Elastic agent | Community

Hey all,

Anybody managed to install Elastic agent via jamf pro?

during the installation process, it asks whether I want to instal it in /Library/agent and I have yes/no options

That is pausing the installation process and I need away to auto answer with yes !

Thoughts?

Page 1 / 1

I haven't managed to get it to install correctly yet, but it sounds like you're missing an argument: -f

https://gist.github.com/peasead/33394868ddbd773c39bedde4011b4f6a?permalink_comment_id=4350069#gistcomment-4350069

We just got this working. I modified the script so it checks for system architecture to determine whether the Intel or ARM (Apple silicon) installer should be used. Let me if you need a copy.

Interesting .. yes please share it with me

I'm 99% sure this works, but I've only tested it once since replacing the URLs in the script with parameters (for slightly easier/cleaner updates). If it doesn't work for you, try replacing {$4} and {$5} with the actual URLs:

#!/bin/bash -eux

# Single script to install the Elastic Agent (Intel and ARM versions) on macOS



# Checks architecture

arch_name="$(uname -m)"



# Create a temporary directory

tempdir=$(mktemp -d)

cd $tempdir



# Steps to complete on Intel-based Macs

if [[ "${arch_name}" = "x86_64" ]]; then 



    # Downloads the Elastic Agent and saves it to your computer in the directory specified

    curl -OL {$4}



    # Uses the Tar command to decompress the Elastic Agent and prepare it for installation

    tar zxf elastic-agent-8.4.1-darwin-x86_64.tar.gz



    # Enters the Elastic Agent directory that was decompressed in the previous step

    cd elastic-agent-8.4.1-darwin-x86_64

    

# Steps to complete on ARM (Apple)-based Macs

elif [[ "${arch_name}" = "arm64" ]]; then



    # Downloads the Elastic Agent and saves it to your computer in the directory specified

    curl -OL {$5}



    # Uses the Tar command to decompress the Elastic Agent and prepare it for installation

    tar zxvf elastic-agent-8.4.1-darwin-aarch64.tar.gz



    # Enters the Elastic Agent directory that was decompressed in the previous step

    cd elastic-agent-8.4.1-darwin-aarch64



fi



# Uses "super user do" to install the Elastic Agent, sends data to Elastic Cloud, and enrolls it in Fleet so that updates to the Agent can be managed

sudo ./elastic-agent install -f --kibana-url=fleet-server-address --enrollment-token=enrollment-token



# Clean up, clean up

rm -rf $tempdir

In the policy, set parameter 4 to the URL for the Intel package and 5 to the URL for the ARM/Apple version.

@Bretterson it works perfectly, thanks

Sure thing! Though I just realized I should probably make it so the parameters replace the file name rather than the URL. The way I have it now, to update it you have to replace the URL parameter as well as the file name a few times in the script itself. Here's an updated version (that I just tested successfully):

#!/bin/bash -eux

# Single script to install the Elastic Agent (Intel and ARM versions) on macOS



# Checks architecture

arch_name="$(uname -m)"



# Create a temporary directory

tempdir=$(mktemp -d)

cd $tempdir



# Steps to complete on Intel-based Macs

if [[ "${arch_name}" = "x86_64" ]]; then 



    # Downloads the Elastic Agent and saves it to your computer in the directory specified

    curl -OL https://artifacts.elastic.co/downloads/beats/elastic-agent/${4}.tar.gz



    # Uses the Tar command to decompress the Elastic Agent and prepare it for installation

    tar zxf ${4}.tar.gz



    # Enters the Elastic Agent directory that was decompressed in the previous step

    cd ${4}

    

# Steps to complete on ARM (Apple)-based Macs

elif [[ "${arch_name}" = "arm64" ]]; then



    # Downloads the Elastic Agent and saves it to your computer in the directory specified

    curl -OL https://artifacts.elastic.co/downloads/beats/elastic-agent/${5}.tar.gz



    # Uses the Tar command to decompress the Elastic Agent and prepare it for installation

    tar zxvf ${5}.tar.gz



    # Enters the Elastic Agent directory that was decompressed in the previous step

    cd ${5}



fi



date



# Uses "super user do" to install the Elastic Agent, sends data to Elastic Cloud, and enrolls it in Fleet so that updates to the Agent can be managed

sudo ./elastic-agent install -f --url=https://siemfleet1a.hq.overdrive.com:8220 --enrollment-token=bEQ5emhZTUIweHJYSkJOanlPQVc6TG1mTTZFZWNTX0dWX2xFZ0VhUGdDdw==



# Clean up, clean up

rm -rf $tempdir

Now I have parameter 4 set to "elastic-agent-8.4.1-darwin-x86_64" and 5 as "elastic-agent-8.4.1-darwin-aarch64".

