We actually did a demo with them last year and set up a test environment and will be purchasing soon. From what I remember you had to log into the EPM console and export the macOS agent install package, we then used that, and this script in a policy to do the install:
#!/bin/sh
installer -target / -pkg /Library/CyberArk/CyberarkEPMAgent.pkg
Interesting, so getting into your EPM console gave you a pkg to install? So far my security team has just given me a zip file, I'll hit them up and see if they can pull a pkg from another source.
What's in the .zip? If you extract the .zip do you have the EPM installer .pkg?
The link you posted shows how to download the package:
"Download package
In the EPM Management Console, select My Computers and then select Download Agent Installation to display the Download Agent Installation Package window.
Select the relevant MSI installation file or macOS installation package, then enter a key of your choice and click OK. You will use this key again during installation.
Copy the relevant MSI installation file or macOS installation package to a shared network."
@rtylerdavis @brianmcbride99
From what I'm seeing, it's an app not a package. I'm in the same boat. Documentation is very limited. I'm not sure why it's asking for the admin/pass and using sudo in the command unless that is the admin/pass it is going to rotate. However, the documentation just states that's what will be used to install the app. See here:
https://docs.cyberark.com/Product-Doc/OnlineHelp/EPM/Latest/en/Content/Installation/Manually_Installing_Agents.htm
I have scheduled the test install for next week but based on what I read so far, you download the installer via CyberArkEPMAgentSetupMacOs_11.6.0.449(the_name_of_your_set).zip. Inside this zip there is a "CyberArkEPMConfiguration.json" and an "Install CyberArk EPM.app.zip". Extract the "Install CyberArk EPM.app.zip" and you get the "Install CyberArk EPM.app".
Drop "CyberArkEPMConfiguration.json" and "Install CyberArk EPM.app" onto the target system in the same folder, then install via
"pathtoinstaller/Install CyberArk EPM.app/Contents/MacOS/CyberArkEPMInstaller" -configuration "pathtojson/CyberArkEPMConfiguration.json"
If you want CyberArk to rotate local passwords or carry out other admin tasks you need to specify a local user account that has a secure token.
"pathtoinstaller/Install CyberArk EPM.app/Contents/MacOS/CyberArkEPMInstaller" -configuration "pathtojson/CyberArkEPMConfiguration.json"
-adminUser localuserwithsecuretoken -adminPassword localuserwithsecuretoken password
@DirkM According to this documentation, you only need to grant the CyberArk EPM user a SecureToken if the account you want to rotate already has SecureToken enabled.
https://docs.cyberark.com/Product-Doc/OnlineHelp/EPM/11.3/en/Content/EPM_PET/Install_CredRotation.htm?Highlight=secure%20token
I am struggling with these new releases that are a .app instead of the pkg
The requirement to pass an admin user/pass, when I am already deploying the app with a tool like jamf, is not just asinine, but asiten and asieleven.
If you read their documentation or use their scripts, they mention a command argument, -withoutPwdRotation which is supposed to get rid of these admin prompts....well, if you run with that argument, it returns an error about an unrecognized command. But it is in their documentation......
We have a ticket open with them. One of their first suggestions was to go on jamf nation for tips on deployment...not something I ever want to hear from a vendor. The Windows deployment was as easy as adding the command switches to the MSI, I don't know why they had to reinvent the wheel with this one
@hdsreid I had some trouble with getting this installed for the first time. I'm not using -withoutPwdRotation so I can't comment on that. Can you just leave that option out entirely since you already installed the app and you are upgrading it? Their documentation is weak at best. It's confusing, laid out poorly, and some steps like creating a Config Profile to allow installation which should be first are listed as the last step.
@spraguga it still wants me to pass an admin user/password at the command line, and I would really not like to do this. we don't even have a token set to "protect" the set. i don't get it lol
Working on this as well. Instructions from CyberArk say to drop the .zip file into JAMF Admin but every time I try to add it to Admin it throws up a NilObjectException not handled error. When I try what @DirkM suggests I get errors saying invalid admin credentials even though I know the username and password are correct and my admin account has a secure token. Who's got the solution??

@Kyuubi what version of CyberArkEPM Agent are you trying to install? We are on 11.5 and finally got an update from our ticket, apparently they are aware of the issue related to admin credentials. We were given a patch to install on the EPM server and then told to generate a new package, however the team managing Cyberark has not done this yet, so I cannot confirm if it does solve the issue.
Our cloud instance is at version 11.6 and the macOS client is version 10.6.1.487. The downloadable zip contains the Install CyberArk EPM.app and a CyberArkEPMConfiguration.json which has to be in the same location as the app.
I can install the client using
sudo "/pathtoapp/Install CyberArk EPM.app/Contents/MacOS/CyberArkEPMInstaller" -k installKey -withoutPwdRotation
where install key is the string entered when downloading the zip.
So far, so good. I cannot get past the "System Extension Blocked" though, even though I have a configuration profile that has the Team ID DF8U2CCCD8 as approved kernel extension as well as allowed system extension. Once I approve manually it seems to be working.
Does any of you have a config profile that surpasses the System Extension Blocked on 10.15.6?
@DirkM this is where I am at as well at this point. Looks like it's time to push back on support some more...
I struggled with the system blocking as well, just randomly trying things until I got it working. Their documentation is terrible. In my testing you MUST add the system extension for this to work and it's not the one stated in their documentation.
Here is how I got it working:
1) Approved kernel extension with bundle id: DF8U2CCCD8
2) PPPC with the following:
Identifier:
com.cyberark.CyberArkEPMEndpointSecurityExtension
Code Requirement:
anchor apple generic and identifier "com.cyberark.CyberArkEPMEndpointSecurityExtension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DF8U2CCCD8)
Service:
SystemPolicyAllFiles = Allow
3) System Extensions:
It will not work with the Team ID only. In my testing you must add the system extension for this to work.
Team ID: DF8U2CCCD8
Allowed System Ext: com.cyberark.CyberArkEPMEndpointSecurityExtension
Cheers!
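A check for the "System Extension Blocked" state discussed above, as an added example (not from any poster or from CyberArk): it reads `systemextensionsctl list` output and reports whether the extension named in this thread is approved. The function and variable names are hypothetical, the sample listing is constructed, and the column layout and state strings are assumptions about that tool's output.

```shell
#!/bin/sh
# Added example: report the approval state of the EPM system extension.
# Team ID and bundle ID are the values quoted in this thread.
EPM_TEAM_ID="DF8U2CCCD8"
EPM_SYSEXT_ID="com.cyberark.CyberArkEPMEndpointSecurityExtension"

# sysext_state TEAM BUNDLE: reads a `systemextensionsctl list` listing on stdin
# and prints the bracketed state of the matching row, or "not listed".
sysext_state() {
    awk -v team="$1" -v bundle="$2" '
        { sub(/[ \t\r]+$/, "") }                 # drop trailing whitespace
        index($0, team) && (index($0, bundle " ") || index($0, bundle "\t")) &&
        match($0, /\[[^]]*\]$/) {
            print substr($0, RSTART + 1, RLENGTH - 2); found = 1; exit
        }
        END { if (!found) print "not listed" }
    '
}

# check_epm_sysext: 0 = approved and running, 1 = present but not approved,
# 2 = extension not registered at all.
check_epm_sysext() {
    state=$(sysext_state "$EPM_TEAM_ID" "$EPM_SYSEXT_ID")
    case "$state" in
        "activated enabled") echo "OK: $state"; return 0 ;;
        "not listed")        echo "MISSING: $EPM_SYSEXT_ID is not listed"; return 2 ;;
        *)                   echo "BLOCKED: $state (check the System Extensions profile)"; return 1 ;;
    esac
}

# Constructed sample listing (assumed format; version field is a placeholder).
sample_listing() {
    printf '1 extension(s)\n--- com.apple.system_extension.endpoint_security\n'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t*\t%s\t%s (0.0/0)\tCyberArk EPM\t[%s]\n' "$EPM_TEAM_ID" "$EPM_SYSEXT_ID" "$1"
}

# Demo on the constructed sample. On a Mac: systemextensionsctl list | check_epm_sysext
sample_listing 'activated waiting for user' | check_epm_sysext || true
```

Run as a post-install step or inventory check, a non-zero result separates a missing profile approval from an installer failure.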
Excellent!
The PPPC code requirement should read as below but other than that it worked right away.
anchor apple generic and identifier "com.cyberark.CyberArkEPMEndpointSecurityExtension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DF8U2CCCD8)
Thank you!
@DirkM Yeah, I should have added that as code which I have adjusted so they don't get stripped out of the post.
@spraguga
thanks!!! seems to be working, you are saving me a week of going back and forth with support :)
Could someone help me understand how can I distribute EPM agent through Jamf?
I'm following steps from this docu:
https://docs.cyberark.com/Product-Doc/OnlineHelp/EPM/Latest/en/Content/Installation/macOS-InstallAgents.htm#InstallationusingJamf
ad 1. Successfully added CyberArkEPMAgentSetupMacOs_11.5.0.4610(MacOS).zip to Jamf via Jamf Admin.app
ad 3. Kernel Extension, System Extension and PPPC profile created and applied.
My concern is regarding point 2. How to create policy to install an Agent? Just adding zip file is not a solution. Such policy is doing nothing because it should be pkg.
Any hints?
And could someone explain point 4 to me? What is it for? As I understood it's only when I'm trying to install agent manually. But I'm lost here...
EDIT: This ONLY works on macOS 10.14 and below. For 10.15 systems it appears the System Extension needs to be trusted too as others have pointed out above.
We utilized Composer to create a package which includes the CyberArk Install.app and the .json file required. The composer package just copies this over to a temp directory on the machine (/private/tmp). We then created a policy which runs the package first(to copy the installer down) then runs a script which calls the installer to perform the install.
#!/bin/sh
sudo "/private/tmp/CyberArk/Install CyberArk EPM.app/Contents/MacOS/CyberArkEPMInstaller" -k TOKENHERE -withoutPwdRotation
Obviously the TOKENHERE is the token which is unique to your account when you exported the installer from EPM.
Hope this helps, if you need clarification on anything just let me know.
@brianmcbride99 I'm going to give this a try.. b/c I'm currently struggling to make this work.
record scratches to a halt
Wait, WHAT?
You have to install this thing with a local admin account that has secure token by passing its credentials in clear text to an app bundle? No no and HELL NO. That's a security breach waiting to happen.
We were talking about this at work. My recommendation is now going to be to drop this like it's hot. That's not a security product, that's an insecurity product.
@franton I want to say that with the -withoutPwdRotation argument on your install script you don't need to pass the username and password of a secure token account. I'm working on this tomorrow and Friday so I guess I'll find out, but from reading this thread it seems like that can now be avoided.
@rtylerdavis Maybe so, but the fact that's even asked for is a giant red warning flag to me.
@franton I totally get that.
Been struggling with this for a bit, especially on Big Sur. This is how I got it working (mostly). Some of this also came from their support.
Things needed
- DMG created by files from Cyberark
- Script that they gave me, which I'm giving you
- Whiteboard to try and make sense of all of this
1a. Download the zip from the Cyberark server. In the zip grab your .json and the .app (also in another zip file), from there make a DMG with those two files where you want to stick them, so /tmp/ or in the case of what they told me, /Library/Application Support/JAMF/Waiting Room/. (basically what you normally do with Composer). Name it what you want, I named mine CyberArkEPMAgentSetupMacOs.dmg just to follow their instructions.
Once made, upload that DMG to your JAMF server, stick it in a policy and tell it to cache the DMG. Add a payload for the script attached. At
CYBERARKEPM_INSTALL_DMG=
type in what your package is called.
From there in the script payload, set to run after and in the parameters values, stick the file name of the dmg in #4, your URL to the server (using the example they gave me) if it is
https://na115.epm.cyberark.com/
then use
https://na115.epm.cyberark.com/VFAGT/vfagent.asmx
for #5.
For our location ours has the Agent Self Defense enabled so we needed to add our token in #6. You can generate that by going to the console > My Computers > Upgrade or Uninstall Agent > Action > Generate Secure Token for all Computers.
One thing that did take me a bit, was the System Extension. Their instructions only talk about adding the Team ID which was still causing prompts on install. I also had to add
com.cyberark.CyberArkEPMEndpointSecurityExtension

After that, I finally got it to install and report back to our Cyberark server. Only "hang" up now is on Big Sur after a reboot it has a pop up saying it downloaded from the internet and asking if you want to run it

The script they gave me
#!/bin/sh
####################################################################################################
#
# ABOUT THIS PROGRAM
#
# NAME
# jamfCyberArkEPMInstallFromDMG -- Install CyberArkEPM version 11.5 from DMG with configuration file
#
# SYNOPSIS
# sudo jamfCyberArkEPMInstallFromDMG <mountPoint> <computerName> <currentUsername> <dmgName> <protectionToken> -- if set is protected
#
# DESCRIPTION
# Sample script to install CyberArkEPM version 11.5 with preconfigured set
##############################
#
# 0. Download CyberArkEPMAgentSetupMacOs.zip from EPM server console.
# 1. Unzip CyberArkEPMAgentSetupMacOs.zip to the directory.
# 2. Rename the directory for something like ./CyberArkEPMAgentSetupMacOs-setX
# 3. Create DMG file by running:
#
# hdiutil create -volname CyberarkEPMAgentSetupMacOs -srcfolder ./CyberArkEPMAgentSetupMacOs-setX -ov -format UDZO ./CyberArkEPMAgentSetupMacOs-setX.dmg
#
# 4. Upload CyberArkEPMAgentSetupMacOs-setX.dmg to the Jamf server
# 5. Add CyberArkEPMAgentSetupMacOs-setX.dmg to the Policy's pkg payload
#
# Use the attached "jamfCyberArkEPMInstallFromDMG" script in the Jamf policy.
#
# You have to provide two parameters to this script
# 1. name of dmg file. As it is named on Jamf
# 2. protectionToken for the set, if the set is protected
#
####################################################################################################
#set -x
# Name of the DMG as cached by Jamf (leave empty to take it from parameter 4)
CYBERARKEPM_INSTALL_DMG="CHANGE THIS"
# OPTIONAL PARAMETERS START FROM 4
if [ "$CYBERARKEPM_INSTALL_DMG" = "" ]; then
    if [ "$4" != "" ]; then
        CYBERARKEPM_INSTALL_DMG="$4"
    fi
fi
PROTECTION_ARG=""
protectionToken=""
# Parameter 5: protection token, only needed if the set is protected
if [ "$protectionToken" = "" ]; then
    if [ "$5" != "" ]; then
        protectionToken="$5"
    fi
fi
if [ "$protectionToken" != "" ]; then
    PROTECTION_ARG=" -token $protectionToken"
fi
JAMF_CACHE_LOCATION="/Library/Application Support/JAMF/Waiting Room"
echo "Check if dmg file exists."
if [ ! -f "$JAMF_CACHE_LOCATION/$CYBERARKEPM_INSTALL_DMG" ]; then
    echo "File $JAMF_CACHE_LOCATION/$CYBERARKEPM_INSTALL_DMG not found"
    exit 2
fi
# mktemp -d already creates a fresh private directory; removing and re-creating
# it would open a race on a shared temp location, so it is used as created
CYBERARKEPM_INSTALL_TMP=$(mktemp -d -t ci-XXXXXXXXXX)
# Paths contain spaces ("Install CyberArk EPM.app"), so every expansion is quoted
sudo /usr/bin/hdiutil attach -nobrowse -mountpoint "$CYBERARKEPM_INSTALL_TMP/dmg" "$JAMF_CACHE_LOCATION/$CYBERARKEPM_INSTALL_DMG"
ditto -xk "$CYBERARKEPM_INSTALL_TMP/dmg/Install CyberArk EPM.app.zip" "$CYBERARKEPM_INSTALL_TMP"
cp -a "$CYBERARKEPM_INSTALL_TMP/dmg/CyberArkEPMConfiguration.json" "$CYBERARKEPM_INSTALL_TMP/CyberArkEPMConfiguration.json"
# NOTE: xattr -d takes an attribute name before the path; none appears in the script as posted
xattr -d "$CYBERARKEPM_INSTALL_TMP/Install CyberArk EPM.app"
sudo /usr/bin/hdiutil detach "$CYBERARKEPM_INSTALL_TMP/dmg"
# Clean up the DMG so it doesn't take up space on the machine
rm -f "$JAMF_CACHE_LOCATION/$CYBERARKEPM_INSTALL_DMG"
rm -f "$JAMF_CACHE_LOCATION/$CYBERARKEPM_INSTALL_DMG.cache.xml"
cat "$CYBERARKEPM_INSTALL_TMP/CyberArkEPMConfiguration.json"
echo "Installing..."
# $PROTECTION_ARG is left unquoted on purpose so it splits into "-token" and its value
"$CYBERARKEPM_INSTALL_TMP/Install CyberArk EPM.app/Contents/MacOS/CyberArkEPMInstaller" -withoutPwdRotation -configuration "$CYBERARKEPM_INSTALL_TMP/CyberArkEPMConfiguration.json" $PROTECTION_ARG
epmVersionFull=$(/usr/local/bin/CyberArkEPM --version)
echo "Cleaning up"
rm -fr "$CYBERARKEPM_INSTALL_TMP"
# An empty version string means the agent binary is missing or did not run
if [ -z "$epmVersionFull" ]; then
    echo "CyberArk EPM installation failed"
    exit 2
fi
echo "$epmVersionFull was successfully installed"
exit 0