f73f999938
Replaces the Acrobat-only enforcer with a generic Common-Enforce that
handles all cross-PC-type apps from one manifest + one scheduled task
on the SFLD share at \\tsgwp00525\shared\dt\shopfloor\common\apps\.
Renames:
Acrobat-Enforce.ps1 -> Common-Enforce.ps1
Register-AcrobatEnforce -> Register-CommonEnforce
acrobat-manifest.json -> common-apps-manifest.json
common.acrobatSharePath -> common.commonAppsSharePath
'GE Acrobat Enforce' task -> 'GE Common Apps Enforce' task
C:\Program Files\GE\Acrobat -> C:\Program Files\GE\CommonApps
Register-CommonEnforce cleans up the legacy 'GE Acrobat Enforce' task
if present from a prior image.
WJF Defect Tracker (replaces ClickOnce):
- Added to preinstall.json (PCTypes=*, fleet-wide imaging-time install)
- MSI staged on PXE at pre-install/installers/
- Added to common-apps-manifest with FileVersion detection on
C:\Program Files\WJF_Defect_Tracker\Defect_Tracker.exe
- site-config + 06-OrganizeDesktop: shortcut changed from ClickOnce
'existing' to exe-path pointing at the MSI-installed binary
- Update workflow: drop new MSI on share, bump DetectionValue
CMM 09-Setup-CMM: added goCMM + DODA to the ACL grant list.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
124 lines
4.8 KiB
PowerShell
124 lines
4.8 KiB
PowerShell
# Common-Enforce.ps1 - On-logon enforcer for cross-PC-type apps (Acrobat
|
|
# Reader, WJF Defect Tracker, future common apps).
|
|
#
|
|
# Runs under a SYSTEM scheduled task triggered at user logon on every PC
|
|
# regardless of PC type. Mounts the tsgwp00525 SFLD share (common\apps
|
|
# path) using SFLD creds provisioned by Azure DSC, reads
|
|
# common-apps-manifest.json from the share, and hands off to
|
|
# Install-FromManifest.ps1 which installs anything whose detection fails.
|
|
#
|
|
# Update workflow: drop new installer on the share, bump DetectionValue in
|
|
# common-apps-manifest.json, every PC catches up on next logon.
|
|
#
|
|
# Graceful degradation:
|
|
# - SFLD creds missing (Azure DSC has not run yet) -> log + exit 0
|
|
# - Share unreachable (network, VPN) -> log + exit 0
|
|
# - Install failure -> log + exit 0
|
|
#
|
|
# Never returns non-zero to the task scheduler; failures show up in the log.
|
|
|
|
$ErrorActionPreference = 'Continue'
|
|
|
|
$installRoot = 'C:\Program Files\GE\CommonApps'
|
|
$libPath = Join-Path $installRoot 'lib\Install-FromManifest.ps1'
|
|
$logDir = 'C:\Logs\CommonApps'
|
|
$logFile = Join-Path $logDir ('enforce-{0}.log' -f (Get-Date -Format 'yyyyMMdd'))
|
|
$driveLetter = 'T:'
|
|
|
|
if (-not (Test-Path $logDir)) {
|
|
New-Item -Path $logDir -ItemType Directory -Force | Out-Null
|
|
}
|
|
|
|
function Write-EnforceLog {
|
|
param([string]$Message, [string]$Level = 'INFO')
|
|
$line = "[{0}] [{1}] {2}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Level, $Message
|
|
Write-Host $line
|
|
Add-Content -Path $logFile -Value $line -ErrorAction SilentlyContinue
|
|
}
|
|
|
|
Write-EnforceLog "================================================================"
|
|
Write-EnforceLog "=== Common-Enforce session start (PID $PID, user $env:USERNAME) ==="
|
|
