Carbon Black Defense 3.1 & Jamf 10.7.1

tangoadmin
New Contributor

It appears Composer is no longer able to package the CB_install.pkg and unattended .sh file. Our previous install involved packaging the .sh file and pkg from a temp location, dumping that onto a client machine, and then running a script file that pointed to the .sh and pkg location with company code and policy name.

Does anyone have an updated method for this or a different way to deliver CB Defense? I have an open ticket with support but so far they're stumped.


nikjamf
New Contributor III

Hi, did you have any update on this workflow? Thanks

ThijsX
Valued Contributor

Hi, it worked for me! Even with the new 3.2 sensor.

I have a pre-install script that dumps the files in /tmp/ and then as postinstall the "unattended" script with our company variables.

nikjamf
New Contributor III

Would you like to share the pre-install script? We just started testing CB in our company before purchasing, and last week the CB representative was not very helpful on how to install it from JAMF. I created my temp folder under /Users/temp/; not sure it is the right location for the CB .dmg file / .sh. Are you using JAMF Composer to build your .pkg?

ThijsX
Valued Contributor

@nikjamf

Sure.
I use Packages.app for most of the packages I create.
Make sure the files included in your package correspond to the names in the pre/post install scripts.

Pre-install

#!/bin/bash

# Determine working directory
install_dir=$(dirname "$0")

cp "$install_dir/CbDefense.pkg" "$3/tmp/CbDefense.pkg"

Post-install

#!/bin/bash
#
# Copyright (c) 2011-2018 Carbon Black, Inc. All rights reserved.
#
# Tool for an unattended install / upgrade of Carbon Black Defense Sensor for macOS.
#
# Serves as an example how to create custom deploy packages and setup various options to install Cb Defense PKG in unattended mode.
#
# The script can also be used as-is:
# 1. either embedded in a custom package (along with the matching PKG) and used with software deployment tool of choice,
# 2. or pushed to a target device (via a file share, file download, etc) and executed on a command line, on the target device.
#
# For maximum compatibility, always use this tool with Cb Defense Install PKG for the matching sensor major.minor release,
# ideally, extracted from the same Cb Defense DMG.
#
#
#
# required parameters:
# - location of CbDefense PKG file
# - CompanyCode
#
# optional parameters:
# - Proxy Server
# - Proxy Server Creds
# - Last Attempt Proxy Server
# - Disable auto-update
# - Disable auto-update jitter
# - Pem File (cert. for the Backend Server)
# - File Upload Limit
# - Group Name
# - User name
# - Background Scan
# - Protection
# - RateLimit
# - ConnectionLimit
# - QueueSize
# - LearningMode
# - POC
# - AllowDowngrade
# - Disable Live Response
# - skip 10.13+ KEXT approval check

VERSION=3.2.1.10

#options
CBD_INSTALLER="/tmp/CbDefense.pkg"
COMPANY_CODE=" COMPANY CODE HERE "

#optional args
PROXY_SERVER=""
PROXY_CREDS=""
LAST_ATTEMPT_PROXY_SERVER=""
DISABLE_AUTOUPDATE=0
DISABLE_AUTOUPDATE_JITTER=0
BACKEND_SERVER_PEM=""
FILE_UPLOAD_LIMIT="" # empty for default
GROUP_NAME=" POLICY NAME HERE "
USER_NAME=""
BSCAN=""
PROTECTION=""
POC=""
DISABLE_LIVE_RESPONSE=0
ALLOW_INSTALL_UPGRADE_WITHOUT_KEXT_PREAPPROVAL=1

CB_DEFENSE_ALLOW_DOWNGRADE=0

# throttle args
unset RATE_LIMIT
unset CONNECTION_LIMIT
unset QUEUE_SIZE
unset LEARNING_MODE

#other vars
CBD_INSTALL_TMP="/tmp/cbdefense-install"
ME=`basename ${0}`
LOG="/tmp/${ME}.log"

CBD_INSTALL_LOGS_PREFIX='/tmp/confer'
CBD_APP_INSTALL_PREFIX='/Applications/Confer.app'

install_upgrade=''

function show_version()
{
    echo "${0} version ${VERSION}"
}

function usage()
{
    cat <<EOF

This tool installs or upgrades macOS Carbon Black Defense Sensor on this machine.

usage: ${0} options

OPTIONS:
     -h          Show this message
     -v          Show version of this script. Major and minor version should match the version of Cb Defense PKG file to be deployed.
     -i          Path to CbDefense Install.pkg (required)
     -c          Company Code used to register the device (required)
     -p          Proxy server and port, e.g. 10.5.6.7:54443 (optional)
     -x          Proxy credentials, if required, e.g. username:password (optional), requires -p
     -l          Last Attempt proxy server and port, used if every other connectivity method fails, e.g. 10.5.6.7:54443 (optional)
     -b          [deprecated] [optional] Backend Server address for OnPrem Install
     -m          Backend Server PEM file for OnPrem Install (optional)
     -u          Disable autoupdate (optional).  Auto-update is enabled by default.
     -t          File upload limit in MB (optional).  Default is no limit.
     -g          Group name (optional). The group to add the device to during registration.
     -o          User name / e-mail address override (optional). Used during registration and for identifying the device.
     -s          Background scan enable ("on") or disable ("off") (optional). Default is enabled. Cloud policy overrides this setting.
     -d          Protection after install disabled ("off") (sensor bypass mode), until reenabled later from Policy page.  This is optional.  Default is protection enabled after install.
     --downgrade Allow unattended downgrade. (optional)
     --disable-upgrade-jitter Disable auto-upgrade jitter (optional)
     --disable-live-response Disable live response (optional)
     --skip-kext-approval-check (optional)  Allows for >=3.1 sensor install/upgrade to run on macOS >=10.13 even if KEXT approval has not been done prior to the install/upgrade. KEXT approval can then be deferred until after the sensor install/upgrade.

Network Throttle Advanced Options (optional)
     --ratelimit
     --connectionlimit
     --queuesize
     --learningmode

Demo-mode only options (optional):
     --enable-poc POC fast startup (optional). Default is disabled.



EXAMPLES:
        ${0} -i /tmp/CbDefenseInstall.pkg -c 652797N7
        ${0} -i /tmp/CbDefenseInstall.pkg -c 652797N7 -p 10.0.3.3:123
        ${0} -i /tmp/CbDefenseInstall.pkg -c 652797N7 -p 10.0.3.3:123 -x myproxyuser:myproxypassword
        ${0} -i /tmp/CbDefenseInstall.pkg -c 652797N7 -u
        ${0} -i /tmp/CbDefenseInstall.pkg -c 652797N7 --downgrade
        ${0} -i /tmp/CbDefenseInstall.pkg -c 652797N7 -u -m /tmp/mycompany.pem
        ${0} -i /tmp/CbDefenseInstall.pkg -c 652797N7 -u -t 12 -s off -d off
        ${0} -i /tmp/CbDefenseInstall.pkg -c 652797N7 -g 'Administrators' -o 'adminuser2'
        ${0} -i /tmp/CbDefenseInstall.pkg -c 652797N7 --learningmode=30
        ${0} -i /tmp/CbDefenseInstall.pkg -c 652797N7 --skip-kext-approval-check

EOF

}


### parse options

while getopts "ht:vt:i:c:p:l:x:b:m:s:t:g:o:d:u-:" OPTION
do
    case $OPTION in
        h)
            usage
            exit 1
            ;;
        v)
            show_version
            exit 0
            ;;
        i)
            CBD_INSTALLER=${OPTARG}
            ;;
        c)
            COMPANY_CODE=${OPTARG}
            ;;
        p)
            PROXY_SERVER=${OPTARG}
            ;;
        x)
            PROXY_CREDS=${OPTARG}
            ;;
        l)
            LAST_ATTEMPT_PROXY_SERVER=${OPTARG}
            ;;
        b)
            #deprecated
            ;;
        m)
            BACKEND_SERVER_PEM=${OPTARG}
            ;;
        s)
            BSCAN=${OPTARG}
            ;;
        t)
            FILE_UPLOAD_LIMIT=${OPTARG}
            ;;
        g)
            GROUP_NAME=${OPTARG}
            ;;
        o)
            USER_NAME=${OPTARG}
            ;;
        u)
            DISABLE_AUTOUPDATE=1
            ;;
        d)
            PROTECTION=${OPTARG}
            ;;

        -)
            case "${OPTARG}" in
                downgrade)
                    val="${!OPTIND}"; OPTIND=$(( $OPTIND + 1 ))
                    CB_DEFENSE_ALLOW_DOWNGRADE=1
                    ;;

                downgrade=*)
                    CB_DEFENSE_ALLOW_DOWNGRADE=1
                    ;;

                disable-upgrade-jitter)
                    val="${!OPTIND}"; OPTIND=$(( $OPTIND + 1 ))
                    DISABLE_AUTOUPDATE_JITTER=1
                    ;;

                disable-upgrade-jitter=*)
                    DISABLE_AUTOUPDATE_JITTER=1
                    ;;

                disable-live-response)
                    val="${!OPTIND}"; OPTIND=$(( $OPTIND + 1 ))
                    DISABLE_LIVE_RESPONSE=1
                    ;;

                disable-live-response=*)
                    DISABLE_LIVE_RESPONSE=1
                    ;;

                ratelimit)
                    val="${!OPTIND}"; OPTIND=$(( $OPTIND + 1 ))
                    RATE_LIMIT=${val}
                    ;;

                ratelimit=*)
                    val=${OPTARG#*=}
                    opt=${OPTARG%=$val}
                    RATE_LIMIT=${val}
                    ;;

                connectionlimit)
                    val="${!OPTIND}"; OPTIND=$(( $OPTIND + 1 ))
                    CONNECTION_LIMIT=${val}
                    ;;

                connectionlimit=*)
                    val=${OPTARG#*=}
                    opt=${OPTARG%=$val}
                    CONNECTION_LIMIT=${val}
                    ;;


                queuesize)
                    val="${!OPTIND}"; OPTIND=$(( $OPTIND + 1 ))
                    QUEUE_SIZE=${val}
                    ;;

                queuesize=*)
                    val=${OPTARG#*=}
                    opt=${OPTARG%=$val}
                    QUEUE_SIZE=${val}
                    ;;


                learningmode)
                    val="${!OPTIND}"; OPTIND=$(( $OPTIND + 1 ))
                    LEARNING_MODE=${val}
                    ;;

                learningmode=*)
                    val=${OPTARG#*=}
                    opt=${OPTARG%=$val}
                    LEARNING_MODE=${val}
                    ;;


                enable-poc)
                    val="${!OPTIND}"; OPTIND=$(( $OPTIND + 1 ))
                    POC='on'
                    ;;

                enable-poc=*)
                    val=${OPTARG#*=}
                    opt=${OPTARG%=$val}
                    POC=${val}
                    ;;

                skip-kext-approval-check)
                    ALLOW_INSTALL_UPGRADE_WITHOUT_KEXT_PREAPPROVAL=1
                    ;;
                skip-kext-approval-check=*)
                    val=${OPTARG#*=}
                    opt=${OPTARG%=$val}
                    ALLOW_INSTALL_UPGRADE_WITHOUT_KEXT_PREAPPROVAL=${val}
                    ;;

                *)
                    if [ "$OPTERR" = 1 ] && [ "${optspec:0:1}" != ":" ]; then
                        echo "ERROR: Unknown long option --${OPTARG}" >&2
                        usage
                        exit
                    fi
                    ;;
            esac ;;
        ?)
            echo "Invalid option: -${OPTARG}"
            usage
            exit
            ;;
    esac
done


function print_vals() {
    echo "CBD_INSTALLER=${CBD_INSTALLER}"
    echo "COMPANY_CODE=${COMPANY_CODE}"
    echo "PROXY_SERVER=${PROXY_SERVER}"
    echo "PROXY_CREDS=${PROXY_CREDS}"
    echo "LAST_ATTEMPT_PROXY_SERVER=${LAST_ATTEMPT_PROXY_SERVER}"
    echo "BACKEND_SERVER_PEM=${BACKEND_SERVER_PEM}"
    echo "DISABLE_AUTOUPDATE=${DISABLE_AUTOUPDATE}"
    echo "DISABLE_AUTOUPDATE_JITTER=${DISABLE_AUTOUPDATE_JITTER}"
    echo "FILE_UPLOAD_LIMIT=${FILE_UPLOAD_LIMIT}"
    echo "GROUP_NAME=${GROUP_NAME}"
    echo "USER_NAME=${USER_NAME}"
    echo "BSCAN=${BSCAN}"
    echo "PROTECTION=${PROTECTION}"
    echo "RATE_LIMIT=${RATE_LIMIT}"
    echo "CONNECTION_LIMIT=${CONNECTION_LIMIT}"
    echo "QUEUE_SIZE=${QUEUE_SIZE}"
    echo "LEARNING_MODE=${LEARNING_MODE}"
    echo "POC=${POC}"
    echo "DISABLE_LIVE_RESPONSE=${DISABLE_LIVE_RESPONSE}"
    echo "CB_DEFENSE_ALLOW_DOWNGRADE=${CB_DEFENSE_ALLOW_DOWNGRADE}"
    echo "ALLOW_INSTALL_UPGRADE_WITHOUT_KEXT_PREAPPROVAL=${ALLOW_INSTALL_UPGRADE_WITHOUT_KEXT_PREAPPROVAL}"

}


function validate_options() {

    #print_vals

    ###validate options
    if [[ -z ${CBD_INSTALLER} ]] || [[ -z ${COMPANY_CODE} ]] ; then
        echo "ERROR: Path to CbDefense PKG file and company code are required parameters"
        usage
        exit 1
    fi
    if [[ ${#COMPANY_CODE} -lt 10 ]]; then
        echo "ERROR: Please enter the company code as specified in the backend"
        exit 1
    fi


    #proxy
    if [[ -n ${PROXY_CREDS} ]] ; then
        # check for required option
        if [[ -z ${PROXY_SERVER} ]] ; then
            usage
            exit 1
        fi

    fi

    # backend
    # if PEM, need server
    if [[ -n ${BACKEND_SERVER_PEM} ]] ; then
        # check for required file
        if [[ ! -f "${BACKEND_SERVER_PEM}" ]] ; then
            echo "ERROR: Backend server PEM file not found: ${BACKEND_SERVER_PEM}"
            exit 2
        fi
    fi
}


function validate_hs_kext_approval() {

    echo -n "KEXT check: macOS >=10.13 detected, checking KEXT pre-approval..."

    if [[ -z ${ALLOW_INSTALL_UPGRADE_WITHOUT_KEXT_PREAPPROVAL} ]] || [[ ${ALLOW_INSTALL_UPGRADE_WITHOUT_KEXT_PREAPPROVAL} -eq 0 ]] ; then

        # Perform KEXT pre-approval check.
        # NOTE: Apple does not currently provide a solid API to check this.
        # The mechanism utilized here relies on internal schemas and is "best-effort" check, until Apple provides a better interface.
        # If the queries appear no longer working, the internal mechanism of KEXT approval tracking may have changed, and the approval status may be unknown.
        # The queries also do not take into account other mechanisms of KEXT approval (entire SIP disablement, etc)
        # In such cases of KEXT approval status being unknown, the override flag is still required for safety.

        KEXT_TEAM_ID_31='7AGZNQ2S2T'
        KEXT_BUNDLE_ID_31='com.carbonblack.defense.kext'
        KEXT_POLICY_DB_INTERNAL='/var/db/SystemPolicyConfiguration/KextPolicy' #internal
        DB_CMD='/usr/bin/sqlite3'

        kext_approval_unknown=0
        kext_approved=0

        # Check to see if db_cmd exists
        if [ ! -f ${DB_CMD} ] ; then
            echo "Error: unable to check internal dbs: no ${DB_CMD}"
            kext_approval_unknown=1
        fi
        # check to see if the DBs to be queried exists
        if [ ! -f ${KEXT_POLICY_DB_INTERNAL} ] ; then
            echo "Error: unable to check internal dbs, no ${KEXT_POLICY_DB_INTERNAL}"
            kext_approval_unknown=1
        fi

        # Try to execute checks
        if [[ ${kext_approval_unknown} -eq 0 ]] ; then
            col1=team_id
            col2=bundle_id
            table1=kext_policy
            table2=kext_policy_mdm
            user_approved=`${DB_CMD} ${KEXT_POLICY_DB_INTERNAL} "SELECT count(${col1}) FROM ${table1} WHERE ${col1}='${KEXT_TEAM_ID_31}' AND ${col2}='${KEXT_BUNDLE_ID_31}'" 2>/dev/null`
            # If the query fails just print a message and don't fail
            if [ ${?} -ne 0 ] ; then
                printf "Info: Could not query kext_policy table\n"
            fi
            mdm_approved=`${DB_CMD} ${KEXT_POLICY_DB_INTERNAL} "SELECT count(${col1}) FROM ${table2} WHERE ${col1}='${KEXT_TEAM_ID_31}' AND ${col2}='${KEXT_BUNDLE_ID_31}'" 2>/dev/null`
            if [ ${?} -ne 0 ] ; then
                echo "Info: Could not query kext_policy_mdm table"
            fi
        fi

        # Evaluate if KEXT is preapproved
        # A failed query, non-zero return is not necessarily a failure if the other succeeded
        if [[ -n ${user_approved} ]] && [[ ${user_approved} -gt 0 ]] ; then
            kext_approved=1
            echo "...OK (user pre-approved)"
        fi
        if [[ -n ${mdm_approved} ]] && [[ ${mdm_approved} -gt 0 ]] ; then
            kext_approved=1
            echo "...OK (MDM pre-approved)"
        fi

        if [ ${kext_approved} -eq 0 ] ; then
            echo "Error: KEXT does not appear to be pre-approved on this device by MDM or user."
            cat <<EOF

Exiting the sensor ${install_upgrade} because KEXT pre-approval was not detected.
Please use one of the following options to workaround this:



Using this option will ensure that Cb Defense sensor version ${VERSION} remains fully operational immediately after the ${install_upgrade}.



EOF
            exit 9
        fi
    else
        echo "...SKIP (--skip-kext-approval-check is used)"
        echo "Please ensure to approve the Cb Defense KEXT shortly after the sensor ${install_upgrade}."
    fi

}

function validate_run() {

    ###validate OS
    os=`uname`
    if [[ ${os} != 'Darwin' ]] ; then
        echo "ERROR: Unsupported OS, required macOS 10.8 or later"
        exit 3
    fi

    ###check the actual version
    ###Note: installer will do that for us, but in the unattended mode, the message would be obscured
    version=`/usr/bin/sw_vers  | grep ProductVersion | cut -d':' -f2 | awk '{gsub(/^[ 	]+|[ 	]+$/,"");print}'`
    major=`echo ${version} | cut -d'.' -f1`
    minor=`echo ${version} | cut -d'.' -f2`
    patch=`echo ${version} | cut -d'.' -f3`

    if [[ -n ${version} ]] ; then
        echo -n "Detected macOS version: ${major}.${minor}.${patch}..."

        if [[ ${major} -lt 10 ]] ||
        ( [[ ${major} -eq 10 ]] && [[ ${minor} -lt 8 ]] ) ; then
            echo "ERROR: Unsupported OS, required macOS 10.8 or later"
            exit 3
        fi

        if [[ ${major} -eq 10 ]] && [[ ${minor} -gt 7 ]] && [[ ${minor} -lt 10 ]] ; then
            echo "WARNING: macOS 10.8-10.9 are not officially supported, use at your own risk"
        elif [[ ${major} -eq 10 ]] && [[ ${minor} -gt 14 ]] ; then
            echo "WARNING: Unsupported OS, required max. macOS 10.14"
        else
            echo "...OK"
        fi
    fi

    ###validate install framework
    if [[ ! -x /usr/sbin/installer ]] ; then
        echo "ERROR: Installer framework not found"
        exit 4
    fi

    ###validate privileges
    user=`whoami`
    if [[ ${user} != "root" ]] ; then
        echo "ERROR: root privileges are required to install CbDefense Sensor."
        #setup
        exit 1
    fi


    ###validate pkg
    if [[ ! -f "${CBD_INSTALLER}" ]] ; then
        echo "ERROR: CbDefense Installer ${CBD_INSTALLER} file not found"
        exit 2
    fi

    ###validate pkg is CbDefense on OSX > 10.6 (need pkgutil support)
    if [[ ${minor} -gt 6 ]] ; then
        if [[ -x /usr/sbin/pkgutil ]] ; then
            err=`/usr/sbin/pkgutil --check-signature "${CBD_INSTALLER}" | grep '(JA7945SK43)'`
            er=$?
            if [[ ${er} -ne 0 ]] ; then
                err=`/usr/sbin/pkgutil --check-signature "${CBD_INSTALLER}" | grep '(7AGZNQ2S2T)'`
                er=$?
                if [[ ${er} -ne 0 ]] ; then
                    echo "ERROR: CbDefense Installer cannot be verified: $err:$er"
                    exit 3
                fi
            fi
        fi
    fi

    ### KEXT approval safe-guard check on macOS >=10.13
    if [[ ${major} -ge 10 ]] && [[ ${minor} -ge 13 ]] ; then
        validate_hs_kext_approval
    fi

    echo "Compatibility validation OK."

}

function init() {
    echo
    echo "Running tool: ${0}, version ${VERSION}."
    echo "For maximum compatibility, ensure to use this tool for installing or upgrading to a matching ${VERSION} version of the corresponding Cb Defense PKG. Both the tool and the PKG should be extracted from the same Cb Defense DMG ${VERSION}."
    echo

    if [ -f "${CBD_APP_INSTALL_PREFIX}/cfg.ini" ] ; then
        install_upgrade='upgrade'
        echo "Previous sensor installation detected."
    else
        install_upgrade='installation'
        echo "Fresh sensor installation."
    fi

}

function setup() {

    ###setup temp
    rm -rf ${CBD_INSTALL_TMP}
    mkdir -p ${CBD_INSTALL_TMP}

    ###setup ini

    echo "[customer]" > ${CBD_INSTALL_TMP}/cfg.ini

    echo "Code=${COMPANY_CODE}" >> ${CBD_INSTALL_TMP}/cfg.ini

    # Proxy
    if [[ -n ${PROXY_SERVER} ]] ; then
        echo "Option: using Proxy Server: ${PROXY_SERVER}."
        echo "ProxyServer=${PROXY_SERVER}" >> ${CBD_INSTALL_TMP}/cfg.ini
    fi

    if [[ -n ${PROXY_CREDS} ]] ; then
        echo "Option: using Proxy Creds."
        echo "ProxyServerCredentials=${PROXY_CREDS}" >> ${CBD_INSTALL_TMP}/cfg.ini
    fi

    # Last Attempt Proxy
    if [[ -n ${LAST_ATTEMPT_PROXY_SERVER} ]] ; then
        echo "Option: using Last Attempt Proxy Server: ${LAST_ATTEMPT_PROXY_SERVER}."
        echo "LastAttemptProxyServer=${LAST_ATTEMPT_PROXY_SERVER}" >> ${CBD_INSTALL_TMP}/cfg.ini
    fi


    # onPrem server
    if [[ -n ${BACKEND_SERVER_PEM} ]] ; then
        echo "Option: using OnPrem backend server PEM: ${BACKEND_SERVER_PEM}."
        cp -f "${BACKEND_SERVER_PEM}" "${CBD_INSTALL_TMP}/customer.pem"
        if [[ ! -f "${CBD_INSTALL_TMP}/customer.pem" ]] ; then
            echo "ERROR: could not copy customer.pem"
            exit 5
        fi
        echo "PemFile=customer.pem" >> ${CBD_INSTALL_TMP}/cfg.ini
    fi


    # no AutoUpdate
    if [[ ${DISABLE_AUTOUPDATE} -eq 1 ]] ; then
        echo "Option: sensor cloud upgrade is disabled."
        echo "AutoUpdate=false" >> ${CBD_INSTALL_TMP}/cfg.ini
    fi

    # no AutoUpdate jitter
    if [[ ${DISABLE_AUTOUPDATE_JITTER} -eq 1 ]] ; then
        echo "Option: sensor cloud upgrade jitter is disabled."
        echo "AutoUpdateJitter=false" >> ${CBD_INSTALL_TMP}/cfg.ini
    fi


    # protection
    if [[ -n ${PROTECTION} ]] ; then
        if [[ ${PROTECTION} == 'off' ]] || [[ ${PROTECTION} == 'false' ]] ; then
            echo "Option: disabling protection after install. Group policy can override this."
            echo "InstallBypass=true" >> ${CBD_INSTALL_TMP}/cfg.ini
        else
            echo "Option: Protection: using the default (enabled). Group policy can override this."
        fi
    else
        echo "Option: Protection: using the default (enabled). Group policy can override this."
    fi

    # upload limit (currently deprecated setting)
    if [[ -n ${FILE_UPLOAD_LIMIT} ]] ; then

        if [[ ${FILE_UPLOAD_LIMIT} -gt 0 ]] ; then
            echo "Option: using file upload limit: ${FILE_UPLOAD_LIMIT} (deprecated)."
            echo "FileUploadLimit=${FILE_UPLOAD_LIMIT}" >> ${CBD_INSTALL_TMP}/cfg.ini
        elif [[ ${FILE_UPLOAD_LIMIT} -eq 0 ]] ; then
            echo "FileUploadLimit=0" >> ${CBD_INSTALL_TMP}/cfg.ini
        fi
    fi

    # group name
    if [[ -n ${GROUP_NAME} ]] ; then
        echo "Option: using register group name: ${GROUP_NAME}."
        echo "GroupName=${GROUP_NAME}" >> ${CBD_INSTALL_TMP}/cfg.ini
    fi

    # user name
    if [[ -n ${USER_NAME} ]] ; then
        echo "Option: using register user name: ${USER_NAME}."
        echo "EmailAddress=${USER_NAME}" >> ${CBD_INSTALL_TMP}/cfg.ini
    fi

    # background scan
    if [[ -n ${BSCAN} ]] ; then
        BSCAN_VAL='false'
        if [[ ${BSCAN} == 'on' ]] || [[ ${BSCAN} == 'true' ]] ; then
            echo "Option: enabling background scan."
            echo "BackgroundScan=true" >> ${CBD_INSTALL_TMP}/cfg.ini
        elif [[ ${BSCAN} == 'off' ]] || [[ ${BSCAN} == 'false' ]] ; then
            echo "Option: disabling background scan."
            echo "BackgroundScan=false" >> ${CBD_INSTALL_TMP}/cfg.ini
        else
            echo "Option: invalid background scan setting: ${BSCAN}, using the default (off)."
        fi
    else
        echo "Option: Background scan: using the default (enabled). Group policy can override this."
    fi


    # rate-limit
    if [[ -n ${RATE_LIMIT} ]] ; then
        echo "Option: using RateLimit: ${RATE_LIMIT}."
        echo "RateLimit=${RATE_LIMIT}" >> ${CBD_INSTALL_TMP}/cfg.ini
    fi

    # connection-limit
    if [[ -n ${CONNECTION_LIMIT} ]] ; then
        echo "Option: using ConnectionLimit: ${CONNECTION_LIMIT}."
        echo "ConnectionLimit=${CONNECTION_LIMIT}" >> ${CBD_INSTALL_TMP}/cfg.ini
    fi

    # queue-size
    if [[ -n ${QUEUE_SIZE} ]] ; then
        echo "Option: using QueueSize: ${QUEUE_SIZE}."
        echo "QueueSize=${QUEUE_SIZE}" >> ${CBD_INSTALL_TMP}/cfg.ini
    fi

    # learning-mode
    if [[ -n ${LEARNING_MODE} ]] ; then
        echo "Option: using LearningMode: ${LEARNING_MODE}."
        echo "LearningMode=${LEARNING_MODE}" >> ${CBD_INSTALL_TMP}/cfg.ini
    fi

    # POC
    if [[ -n ${POC} ]] ; then
        if [[ ${POC} == 'on' ]] || [[ ${POC} == 'true' ]] ; then
            echo "Option: enabling POC mode."
            echo "POC=1" >> ${CBD_INSTALL_TMP}/cfg.ini
        else
            echo "Option: POC: using the default (disabled)."
        fi
    fi

    # downgrade
    touch ${CBD_INSTALL_TMP}/params
    if [[ ${CB_DEFENSE_ALLOW_DOWNGRADE} -eq 1 ]] ; then
        echo "Option: sensor downgrade allowed."
        echo "CB_DEFENSE_ALLOW_DOWNGRADE=1" >> ${CBD_INSTALL_TMP}/params
    else
        echo "Option: sensor downgrade not allowed."
    fi

    # live response
    if [[ ${DISABLE_LIVE_RESPONSE} -eq 1 ]] ; then
        echo "Option: Live Response is disabled."
        echo "CbLRKill=true" >> ${CBD_INSTALL_TMP}/cfg.ini
    fi

}



function install() {

    ###run install / upgrade
    # run the installer in silent mode
    # it will detect fresh install case vs silent upgrade

    echo "Carbon Black Defense installation/upgrade in progress..."
    run_install_log=$(/usr/sbin/installer -verbose -pkg "${CBD_INSTALLER}" -target / 2>&1)
    err=${?}
    echo ${run_install_log} >> ${LOG}

    if [[ ${err} -eq 0 ]] ; then
        echo "Carbon Black Defense installed/upgraded successfully"
        exit 0
    else
        echo "Carbon Black Defense installation/upgrade error: ${err}"
        echo ${run_install_log}

        # expose the pre/post install logs to console
        echo
        for pre_log in ${CBD_INSTALL_LOGS_PREFIX}-preinstall-*.log ; do
            last_pre_log=${pre_log}
        done
        if [ -f ${last_pre_log} ] ; then
            echo "${last_pre_log}:"
            cat ${last_pre_log}
        fi

        echo
        for post_log in ${CBD_INSTALL_LOGS_PREFIX}-postinstall-*.log ; do
            last_post_log=${post_log}
        done
        if [ -f ${last_post_log} ] ; then
            echo "${last_post_log}:"
            cat ${last_post_log}
        fi

        exit 10
    fi


}


function main() {

    init
    validate_options
    validate_run
    setup
    install
}


# run everything
main

nikjamf
New Contributor III

In the pre-install script, my files (.pkg & .sh) are in the /users/tmp folder on my machine; does that correspond to the script?

#!/bin/bash

# Determine working directory

install_dir=/users/tmp $0

cp "$install_dir/CbDefense.pkg" "$3/tmp/CbDefense.pkg"

for example!

I appreciate your help, but I'm relatively new to scripting; I apologize for the silly questions! Do I need to create two separate policies with both scripts?

Where do we place the sudo /tmp/cbdefense_install_uattended.sh -i '/tmp/CbDefense Install.pkg' -c 'company token' -g "Monitored" command?

ThijsX
Valued Contributor

@nikjamf Ping me on Slack so we can discuss further there.

nikjamf
New Contributor III

I just pinged you on Slack; my account is NickP. Thanks for your help.

craig_morrison
New Contributor II

We too have started using CB Defense and I am having trouble automating the install... I am trying the script shown above.

ThijsX
Valued Contributor

@craig.morrison Please explain what the troubles are, so I can help you out. But for that I need some more information!

ARF2101
New Contributor

Here is a deploy recipe that worked for me:

  1. Extract the pkg and bash script from the CB Installer dmg

  2. Upload the package

  3. Upload the script to JAMF & modify with installer path and your company code:
    CBD_INSTALLER="/Library/Application Support/JAMF/Waiting Room/CbDefense Install.pkg"
    COMPANY_CODE="XXXXXXXXXXXXXX"
    GROUP_NAME="Monitored" (Change if you're using a different group for new users)

  4. Create a Configuration Profile, following instructions in the Sensor Installation Guide
    a. Approved Kernel Extensions (Guide: Approving the Kernel Extension for macOS Sensor Version 3.1)
    b. Privacy Preferences Policy Control (Guide: Security Enhancements in macOS 10.14.5+)

  5. Create a Policy to perform the installation
    a. Packages: Each computer's default distribution point
    b. Action: Cache (installs to Waiting Room directory on target systems)
    c. Script: Add your script & set Priority: After
    d. Restart Options: Restart to load the kext, but the host will show up in the CB console prior to rebooting.

  6. Deploy Configuration Profile
    Deploy Installer Policy
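
The unattended script posted above checks the package in validate_run by grepping the whole `pkgutil --check-signature` output for a team ID, and the recipe above runs that script as root against a cached package. As an added example (not part of any post in this thread and not Carbon Black's code), the functions below parse that output and accept a package only when the status line reports an Apple-issued developer certificate and the first certificate in the chain carries one of the two team IDs from the script. The sample outputs, the signer names and the second team ID `ABCDE12345` are constructed.

```sh
#!/bin/sh
# Added example, not Carbon Black's code: decide whether a package is signed by
# an expected team by parsing `pkgutil --check-signature` output.

# Team IDs the script in this thread greps for in validate_run.
ALLOWED_TEAM_IDS="JA7945SK43 7AGZNQ2S2T"

# Read pkgutil output on stdin; print the team ID of chain entry 1 (the
# certificate that signed the package), but only when the Status line reports
# an Apple-issued developer certificate. Prints nothing otherwise.
# Assumption: status wording as pkgutil prints it for Developer ID packages.
leaf_team_id() {
    awk '
        /^[ \t]*Status:/ && /signed by a developer certificate issued by Apple/ { trusted = 1 }
        /^[ \t]*1\. / && !seen {
            seen = 1
            # Team ID is the last parenthesised token on the line.
            if (match($0, /\([A-Z0-9]+\)[ \t]*$/)) {
                id = substr($0, RSTART + 1)
                sub(/\).*$/, "", id)
            }
        }
        END { if (trusted && id != "") print id }
    '
}

# Succeed only if the signing certificate belongs to an allowed team.
# $1 = full text printed by `pkgutil --check-signature <pkg>`
pkg_signature_ok() {
    id=$(printf '%s\n' "$1" | leaf_team_id)
    [ -n "$id" ] || return 1
    for allowed in $ALLOWED_TEAM_IDS; do
        [ "$id" = "$allowed" ] && return 0
    done
    return 1
}

# On a Mac: run the real tool against a package file, then apply the check.
verify_pkg_file() {
    out=$(/usr/sbin/pkgutil --check-signature "$1" 2>&1) || return 1
    pkg_signature_ok "$out"
}

# --- Constructed sample outputs (not captured from a real package) ---
SAMPLE_OK='Package "CbDefense Install.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Vendor, Inc. (7AGZNQ2S2T)
    2. Developer ID Certification Authority
    3. Apple Root CA'

SAMPLE_OTHER_TEAM='Package "CbDefense Install.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Another Developer (ABCDE12345)
    2. Developer ID Certification Authority
    3. Apple Root CA'

SAMPLE_UNSIGNED='Package "CbDefense Install.pkg":
   Status: no signature'

# Print the decision for each constructed sample.
for sample in "$SAMPLE_OK" "$SAMPLE_OTHER_TEAM" "$SAMPLE_UNSIGNED"; do
    if pkg_signature_ok "$sample"; then
        echo "accept"
    else
        echo "reject"
    fi
done
```

In a Jamf policy script, `verify_pkg_file "$CBD_INSTALLER"` would run before the installer call and abort on a non-zero return.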