Secure Offline Deployments
How to Manage Windows Software with an Offline Deployments Solution
Chocolatey for Business customers are some of the largest and most secure organizations in the world.
With these customers, we have created a best practice solution called Offline Deployments based on their complex IT landscape and security constraints.
This Solution Brief describes the Offline Deployments solution and offers a choice of three patterns. The pattern you choose depends on the constraints you have, and those constraints are often security constraints.
Offline Deployments Are Driven by Security Needs
"How do we use Chocolatey for Business to automate our Windows software management inline with industry-standard security practices?"
Protect Your Software
Create an internal software repository with curated packages and restrict access to uploads and downloads.
Read National Cyber Security Center advice
Isolate Your Endpoints
Use network architectures and air-gap techniques to isolate locations and individual endpoints.
Read about air gap architectures
Four Ways These Security Constraints Can Impact System Administrators
1. Architecture
Where do you deploy your repository and Chocolatey for Business in relation to your endpoints?
2. Installation
How do you configure the software and endpoints in multiple locations and on air-gapped systems?
3. Operation
A day in the life of a SysAdmin: getting software into the repository and managing Chocolatey for Business.
4. Optimization
Using the virtual appliance approach with Chocolatey Quick Deployment Environment.
Applying this Offline Deployments solution with Chocolatey for Business is a real-world, in-production answer that meets the most common security requirements in software management.
In This Guide
Introducing the Quick Deployment Environment
All of the patterns described in this solution use the Chocolatey for Business virtual appliance called the Quick Deployment Environment, or QDE.
QDE is a production-ready, all-in-one virtual appliance and scales to manage a thousand endpoints.
It contains Chocolatey for Business, Jenkins and a Sonatype Nexus repository out of the box.
Learn more about the QDE here.
Which offline deployment solution do you need?
There are three slightly different patterns for the same solution, depending on the constraints you have.
1. Internal
- Private repository
- Offline location
- Air-gapped endpoint
2. Remote
- Private repository
- Offline location
- Air-gapped endpoint
3. Isolated
- Private repository
- Offline location
- Air-gapped endpoint
1. Internal Deployment
Most Chocolatey for Business customers secure their software deployments, by default, by using an internal (private, secure and self-curated) software repository.
This pattern reduces the risk of malware by forcing endpoints to use a secure internal repository as their software source instead of public community repositories. It also protects against malicious internal actors.
An Internal Deployment is not limited to one location. If you have the right network infrastructure, you can extend it to remote locations or branches in a "hub-and-spoke" model: HQ is the hub, where the Quick Deployment Environment (QDE) is deployed, and QDE-client endpoints in remote branch offices "call home" for software.
Steps Required to Implement the Internal Deployment Pattern
- Use the Chocolatey Quick Deployment Environment so you don’t need to hand-install the repository and Chocolatey components.
- Add packages and a Chocolatey for Business license to the repository.
- Use Package Internalizer to curate selected community packages to the internal repository.
- Connect the endpoints and configure them to use the QDE repository.
- Use Package Synchronizer to curate existing, deployed but unmanaged software from endpoints to the internal repository.
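The endpoint side of the steps above (install the license, point the endpoint at the QDE repository, and make sure the public community feed can no longer be used as a fallback), as an added PowerShell example that is not part of the solution brief or of Chocolatey's own documentation. The same configuration applies to the Remote and Isolated patterns with a different repository URL. The repository URL, the license share path and the source name are placeholders; the `choco source`, `choco install` and `choco source list --limit-output` commands are standard Chocolatey CLI, and the pipe-separated field layout assumed when parsing the source list is name|url|disabled|... (checked here as an assumption about that output format).

```powershell
# Added example: lock a Windows endpoint to the internal QDE repository so that no package
# resolves from the public community feed. Run in an elevated PowerShell session on the endpoint.
# Placeholders (assumptions, not values from the brief):
$InternalRepo  = 'https://qde.example.internal:8443/repository/ChocolateyInternal/'
$LicenseSource = '\\qde.example.internal\share\chocolatey.license.xml'
$SourceName    = 'ChocolateyInternal'

# 1. Install the Chocolatey for Business license file where the licensed extension expects it.
$LicenseDir = Join-Path $env:ProgramData 'chocolatey\license'
New-Item -ItemType Directory -Path $LicenseDir -Force | Out-Null
Copy-Item -Path $LicenseSource -Destination (Join-Path $LicenseDir 'chocolatey.license.xml') -Force

# 2. Register the internal repository as the highest-priority source (lower number = higher priority).
choco source add --name="$SourceName" --source="$InternalRepo" --priority=1

# 3. Disable the default community source so nothing falls through to the internet.
choco source disable --name='chocolatey'

# 4. Install the licensed extension from the internal repository only (it was pushed there
#    in the "add packages and a license to the repository" step).
choco install chocolatey.extension --source="$SourceName" -y

# 5. Verify: fail loudly if any enabled source still points at the community feed.
#    --limit-output prints one source per line as name|url|disabled|... (assumed layout).
$sources = choco source list --limit-output
$leaks = $sources | Where-Object {
    $f = $_ -split '\|'
    ($f[1] -like '*community.chocolatey.org*') -and ($f[2] -eq 'False')
}
if ($leaks) {
    throw "Endpoint still has an enabled community source: $leaks"
}
Write-Host "Endpoint is restricted to '$SourceName' ($InternalRepo)."
```

Disabling rather than removing the community source keeps the change visible and reversible in `choco source list`; the final check is what you would run from a configuration-compliance job to catch endpoints that were re-pointed at the internet after provisioning.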
2. Remote Deployment
Some organizations need to do a little more than the Internal Deployment pattern because they have an additional constraint: they need to deploy Chocolatey for Business to secure remote locations where internet connectivity is limited or not available.
The added complications arise during initial deployment and continued operation:
- How do we get software into the disconnected remote location?
- How do we then manage the software and endpoints in the remote location using Chocolatey for Business?
The answer to this is to split the previous Internal pattern into two parts:
- Prepare the QDE in a “normal” connected environment onto removable media (or maybe you have a VPN or DMZ and can use that).
- Take the removable media preparation to the remote location (or copy over the VPN) and deploy the solution.
This also requires a different ongoing remote operating model:
- The endpoints at the remote location will access their local QDE repository across their local shared network that is not connected to the internet.
- The remote endpoints will not “call HQ” for software. If they call HQ then that is a “branch-to-HQ” or “hub-and-spoke” model, not a disconnected remote location.
- Updating the remote repository, and therefore the endpoints, requires an administrator to visit the remote location with the software on removable media.
Steps Required to Implement the Remote Deployment Pattern
- Start the preparation in an internet-connected location.
- Use the Chocolatey Quick Deployment Environment so you don’t need to hand-install the repository and Chocolatey components.
- Add packages and a Chocolatey for Business license to the repository.
- Use Package Internalizer to curate selected community packages to the internal repository.
- Store the prepared QDE environment on removable media if there is no secure connection (VPN or DMZ) to the remote location.
- Deploy the QDE on a networked server in the remote location so clients can access it.
- Connect the endpoints and configure them to use the QDE repository.
- Use Package Synchronizer to curate existing, deployed but unmanaged software from endpoints to the internal repository.
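The ongoing operating model for a disconnected site (curate and internalize packages at HQ, carry them on removable media, then load them into the remote QDE repository), as an added PowerShell example that is not from the solution brief or from Chocolatey. It adds one check the brief does not spell out: a SHA256 manifest written at HQ and verified at the remote site before anything is pushed, so corrupted or altered media is rejected. The drive letter, package list, repository URL and API key are placeholders; `choco download --internalize --output-directory`, `choco apikey` and `choco push` are Chocolatey for Business / Chocolatey CLI commands, and `Get-FileHash` is built into PowerShell.

```powershell
# Added example: HQ -> removable media -> remote QDE repository, with integrity verification.
# All values below are placeholders (assumptions), not values from the brief.

# ---------- At HQ (internet-connected) ----------
$Media    = 'E:\choco-transfer'                       # removable media
$Packages = @('git', '7zip', 'notepadplusplus')       # packages approved for the remote site
New-Item -ItemType Directory -Path $Media -Force | Out-Null

foreach ($pkg in $Packages) {
    # Package Internalizer (licensed): rewrite the package so its binaries are embedded
    # instead of being fetched from the internet at install time, which an offline site cannot do.
    choco download $pkg --internalize --source='https://community.chocolatey.org/api/v2/' --output-directory="$Media"
}

# Write a SHA256 manifest of every .nupkg on the media.
Get-ChildItem -Path $Media -Filter '*.nupkg' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'Name'; e = { Split-Path $_.Path -Leaf } }, Hash |
    Export-Csv -Path (Join-Path $Media 'manifest.csv') -NoTypeInformation

# ---------- At the remote site (no internet) ----------
$RemoteRepo = 'https://qde.remote.local:8443/repository/ChocolateyInternal/'   # placeholder
$ApiKey     = Read-Host -Prompt 'Remote repository API key (not stored in this script)'

# Verify every file against the manifest before importing anything.
$manifest = Import-Csv -Path (Join-Path $Media 'manifest.csv')
foreach ($entry in $manifest) {
    $file   = Join-Path $Media $entry.Name
    $actual = (Get-FileHash -Algorithm SHA256 -Path $file).Hash
    if ($actual -ne $entry.Hash) {
        throw "Hash mismatch for $($entry.Name): media will not be imported."
    }
}
# Also refuse media that carries packages not listed in the manifest.
$unlisted = Get-ChildItem -Path $Media -Filter '*.nupkg' |
    Where-Object { $_.Name -notin $manifest.Name }
if ($unlisted) {
    throw "Unlisted packages on media: $($unlisted.Name -join ', ')"
}

# Only after verification: store the key for this source and push each package into the remote QDE.
choco apikey --source="$RemoteRepo" --api-key="$ApiKey"
Get-ChildItem -Path $Media -Filter '*.nupkg' | ForEach-Object {
    choco push $_.FullName --source="$RemoteRepo"
}
Write-Host "Imported $($manifest.Count) verified packages into $RemoteRepo."
```

A manifest that travels on the same media detects corruption and accidental substitution; to detect deliberate tampering, carry the manifest on a separate channel (or sign it) so that an attacker who can alter the media cannot also rewrite the hashes. After the push, the remote endpoints pick up the new versions from their local QDE repository exactly as in the Internal pattern.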
3. Isolated Deployment
In the most secure organizations, not only are secure remote locations disconnected from the internet, but each individual endpoint is also air-gapped from the network and from every other endpoint.
It is still possible and beneficial to use Chocolatey for Business in this locked-down scenario because of all of the ease-of-use features you get in C4B. If you decided to use Chocolatey Open Source you would have to build these features yourself.
As with the Remote Deployment, the solution is first prepared at a site with internet connectivity and then transferred to each air-gapped endpoint on removable media.
Steps Required to Implement the Isolated Deployment Pattern
- Start the preparation in an internet-connected location.
- Use the Chocolatey Quick Deployment Environment so you don’t need to hand-install the repository and Chocolatey components.
- Add packages and a Chocolatey for Business license to the repository.
- Use Package Internalizer to curate selected community packages to the internal repository.
- Store the prepared QDE environment on removable media.
- Deploy the QDE appliance from the removable media onto each air-gapped endpoint.
- Configure the endpoint to use the QDE repository.
- Use Package Synchronizer to curate existing, deployed but unmanaged software from endpoints to the internal repository.