Hey all, 

Anybody managed to install Elastic agent via jamf pro? 

During the installation process, it asks whether I want to install it in /Library/agent and I have yes/no options.

That is pausing the installation process and I need a way to auto-answer with yes!

Thoughts?

I haven't managed to get it to install correctly yet, but it sounds like you're missing an argument: -f

https://gist.github.com/peasead/33394868ddbd773c39bedde4011b4f6a?permalink_comment_id=4350069#gistcomment-4350069


We just got this working. I modified the script so it checks the system architecture to determine whether the Intel or ARM (Apple silicon) installer should be used. Let me know if you need a copy.


Interesting... yes, please share it with me.


I'm 99% sure this works, but I've only tested it once since replacing the URLs in the script with parameters (for slightly easier/cleaner updates). If it doesn't work for you, try replacing ${4} and ${5} with the actual URLs:

#!/bin/bash -eux
# Single script to install the Elastic Agent (Intel and ARM versions) on macOS
# Jamf script parameter 4 holds the Intel download URL, parameter 5 the ARM/Apple silicon one

# Checks architecture
arch_name="$(uname -m)"

# Create a temporary directory
tempdir=$(mktemp -d)
cd "$tempdir"

# Steps to complete on Intel-based Macs
if [[ "${arch_name}" = "x86_64" ]]; then
    # Downloads the Elastic Agent and saves it to the temporary directory
    curl -OL "${4}"
    # Uses the tar command to decompress the Elastic Agent and prepare it for installation
    tar zxf elastic-agent-8.4.1-darwin-x86_64.tar.gz
    # Enters the Elastic Agent directory that was decompressed in the previous step
    cd elastic-agent-8.4.1-darwin-x86_64
# Steps to complete on ARM (Apple)-based Macs
elif [[ "${arch_name}" = "arm64" ]]; then
    curl -OL "${5}"
    tar zxf elastic-agent-8.4.1-darwin-aarch64.tar.gz
    cd elastic-agent-8.4.1-darwin-aarch64
else
    # Without this branch the install line below would run from the empty temp directory
    echo "Unsupported architecture: ${arch_name}" >&2
    exit 1
fi

# Installs the Elastic Agent and enrolls it in Fleet so that updates to the Agent can be managed.
# 8.x takes the Fleet Server URL via --url (--kibana-url belongs to the pre-Fleet-Server 7.x flow)
sudo ./elastic-agent install -f --url=fleet-server-address --enrollment-token=enrollment-token

# Clean up, clean up
rm -rf "$tempdir"

In the policy, set parameter 4 to the URL for the Intel package and 5 to the URL for the ARM/Apple version.


@Bretterson  it works perfectly, thanks


Sure thing! Though I just realized I should probably make it so the parameters replace the file name rather than the URL. The way I have it now, to update it you have to replace the URL parameter as well as the file name a few times in the script itself. Here's an updated version (that I just tested successfully):

#!/bin/bash -eux
# Single script to install the Elastic Agent (Intel and ARM versions) on macOS
# Jamf script parameter 4 holds the Intel artifact name, parameter 5 the ARM/Apple silicon one,
# e.g. elastic-agent-8.4.1-darwin-x86_64 and elastic-agent-8.4.1-darwin-aarch64

# Checks architecture
arch_name="$(uname -m)"

# Create a temporary directory
tempdir=$(mktemp -d)
cd "$tempdir"

# Steps to complete on Intel-based Macs
if [[ "${arch_name}" = "x86_64" ]]; then
    # Downloads the Elastic Agent and saves it to the temporary directory
    curl -OL "https://artifacts.elastic.co/downloads/beats/elastic-agent/${4}.tar.gz"
    # Uses the tar command to decompress the Elastic Agent and prepare it for installation
    tar zxf "${4}.tar.gz"
    # Enters the Elastic Agent directory that was decompressed in the previous step
    cd "${4}"
# Steps to complete on ARM (Apple)-based Macs
elif [[ "${arch_name}" = "arm64" ]]; then
    curl -OL "https://artifacts.elastic.co/downloads/beats/elastic-agent/${5}.tar.gz"
    tar zxf "${5}.tar.gz"
    cd "${5}"
else
    echo "Unsupported architecture: ${arch_name}" >&2
    exit 1
fi

date

# Installs the Elastic Agent and enrolls it in Fleet so that updates to the Agent can be managed.
# Note that the Fleet Server URL and the enrollment token are hard-coded in this version.
sudo ./elastic-agent install -f --url=https://siemfleet1a.hq.overdrive.com:8220 --enrollment-token=bEQ5emhZTUIweHJYSkJOanlPQVc6TG1mTTZFZWNTX0dWX2xFZ0VhUGdDdw==

# Clean up, clean up
rm -rf "$tempdir"

Now I have parameter 4 set to "elastic-agent-8.4.1-darwin-x86_64" and 5 as "elastic-agent-8.4.1-darwin-aarch64".

Tada!
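The scripts above fetch a tarball over HTTPS and execute whatever is inside it as root, and they need the artifact name edited by hand on every agent release. The following is an added example, not code from this thread or from Elastic, that derives the artifact name from the version and the CPU architecture and refuses to unpack the download unless it matches the .sha512 file Elastic publishes next to each tarball on artifacts.elastic.co. The Jamf parameter layout (4 = agent version, 5 = Fleet Server URL, 6 = enrollment token) is an assumption for this example; the install flags are the same -f/-n/--url/--enrollment-token used elsewhere in the thread.

```shell
#!/bin/bash
# Added example (not from the thread): pick the Elastic Agent artifact for this Mac's
# CPU architecture and verify the tarball against Elastic's published .sha512 file
# before unpacking or executing anything from it.
# Assumed layout: Jamf passes version as $4, Fleet Server URL as $5, enrollment token as $6.
set -eu

ARTIFACT_BASE="https://artifacts.elastic.co/downloads/beats/elastic-agent"

# Map uname -m output to the artifact name Elastic uses for macOS builds.
# Fails on anything else rather than falling through to an install from an empty directory.
artifact_name() {
    version="$1"; arch="$2"
    case "$arch" in
        x86_64) printf 'elastic-agent-%s-darwin-x86_64\n' "$version" ;;
        arm64)  printf 'elastic-agent-%s-darwin-aarch64\n' "$version" ;;
        *)      echo "unsupported architecture: $arch" >&2; return 1 ;;
    esac
}

# SHA-512 of a file using whichever tool the host has (macOS ships shasum, Linux sha512sum).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# Compare a file against the "<hex>  <name>" line of a .sha512 sidecar file.
# Returns 0 on match, 1 on mismatch or if the sidecar is missing/empty.
verify_sha512() {
    file="$1"; sumfile="$2"
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile") || return 1
    [ -n "$expected" ] || return 1
    actual=$(sha512_of "$file")
    [ "$actual" = "$expected" ]
}

# Download, verify, unpack and enroll. Needs root; Jamf runs policy scripts as root.
install_agent() {
    version="$1"; fleet_url="$2"; token="$3"
    name=$(artifact_name "$version" "$(uname -m)")
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    cd "$tmp"
    curl -fsSLO "$ARTIFACT_BASE/$name.tar.gz"
    curl -fsSLO "$ARTIFACT_BASE/$name.tar.gz.sha512"
    if ! verify_sha512 "$name.tar.gz" "$name.tar.gz.sha512"; then
        echo "checksum mismatch for $name.tar.gz, refusing to install" >&2
        return 1
    fi
    tar xzf "$name.tar.gz"
    "./$name/elastic-agent" install -f -n --url="$fleet_url" --enrollment-token="$token"
}

# Only run the install when the Jamf parameters are actually present.
if [ -n "${4:-}" ] && [ -n "${5:-}" ] && [ -n "${6:-}" ]; then
    install_agent "$4" "$5" "$6"
fi
```

With this layout a new agent release only needs parameter 4 changed in the policy, and a tampered or truncated download stops the policy before anything from the archive runs. Passing the token as a script parameter also keeps it out of the script body that every Jamf admin can read.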


@Bretterson Have you managed to grey out the elastic-agent in Login Items in Ventura?

I tried using a service management profile where I used the BundleID and TeamID, but it's still not working!


I'm not currently running Ventura on my test machine, but I don't have anything for Elastic in "Login items." I'm pretty sure we haven't pushed Elastic Security yet, just the agent. I'll try to look into it and let you know.


I managed to grey it out in Login Items using LabelPrefix co.elastic.

Just in case it shows up later in the Login Items in Ventura.


I was able to do the same yesterday. Good call on the prefix rather than the regular label!


Is there any way to set up full disk access for the Endpoint agent?


Elastic has a Python script that'll create a configuration profile for you. It includes full disk access: https://github.com/elastic/endpoint/blob/main/deployment/macos/mobiledevicemanagement/mobile_config_gen.py


I love this community so much. Thank you all for your work


I'm having trouble getting this to deploy, and there isn't really much info about it on that GitHub page. Have you gotten this to work?


Yep, I used it successfully.

Just because I'm a little unclear what you mean by deploy, you aren't trying to deploy the Python script itself, are you? Because it's something you run locally to create a profile you can upload to Jamf.


No, not the script directly. I used the script to build the .mobileconfig profile; I just can't get the config profile to reach the machine.


OK, so what's happening? I'm pretty sure all I did was upload the profile to Jamf and scope it.


Apologies if this is redundant. I was able to get the installer to go on silently. First I used the mobile config generator in their GitHub: https://github.com/elastic/endpoint/blob/main/deployment/macos/mobiledevicemanagement/mobile_config_gen.py. I made that config profile "user removable" and deployable via Self Service, then created a policy that executed the below script as a script payload:

#!/bin/bash
# Checks architecture
arch_name="$(uname -m)"
tarname="$4"          # ARM/Apple silicon artifact name, e.g. elastic-agent-8.4.1-darwin-aarch64
tarnameintel="$5"     # Intel artifact name, e.g. elastic-agent-8.4.1-darwin-x86_64
installtoken="$6"     # Fleet enrollment token

# Makes JAMF managed dir
if [ -a /Applications/JAMF_Managed/ ]; then
    echo "JAMF_Managed - Dir exists."
else
    mkdir /Applications/JAMF_Managed
fi

# Steps to complete on ARM (Apple)-based Macs
if [[ "${arch_name}" = "arm64" ]]; then
    # Downloads the Elastic Agent and saves it to the directory specified
    sudo curl -Lo /Applications/JAMF_Managed/"$tarname".tar.gz https://artifacts.elastic.co/downloads/beats/elastic-agent/"$tarname".tar.gz
    # Uses the tar command to decompress the Elastic Agent and prepare it for installation
    sudo tar xzvf /Applications/JAMF_Managed/"$tarname".tar.gz -C /Applications/JAMF_Managed
    # Enters the Elastic Agent directory and enrolls
    sudo /Applications/JAMF_Managed/"$tarname"/elastic-agent install --url=[[your_fleet_URL_here]]:443 --enrollment-token="$installtoken" -f -n
fi

# Steps to complete on Intel-based Macs
if [[ "${arch_name}" = "x86_64" ]]; then
    sudo curl -Lo /Applications/JAMF_Managed/"$tarnameintel".tar.gz https://artifacts.elastic.co/downloads/beats/elastic-agent/"$tarnameintel".tar.gz
    sudo tar xzvf /Applications/JAMF_Managed/"$tarnameintel".tar.gz -C /Applications/JAMF_Managed
    sudo /Applications/JAMF_Managed/"$tarnameintel"/elastic-agent install --url=[[your_fleet_URL_here]]:443 --enrollment-token="$installtoken" -f -n
fi

# Clean up both the ARM and the Intel download (the original only removed the ARM one)
rm -rf /Applications/JAMF_Managed/"$tarname" /Applications/JAMF_Managed/"$tarname".tar.gz
rm -rf /Applications/JAMF_Managed/"$tarnameintel" /Applications/JAMF_Managed/"$tarnameintel".tar.gz

I also created extension attributes too (one script per attribute; -E gives extended-regex alternation):

#!/bin/bash
# v2 - Title and Status
# Fleet Status
result=$(sudo elastic-agent status --output human | grep -E -m2 'fleet|status:')
echo "<result>$result</result>"
exit 0

#!/bin/bash
# Elastic Agent Status
result=$(sudo elastic-agent status --output human | grep -E -m3 'elastic-agent|status:' | tail -2)
echo "<result>$result</result>"
exit 0

#!/bin/bash
# Endpoint-Default 1 Status
result=$(sudo elastic-agent status --output human | grep -E -m4 'endpoint-|status:' | tail -2)
echo "<result>$result</result>"
exit 0

#!/bin/bash
# Endpoint-Default 1.1 Status
result=$(sudo elastic-agent status --output human | grep -E -m6 'endpoint-|status:' | tail -2)
echo "<result>$result</result>"
exit 0

#!/bin/bash
# Endpoint-Default 1.2 Status
result=$(sudo elastic-agent status --output human | grep -E -m8 'endpoint-|status:' | tail -2)
echo "<result>$result</result>"
exit 0

In the policy I added the Files and Processes payload to execute the installation of the config profile via the jamfselfservice URL. We use a workbench directory called JAMF_Managed, but you can curl it to wherever you want. The install goes pretty quiet... All that's missing is a dynamic way to get the version numbers of the installer to make it an auto-update script. But the key here is the post-install shell command that installs the config profile after the install finishes to enable the system extension and grant full disk access for the executables. Currently working on a non-interactive uninstaller. I'm close; currently users have to remove the config profile first via the remove button in Self Service and then launch the uninstaller policy. I just need to figure out how to uninstall the config profile via shell script.... Hope that helps.

This seems very similar to the script I posted earlier on this thread. I might give those extension attributes a try though.

I'm not sure why you'd need to remove the config profile to uninstall it. I have the profile scoped, with the full disk access and system extension bits, to all machines all the time and it hasn't been an issue.

I had to mess with uninstallation a bunch pretty recently because some installs were inconsistent and wouldn't update from the server. This is the uninstall script I ended up with: (note: I have it run inventory at the end so Jamf sees Elastic missing and puts the machine in scope for the installation policy, which I also trigger at the end)

#!/bin/zsh
# Official uninstaller first
/Library/Elastic/Agent/elastic-agent uninstall -f

if [[ -e /Library/LaunchDaemons/co.elastic.elastic-agent.plist ]]; then
    echo "Elastic Agent is still installed, removing manually..."
    launchctl bootout system/co.elastic.elastic-agent
    launchctl bootout system/co.elastic.endpoint
    rm /Library/LaunchDaemons/co.elastic.elastic-agent.plist
    rm -R /Library/Elastic/Agent
fi

if [[ -e /Library/Elastic/Endpoint/elastic-endpoint ]]; then
    echo "Elastic Endpoint is still installed, attempting to uninstall..."
    # Copy the binary out first: it deletes its own directory during uninstall
    cd /tmp
    cp /Library/Elastic/Endpoint/elastic-endpoint elastic-endpoint
    /tmp/elastic-endpoint uninstall
    rm elastic-endpoint
fi

if [[ -e /Applications/ElasticEndpoint.app ]]; then
    echo "Elastic Endpoint is still installed or the app got left behind, attempting to remove..."
    rm /Library/LaunchDaemons/co.elastic.endpoint.plist
    rm -R /Library/Elastic
    rm -R /Applications/ElasticEndpoint.app
fi

# Update inventory so Jamf sees Elastic missing, then trigger the install policy (ID 54 in this Jamf instance)
jamf recon
sleep 10
jamf policy -id 54
exit 0



I'll give yours a try. Here's what I have so far.

I didn't think I needed to remove the profile either, but when I watch the uninstaller process, the files don't get removed until I uninstall the config profile... Here's my script so far:

Thanks!

#!/bin/bash
# Unload Launch Daemons and kill processes
sudo launchctl unload /Library/LaunchDaemons/co.elastic.elastic-agent.plist
sudo launchctl unload /Library/LaunchDaemons/co.elastic.endpoint.plist
sudo profiles remove -type='configuration' -identifier='UID goes here' -verbose

agentvar=$(pgrep elastic-agent)
endpointvar=$(pgrep elastic-endpoint)
filebeatvar=$(pgrep filebeat)
echo "this is var 1:$agentvar"
echo "this is var 2:$endpointvar"
echo "this is var 3:$filebeatvar"
# Only kill when pgrep actually found a PID (kill -9 with no argument just errors out)
[ -n "$agentvar" ] && sudo kill -9 $agentvar
[ -n "$endpointvar" ] && sudo kill -9 $endpointvar
[ -n "$filebeatvar" ] && sudo kill -9 $filebeatvar

# Deletes files
sudo rm -rf /Library/Elastic/*
sudo rm -rf /Library/Elastic
sudo rm -rf "/Applications/Elastic Security.app"
sudo rm -rf /Applications/ElasticEndpoint.app
sudo rm -rf /Library/LaunchDaemons/co.elastic.endpoint.plist
sudo rm -rf /Library/LaunchDaemons/co.elastic.elastic-agent.plist




I actually figured out a work around for the uninstaller.

I just wrapped my uninstaller sh commands inside a function, and then call the function twice with a sleep 10 in between. That seems to work for me, and I don't need to remove the config profile.

#!/bin/bash

elasticUninstall() {
    /Library/Elastic/Agent/elastic-agent uninstall -f

    if [[ -e /Library/LaunchDaemons/co.elastic.elastic-agent.plist ]]; then
        echo "Elastic Agent is still installed, removing manually..."
        # Unload Launch Daemons and kill processes
        sudo launchctl bootout system/co.elastic.elastic-agent
        sudo launchctl bootout system/co.elastic.endpoint
        sudo launchctl unload /Library/LaunchDaemons/co.elastic.elastic-agent.plist
        sudo launchctl unload /Library/LaunchDaemons/co.elastic.endpoint.plist
        sudo profiles remove -type='configuration' -identifier='Profile UID goes here' -verbose
        sudo rm -rf /Library/LaunchDaemons/co.elastic.elastic-agent.plist
    fi

    agentvar=$(pgrep elastic-agent)
    endpointvar=$(pgrep elastic-endpoint)
    filebeatvar=$(pgrep filebeat)
    echo "this is var 1:$agentvar"
    echo "this is var 2:$endpointvar"
    echo "this is var 3:$filebeatvar"
    # Only kill when pgrep actually found a PID (kill -9 with no argument just errors out)
    [ -n "$agentvar" ] && sudo kill -9 $agentvar
    [ -n "$endpointvar" ] && sudo kill -9 $endpointvar
    [ -n "$filebeatvar" ] && sudo kill -9 $filebeatvar

    if [[ -e /Library/Elastic/Endpoint/elastic-endpoint ]]; then
        echo "Elastic Endpoint is still installed, attempting to uninstall..."
        sudo launchctl unload /Library/LaunchDaemons/co.elastic.endpoint.plist
        sudo launchctl bootout system/co.elastic.endpoint
        sudo rm -rf /Library/LaunchDaemons/co.elastic.endpoint.plist
    fi

    # Deletes files
    sudo rm -rf /Library/Elastic/*
    sudo rm -rf /Library/Elastic
    sudo rm -rf "/Applications/Elastic Security.app"
    sudo rm -rf /Applications/ElasticEndpoint.app
}

# Run twice with a pause: the first pass sometimes leaves files behind
elasticUninstall
sleep 10
elasticUninstall
exit 0
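Calling the whole uninstall routine twice around a fixed sleep works, but it hides the actual condition being waited for. The script below is an added example, not from this thread or from Elastic, that runs an uninstall step and then polls until the paths that step is supposed to remove are really gone, retrying a bounded number of times before falling back to manual removal. The paths and launchd labels are the ones quoted earlier in the thread; the attempt counts, the timeouts, and the convention that the Jamf policy passes "uninstall" as parameter 4 are assumptions for this example.

```shell
#!/bin/bash
# Added example (not from the thread): uninstall, then poll until the files are
# actually gone instead of sleeping a fixed time and running everything twice.
# Assumed: Jamf passes "uninstall" as script parameter $4 to trigger the run.

# all_gone <path>...  : 0 once none of the paths exist, 1 while any remains
all_gone() {
    for p in "$@"; do
        [ -e "$p" ] && return 1
    done
    return 0
}

# run_until_gone <attempts> <timeout_seconds> <function> <path>...
# Calls <function> (a shell function or command taking no arguments), then waits
# up to <timeout_seconds> for every <path> to disappear; repeats up to <attempts>
# times. Returns 0 on success, 1 if something is still present at the end.
run_until_gone() {
    attempts="$1"; timeout="$2"; step="$3"; shift 3
    i=1
    while [ "$i" -le "$attempts" ]; do
        "$step" || true            # a half-removed install can make the uninstaller exit non-zero
        waited=0
        while [ "$waited" -lt "$timeout" ]; do
            all_gone "$@" && return 0
            sleep 1
            waited=$((waited + 1))
        done
        echo "attempt $i of $attempts: Elastic files still present" >&2
        i=$((i + 1))
    done
    all_gone "$@"
}

# Step 1: Elastic's own uninstaller (paths as quoted in this thread)
official_uninstall() {
    /Library/Elastic/Agent/elastic-agent uninstall -f
}

# Step 2: manual fallback for what the thread reports the official uninstaller can leave behind
force_remove() {
    launchctl bootout system/co.elastic.elastic-agent 2>/dev/null || true
    launchctl bootout system/co.elastic.endpoint 2>/dev/null || true
    rm -rf /Library/LaunchDaemons/co.elastic.elastic-agent.plist \
           /Library/LaunchDaemons/co.elastic.endpoint.plist \
           /Library/Elastic /Applications/ElasticEndpoint.app
}

# Entry point for the Jamf policy; must run as root.
elastic_uninstall() {
    if [ -x /Library/Elastic/Agent/elastic-agent ]; then
        run_until_gone 3 30 official_uninstall \
            /Library/Elastic/Agent /Library/Elastic/Endpoint \
            /Library/LaunchDaemons/co.elastic.elastic-agent.plist \
            /Library/LaunchDaemons/co.elastic.endpoint.plist && return 0
    fi
    run_until_gone 2 10 force_remove \
        /Library/Elastic /Library/LaunchDaemons/co.elastic.elastic-agent.plist \
        /Library/LaunchDaemons/co.elastic.endpoint.plist /Applications/ElasticEndpoint.app
}

if [ "${4:-}" = "uninstall" ]; then
    elastic_uninstall
fi
```

The exit status tells the policy whether the machine is actually clean, which is what a following `jamf recon` should be reporting on; a non-zero result is a signal to look at the box rather than assume the second pass fixed it.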


Interesting that it works fine if you loop it and manages to remove the profile. I still find it strange that the profile is causing an issue for you; I wonder how yours differs from mine. Mine is computer level rather than user level, maybe that matters?

I'm also surprised your script doesn't give you a hard time about using "launchctl unload"; whenever I use unload these days it just complains about it being deprecated. Though they should already be unloaded by the time it gets to that spot in the script.