How to allow users to update iTunes on desktop computers without admin?

[Cerulean]

Greetings,

Easy way is to give local administrator, but I want to add some challenge and search for an alternative and more appropriate solution. At another company I work for the CEO has iTunes on his computers. Quite frequently, iTunes prompts for administrative credentials to update the software. Unfortunately, the CEO never remembers the local Administrator password resulting in a text coming to my phone asking for it.

I'm looking for suggestions for a solution that is "this is the proper way to do it". Thanks!

 

[Shockey]

Grant read/write/modify access to the install directory and registry keys to his login

 

[XOR != OR]

Trust me, we've all been down this road. Unless you are up against some severe regulations ( DOJ, PCI, SOX, ect... ), just give the CEO admin access to their local machine and try to keep a lid on the damage they can do ( good A/V, openDNS, filter their outbound traffic at the firewall, ect... ).

It's not ideal, but it's the easiest of all the options.

 

[da sponge]

Deploy updates by group policy at the computer level. Voila, no admin credentials required.

 

[jalaj]

GP can do it. But only if you're aware of the iTunes update, as it is a manual approach to push the specific update package via GP. Think the OP wants to grant the users' PCs to automatically update iTunes whenever there is a new release.

 

[bigdogchris]

I deploy iTunes via Group Policy to keep it updated, which is the easiest way for me.

I don't keep Apple Software Updater on people's computers, but does using that allow you to update without Admin credentials? I've never tried.

 

[Cerulean]

Notes to self:

• http://lawrit.lawr.ucdavis.edu/itdocs/it/how-to/deploying-itunes-with-group-policy/view
• https://discussions.apple.com/thread/1772486?start=0&tstart=0
• http://techierambles.blogspot.com/2011/01/deploy-itunes-or-quicktime-msi-files.html

 

[bigdogchris]

Notes to self:

• http://lawrit.lawr.ucdavis.edu/itdocs/it/how-to/deploying-itunes-with-group-policy/view
• https://discussions.apple.com/thread/1772486?start=0&tstart=0
• http://techierambles.blogspot.com/2011/01/deploy-itunes-or-quicktime-msi-files.html

Yup, except iTunes 11 has changed a little. You need to add Desktop_Icons = 0 into the properties table now. Also when it suggest dropping Bonjour and Software updater, also drop Mobile Device Support and Application Support. That way iTunes can install in any order, rather than being forced to install after Mobile Device Support (since you cannot choose the order in GP other than nesting OUs)

I also don't use the AdminFlags because it locks out some content, but I use UserFlags to disable the updater then just throw that out with group policy preferences and attach that to an OU with the users getting iTunes.

 

[mngl1500]

Use ninite pro and update it that way.

Also by using ninite pro you take the worry out of flash, other web browsers, java and acrobat plus a whole lot more.

There is the demo you can play with for 1 week for free.

Do my users need to have Administrator rights?
No. Normal users actually never interact with Ninite Pro. You'll either manage things over the network with the remote mode, or update things behind the scenes by having Ninite Pro run as a scheduled task or startup script.

I have just been doing manual remote update scans when flash, java etc has updates.

 

[jalaj]

Just to clarify, the GP method still requires manual administration.
If you want to give users a newer iTunes version/update, then you'll have to update the GP iTunes installer package. But by disabling the automatic updates in the GP iTunes installer configuration, the user won't be prompted for a new version.

 

[bigdogchris]

Just to clarify, the GP method still requires manual administration.
If you want to give users a newer iTunes version/update, then you'll have to update the GP iTunes installer package. But by disabling the automatic updates in the GP iTunes installer configuration, the user won't be prompted for a new version.

Apple does not update major versions frequently enough for it to be a big deal. You usually don't have to update iTunes other than when the new version of iOS comes out. When you do, other than maybe testing the software, it only takes moments to remove the old package and add the new one.

Also, I don't know if you can disable the updaters with just the package. You can disable setting the update schedule and not installing the apple software updater, but the check for updates checkbox is still ticked, unless you changed it in the registry from what I've seen... unless you know something that you can share?

 

[athlon1.2]

Since you already gave him a local admin account, If you use UAC why don't you just Start > Run > control userpasswords 2 and add the domain account as a local administrator on that machine?