This method will update Outlook (Win/Citrix/RDS) email signatures without any user interaction
IMPORTANT NOTE: This method has been discontinued as of August 4, 2016. It has been replaced with oAuth2 based installation.
This is perfect if:
- You want to deploy the Xink Outlook App unattended to all Outlook (Windows) users.
- You don't want Outlook (desktop) users to have any kind of interaction.
- You don't want to deal with invitation emails and rely on users having to enter credentials.
- You want to deploy across medium or larger teams.
This process works with:
- Outlook (Win)
- Outlook (Citrix/RDS)
- Active Directory as data source (AD on-prem)
- Domain users
You use GPO or a third-party deployment tool like Citrix to deploy the package to users in your IT environment.
- You request an MSI package with a certificate.
- You deploy via GPO, Citrix/RDS or other deployment tools.
NOTE: If some employees installed the Xink App manually via the invitation email, we recommend that the installation is removed before the MSI package is pushed to those clients.
You'll find those users in Employees menu when you filter by 'last update'.
We support only one installation per client. Having two Xink App installations, the email signature updates might not work.
Unattended Outlook deployment works in a Windows environment.
- If you have users running Mac OS they need to manually install the client app and add their own credentials.
Due to Outlook’s configuration, we cannot support Mac OS MSI deployments in a Windows environment.
How does Xink's MSI package work
Instead of installing the client app manually and connecting it to the Xink account by entering email and password, you deploy this through your GPO, Citrix/RDS or Active Directory (AD).
In order to do this (and especially to make the deployment secure) we issue a certificate and we make a package especially for you.
We sign this package with our certificate.
When you deploy the package you also need to deploy the certificate with it.
This guarantees Xink that the requests coming from users are genuine.
You need to make sure that you have email addresses updated in your AD as the email is the identifier for each of the users.
- When using MSI deployment, the Xink Outlook App uses client certificate to authenticate the user against Xink servers.
- Neither usernames nor passwords are specified in any configuration files using this method.
- Your users will be identified through the certificate and AD properties.
P.S When the App is installed via .MSI, there will be no automatic updates of the App from our server.
- To update the Xink Outlook App you request a new MSI package and redeploy it.
Open the Xink Outlook App and click on the Xink logo to see the version you deployed in your environment:
How to get the signed MSI package
It is a manual process to get a signed package from us. You need to request it. To do so follow these steps:
- In your Xink account, click on the gear wheel near your name > Preferences and fill out information about your company such as address, contact person, and email (most of this information is probably already there).
- Create a support ticket stating that you want to receive a signed MSI package for unattended deployment (login or signup and you can create a support ticket).
- In return, you will get in touch with one of our support representatives who will provide a customized client certificate and pre-configured MSI package.
The package is configured to use this particular certificate. The certificate is password-protected.
The files you will receive are a certificate with a password and a signed MSI package with the client app.
How to install the certificate on the user store
The certificate needs to be on all PCs using Outlook for desktop.
The 'User Store' is the best certificate location. Its intended access policy is "user full control".
Use this command to deploy the certificate via GPO in order to install the certificate on a user store basis:
certutil -f -user -p "CertificatePassword" -importpfx "%LOGONSERVER%\netlogon\certificates\ems-company.pfx"
We do not offer support for certificates added to machine stores.
There are too many complex local factors which are out of our control which is why we cannot offer support for machine store certificate installations. There are permission issues to consider and applying the certificate in machine store is not always desired and it is out of scope for us to advise on this.
How to install the MSI package for Xink
When the certificate is installed you deploy the package as any other MSI package.
When the package is installed, 'My Credentials' are dimmed so users cannot select, as users are verified through the certificate and the signed MSI package:
You can check when users are updated in 'Employees menu'.
Find the employee you want to check and check 'Last Outlook Update' date.
If this is blank this user has not yet synced, but if it works you will see the date of the last update when you received email signatures.
Support for many users using one PC
When the Xink Outlook App is installed via MSI there is full support for different users using the same PC.
The only thing you need to do is to install the certificate for each user.
Citrix/RDS Remote Desktop - Outlook as Published Applications is not supported
Install the client app in per-machine mode
Put the server in installation mode and then deploy the package.
Remember to install the certificate as well as described above - it follows the same steps.
The users do not need to enter any credentials as they are verified through the certificate and the signed MSI package, meaning that you don’t have to involve users in the process, with IT maintaining control over it all.
Additional Information and useful links
About X.509 certificate tool: http://msdn.microsoft.com/en-us/library/aa529278.aspx
Managing private keys: http://technet.microsoft.com/en-us/library/ee662329.aspx
Providing access to private keys: http://blogs.technet.com/b/operationsguy/archive/2010/11/29/provide-access-to-private-keys-commandline-vs-powershell.aspx