
Has anyone found an easy way to deploy the Rapid7 Mac Insight Agent using Jamf

So here is my conundrum: When I deploy my policy I am using a .pkg which drops the agent_installer.sh in the correct folder, plus the uninstall command. Then I am running the actual install from a command in "Files and Processes" using the following command: sudo ./agent_installer.sh install_start --token xxxxxxxxxxxxxxxxxx. But when automagically deployed it doesn't recognize the command; however, if I flush the log and then go into terminal and do a sudo jamf policy manually, the policy works beautifully. Am I missing something?



I am seeing a similar behavior. When I run the policy via "sudo jamf policy" in terminal it works. But when I push it out to test machines and have it install during Check-In, I get this error when running the script "Script result: tput: No value for $TERM and no -T specified".

 

Hoping to find a solution..

 

 


@PCSysops We have over 30 operating companies in our Jamf instance. Each one will need to put the company attribute into the install command like so:



insight_installer.sh install_start --token us:xxxxxxxxxx --attributes "CompanyAttribute Agent"



So what I did was create the InsightVM package in Composer with "chmod u+x /private/tmp/InsightVM/insight_installer.sh" in a post install script.



Then create the policy in Jamf Pro. Configure "Files and Processes" and add /private/tmp/InsightVM/insight_installer.sh install_start --token us:xxxxxxxx --attributes "CompanyAttribute Agent" into Execute Command.



I hope this helps anybody else coming across this issue.



@dwynn - Question: How are you triggering the deployment? Are you installing the policy upon Recurring Check-In?


I have it set up in the Self-Service portal and some set it for Recurring Check-in. What kind of issue are you having?


Ah, I'm hoping to set it for Recurring Check-In. I'm able to install the agent if I manually go to the computer and type in "sudo jamf policy", but when I trigger it for Recurring Check-In I get this: 

 


You need to create a pkg with Composer. Here are the instructions. The name of your .sh file will vary. In this example I use "insight_installer.sh"

 

 

  1. Create a new folder at /private/tmp called InsightVM and extract all install files to this directory. Drag the directory into Composer.
  2. Create a Post Install script for the package. Paste this command: chmod u+x /private/tmp/InsightVM/insight_installer.sh
  3. Create the Package and upload it to Jamf Pro
  4. Then create a policy in Jamf Pro. Add the PKG you just uploaded, configure "Files and Processes", and add /private/tmp/InsightVM/insight_installer.sh install_start --token us:xxxxxxxx --attributes "CompanyAttribute Agent" into Execute Command.

You might not use any --attributes "CompanyAttribute Agent". If not just leave that out.

 

For Apple Silicon the command is: /private/tmp/InsightVM/insight_installer-arm.sh install_start --token us:xxxxxxxx --attributes "CompanyAttribute Agent"

 


Here is a video on how to create with Composer:

https://www.loom.com/share/cd2e812d83b343698f5ef061e4cef00c?sid=c494e355-f8ed-45db-8dba-b8df9946dfcc

 


We just purchased Rapid7 so I don't have any documentation or anything yet but I've been provided two scripts and token.

I'm seeing here that people are talking about creating a pkg to run the script. I'm curious why would a package need to be created? Can the script not be put into Jamf and let a policy run it?


Did not work for me. Had to cache policy, then install via script with the token. 


No, the script has to be in a directory on the Mac, e.g. /usr/local/bin/Rapid7/

I created a PKG which places both Rapid7 installer scripts in that place. In two separate policies, one for x86 and one for ARM Macs, I send the PKG to the Mac followed by the following script, which helps me to run the specified agent installer script on the Mac:

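#!/bin/bash

# Jamf script parameter 4 holds the Rapid7 token; this line writes it to the policy log
echo "### Token: $4 #####"
sleep 2

# Make the installer executable; stop if the directory is missing
cd /usr/local/bin/Rapid7/ || exit 1
chmod u+x agent_installer-x86_64.sh && echo "### chmod done #####"
sleep 2

# Run the installer with the token from parameter 4
./agent_installer-x86_64.sh install_start --token "$4"
echo "### The following script has been executed: Rapid7-Agent-Installer-Preparation-x86_64.sh #####"
sleep 2

# Log the directory contents for troubleshooting
echo "### List of /usr/local/bin/Rapid7/
$(ls -l /usr/local/bin/Rapid7/) #####"
sleep 2

exit 0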

 

The Script has the following options under Parameter 4 (I placed the Rapid7 Token there):

 

Rapid7 provides documentation on how to distribute Rapid7 via Jamf Pro.

 


This is what I'm using as a post install. rapid7-munkipkg

#!/bin/bash
## postinstall

# Standard arguments passed to a package postinstall script
pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

arch=$(/usr/bin/arch)

# Run the installer that matches the CPU architecture
if [ "$arch" == "arm64" ]; then
    echo "Apple Silicon Detected"
    chmod +x /private/tmp/rapid7/agent_installer-arm64.sh
    /bin/sh /private/tmp/rapid7/agent_installer-arm64.sh install_start --token us:yourcodehere
else
    echo "Intel Detected"
    chmod +x /private/tmp/rapid7/agent_installer-x86_64.sh
    /bin/sh /private/tmp/rapid7/agent_installer-x86_64.sh install_start --token us:yourcodehere
fi

# Detect Rapid7 is running

if pgrep -x "ir_agent" >/dev/null; then
    echo "Install Successful"
    # Clean Up
    rm -rf /private/tmp/rapid7
    exit 0
else
    echo "Install Failed"
    # Clean Up
    rm -rf /private/tmp/rapid7
    exit 1
fi

Hey, hope you are well, 

I've been tasked with deploying Rapid 7, and all seems to be working, BUT people are telling me you need a config profile to grant Full Disk Access for the ir_agent, and I am having no luck finding any info around this, or which identifiers to use. Are you using one?


For some inexplicable reason they don't mention the FDA being needed in their documentation. Their logging also doesn't reveal that anything is failing if you don't have FDA allowed. Talk to their support though. They provided us with the mobileconfig file that they use internally. This was after we rolled it out not knowing FDA was needed and I happened to notice that it was showing up in the system settings wanting access. We weren't too happy about that and it wasn't noticed during testing.


Thanks, will get my infosec team to reach out and grab that. Thanks for the reply.


@JevermannNG How did you get the documentation from Rapid7? They told us they don't have it...


https://docs.rapid7.com/insight-agent/certificate-package-installation-method#install-on-mac-and-linux


Yeah, I have that.  Those are just single install instruction though, not what I would consider comprehensive mass deployment documentation (like they have for Windows).

Considering the comment below about FDA and that Rapid7 has a mobile config file in use internally, I do think they ought to have better documentation...

- Chris


Agreed, I ended up creating the script below, and install cached and it worked for me. 

 

#!/bin/sh

# Install Rapid7 Agent

cd /private/tmp

chmod u+x agent_installer-arm64.sh

sleep 10

sudo ./agent_installer-arm64.sh install_start --token us:**********************

exit


Thanks, for this.  It's been helpful to see all the different approaches people have taken.


Brand new to the world of packaging for Macs. We have a mix of Intel Macs and M1s in our environment. Can anyone confirm whether or not I'll need to download both versions of the macOS installer from Rapid7, then target our devices according to chip type (Intel or M1)? Thanks.


Hey, 

Yes, you will need both, as there is no Universal installer. There is a script floating around on here that checks the architecture of the Mac and then installs the right version, so you can make one package, target the entire fleet, and let the script do the rest of the work.
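
Pulling together points raised in this thread (one package for both chip types, the token in Jamf script parameter 4, and the tput error seen at Recurring Check-In), here is an added example; it is not any poster's or Rapid7's script. It assumes a package has already placed both installer scripts in /usr/local/bin/Rapid7/, and that giving TERM a default value is enough to avoid the tput error; installer_for, mask_token and run_install are hypothetical helper names.

```shell
#!/bin/bash
# Added example, not from the thread. Directory and file names follow the posts above.
INSTALL_DIR="${INSTALL_DIR:-/usr/local/bin/Rapid7}"

# Map a CPU architecture string to the matching installer script.
installer_for() {
    case "$1" in
        arm64)       echo "$INSTALL_DIR/agent_installer-arm64.sh" ;;
        x86_64|i386) echo "$INSTALL_DIR/agent_installer-x86_64.sh" ;;
        *)           return 1 ;;
    esac
}

# Keep only the region prefix of a token such as "us:xxxx" for log output,
# so the enrollment token never lands in the Jamf policy log.
mask_token() {
    case "$1" in
        *:*) echo "${1%%:*}:****" ;;
        *)   echo "****" ;;
    esac
}

# Run the installer. $1 = architecture, $2 = token.
run_install() {
    installer="$(installer_for "$1")" || { echo "unsupported arch: $1" >&2; return 2; }
    [ -f "$installer" ] || { echo "missing: $installer" >&2; return 3; }
    [ -n "$2" ] || { echo "no token in parameter 4" >&2; return 4; }
    # Assumption: at check-in there is no terminal, so TERM is unset and tput
    # prints "No value for $TERM"; give it a default before calling the installer.
    export TERM="${TERM:-dumb}"
    echo "Installing with token $(mask_token "$2")"
    /bin/sh "$installer" install_start --token "$2"
}

main() {
    run_install "$(uname -m)" "$4" || exit $?
    sleep 10   # give the service a moment to start before checking
    # Same success check as the postinstall script earlier in the thread.
    pgrep -x ir_agent >/dev/null || { echo "Install Failed" >&2; exit 1; }
    echo "Install Successful"
}

# Jamf reserves $1-$3; only run when a token arrives in parameter 4.
if [ -n "${4:-}" ]; then main "$@"; fi
```

Scope a single policy to the whole fleet, attach this as the policy script, and enter the token in the script's Parameter 4 field.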


Thanks for that info. And one more point to confirm: once the Rapid7 Insight Agent is installed on a Mac, is there any reason to redeploy/reinstall a newer version of the Agent? My understanding (based on behavior on Windows devices) is that once the Agent is installed, it will update itself without user or administrator intervention. Just wanted to make sure that's the way it will work on Macs as well. Thanks! 


ISVM Agent auto updates on our Macs. 

 

I have two separate policies for the ISVM Install. You could just deploy both installers to the machine and let the scope take care of it. 

Scoped to Apple Silicon - /private/tmp/InsightVM/insight_installer-arm.sh install_start --token us:0000-0000-0000-0000-00000 --attributes "XXXX Agent"

 

Scoped to Intel - /private/tmp/InsightVM/insight_installer.sh install_start --token us:0000-0000-0000-0000-00000 --attributes "XXXX Agent"


Hello,



Has anyone found a way to uninstall the Rapid7 Agent via script?



#!/bin/bash

# Stop Rapid7 services
sudo launchctl stop ir_agent.service
sudo launchctl stop com.rapid7.ir_agent

# Remove LaunchDaemon plist
sudo rm -f /Library/LaunchDaemons/com.rapid7.ir_agent.plist

# Disable Rapid7 service
sudo launchctl disable system/ir_agent

# Remove Rapid7 directory and its contents
sudo rm -rf /opt/rapid7/ir_agent
sudo rm -rf /opt/rapid7/

# Print uninstallation completed message
echo "Rapid7 uninstallation completed."


Has anyone had success with the new Mac installation instructions below? I can install the .pkg just fine but my method of running the token install command under Files and Processes > Execute Command isn't working anymore.

 

https://docs.rapid7.com/insight-agent/mac-installation/


Yes, but I use a script that starts either the ARM or Intel PKG Installation.


Parameters 4 and 5 of the script are the input fields for the Token and the Rapid7 Installer Version.


#!/bin/bash

SystemArch=$(/usr/bin/arch)
echo "### SystemArch - $SystemArch #####"
sleep 2

# Rapid7 Token can be found in Parameter 4 (this line writes it to the policy log)
echo "### Token: $4 #####"
sleep 2

# Rapid7 Path - Version can be found in Parameter 5
Rapid7Path="/opt/rapid7/ir_agent/components/insight_agent/$5/"
echo "### Rapid7Path - $Rapid7Path #####"
sleep 2

# Start Rapid7 Installer via Script
if [ "$SystemArch" == "arm64" ]; then
    echo "### Apple Silicon Detected #####"
    /usr/local/bin/jamf policy -event Rapid7-ARM
    sleep 2
else
    echo "### Intel Detected #####"
    /usr/local/bin/jamf policy -event Rapid7-X86
    sleep 2
fi

# Configure the installed agent with the token and start it
sudo -s "$Rapid7Path/./configure_agent.sh" --token "$4" --start && echo "### Rapid7 Config Script Start #####"

# List Folder Content of Rapid7Path
echo "### List of Rapid7Path
$(ls -l "$Rapid7Path")
#####"
sleep 2

# Finish Script
echo "### Jamf Recon - Start #####"
/usr/local/bin/jamf recon && echo "### Jamf Recon - Completed #####"
sleep 2
