How are you pushing software to remote users who rarely VPN in?
Posted by m0zi-@reddit | sysadmin | 59 comments
We’ve got domain-joined Windows machines out in the field. Our VPN is user-initiated after Windows login, so there’s no always-on tunnel. Users only connect when they need to, which means GPO and anything that depends on line-of-sight to a DC is unreliable for software deployments.
Right now we have ConnectWise RMM and ScreenConnect, so I can remote in and install things manually, but that obviously doesn’t scale.
Appreciate any insight. Ideally looking for something that doesn’t require a massive lift to implement since we’re pretty spread thin as it is.
Thanks.
Affectionate-Cat-975@reddit
Action1
GeneMoody-Action1@reddit
We appreciate the shoutout!
inspector1135@reddit
Action1 is a remote patching software made just for this purpose and has 200 free endpoint licenses.
GeneMoody-Action1@reddit
We handle that! And thanks for the shoutout. Part of being a patch management solution is the ability to install/uninstall. That can be patches or software. All our app titles in the repository support install/uninstall as well as using the installers to patch. And you can add your own as well.
Since we are SaaS/cloud based, no VPN required at all, all live, all 24x7x365 as long as the endpoint has internet connectivity, you have control.
If anyone would like to know more, just mention Action1 or me, and a data pigeon will be dispatched immediately.
CrashnetMtl@reddit
Second time in the same day I recommend PDQ. I got pdq connect for this exact issue. Great so far.
master_illusion@reddit
I’ll second PDQ Connect. Have used it for over a year and it just works.
PDQ_Brockstar@reddit
Have you noticed that the package library has more than doubled over the last couple of weeks? We're approaching 600 packages that are vetted and maintained by PDQ. Our energy drink bill has mysteriously gone through the roof though ;)
The_Penguin22@reddit
Holy crap! Good thing you got the folders done first.
PDQ_Tarabyte@reddit
I may or may not have been compulsively organizing my folders during a meeting yesterday in which I definitely should have been paying attention.
The_Penguin22@reddit
Yep, trialing Connect right now after years with Deploy and Inventory. So far it's great!
PDQ_Brockstar@reddit
Awesome! Let me know if you have any questions or feedback.
PDQ_Brockstar@reddit
That's awesome. Glad it's working for you. Yeah, remote software deployments is like the bread and butter of PDQ Connect, but it's really just the tip of the iceberg.
If you ever need anything, have questions, or want to submit a product feature request, let me know!
m0zi-@reddit (OP)
thanks i’ll check it out
AwalkertheITguy@reddit
For most basic apps we use Ninja. But we also have certain power users who have autoconnect VPN outside of that.
No_Chipmunk_2992@reddit
PDQ Connect
xXNorthXx@reddit
Pre-login vpn aka always-on vpn. If it’s on, it checks in and gets patched. Post-login, it switches to user context.
XXViperXX@reddit
PDQ connect.
Fabulous_Dog_6514@reddit
PDQ connect.
Crumby_Bread@reddit
Intune.
Or you can store the installers in a cloud repo and download them to a temp directory + install them via script with CW Automate, since you said that’s your RMM. Make sure you clean up the installers after the fact.
m0zi-@reddit (OP)
hmm i’ll have to try the cloud repo
trying to think of how to do it securely
mnvoronin@reddit
Automate has a built-in file repository that you can use in scripts to download installers from. It is also accessible via HTTPS.
SMB: \\ltserver\ltshare\Transfer\[folder]\[file.msi]
Scripting: File Download: [folder]\[file.msi] to (enter local path including filename)
HTTPS: https://ltserver.example.com/Labtech/Share/Transfer/[folder]/[file.msi]
m0zi-@reddit (OP)
i don’t believe we have Automate, just RMM
Crumby_Bread@reddit
Azure blob storage lets you publish read-only anonymous access URLs to the storage container. You can download via script with said URL.
iliketurtlz@reddit
And you can have your script confirm the hash before installing if you want to ensure you're installing exactly what you expect.
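Added example, not part of any comment in this thread: a PowerShell sketch of the flow discussed above (pull an installer over HTTPS into a temp directory, confirm its SHA-256 against a pinned value, install silently, then clean up). The URL, file names and hash value are placeholders chosen for illustration, and the script assumes it is run by the RMM agent with rights to install an MSI.

```powershell
# Added example: download, verify, install, clean up. All names and values are placeholders.
$ErrorActionPreference = 'Stop'

$InstallerUrl   = 'https://packages.example.com/installers/app.msi'  # hypothetical repo URL
$ExpectedSha256 = '<SHA256-OF-VETTED-INSTALLER>'                      # placeholder; pin one per release

function Test-FileSha256 {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Expected)
    # Get-FileHash returns uppercase hex; PowerShell's -eq is case-insensitive for strings.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return $actual -eq $Expected.Trim()
}

if ($InstallerUrl -notmatch '^https://') { throw 'Refusing to download from a non-HTTPS source.' }

# Fresh, uniquely named working directory so a stale or pre-planted file is never installed.
$workDir = Join-Path $env:TEMP ('deploy-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $workDir | Out-Null
$msi = Join-Path $workDir 'app.msi'
$log = Join-Path $env:TEMP 'app-install.log'

try {
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -Uri $InstallerUrl -OutFile $msi -UseBasicParsing

    # The hash is pinned in the script, not fetched from the same bucket as the installer.
    if (-not (Test-FileSha256 -Path $msi -Expected $ExpectedSha256)) {
        throw "Hash mismatch for $msi; not installing."
    }

    $msiArgs = @('/i', "`"$msi`"", '/qn', '/norestart', '/L*v', "`"$log`"")
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is required.
    if ($p.ExitCode -notin 0, 3010) { throw "msiexec exited with code $($p.ExitCode)." }
}
finally {
    # Remove the installer whether or not the install succeeded.
    Remove-Item -LiteralPath $workDir -Recurse -Force -ErrorAction SilentlyContinue
}
```

Because the expected hash travels with the script rather than with the download, someone who can replace the file in an anonymously readable container still cannot get it installed without also changing the script in the RMM.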
pande2929@reddit
We use on-prem ManageEngine Endpoint Central with a Secure Gateway server to reach those pesky off-vpn endpoints.
BWMerlin@reddit
Via a MDM, that is the major point of having one.
You could also look at having an always on VPN solution but I would really look at if you need a VPN and domain joining or are better off moving to Entra joined devices.
punkwalrus@reddit
Our company has it so you have to connect to the company VPN within 30 days, or RSA locks you out, and your laptop is a paperweight. You have to log in and complete a series of hoops to refresh your days.
CrashnetMtl@reddit
I like this! Is it enforced via rsa with a rule or policy?
punkwalrus@reddit
I believe RSA does this.
Acheronian_Rose@reddit
Kaseya VSA, all endpoints have an agent
justint13791@reddit
I use Intune and NinjaOne. Works pretty good, and scales for at least my company for now
the_doughboy@reddit
jwalker55@reddit
Action1, free for the first 200 endpoints.
Secret_Account07@reddit
Lots of good answers here but I’m curious. How can a user not VPN that often? How do they access documents or software? Everything O365?
m0zi-@reddit (OP)
yeah, pretty much most of them just vpn in to change their password….
llDemonll@reddit
Does ConnectWise not work for this? Isn’t that part of the point of an RMM?
m0zi-@reddit (OP)
We have no place to store our installers and what not that i’m aware of. Granted we are fairly new to having an RMM after asking for one for 3 years.
boofnitizer@reddit
Azure, AWS, etc.?
m0zi-@reddit (OP)
AWS, i’ve thought about s3 but haven’t had time to sit down and figure out how to do it securely
hankhillnsfw@reddit
It’s insanely easy but…I wouldn’t really recommend it for your use case.
Your RMM should be able to handle sending packages down to endpoints and running the installs?
You also have Intune presumably?
Wartz@reddit
Intune.
MDM over https has been around for more than a decade. There's lots of options.
iceph03nix@reddit
Msi installs or scripts through our RMM.
landob@reddit
kinda don't have to. Most of our core bread and butter is self-hosted. So if they don't vpn they really can't access anything but their email.
But on top of that the machines are set up to auto connect vpn anyway.
DontForgetTheDivy@reddit
CMG
ne1c4n@reddit
Second this, works great for us. CMG = Cloud Management Gateway, which is an extension of MECM/SCCM.
gnarlycharlie4u@reddit
Wdym rarely vpn in? Company issued devices, zscaler always on (w/ strict enforcement), Intune for mdm, and autopilot if you're having a bad day.
CantPullOutRightNow@reddit
Make that VPN connection automatic. It’s the company’s device. You have no idea what people have in their home internet and they may not either.
Elensea@reddit
Push it through connectwise scripts. That’s what I did in similar situation until we went hybrid and intune.
m0zi-@reddit (OP)
How did you store your installers?
Elensea@reddit
We used the LTshare folder but we were on cwa hosted. Not sure how that differs from cw RMM.
Specialist_Guard_330@reddit
Action1 and Intune
Chungus-Galactic@reddit
NinjaOne RMM over here.
BeyondRAM@reddit
Atera
do_not_free_gaza@reddit
RMM, N-Able N-Sight.
RevengyAH@reddit
Your RMM will do that.
maggotses@reddit
Automate VPN
SevaraB@reddit
Yeah, if you want clients on networks you don’t control getting reliable software updates in 2026, you should be having them check in and pull via agent instead of trying to make a push work.
ThatsNASt@reddit
Depending on the software you can just use your RMM via powershell.
tonberry3@reddit
I'm using Automox, it does the job.