Does anyone know if Cisco is looking into a way to allow Cisco Agent Desktop to upgrade without requiring Administrator privilege on the agent PCs?
After installing the Cisco VoIP / Call Center solution, this is the one issue that we cannot get around. We were told by Cisco TAC and directed to the documentation that states that Administrator privilege is required for CAD for it to upgrade.
Even though we know administrator privilege is required, we refuse to accept it without trying every possible way to get around it and to be able to manage it like any good enterprise application.
We thought we had a solution at one point, by using Microsoft SMS to log in as an administrator and launch the CAD software at which point it would upgrade and be ready for the agent when they logged in. We found that when we upgraded UCCX the next time there was a service pack for CAD that required popups to be clicked. This was different than the previous patch that didn't require any popups to be acknowledged. So, we cannot predict what will be needed from one upgrade to the next and still have an unreliable CAD upgrade process short of giving the agents admin rights on their PC.
At the very least, Cisco shouldn't cause CAD to not launch if the upgrade doesn't occur. This would give us time to write an SMS script to be use to upgrade the CADs.
Does anyone else have thoughts on this issue?
Cisco Customer Response Solutions (CRS) servers include a JTAPI Update Utility that performs synchronization of the Cisco Unified CallManager Plugin with the CRS server and the Cisco Agent Desktop (CAD). You must run this update tool to ensure successful operation of your CRS server.
If you have CRS or Cisco Unified CallManager Auto-Attendant installed (either coresident with the Cisco Unified CallManager server or on a separate server) and you upgrade and/or install Cisco Unified CallManager, you must take additional action to ensure plug-in synchronization.
Because an upgrade to a Cisco Unified CallManager server may include an updated JTAPI Plugin component, make sure that you run the JTAPI Update Utility on the CRS server to upgrade the JTAPI client. Running the JTAPI Update Utility on your CRS server, after you upgrade Cisco Unified CallManager, ensures that the JTAPI Plugin gets properly installed.
Thanks for your response, but I don't think it is the same type of upgrade that I had described.
The update I am talking about is with the CAD desktop software upgrades. When UCCX is upgraded the package often contains an upgrade to CAD. Currently CAD requires administrator privilege to perform the upgrade. It's not that we wouldn't be able to upgrade CAD by giving our call center agents admin privilege on their PC, it's that we don't want to have to give them admin privileges on their PC for security reasons.
not that I tested this, or that it is supported, but whenever I see similar scenario I tend to think at Windows RUNAS service, the equivalent of the SU in a Unix world.
You should be able to implement a script or a batch so that at Windows login time the application gets launched with admin credentails and not the ones for the user.
RUNAS could be used also at the command line interface.
We're in the boat as yourself, I posted a question without first reading your posts.
But yes, we have a site with restricted desktop user privileges and need to know what/where are the flags that disables the autoupdates.
I will be eagerly monitoring any replies you may post.
I can't believe it has been two years since we installed UCCX and still upgrades to CAD require administrative privilege. I recently asked this question again to our Cisco Rep and received the following reply.
- when might administrative access *not* be required to upgrade an agent or supervisor desktop
A - We will continue to add functionality to the browser based CAD. At some point, depending on the customer's requirements, their agents will be able to use the browser version that does not require an install or upgrade on the desktop.
- will the ability to deploy upgrades via SMS ever be supported
A - SMS is a valid deployment mechanism both for initial installations and upgrades. Additional information is outlined in the Cisco CAD Installation Guide under the chapter heading âUsing Automated Package Distribution Tools.â
I checked out the "Using Automated Package Distribution Tools" section and the only information provided is the useless paragraph below.
Using Automated Package Distribution Tools
Cisco Agent Desktop and Cisco Supervisor Desktop can be installed or upgraded on
multiple desktops (âpushedâ) through the use of an automated package diestribution
tool. Consult the distribution tool's documentation for information on how to do this.
We did use SMS to successfully launch CAD remotely as an admin and it did upgrade, but we found that from time to time the upgrade requires user input that we are not aware of ahead of time.
One suggestion I would make to Cisco is to replace the CAD version available on the UCCX plugin download page, after each UCCX upgrade that contains CAD updated, with a completely updated version CAD instead of requiring the downloaded version to need to be upgraded to the latest version after it is installed on the PC. At least that way you could reliably use SMS to completely re-install CAD to the latest version.
One note I always bring up about this issue is that the AnyConnect SSLVPN client requires admin privilege to install initially, but not for additional upgrades to the client. The guys in the Security BU have the right idea. Could they not share how they make this work with the Unified Communications BU?
I can't believe Cisco has not acknowledged this as beeing a really big issue and done something about it. More surprising to me is that there aren't that many posts about it on this forum. I came across my own post (this one) after almost a year and didn't see anything since then about it.
So far this is what I have found.
The user needs the following rights on the system to allow the update to fully process.
Grant Local users full rights to
Grant Full Registry Rights to
Grant local users launcf and activate to the Machine Debug Manager.
I use setalc to script and modify the registry rights. I use CACLS to modify the file/direcory rights.
Now my challange is to identify how to script the COM object rights.
We have the auto-update turned off and user rights only machines.
When a CAD service release comes out, we install it on the server(s) side and we use SMS to push out the update .msi and install. No problems so far.
I have a feeling that Express does not allow you to turn off auto-updates, but CAD with Enterprise does.
Again, could just be a UCCE page.
CCX does not expose the option to disable auto-updates within CAD. The official answer is that you must either grant the agents local administrative rights; or, set Group Policy to "Always install with elevated privileges" to be supported.
The answer Mark got on the browser-based UI is the route they are taking. You can see the first iteration of this in CCX 7 with CAD BE. Anything beyond that is NDA material at this point and not committed anyways. The closest the BU has come to discussing this in public was at Cisco Live 09. Terri discussed the road map, where they are devoting developer time, and what features they are targeting for upcoming releases.
Too bad there is no Chat feature in CAD-BE.
Our agents use this feature a lot in CAD.
Would be a hard sell for me to move to CAD-BE w/o chat.
Looks like I might not have a choice moving forward though...