Tada!

@Bretterson Have you managed to grey out the elastic-agent in Login items in Ventura!?

i tried using a service management profile where I used the BundleID and TeamID but still not working !!

@Bretterson Have you managed to grey out the elastic-agent in Login items in Ventura!?

i tried using a service management profile where I used the BundleID and TeamID but still not working !!

I'm not currently running Ventura on my test machine, but I don't have anything for Elastic in "Login items." I'm pretty sure we haven't pushed Elastic Security yet, just the agent. I'll try to look into it and let you know.

I managed to grey it out in the login windows using LabelPrefix co.elastic

Just in case it shows up later in the login items in Ventura.

I managed to grey it out in the login windows using LabelPrefix co.elastic

Just in case it shows up later in the login items in Ventura.

I was able to do the same yesterday. Good call on the prefer rather than regular label!

Is there any way to setup full disk access for the Endpoint agent?

Elastic has a Python script that'll create a configuration profile for you. It includes full disk access: https://github.com/elastic/endpoint/blob/main/deployment/macos/mobiledevicemanagement/mobile_config_gen.py

I love this community so much. Thank you all for your work

Im having trouble getting this to deploy, and there isnt really much info about it on that GitHub page, have you gotten this to work?

Yep, I used it successfully.

Just because I'm a little unclear what you mean by deploy, you aren't trying to deploy the Python script itself, are you? Because it's something you run locally to create a profile you can upload to Jamf.

Yep, I used it successfully.

No not the script directly. I used the script to build the .mobileconfig profile, I just cant get the config profile to reach the machine.

Ok, so, what's happening..? I'm pretty sure all I did was upload the profile to Jamf and scope it.

Apologies if this redundant- 

I was able to get the installer to go on silently-

1st I used mobile config generator in their Github:



https://github.com/elastic/endpoint/blob/main/deployment/macos/mobiledevicemanagement/mobile_config_gen.py



I made that config profile "user removable" and deployable via self service.

then created a policy that executed the below script as a script payload:





# Checks Architecture

arch_name="$(uname -m)"

tarname="$4"

tarnameintel="$5"

installtoken="$6"

 

# Makes JAMF managed Dir

if [ -a /Applications/JAMF_Managed/ ];

then

echo "JAMF_Managed - Dir exists."

else

mkdir /Applications/JAMF_Managed

fi

 

# Steps to complete on ARM (Apple)-based Macs

if [[ "${arch_name}" = "arm64" ]]; then

 

# Downloads the Elastic Agent and saves it to your computer in the directory specified

sudo curl -Lo /Applications/JAMF_Managed/"$tarname".tar.gz https://artifacts.elastic.co/downloads/beats/elastic-agent/"$tarname".tar.gz

 

# Uses the Tar command to decompress the Elastic Agent and prepare it for installation

sudo tar xzvf /Applications/JAMF_Managed/"$tarname".tar.gz -C /Applications/JAMF_Managed

 

# Enters the Elastic Agent directory and Enrolls

sudo /Applications/JAMF_Managed/"$tarname"/elastic-agent install --url=[[your_fleet_URL_here]]:443 --enrollment-token=$installtoken -f -n

fi

 

# Steps to complete on Intel-based Macs

if [[ "${arch_name}" = "x86_64" ]]; then

 

# Downloads the Elastic Agent and saves it to your computer in the directory specified

sudo curl -Lo /Applications/JAMF_Managed/"$tarnameintel".tar.gz https://artifacts.elastic.co/downloads/beats/elastic-agent/"$tarnameintel".tar.gz

 

