A Chocolatey Solution Brief

How to Manage Windows Software with an Offline Deployments Solution

Chocolatey for Business customers are some of the largest and most secure organizations in the world.

With these customers, we have created a best practice solution called Offline Deployments based on their complex IT landscape and security constraints.

This Solution Brief describes the Offline Deployments solution and offers a choice of three patterns. The pattern you choose depends on the constraints you have, and those constraints are often security constraints.

Offline Deployments Are Driven by Security Needs

People working on a whiteboard
"How do we use Chocolatey for Business to automate our Windows software management inline with industry-standard security practices?"

Protect Your Software

Create an internal software repository with curated packages and restrict access to uploads and downloads.

Read National Cyber Security Center advice

Isolate Your Endpoints

Use network architectures and air-gap techniques to isolate locations and individual endpoints.

Read about air gap architectures

Four Ways These Security Constraints Can Impact System Administrators

1. Architecture

Where do you deploy your repository and Chocolatey for Business in relation to your endpoints?

2. Installation

How do you configure the software and endpoints in multiple locations and on air-gapped systems?

3. Operation

The day in the life of a SysAdmin, getting the software to the repository and managing Chocolatey for Business.

4. Optimization

Using the virtual appliance approach with Chocolatey Quick Deployment Environment.

Applying this Offline Deployments solution with Chocolatey for Business is a real-world, in-production answer that meets the most common security requirements in software management.

In This Guide

Introducing the Quick Deployment Environment

All of the patterns described in this solution use the Chocolatey for Business virtual appliance called the Quick Deployment Environment, or QDE.

QDE is a production-ready, all-in-one virtual appliance and scales to manage a thousand endpoints.

It contains Chocolatey for Business, Jenkins and a Sonatype Nexus repository out of the box.

Learn more about the QDE here.
Quick Deployment Environment Architecture

Which offline deployment solution do you need?

There are three slightly varied patterns to solve the same solution, depending on the constraints you have.

Internal Deployment Pattern
  • Private repository
  • Offline location
  • Air-gapped endpoint
Remote Deployment Pattern
  • Private repository
  • Offline location
  • Air-gapped endpoint
Isolated Deployment Pattern
  • Private repository
  • Offline location
  • Air-gapped endpoint
Internal Deployment Pattern Internal Deployment Pattern

1. Internal Deployment

It is the default for most Chocolatey for Business customers to secure their software deployments by using an internal (private, secure and self-curated) software repository.

This pattern reduces the risk of malware by forcing endpoints to use a secure internal repository as their software source instead of public community repositories. It also protects against malicious internal actors.

An Internal Deployment is not limited to one location. If you have the right network infrastructure you could extend this to remote locations/branches in a "hub-and-spoke" model with HQ as the hub, where the Quick Deployment Environment (QDE) is deployed, and QDE-client endpoints in remote branch offices “calling home” for software.

Steps Required to Implement the Internal Deployment Pattern
  1. Use the Chocolatey Quick Deployment Environment so you don’t need to hand-install the repository and Chocolatey components.
  2. Add packages and a Chocolatey for Business license to the repository.
  3. Use Package Internalizer to curate selected community packages to the internal repository.
  4. Connect the endpoints and configure them to use the QDE repository.
  5. Use Package Synchronizer to curate existing, deployed but unmanaged software from endpoints to the internal repository.
Remote Deployment Pattern Remote Deployment Pattern

2. Remote Deployment

Some organizations need to do a little more than the Internal Deployment pattern because they have an additional constraint: they need to deploy Chocolatey for Business to secure remote locations where no internet connectivity is limited or not available.

The added complications arise during initial deployment and continued operation:

  • How do we get software into the disconnected remote location?
  • How do we then manage the software and endpoints in the remote location using Chocolatey for Business?

The answer to this is to split the previous Internal pattern into two parts:

  • Prepare the QDE in a “normal” connected environment onto removable media (or maybe you have a VPN or DMZ and can use that).
  • Take the removable media preparation to the remote location (or copy over the VPN) and deploy the solution.

This also requires a different ongoing remote operating model:

  • The endpoints at the remote location will access their local QDE repository across their local shared network that is not connected to the internet.
  • The remote endpoints will not “call HQ” for software. If they call HQ then that is a “branch-to-HQ” or “hub-and-spoke” model, not a disconnected remote location.
  • To update the remote repository and therefore the endpoints will require an administrator to visit the remote location with the software on removable media.
Steps Required to Implement the Remote Deployment Pattern
  1. Start the preparation in an internet-connected location.
  2. Use the Chocolatey Quick Deployment Environment so you don’t need to hand-install the repository and Chocolatey components.
  3. Add packages and a Chocolatey for Business license to the repository.
  4. Use Package Internalizer to curate selected community packages to the internal repository.
  5. Store the prepared QDE environment on removable media if there is no secure connection (VPN or DMZ) to the remote location.
  6. Deploy the QDE on a networked server in the remote location so clients can access it.
  7. Connect the endpoints and configure them to use the QDE repository.
  8. Use Package Synchronizer to curate existing, deployed but unmanaged software from endpoints to the internal repository.
Isolated Deployment Pattern Isolated Deployment Pattern

3. Isolated Deployment

In the most secure organizations, not only a secure remote locations not connected to the internet, but each individual endpoint is air-gapped from the network and each other.

It is still possible and beneficial to use Chocolatey for Business in this locked-down scenario because of all of the ease-of-use features you get in C4B. If you decided to use Chocolatey Open Source you would have to build these features yourself.

Similar to the Remote Deployment, the to-be-implemented solution is first prepared at a site with internet connectivity then transferred to each air-gapped endpoint on removable media.

Steps Required to Implement the Isolated Deployment Pattern
  1. Start the preparation in an internet-connected location.
  2. Use the Chocolatey Quick Deployment Environment so you don’t need to hand-install the repository and Chocolatey components.
  3. Add packages and a Chocolatey for Business license to the repository.
  4. Use Package Internalizer to curate selected community packages to the internal repository.
  5. Store the prepared QDE environment on removable media.
  6. Deploy the QDE appliance from the removable media onto each air-gapped endpoint.
  7. Configure the endpoint to use the QDE repository.
  8. Use Package Synchronizer to curate existing, deployed but unmanaged software from endpoints to the internal repository.