
To use Group Policy to manage the deployment of Cloud Drive Mapper, a policy and a distribution method need to be created.
In the following example ‘CDM F1’ is defined as the policy and the distribution method is a security group named ‘CDM’. Users/computers within this group will have the policy assigned to them, which contains the MSI installation as shown below.
To install Cloud Drive Mapper, apply the MSI to the following policy path:
Computer Configuration > Policies > Software Settings > Software Installation
(Below is an example policy.)
Once this policy has been completed, ensure that User Account Control has been disabled for this particular policy.
Disabling user account control for a policy
Select your policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
The following policies need to be disabled to ensure there are no conflicts during the installation process:
- User Account Control: Detect application installations and prompt for elevation
- User Account Control: Only elevate UIAccess applications that are installed in secure locations
- User Account Control: Run all administrators in Admin Approval Mode
Once all the steps above have been applied your policy is ready for execution. You may want to adjust the permissions/roll out method to suit your environment.
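The following added example (not IAM Cloud's code) reports the state of the three User Account Control settings on a machine, so you can confirm that the policy reached only the computers in the distribution group. It assumes the standard registry value names that back these Security Options.

```powershell
# Added example: report the three UAC settings named above on the local machine.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Security Options display name -> registry value that stores the setting.
$policies = [ordered]@{
    'Detect application installations and prompt for elevation'                 = 'EnableInstallerDetection'
    'Only elevate UIAccess applications that are installed in secure locations' = 'EnableSecureUIAPaths'
    'Run all administrators in Admin Approval Mode'                             = 'EnableLUA'
}

$current = Get-ItemProperty -LiteralPath $key

$report = foreach ($name in $policies.Keys) {
    $valueName = $policies[$name]
    $raw = $current.$valueName           # $null when the value is absent
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Policy    = $name
        ValueName = $valueName
        State     = if ($null -eq $raw) { 'Not set' } elseif ($raw -eq 0) { 'Disabled' } else { 'Enabled' }
    }
}
$report | Format-Table -AutoSize

# Summarise: machines outside the deployment group should report nothing as Disabled.
$disabled = @($report | Where-Object { $_.State -eq 'Disabled' })
if ($disabled.Count -gt 0) {
    Write-Output "$($env:COMPUTERNAME): UAC settings disabled: $($disabled.ValueName -join ', ')"
} else {
    Write-Output "$($env:COMPUTERNAME): none of the three UAC settings is disabled."
}
```

A change to `EnableLUA` only takes effect after a restart, so check again after the machine has rebooted.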
If your roll-out preference is via a .bat script, push it out in the way you normally would, but run it in quiet mode. Below is an example of a working script.
:: Stops CDM if already running
tasklist /nh /fi "imagename eq cloud drive mapper.exe" | find /i "cloud drive mapper.exe" >nul && taskkill /im "cloud drive mapper.exe" /f
:: Adjust the timer below to suit your needs
timeout /t 10 /nobreak
:: Uninstall the previous ver if needed
msiexec /x "C:\Users\admin\Desktop\CDM 1.3\SetupCDM_1.3.msi" /qn
:: Adjust the timer below to suit your needs
timeout /t 10 /nobreak
:: Install the latest ver adjusting the language to EN-GB / EN-US to suit your needs
msiexec /i "C:\Users\admin\Desktop\CDM 1.4\CDMBuild\Installer_x64\SetupCDM_1.4.msi" /qb LANGUAGE=EN-GB RUN=TRUE
:: NEXT LINE NOT REQUIRED IF ALREADY PUSHING LIC KEY BY GPO (highly recommended in domain environments, explained further below)
::REG ADD "HKCU\Software\IAM Cloud\CloudDriveMapper" /v "LicenceKey" /t "REG_SZ" /d "YOUR-LIC-KEY-HERE" /f
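As an added example (not IAM Cloud's code), the PowerShell below performs the same silent install as the batch script above, but first copies the MSI locally and checks its Authenticode signature and SHA-256 hash. The source path, publisher string and hash are placeholders, and the script assumes the MSI is Authenticode-signed.

```powershell
# Added example: verify the installer before running msiexec.
# All three parameter defaults are placeholders; take the real values from a copy of
# the MSI that you have downloaded and validated yourself.
param(
    [string]$SourceMsi         = '\\fileserver\CDMDeploy\SetupCDM.msi',   # hypothetical path
    [string]$ExpectedPublisher = '<PUBLISHER-NAME-FROM-VALIDATED-MSI>',
    [string]$ExpectedSha256    = '<SHA256-OF-VALIDATED-MSI>'
)

# Work on a local copy so the bytes that are verified are the bytes that get installed.
$workDir = Join-Path ([System.IO.Path]::GetTempPath()) ("cdm-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $workDir | Out-Null
$localMsi = Join-Path $workDir 'SetupCDM.msi'
Copy-Item -LiteralPath $SourceMsi -Destination $localMsi

$sig  = Get-AuthenticodeSignature -LiteralPath $localMsi
$hash = (Get-FileHash -LiteralPath $localMsi -Algorithm SHA256).Hash

$problems = @()
if ($sig.Status -ne 'Valid') {
    $problems += "signature status is $($sig.Status)"
} elseif ($sig.SignerCertificate.Subject -notlike "*CN=$ExpectedPublisher*") {
    $problems += "unexpected signer: $($sig.SignerCertificate.Subject)"
}
if ($hash -ne $ExpectedSha256) { $problems += "SHA-256 mismatch: $hash" }

if ($problems.Count -gt 0) {
    Remove-Item -LiteralPath $workDir -Recurse -Force
    throw "Refusing to install ${SourceMsi}: $($problems -join '; ')"
}

# Same MSI properties as the batch script; /qn is fully silent, /l*v writes a verbose log.
$log = Join-Path $env:SystemRoot 'Temp\cdm-install.log'
$msiArgs = '/i "{0}" /qn /norestart /l*v "{1}" LANGUAGE=EN-GB RUN=TRUE' -f $localMsi, $log
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
Remove-Item -LiteralPath $workDir -Recurse -Force

# 0 = success, 3010 = success but a restart is required.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $log"
}
Write-Output "Cloud Drive Mapper installed (exit code $($proc.ExitCode))."
```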
Cloud Drive Mapper also fully supports:
For non-persistent Citrix XenDesktop or XenApp with RES Workspace Manager (RES-WM) please follow the steps below:
Step 1: Install Cloud Drive Mapper in the Golden Image.
a. Change the startup type of wuauserv to Automatic (if it’s not running).
b. Install Windows6.1-KB2846960-x64.msu (this applies if you receive an error when you open a SharePoint Document Library in Windows Explorer or map a network drive to the library after you install Internet Explorer 10 in Windows 7 or Windows Server 2008 R2).
c. Install Cloud Drive Mapper x64 edition from IAM Cloud Resource Centre.
d. Delete the CloudDriveMapper key under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Step 2: Configure in RES Workspace Manager with the correct licence key for a specific user group
a. Browse to Composition > Actions By Type > Execute Command
b. Create New Command
Edit the Command Line: %script%.
Check the checkbox for Run Hidden
Edit Run Task: At logon after other actions
c. Go to the Script tab and copy and paste the following, with file extension “cmd”:
REG ADD "HKCU\SOFTWARE\IAM Cloud\CloudDriveMapper" /f /v LicenceKey /t REG_SZ /d yourlicensekeyfromtheportal
start "" "c:\Program Files\IAM Cloud\Cloud Drive Mapper\Cloud Drive Mapper.exe"
d. Go to the Access Control tab and assign the user group from AD.
If you don’t have the Citrix tools mentioned above, then the same can be achieved via MS Deployment tools and GPO.
It is important that when you are running in an RDS environment you do not use the registry to control whether the application runs on startup. Firstly, these keys are only invoked when the explorer.exe process runs (which it does not on RemoteApp). This also means that if you allow multiple sessions per user, it can cause conflicts.
To ensure this is not the case, during install select RDS as the environment or make sure the CloudDriveMapper key is removed from:
To allow Cloud Drive Mapper to work with multiple instances you need to add the following key:
REG ADD "HKLM\Software\IAM Cloud\CloudDriveMapper" /v "MultipleInstanceOveride" /t "REG_SZ" /d "true" /f
This will allow each instance (even multiple user sessions) to be permitted.
CDM allows a client to have multiple different groups, e.g. IT Dept / Admin / Management / Staff.
The current generation of CDM uses a different licence key for each of these groups in order to pull their mappings down to the client-side application.
In some organisations users have roaming profiles and often hot-desk at different computers daily.
For this reason we strongly recommend “pushing” out the group's licence key as a registry update against HKCU, so that when a user moves to a different computer their mappings always follow them. A computer may also be shared by people from different groups with different mappings, so setting the key against the computer makes no sense in this scenario.
However, an exception to the above is small-office environments where all staff members are often in a single group with only a single licence, and thus having the licence within HKLM is acceptable.
To deploy the licence key by GPO, see the example below:
Action: Update
Hive: HKEY_CURRENT_USER
Key Path: software\IAM Cloud\CloudDriveMapper
Value Type: REG_SZ
Value Data: LIC KEY
| Key | Description |
|---|---|
| ADAttribute = mail / UserPrincipalName | Used in cases where the user logon isn’t the same as the O365 UPN which CDM uses to authenticate. (Used in conjunction with CredentialCacheOverride = true.) |
| CredentialCacheOverride = true | Used in conjunction with ADAttribute. |
| Domainoverride = emaildomain.com | Used when the O365 email domain is different from what the user logs in with. Also allows the user to enter only the prefix (mail alias) and will automatically append the value of the key. |
| PasswordStoreLocation = %appdata%\OneDriveMapper.tmp | Used where a user has a roaming profile, there is no SSO and Credential Manager isn’t an option. This creates a secure file within appdata for credential storage. |
| Verbose = true | Used for event logging diagnosis. |
| MultipleInstanceOveride = true | Used to allow multiple instances of the CDM app to run; used primarily on RDP servers. |
| UserNameStoreLocation = %path% | Used to specify the location of the username file. This key is only used if the password store location exists. By default, if this key does not exist but the password store does, it will use the same path as the password store and append #2 to the end. |
| AdfsHRD | HKLM / HKCU. Please note though: if you want to automatically sign in to the default AD Authority, you must run the following PowerShell: (Get-AdfsProperties).Identifier.OriginalString and configure the AdfsHRD key in the registry to that value. If you would like to use a different Claim Provider that is not the default AD Authority, then you must use the identifier for that claim provider. |
| UseO365AppPassword = true | HKLM / HKCU. Used for an MFA app password when ADFS is also detected (the client side has its own ADFS). Setting this key allows the application to “bypass” ADFS and authenticate directly with O365 using an app password. |
| WriteLogToFile = path | Writes to a text log file. The path should be written like C:\temp\cdmlogs\cdmlog.txt (a location CDM can write log files to). Good when used in conjunction with Verbose = true. |
| WriteLogToEventLog = false | True by default. Setting it to false stops CDM from producing large numbers of event logs. |
| UseADAL = true | Can be used in either HKCU or HKLM. Allows the client to choose ADAL; required for alternative IDP / MFA / AAD. Although it can still read the username from Credential Manager, it will NOT use the stored password. |
| DisableSSO = true | If set to true (V18.104.22.168 onwards), will NOT store credentials in Credential Manager or the password file. Stops CDM from trying to authenticate via SSO when ADFS is present but SSO has been disabled. |
If you need any assistance please do not hesitate to contact the IAM Cloud support team
IAM Cloud's Technical Support Team.
Support Portal: http://support.iamcloud.com
Email us: email@example.com
Phone (UK): +44 118 324 0000
Phone (US): +1 914 495 1298
For IAM Cloud Service Status information please visit http://www.iamcloudstatus.com
For latest updates to our platform please visit https://www.iamcloud.com/changelog/