# Uses the Tar command to decompress the Elastic Agent and prepare it for installation

sudo tar xzvf /Applications/JAMF_Managed/"$tarnameintel".tar.gz -C /Applications/JAMF_Managed

 

# Enters the Elastic Agent directory and Enrolls

sudo /Applications/JAMF_Managed/"$tarnameintel"/elastic-agent install --url=[[your_fleet_URL_here]]:443 --enrollment-token=$installtoken -f -n

fi

 

rm -rf /Applications/JAMF_Managed/"$tarname"

rm -rf /Applications/JAMF_Managed/"$tarname".tar.gz

 

 

 

I also created extension attributes too:

#v2 - Title and Status

#Fleet Status

result=$(sudo elastic-agent status --output human | grep -m2 'fleet\\|status:')

echo "<result>$result</result>"

exit 0

 

#Elastic Agent Status

result=$(sudo elastic-agent status --output human | grep -m3 'elastic-agent\\|status:' | tail -2)

echo "<result>$result</result>"

exit 0

 

#Endpoint-Default 1 Status

result=$(sudo elastic-agent status --output human | grep -m4 'endpoint-\\|status:' | tail -2)

echo "<result>$result</result>"

exit 0

 

#Endpoint-Default 1.1 Status

result=$(sudo elastic-agent status --output human | grep -m6 'endpoint-\\|status:' | tail -2)

echo "<result>$result</result>"

exit 0

 

#Endpoint-Default 1.2 Status

result=$(sudo elastic-agent status --output human | grep -m8 'endpoint-\\|status:' | tail -2)

echo "<result>$result</result>"

exit 0



 

In the policy I added the files and process payload to execute the installation of the config profile vis jamfselfservice url:



We use a workbench directory called JAMF_Managed, but you can curl it to where ever you want. The install goes pretty quiet... All thats missing, is dynamic way to get the version numbers of the installer to make it an auto-update script. But the key here is the post install shell command that installs the config profile after the install finishes to enable and system extension and grant full disk access for the executables.

 

Currently working on a non-interactive uninstaller. I'm close, currently users have to remove the config profile 1st via the remove button in Self Service and then launch the uninstaller policy. I just need to figure out how to uninstall the config profile via shell script....



Hope that helps

Apologies if this redundant- 

I was able to get the installer to go on silently-

1st I used mobile config generator in their Github:



https://github.com/elastic/endpoint/blob/main/deployment/macos/mobiledevicemanagement/mobile_config_gen.py



I made that config profile "user removable" and deployable via self service.

then created a policy that executed the below script as a script payload:





# Checks Architecture

arch_name="$(uname -m)"

tarname="$4"

tarnameintel="$5"

installtoken="$6"

 

# Makes JAMF managed Dir

if [ -a /Applications/JAMF_Managed/ ];

then

echo "JAMF_Managed - Dir exists."

else

mkdir /Applications/JAMF_Managed

fi

 

# Steps to complete on ARM (Apple)-based Macs

if [[ "${arch_name}" = "arm64" ]]; then

 

# Downloads the Elastic Agent and saves it to your computer in the directory specified

sudo curl -Lo /Applications/JAMF_Managed/"$tarname".tar.gz https://artifacts.elastic.co/downloads/beats/elastic-agent/"$tarname".tar.gz

 

# Uses the Tar command to decompress the Elastic Agent and prepare it for installation

sudo tar xzvf /Applications/JAMF_Managed/"$tarname".tar.gz -C /Applications/JAMF_Managed

 

# Enters the Elastic Agent directory and Enrolls

sudo /Applications/JAMF_Managed/"$tarname"/elastic-agent install --url=[[your_fleet_URL_here]]:443 --enrollment-token=$installtoken -f -n

fi

 

# Steps to complete on Intel-based Macs

if [[ "${arch_name}" = "x86_64" ]]; then

 

# Downloads the Elastic Agent and saves it to your computer in the directory specified

sudo curl -Lo /Applications/JAMF_Managed/"$tarnameintel".tar.gz https://artifacts.elastic.co/downloads/beats/elastic-agent/"$tarnameintel".tar.gz

 

# Uses the Tar command to decompress the Elastic Agent and prepare it for installation

sudo tar xzvf /Applications/JAMF_Managed/"$tarnameintel".tar.gz -C /Applications/JAMF_Managed

