DataLocker PortBlocker
Mass Deployment
Installation
The Portblocker-Setup.msi installer will deploy three key parts to the target workstation. The three parts consist of a Device Driver, Windows Service, and a Windows Application that the user can interact with. The installation will require local admin privileges to complete the process and is recommended to run as the system account to avoid UAC prompts. Once PortBlocker is installed, all mass storage type devices will be blocked. The following arguments can be used during installation.
/i: This is the msiexec option for install.
/quiet: used for silent installations on new installs and version upgrades.
/S: hides the notification that PortBlocker is already installed
/norestart: Prevents the machine from restarting automatically after the installation is completed.
/forcerestart: The machine will be restarted after the installation is complete.
Registration
Registration is needed before devices can be allowed. When registration parameters are successfully passed to the installer, PortBlocker will automatically register after installation. The following arguments can be used during installation to automatically register PortBlocker after registration.
URL=<SafeConsoleConnectionToken>: the SafeConsole connection token (https://myserver.safeconsolecloud.io/connect)
EULA=1: Accept the end-user license agreement on behalf of the user
USER=<UniqueToken>: OPTIONAL, register the PortBlocker Install to a specific user already in SafeConsole
LAUNCH_CLIENT=1 | 0: Launch Windows client application after installation. The default value is 1 (launch client application). It is recommended to set to 0 (do not launch client application) for mass deployment scenarios to avoid unresponsive client processes in the background. The client application should be launched by the user or startup script on user login in this case.
DISABLE_AUTO_UPDATE=1 | 0: OPTIONAL, Disables the automatic application update prompt. Set to value back to 0 to revert the change. (Requires 1.4.14.2+)
DISABLE_UI_SYS_STARTUP=1 | 0: OPTIONAL, Disables the PortBlocker UI during OS startup. UI can still be started by running the PortBlocker application. (Requires 1.6+)
HIDE_CLIENT_UI=1 | 0: OPTIONAL, Disables the PortBlocker UI. This will run PortBlocker as a process but UI cannot be triggered. (Requires 1.6+)
It is recommended that the SafeConsole Server be configured with both unique token and admin approval disabled. This will allow a simple registration process for the end-user.
Uninstall Password
As of PortBlocker version 1.4, and SafeConsole version 5.7, the uninstall password is controlled via a SafeConsole policy for both Windows and macOS.
The following argument can be used when uninstalling PortBlocker.
PASSWORD=: PortBlocker may be uninstalled via CMD or Powershell. Use "PASSWORD=" to specify the uninstallation password.
For more information regarding the uninstall process, please see the process in the PortBlocker admin guide starting on page 23:
Requirements
- PortBlocker 1.4.3+ or later MSI Installer
- Windows 10 and Windows 7
- SafeConsole Connection Token, ex: https://myserver.safeconsolecloud.io/connect
- Public server share to host installer, ex: \\nas\share\PortBlocker-Setup.msi
Example
This example PowerShell script can be modified for use with your software deployment tool.
*Note* Windows by default restricts execution of PowerShell script. However, this execution policy will not need to be changed for deployment as the script will execute with the privilege of the local system account. When testing the script locally, the PowerShell execution policy may need to be modified. For more information see Microsoft's documentation.
# Location of msi, such as a public network share
Set-Variable -Name "installer" -Value "\\nas\share\PortBlocker-Setup.msi"
# SafeConsole Connection URL
Set-Variable -Name "safeConsoleURL" -Value '"https://server.safeconsolecloud.io/connect"'
$installerArgs = "/i $installer /quiet /norestart EULA=1 URL=$safeConsoleURL LAUNCH_CLIENT=0"
Start-Process msiexec.exe -Wait -ArgumentList $installerArgs