Write-EnforceLog "================================================================"
|
|
|
|
$getProfileScript = 'C:\Enrollment\shopfloor-setup\Shopfloor\lib\Get-PCProfile.ps1'
|
|
if (-not (Test-Path $getProfileScript)) {
|
|
Write-EnforceLog "Get-PCProfile.ps1 not found at $getProfileScript - cannot locate share" "ERROR"
|
|
exit 0
|
|
}
|
|
. $getProfileScript
|
|
|
|
if (-not $siteConfig -or -not $siteConfig.common -or -not $siteConfig.common.commonAppsSharePath) {
|
|
Write-EnforceLog "No common.commonAppsSharePath in site-config - nothing to enforce" "WARN"
|
|
exit 0
|
|
}
|
|
|
|
$sharePath = $siteConfig.common.commonAppsSharePath
|
|
Write-EnforceLog "Share: $sharePath"
|
|
|
|
function Get-SFLDCredential {
|
|
param([string]$ServerName)
|
|
$basePath = 'HKLM:\SOFTWARE\GE\SFLD\Credentials'
|
|
if (-not (Test-Path $basePath)) { return $null }
|
|
|
|
foreach ($entry in Get-ChildItem -Path $basePath -ErrorAction SilentlyContinue) {
|
|
$props = Get-ItemProperty -Path $entry.PSPath -ErrorAction SilentlyContinue
|
|
if (-not $props -or -not $props.TargetHost) { continue }
|
|
if ($props.TargetHost -eq $ServerName -or
|
|
$props.TargetHost -like "$ServerName.*" -or
|
|
$ServerName -like "$($props.TargetHost).*") {
|
|
return @{
|
|
Username = $props.Username
|
|
Password = $props.Password
|
|
TargetHost = $props.TargetHost
|
|
KeyName = $entry.PSChildName
|
|
}
|
|
}
|
|
}
|
|
return $null
|
|
}
|
|
|
|
$serverName = ($sharePath -replace '^\\\\', '') -split '\\' | Select-Object -First 1
|
|
$cred = Get-SFLDCredential -ServerName $serverName
|
|
|
|
if (-not $cred -or -not $cred.Username -or -not $cred.Password) {
|
|
Write-EnforceLog "No SFLD credential for $serverName yet (Azure DSC has not provisioned it) - will retry at next logon"
|
|
exit 0
|
|
}
|
|
|
|
Write-EnforceLog "Credential: $($cred.KeyName) (user: $($cred.Username))"
|
|
|
|
net use $driveLetter /delete /y 2>$null | Out-Null
|
|
|
|
$netResult = & net use $driveLetter $sharePath /user:$($cred.Username) $($cred.Password) /persistent:no 2>&1
|
|
if ($LASTEXITCODE -ne 0) {
|
|
Write-EnforceLog "net use failed (exit $LASTEXITCODE): $netResult" "WARN"
|
|
Write-EnforceLog "Share unreachable - probably off-network. Will retry at next logon."
|
|
exit 0
|
|
}
|
|
Write-EnforceLog "Mounted $sharePath as $driveLetter"
|
|
|
|
try {
|
|
$manifestOnShare = Join-Path $driveLetter 'common-apps-manifest.json'
|
|
if (-not (Test-Path $manifestOnShare)) {
|
|
Write-EnforceLog "common-apps-manifest.json not found on share - nothing to enforce" "WARN"
|
|
return
|
|
}
|
|
|
|
if (-not (Test-Path $libPath)) {
|
|
Write-EnforceLog "Install-FromManifest.ps1 not found at $libPath" "ERROR"
|
|
return
|
|
}
|
|
|
|
Write-EnforceLog "Handing off to Install-FromManifest.ps1 (InstallerRoot=$driveLetter)"
|
|
& $libPath -ManifestPath $manifestOnShare -InstallerRoot $driveLetter -LogFile $logFile
|
|
$rc = $LASTEXITCODE
|
|
Write-EnforceLog "Install-FromManifest returned $rc"
|
|
}
|
|
finally {
|
|
net use $driveLetter /delete /y 2>$null | Out-Null
|
|
Write-EnforceLog "Unmounted $driveLetter"
|
|
Write-EnforceLog "=== Common-Enforce session end ==="
|
|
}
|
|
|
|
exit 0
|