Cortex 7.7.2 Deploy via JAMF

This Topic I post as a Solution for everyone. So please let me know if anyone face any issue to deploy that your environment.

how does this actually install if it is in a compressed zip file? i have the configuration profile created and it deploys correctly.  but i dont see how just putting a zip file on the system will allow the software to install since the pkg for the installer is inside and requires input if ran individually. 

.zip file should work. It is working for me fine. I upload .zip file on my Jamf pro admin tool.

yes, i uploaded to through jamfadmin site but how is it deployed to the user afterwards? or does the physical software not need to be installed?

Yes you need to deploy that .zip file via a policy to mac endpoints. You need to use that .zip file as package.

Hi All ,

How do we disable tamper protection for cortex xdr ? any idea

Regards

Ajay

Why you need disable tamper protection. Can you please provide a little more? what you are trying to do. I don't have to do anything for that.

I am trying to update the cortex  version 7.8.1  for the all the macs in the estate while executing the policy i am getting this error 

Installation failed. The installer reported: Self Prot state: enabled
installer: Error - Disable agent tampering protection and run this installation package again.

Hi @sabastaj 

You can use following script to disable cortex via Jamf

echo $4 | sudo "/Library/Application Support/PaloAltoNetworks/Traps/bin/cytool" runtime stop all

Here you have to pass Cortex password on $4 variable. If you need help on that you can search how to pass variable via JAMF with policy. Or you can partner with your Cortex admin to get cortex password.

Another thing why you need use Jamf to upgrade cortex. You guys can do upgrade via Cortex console to upgrade and that should work if you have unified profile installed on the endpoint. 

thanks for this info this helped will let you know if i need anything 

@sabastaj I just perform upgrade from cortex console that worked great on macOS Monterey and also Ventura. So you should be good if you use unified profile and push upgrade from console. But still you need to package for new version that way your newly Image machine will get new package. Let me know if you have any more question on this.

My Cortex guy absolutely HATES updating devices via the console and won't give me access to do it myself. I am hoping that he will give me the password to do this via Jamf. It's maddening when he tells my boss I need to update all the Mac's, but won't give me access or the password.

Unfortunatley if you want to update then you will need the password. You can script out that and pass as variable via Jamf. Otherwise your cortex guy need to update from console,

Correct me if I'm wrong, but as long as I'm running macOS 12 and up, all T2, I don't need the Intel version of the profile, right? No point in Kernel Extension approvals, it is all System Extension now.

@Ninyo yes, you will not need Intel profile and Kernel Extension. All you will need only one profile which you can download from palo page.

Ok, something is up (as in not working)... I have the profile all set, but I do not have a .zip file, but a PKG, and I think that is at least one issue...I can see CXDR in the menu, but not activated / enabled...

You have to use the .zip file because there has some other related files which required for this deployment.

I just re-packaged in Composer to a temp directory with the install pkg command in a postinstall script. The old install the installer and invoke dance. Installs great. Same with Global Protect, but have to include the xml apply choices as well for that…. Lots of security agent software vendors do this for whatever reason: Palo Alto Networks, Fire Eye, Nessus….

@macguitarman .zip works well and didn't need to use composer to package cortex and not any postscript. Only script I used to deactivate installed cortex before run the installer.

@sharif_khan , what script do you use for deactivating cortex? That would be a script that I would find useful.

There is a tool in the cortex /bin folder, I’ll get that path and script to you in a bit. You have to have the uninstall password. I get some errors in the script when run manually, but the end result is the process is stopped and the app and pieces are removed… I am debugging the script, I’ll get it to you soon….

It is on this thread if you scroll up. But here I paste that again for you.

You can use following script to disable cortex via Jamf

echo $4 | sudo "/Library/Application Support/PaloAltoNetworks/Traps/bin/cytool" runtime stop all

Here you have to pass Cortex password on $4 variable. If you need help on that you can search how to pass variable via JAMF with policy. Or you can partner with your Cortex admin to get cortex password.

Another thing why you need use Jamf to upgrade cortex. You guys can do upgrade via Cortex console to upgrade and that should work if you have unified profile installed on the endpoint. 

Thank you! I wish there was a way to do this without the password. Our Cortex admin won't give it out.

For update you have to use password with cytool command. Otherwise, your cortex needs to update them from cortex console.for new install you don't have to use cortex password, I hope that gives your ans.