 

# Enters the Elastic Agent directory and Enrolls

sudo /Applications/JAMF_Managed/"$tarnameintel"/elastic-agent install --url=[[your_fleet_URL_here]]:443 --enrollment-token=$installtoken -f -n

fi

 

rm -rf /Applications/JAMF_Managed/"$tarname"

rm -rf /Applications/JAMF_Managed/"$tarname".tar.gz

 

 

 

I also created extension attributes too:

#v2 - Title and Status

#Fleet Status

result=$(sudo elastic-agent status --output human | grep -m2 'fleet\\|status:')

echo "<result>$result</result>"

exit 0

 

#Elastic Agent Status

result=$(sudo elastic-agent status --output human | grep -m3 'elastic-agent\\|status:' | tail -2)

echo "<result>$result</result>"

exit 0

 

#Endpoint-Default 1 Status

result=$(sudo elastic-agent status --output human | grep -m4 'endpoint-\\|status:' | tail -2)

echo "<result>$result</result>"

exit 0

 

#Endpoint-Default 1.1 Status

result=$(sudo elastic-agent status --output human | grep -m6 'endpoint-\\|status:' | tail -2)

echo "<result>$result</result>"

exit 0

 

#Endpoint-Default 1.2 Status

result=$(sudo elastic-agent status --output human | grep -m8 'endpoint-\\|status:' | tail -2)

echo "<result>$result</result>"

exit 0



 

In the policy I added the files and process payload to execute the installation of the config profile vis jamfselfservice url:



We use a workbench directory called JAMF_Managed, but you can curl it to where ever you want. The install goes pretty quiet... All thats missing, is dynamic way to get the version numbers of the installer to make it an auto-update script. But the key here is the post install shell command that installs the config profile after the install finishes to enable and system extension and grant full disk access for the executables.

 

Currently working on a non-interactive uninstaller. I'm close, currently users have to remove the config profile 1st via the remove button in Self Service and then launch the uninstaller policy. I just need to figure out how to uninstall the config profile via shell script....



Hope that helps

This seems very similar to the script I posted earlier on this thread. I might give those extension attributes a try though.

I'm not sure why you'd need to remove the config profile to uninstall it. I have the profile scoped, with the full disk access and system extension bits, to all machines all the time and it hasn't been an issue.

I had to mess with uninstallation a bunch pretty recently because some installs were inconsistent and wouldn't update from the server. This is the uninstall script I ended up with: (note: I have it run inventory at the end so Jamf sees Elastic missing and puts the machine in scope for the installation policy, which I also trigger at the end)

#!/bin/zsh



/Library/Elastic/Agent/elastic-agent uninstall -f



if [[ -e /Library/LaunchDaemons/co.elastic.elastic-agent.plist ]]; then

	echo "Elastic Agent is still installed, removing manually..."

    launchctl bootout system/co.elastic.elastic-agent

	launchctl bootout system/co.elastic.endpoint

	rm /Library/LaunchDaemons/co.elastic.elastic-agent.plist

	rm -R /Library/Elastic/Agent

fi



if [[ -e /Library/Elastic/Endpoint/elastic-endpoint ]]; then

	echo "Elastic Endpoint is still installed, attempting to uninstall..."

    cd /tmp

	cp /Library/Elastic/Endpoint/elastic-endpoint elastic-endpoint

	/tmp/elastic-endpoint uninstall

	rm elastic-endpoint

fi



if [[ -e /Applications/ElasticEndpoint.app ]]; then

	echo "Elastic Endpoint is still installed or the app got left behind, attempting to remove..."

	rm /Library/LaunchDaemons/co.elastic.endpoint.plist

	rm -R /Library/Elastic

	rm -R /Applications/ElasticEndpoint.app

fi



jamf recon

sleep 10

jamf policy -id  54



exit 0

This seems very similar to the script I posted earlier on this thread. I might give those extension attributes a try though.

