This feature is available with Cloud Identity Premium edition. Compare editions
You can install software on Windows devices enrolled in Windows device management by adding custom settings in the Google Admin console. You specify the app MSI file location in an XML file that you set as the value of the custom setting.
Step 1: Get required app details and create the XML file
To create the XML file, you need the URL of the app, the file hash, and the product ID.
- On your Windows device, download the MSI file you want to deploy.
Note: The app installation file must be available either from the vendor's website or a server location accessible by http, https, or ftp protocol where your IT admin hosts the file.
For example, you could download the 7‑Zip installation file from https://7-zip.org/a/7z1900-x64.msi.
- Open PowerShell.
- To get the file hash, run Get‑FileHash ‑Path PathToFile ‑Algorithm SHA256, where PathToFile is the path to the app installation file. Record the hash value, which is the 64-character string returned in PowerShell.
For example, if the 7‑zip MSI file is in your Downloads folder, run Get‑FileHash ‑Path C:\Users\username\Downloads\7z1900‑x64.msi ‑Algorithm SHA256
- To get the product ID:
- Copy the following PowerShell script into a text editor and save it as Get-MSIFileInformation.ps1.
param( [parameter(Mandatory=$true)] [IO.FileInfo]$Path, [parameter(Mandatory=$true)] [ValidateSet("ProductCode","ProductVersion","ProductName")] [string]$Property ) try { $WindowsInstaller = New-Object -ComObject WindowsInstaller.Installer $MSIDatabase = $WindowsInstaller.GetType().InvokeMember("OpenDatabase","InvokeMethod",$Null,$WindowsInstaller,@($Path.FullName,0)) $Query = "SELECT Value FROM Property WHERE Property = '$($Property)'" $View = $MSIDatabase.GetType().InvokeMember("OpenView","InvokeMethod",$null,$MSIDatabase,($Query)) $View.GetType().InvokeMember("Execute", "InvokeMethod", $null, $View, $null) $Record = $View.GetType().InvokeMember("Fetch","InvokeMethod",$null,$View,$null) $Value = $Record.GetType().InvokeMember("StringData","GetProperty",$null,$Record,1) return $Value } catch { Write-Output $_.Exception.Message }
- In PowerShell, run PathToScript\Get‑MSIFileInformation.ps1 ‑Path PathToFile ‑Property ProductCode, where PathToScript is the location of the PowerShell script and PathToFile is the path to the MSI installation file.
For example, if you save the PowerShell script in your Desktop folder, to get the product code for 7-Zip, run C:\Users\username\Desktop\Get‑MSIFileInformation.ps1 ‑Path C:\Users\username\Downloads\7z1900‑x64.msi ‑Property ProductCode
The product ID is an alphanumeric string in brackets. For example, {23170F69-40C1-2702-1900-00001000000}.
- Copy the following PowerShell script into a text editor and save it as Get-MSIFileInformation.ps1.
- Create the XML file:
- Copy the following XML into a text file:
<MsiInstallJob id=""> <Product Version="1.0.0"> <Download> <ContentURLList> <ContentURL>MSI-URL</ContentURL> </ContentURLList> </Download> <Enforcement> <CommandLine>/quiet</CommandLine> <TimeOut>5</TimeOut> <RetryCount>3</RetryCount> <RetryInterval>5</RetryInterval> </Enforcement> <Validation> <FileHash>FileHash</FileHash> </Validation> </Product> </MsiInstallJob>
- In the
<ContentURL>
tags, replace MSI-URL with the URL of the MSI file. - In the
<FileHash>
tags, replace FileHash with the file hash of the MSI file. - If needed, update the installation parameters in the
<Enforcement>
tags. For details, refer to the Microsoft documentation. - Save the file.
- Copy the following XML into a text file:
Step 2: Add the custom setting
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesMobile and endpointsSettingsWindows.
- Click Custom settings.
- Click Add a custom setting.
- Configure the custom setting:
- In the OMA-URI field, enter EnterpriseDesktop and select ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/<Enter ProductID>/DownloadInstall.
- In the OMA-URI, replace <Enter ProductID> with the MSI product ID, encoding the brackets. To format correctly, enter %7BProductID%7D, where %7B is the encoded version of "{" and %7D is the encoded version of "}".
For example, the OMA-URI string for 7-Zip is ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B23170F69-40C1-2702-1900-00001000000%7D/DownloadInstall
- When you select the OMA-URI, the Name field updates to "DownloadInstall". Enter a unique name that includes the app name to help you identify it in the list of custom settings. For example, "Install 7-zip v19.0".
- For Data type, select String (XML), click Upload XML, and select the XML configuration file you created in the first section.
- (Optional) Enter a description.
- To go on and select the organizational unit the custom setting applies to, click Next. If you want to start another custom setting, click Add another. These policies aren't applied to an organizational unit until you click Next and select the organizational unit.
- Choose one or more organizational units to apply the policy to.
- Click Apply.
The app is installed on users' devices within 3 hours if the device is connected to the internet. For devices that aren't connected, the app is installed the next time the device is connected.
Step 3: Verify app installation
You can confirm that an app you deployed through a custom setting was installed on a device in several ways. Checking on the device has the least lag between when you apply the custom setting and when you get it on the device because you can run a manual sync.
On the device
- On the device, open Settings and find Managed by Google.
- If the app is installed, it's listed under Areas managed by Google in the Applications section.
- If the app isn't in the list, run 2 manual syncs to make sure the device gets the custom setting. While installation is pending, the app is listed by its product ID. After installation, it's listed by the app name.
- If the app doesn't install after the manual syncs, review the custom setting values and make sure they're set up correctly.
In the device's app inventory in your Admin console
This option allows you to review the apps installed on a device remotely. Note: It can take up to 12 hours for app data to appear in the app list.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
Go to Menu DevicesOverview.
- Click Endpoints.
- Click the device. If your organization has many devices, use the filters or search bar to find the specific device.
- Click Installed apps and confirm the app is listed.
Uninstall an app
You can uninstall apps that were installed with custom settings. You can't use custom settings to uninstall apps that were installed by other methods.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesMobile and endpointsSettingsWindows.
- Click Custom settings.
- On the left, click the organizational unit you want to uninstall the app for. To uninstall the app for all users, select the top organizational unit.
- Point to the custom setting and click Delete or Disable. To confirm deletion, click Delete.
If you selected a child organizational unit that inherited the custom setting, you disable the custom setting because you can't delete it for the rest of the organization. If you change your mind, you can click Inherit to install the app on devices in the child organizational unit again.
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.