Configuration Policy and Lightspeed Smart Agent

jschaff
New Contributor II

I have been working on setting up our Lightspeed smart agent to push out using JAMF over the last couple of weeks and keep running into problems. My current dilemma is with Lightspeed Relay Agent 1.6 and the system extension. I have a configuration policy set up to allow both the KEXT and the system extension (KEXT was for Relay agent 1.5.2) and the Lightspeed Relay cert. When I grab a computer fresh out of the box and set it up, the agent installs but the system extension still asks for user authentication to approve it. I have played around with the setting, such as allowing user auth or no user auth, using the various system extension types drop-down and adding Lightspeed Systems to the Allowed system extensions. The weird part to all of this is if I redistribute the configuration profile to the test computer while it is asking for the system extension to be allowed, it will authorize it no problem; however, if I do not do the redistribution, a user has to manually click on allow and enter their password. I am wanting to make it so that the system extension does not need user approval and will just automatically authorize without user intervention like when I redistribute the configuration profile. Anyone have any ideas that could help achieve this?

16 REPLIES

eissey
New Contributor II

I'm having the same issue. I noticed it only happens with Big Sur and newer. The config file is failing to install.

GabeShack
Valued Contributor III

We just recently dumped out of Lightspeed due to their lack of documentation and skilled support for the Apple platforms. I was apparently the first person to point out that their "classroom" app requires each student to click allow screen recording to work properly. They had never seen this issue before and said it must be new. When I pointed out that it was an Apple system requirement going back to 10.14, which is over 3 years old, it made me think maybe they just don't have many Mac customers.

Working with GoGuardian now, who is apparently in the process of developing a more robust Mac collection of applications. I've heard rumors of them trying to work closely with Apple to get the best experience. Here's hoping.

Gabe Shackney
Princeton Public Schools


Doing the same thing, dumping Relay and going with GG for everything

clarkep
New Contributor III

Does GG work on different browsers now or is it still only Chrome? Would you block the ability to use other browsers?

When you need IT...get PJ. C. Working as a tech in a private school for over 15 years.

GG App for Mac works on any browser. The Windows installation instructions basically create an Active Directory Group policy that blocks Cortana, Edge, and Internet Explorer and forces users to log into Chrome before they can use the internet. Then the extension is what filters the user. DNS catches the rest, but if DNS is more strict, DNS will take over.

GabeShack
Valued Contributor III

We actually locked the middle school devices into just using Chrome since it's hard to manage keeping people logged into their Google accounts in the other browsers. We created a few profiles that make them have to sign in to use Chrome and to ONLY use district-provided Google credentials. We also block all other browsers at the middle school and make Chrome the default browser. It works mostly and the teachers can now use the teacher program to keep the kids on task during school hours and on our network.

Gabe Shackney
Princeton Public Schools

ChrisWhiteHavSD
New Contributor II

Case in point to Relay Rocket Smart Agent JAMF deployment. This is Lightspeed's documentation:

 

Deploy or Remove Relay Smart Agent with JAMF

 

Jun 3, 2020
Knowledge
DETAILS

These steps are only suggested for Installing or Removing Relay Smart Agent. Since JAMF is a 3rd Party Management Tool, please go to JAMF Knowledge Base for more details or further information.

To deploy to an iPad that is currently without protection:

  1. Deploy Relay Smart Agent
  2. Verify successful deployment of the Smart Agent
  3. Deploy the configuration to enable the plug-in filter

To update an agent:

  1. Remove the configuration that adds the plug-in filter settings
  2. Verify successful removal of the configuration
  3. Update the Smart Agent
  4. Verify successful deployment of the Smart Agent
  5. Redeploy the configuration to enable plug-in filtering

To remove protection:

  1. Remove the policy that adds the plug-in filter settings
  2. Verify successful removal of the configuration
  3. Remove the agent

jschaff
New Contributor II

Sorry to update this over a month later. I worked with someone from JAMF and the solution to the problem I was having was to separate the KEXT and System Extension profiles and deliver each to the appropriate computer. So the System extension profile goes to 10.15+ computers and the KEXT goes to everything below 10.14. This seems to have taken care of most of the issue we were having as far as deployment. Problems with Lightspeed are a whole other matter and we could start a whole other thread or 2 on that topic. I did find an issue even after separating the profiles, if a computer somehow ended up in groups that set it to have both profiles. To fix those problems, I have to work through making sure groups did not overlap and once the computer had the appropriate profile it usually worked.

clarkep
New Contributor III

How did you end up deploying the cert that ends up in the user's keychain to be automatically trusted? I am trying to deploy this to standard user laptops (students). Since they aren't admins, they cannot mark certs to be always trusted.

When you need IT...get PJ. C. Working as a tech in a private school for over 15 years.

jschaff
New Contributor II

We ended up not being able to push the cert.  Instead we have to use a configuration policy that allows either a system extension or a KEXT (based on operating system) to allow everything to be installed properly.  We also had to use 1.5.2 and 1.7 for the version of the smart agent as 1.6 was pulled for causing more issues than it fixed...  1.5.2 is only used on 10.14 and below with the KEXT configuration policy and 1.7 is used for all devices 10.15+ with the system extension configuration policy.  Do not add both payloads to the same configuration policy or you will have a headache trying to figure out why the installs are not working properly.
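
An added example, not part of the thread and not Jamf's or Lightspeed's tooling: a Python check over exported `.mobileconfig` files that flags the two conditions described above, both approval payloads in one profile and a Mac scoped to the wrong payload for its OS. It assumes unsigned XML profiles and the OS split given in the post above (KEXT on 10.14 and below, system extension on 10.15+); the function names, the sample profiles and the team ID `EXAMPLETEAM` are constructed placeholders.

```python
import plistlib

KEXT = "com.apple.syspolicy.kernel-extension-policy"
SYSEXT = "com.apple.system-extension-policy"

def payload_types(mobileconfig: bytes) -> set:
    """Approval payload types present in one exported profile."""
    profile = plistlib.loads(mobileconfig)
    found = {p.get("PayloadType") for p in profile.get("PayloadContent", [])}
    return found & {KEXT, SYSEXT}

def expected_payload(os_version: str) -> str:
    """OS split as stated in the thread: system extension on 10.15+, KEXT below."""
    parts = [int(x) for x in os_version.split(".")] + [0]
    return SYSEXT if (parts[0], parts[1]) >= (10, 15) else KEXT

def audit(os_version: str, profiles: dict) -> list:
    """profiles: profile name -> .mobileconfig bytes scoped to one Mac."""
    wanted, seen, findings = expected_payload(os_version), set(), []
    for name, raw in profiles.items():
        types = payload_types(raw)
        if types == {KEXT, SYSEXT}:
            findings.append(f"{name}: both payloads in one profile")
        seen |= types
    for extra in sorted(seen - {wanted}):
        findings.append(f"macOS {os_version}: unexpected {extra}")
    if wanted not in seen:
        findings.append(f"macOS {os_version}: missing {wanted}")
    return findings

def make_profile(*types) -> bytes:
    """Constructed sample profile; EXAMPLETEAM is a placeholder team ID."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [
            {"PayloadType": t, "AllowedTeamIdentifiers": ["EXAMPLETEAM"]}
            for t in types
        ],
    })

if __name__ == "__main__":
    # A Big Sur Mac that landed in both scoping groups
    overlap = {"kext": make_profile(KEXT), "sysext": make_profile(SYSEXT)}
    for line in audit("11.2", overlap):
        print(line)
```
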

eissey
New Contributor II

1) Create a New Config Profile in Jamf Pro

2) Select Certificate Payload on the left, make sure the Certificate Name is spelled exactly "Lightspeed Filter Agent", upload the ca.cer certificate file you extracted

That should do the trick

clarkep
New Contributor III

Thanks for the hint, do you deploy as computer or user level? It still keeps the cert as untrusted, so it is still asking me for admin credentials. 

When you need IT...get PJ. C. Working as a tech in a private school for over 15 years.

jschaff
New Contributor II

We found when we pushed the cert that the smart agent would not recognize it and re-install the cert with the untrusted settings, which is why we ended up ditching that idea.  I failed to mention we also created a setting that force restarts the computer after the smart agent is installed.  We found the best outcomes for installing the smart agent is to use the script provided by Lightspeed for MDM deployment, where it curls the .dmg from the Lightspeed AWS portal and then opens the package, installs it, and deletes the .dmg.  You have to push the configuration policy with the KEXT or system extension before running the deployment policy with the script.  From there we give a 5 minute timer and the computer force restarts.  The cert does not seem to be an issue once we started doing it this way.  A big part of it was using the script and using the appropriate KEXT or system extension configuration policy based on the OS needs.   

We are still dealing with this issue. 1.7.0 was released yesterday taking care of the KEXT issue, but on Big Sur machines Lightspeed Engineers are telling us we must have 3 certs to make it work properly until they can figure out how to deploy the certs within the agent. Based on the instructions they sent us (linked below) we are stuck on how to add the certs as well.

https://help.lightspeedsystems.com/s/article/Lightspeed-Filter-Agent-for-MacOS-Installation-Instruct...

I am having zero luck getting this to work with Jamf. I straight up asked Jamf support "how do I deploy .PEM files?" The rep sends me a link to use Apple Configurator 2 and doesn't even reference PEM. I see no way of deploying .PEM unless I am missing something. Lightspeed's documentation just says to contact your MDM. Jamf rep says "I'm not sure I can get Lightspeed to work..." Meanwhile, I can get it to work outside of Jamf...spectacular.

When you need IT...get PJ. C. Working as a tech in a private school for over 15 years.

I just had the lovely task of needing to deploy smart agent. I deployed all the PEMs by creating a DMG in Composer in /usr/local/etc. It seems to be working from what I can tell.