#!/bin/zsh



/Library/Elastic/Agent/elastic-agent uninstall -f



if [[ -e /Library/LaunchDaemons/co.elastic.elastic-agent.plist ]]; then

	echo "Elastic Agent is still installed, removing manually..."

    launchctl bootout system/co.elastic.elastic-agent

	launchctl bootout system/co.elastic.endpoint

	rm /Library/LaunchDaemons/co.elastic.elastic-agent.plist

	rm -R /Library/Elastic/Agent

fi



if [[ -e /Library/Elastic/Endpoint/elastic-endpoint ]]; then

	echo "Elastic Endpoint is still installed, attempting to uninstall..."

    cd /tmp

	cp /Library/Elastic/Endpoint/elastic-endpoint elastic-endpoint

	/tmp/elastic-endpoint uninstall

	rm elastic-endpoint

fi



if [[ -e /Applications/ElasticEndpoint.app ]]; then

	echo "Elastic Endpoint is still installed or the app got left behind, attempting to remove..."

	rm /Library/LaunchDaemons/co.elastic.endpoint.plist

	rm -R /Library/Elastic

	rm -R /Applications/ElasticEndpoint.app

fi



jamf recon

sleep 10

jamf policy -id  54



exit 0

I'll give yours a try, heres what I have so far-

I didn't think I needed to remove the profile either but when i watch the uninstaller process, the files don't remove until i uninstall the config profile... heres my script so far :

Thanks!

#Unload Launch Daemons and Kills Process

sudo launchctl unload /Library/LaunchDaemons/co.elastic.elastic-agent.plist

sudo launchctl unload /Library/LaunchDaemons/co.elastic.endpoint.plist

sudo profiles remove -type='configuration' -identifier='UID goes here' -verbose



agentvar=$(pgrep elastic-agent)

endpointvar=$(pgrep elastic-endpoint)

filebeatvar=$(pgrep filebeat)

echo "this is var 1:$agentvar"

echo "this is var 2:$endpointvar"

echo "this is var 3:$filebeatvar"

sudo kill -9 $agentvar

sudo kill -9 $endpointvar

sudo kill -9 $filebeatvar



#Deletes Files

sudo rm -rf /Library/Elastic/*

sudo rm -rf /Library/Elastic

sudo rm -rf /Applications/Elastic\\ Security.app

sudo rm -rf /Applications/ElasticEndpoint.app

sudo rm -rf /Library/LaunchDaemons/co.elastic.endpoint.plist

sudo rm -rf /Library/LaunchDaemons/co.elastic.elastic-agent.plist

This seems very similar to the script I posted earlier on this thread. I might give those extension attributes a try though.

#!/bin/zsh



/Library/Elastic/Agent/elastic-agent uninstall -f



if [[ -e /Library/LaunchDaemons/co.elastic.elastic-agent.plist ]]; then

	echo "Elastic Agent is still installed, removing manually..."

    launchctl bootout system/co.elastic.elastic-agent

	launchctl bootout system/co.elastic.endpoint

	rm /Library/LaunchDaemons/co.elastic.elastic-agent.plist

	rm -R /Library/Elastic/Agent

fi



if [[ -e /Library/Elastic/Endpoint/elastic-endpoint ]]; then

	echo "Elastic Endpoint is still installed, attempting to uninstall..."

    cd /tmp

	cp /Library/Elastic/Endpoint/elastic-endpoint elastic-endpoint

	/tmp/elastic-endpoint uninstall

	rm elastic-endpoint

fi



if [[ -e /Applications/ElasticEndpoint.app ]]; then

	echo "Elastic Endpoint is still installed or the app got left behind, attempting to remove..."

	rm /Library/LaunchDaemons/co.elastic.endpoint.plist

	rm -R /Library/Elastic

	rm -R /Applications/ElasticEndpoint.app

fi



jamf recon

sleep 10

jamf policy -id  54



exit 0

I actually figured out a work around for the uninstaller.

I just wrapped my uninstaller sh command inside a function, and the call the function 2x with a sleep 10 in between. That seems to work for me, and I don't need to remove the config profile.

#!/bin/bash

elasticUninstall(){

/Library/Elastic/Agent/elastic-agent uninstall -f

if [[ -e /Library/LaunchDaemons/co.elastic.elastic-agent.plist ]]; then

	echo "Elastic Agent is still installed, removing manually..."

