How to Deploy Software to Air-Gapped Machines: A Complete Workflow

The single biggest air-gap mistake is grabbing a vendor's default download, which is often a 1–5 MB "web installer" that fetches the real payload at install time. On an offline box, it fails. You need the full standalone/offline installer — the complete application in one file (.exe/.msi on Windows, .dmg/.pkg on macOS, .deb/.rpm/.AppImage/.tar.gz on Linux). Many vendors publish these but bury them behind an "Other platforms," "Offline installer," or "Enterprise" link. Confirm by file size: a full installer is tens to hundreds of MB, a stub is a couple of MB. Always download from the publisher's own domain — for an air-gapped environment, a tampered installer is a worst-case scenario, so third-party mirrors are off the table.

Do verification on the connected staging machine, while you still have references. Two checks: (1) Hash — if the vendor publishes a SHA-256 checksum, compute it (certutil -hashfile file.exe SHA256 on Windows, shasum -a 256 file on macOS/Linux) and compare. (2) Signature — confirm the installer is digitally signed by the publisher (Properties → Digital Signatures on Windows; spctl -a -vv or codesign -dvv on macOS; gpg --verify against the vendor's published signature on Linux). Record the hash alongside the file so the offline side can re-verify after transfer. Skipping this step defeats the entire point of an air gap.

Move the verified installer using whatever your security policy allows — typically a dedicated, scanned USB drive, a one-way data diode, or an approved transfer kiosk. Best practices: use removable media reserved for this purpose (not someone's personal stick), scan it on the connected side, and re-compute the hash on the air-gapped side to confirm the file arrived bit-for-bit intact. If you deploy regularly, keep a single "software depot" folder structure on the media so transfers are predictable and auditable.

On the target, run the installer. For one machine, an interactive install is fine. For several, use the silent/unattended switches most full installers support: Windows MSIs take msiexec /i app.msi /qn, many EXE installers accept /S or /silent, macOS .pkg files install with sudo installer -pkg app.pkg -target /, and Linux packages install with the distro's package manager pointed at the local file. Capturing the exact silent command in a short runbook makes the next deployment a copy-paste rather than a fresh investigation. Our silent-install reference collects these switches for common tools.

Offline installs fail most often on missing dependencies the installer assumes it can download: Visual C++ Redistributables and .NET runtimes on Windows, shared libraries on Linux, or a specific framework version. Before you transfer the main app, identify and stage its prerequisites too — vendors usually list system requirements, and you can pre-download the matching redistributables from the same official source. Bundling the runtimes with the app in your depot folder prevents the classic "installed fine on my online test box, failed on the air-gapped target" surprise.

An air-gapped machine will never auto-update, so its software ages — and ageing software is a security liability. Build a cadence: on a schedule, re-download the current installer on the connected side, re-verify, and re-deploy through the same controlled-media process. Keep a simple inventory of what is installed where and at which version so you know what is due. Treat the offline installer depot as a living artifact, not a one-time copy.

Deploying to air-gapped machines is less about any single trick and more about a disciplined chain: source the real standalone installer from the official domain, verify it before it leaves the internet, transfer it with controlled media, install it (ideally silently), stage its dependencies, and schedule updates. Get that workflow right once and every future deployment becomes routine. Our directory focuses on exactly the verified, official standalone installers this process depends on.