If you are using an administrative installation point or a network install for Microsoft Office updates in BES, you will need to setup a "null session share", which will allow the BES Client computers (which run as the SYSTEM user) to access the computer hosting the shared files. If the shared files are on a computer with the NTFS file system, you will also need to make sure that "EVERYONE", "NETWORK", or "ANONYMOUS LOGON" has NTFS "read" permissions. Null session shares can only be set up on Windows NT+ computers and will not work on Win9x/WinME.
Note: If the computer that is hosting the shared files has the value "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous" set to 1 or 2, then the BES Clients will not be able to access the shared files. You will need to set the RestrictAnonymous value to 0 to allow the BES Clients access to the shared files.
If the system where you are creating the null session share is running Windows 2003 Server, you will also need to enable the Group Policy "Network access: Let Everyone permissions apply to anonymous users". You can do this by:
If the system where you are creating the null session share is running Windows 2008 Server, you will also need to enable the "Network access: Shares that can be accessed anonymously". You can do this by:
To test your setup, you can use the "net use" command to connect to your resource using an anonymous login and null password (simulating what the BES Client process will be doing). From a command prompt, execute the following:
net use \\servername\sharename "" /user:""
(Where "\\servername\sharename" is replaced by the UNC of the null share.)
If you already have a connection to the server, you will have to clear the connection to the server prior to executing the above command, or it will instead attempt to map the device using the previously successful connection parameters.
The response "The command completed successfully" indicates that the device was mapped successfully, while errors such as "System error 5 has occurred. Access is denied" indicate an immediate failure and you must verify your setup.
If you have successfully mapped the device, you should then attempt to copy files to or from the resource "\\servername\sharename" to ensure you have the access desired.
You are now ready to deploy Office updates through the BES Console. You will be prompted to enter the location of the shared installation point during each patch deployment. Please enter it in the form of \\server_name\sharename.
You may wish to print or bookmark this page for future reference. For further information on null session shares, click here for Microsoft's knowledge base article.