    #Unload Launch Daemons and Kills Process

	sudo launchctl bootout system/co.elastic.elastic-agent

	sudo launchctl bootout system/co.elastic.endpoint

	sudo launchctl unload /Library/LaunchDaemons/co.elastic.elastic-agent.plist

	sudo launchctl unload /Library/LaunchDaemons/co.elastic.endpoint.plist

	sudo profiles remove -type='configuration' -identifier='Profile UID goes here' -verbose

	sudo rm -rf /Library/LaunchDaemons/co.elastic.elastic-agent.plist

fi

agentvar=$(pgrep elastic-agent)

endpointvar=$(pgrep elastic-endpoint)

filebeatvar=$(pgrep filebeat)

echo "this is var 1:$agentvar"

echo "this is var 2:$endpointvar"

echo "this is var 3:$filebeatvar"

sudo kill -9 $agentvar

sudo kill -9 $endpointvar

sudo kill -9 $filebeatvar

if [[ -e /Library/Elastic/Endpoint/elastic-endpoint ]]; then

	echo "Elastic Endpoint is still installed, attempting to uninstall..."

    sudo launchctl unload /Library/LaunchDaemons/co.elastic.endpoint.plist

    sudo launchctl bootout system/co.elastic.endpoint

	sudo rm -rf /Library/LaunchDaemons/co.elastic.endpoint.plist

fi 

#Deletes Files

sudo rm -rf /Library/Elastic/*

sudo rm -rf /Library/Elastic

sudo rm -rf /Applications/Elastic\\ Security.app

sudo rm -rf /Applications/ElasticEndpoint.app

}

elasticUninstall

sleep 10

elasticUninstall



exit 0

I actually figured out a work around for the uninstaller.

I just wrapped my uninstaller sh command inside a function, and the call the function 2x with a sleep 10 in between. That seems to work for me, and I don't need to remove the config profile.

#!/bin/bash

elasticUninstall(){

/Library/Elastic/Agent/elastic-agent uninstall -f

if [[ -e /Library/LaunchDaemons/co.elastic.elastic-agent.plist ]]; then

	echo "Elastic Agent is still installed, removing manually..."

    #Unload Launch Daemons and Kills Process

	sudo launchctl bootout system/co.elastic.elastic-agent

	sudo launchctl bootout system/co.elastic.endpoint

	sudo launchctl unload /Library/LaunchDaemons/co.elastic.elastic-agent.plist

	sudo launchctl unload /Library/LaunchDaemons/co.elastic.endpoint.plist

	sudo profiles remove -type='configuration' -identifier='Profile UID goes here' -verbose

	sudo rm -rf /Library/LaunchDaemons/co.elastic.elastic-agent.plist

fi

agentvar=$(pgrep elastic-agent)

endpointvar=$(pgrep elastic-endpoint)

filebeatvar=$(pgrep filebeat)

echo "this is var 1:$agentvar"

echo "this is var 2:$endpointvar"

echo "this is var 3:$filebeatvar"

sudo kill -9 $agentvar

sudo kill -9 $endpointvar

sudo kill -9 $filebeatvar

if [[ -e /Library/Elastic/Endpoint/elastic-endpoint ]]; then

	echo "Elastic Endpoint is still installed, attempting to uninstall..."

    sudo launchctl unload /Library/LaunchDaemons/co.elastic.endpoint.plist

    sudo launchctl bootout system/co.elastic.endpoint

	sudo rm -rf /Library/LaunchDaemons/co.elastic.endpoint.plist

fi 

#Deletes Files

sudo rm -rf /Library/Elastic/*

sudo rm -rf /Library/Elastic

sudo rm -rf /Applications/Elastic\\ Security.app

sudo rm -rf /Applications/ElasticEndpoint.app

}

elasticUninstall

sleep 10

elasticUninstall



exit 0

Interesting that it works fine if you loop it and manages to remove the profile. I still find it strange that the profile is causing an issue for you; I wonder how yours differs from mine. Mine is computer level rather than user level, maybe that matters?

I'm also surprised your script doesn't give you a hard time about using "launctl unload", whenever I use unload these days it just complains about it being deprecated. Though they should already be unloaded by the time it gets to that spot in the script.

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded