Deploying Cisco Amp v.1.9

raphhyyy
New Contributor III

I've read in all the other articles/discussions on people having the same issues as me in deploying the new version of AMP... but have yet to see a clear-cut solution on getting this deployed...

I've seen the "solution" of finding the hidden policy.xml file in the DMG, but am still a little confused about that part....

Can anyone (maybe not exactly) step-by-step have an easier way of deploying this?

61 REPLIES 61

mm2270
Legendary Contributor III

Here is what I came up with. Works for me.

First, I created a folder in /private/tmp/ called "ampmac_connector"
I then located and copied the hidden .policy.xml file using Terminal, from the mounted disk image into /private/tmp/ampmac_connector/

cp /Volumes/ampmac_connector/ampmac_connector/.policy.xml /private/tmp/ampmac_connector/policy.xml

Note that in the above, I'm renaming it without the leading period. I'll explain why in a sec.

Also copy the .pkg from that mounted disk image into the same /private/tmp/ampmac_connector/ location. You don't need Terminal for that. Just copy it in the Finder.

Now open Composer, close out of any dialogs asking to create a new package if that comes up.
With the Finder open to /private/tmp/ drag that ampmac_connector folder into Composer's sidebar. This should create a new source. Initially it will take on the name of one of the folder, so rename the source to something else if you like, such as "Cisco AMP" or whatever makes sense for you.

Now, in Composer itself, turn down the folder disclosure triangles so you can drill down into /private/tmp/ampmac_connector/ in it and reveal the files that were copied in. It should look something like this:

a2adca52646e43a6bfaf01f26856a999

Click on that policy.xml files name, and when it highlights for renaming, add the leading period back in the name. It should now look like this:

ed90bf67790147cbb849c72b0abbb816

If needed, you can change the permissions on the files to make sure they are fully readable by all accounts. They should be ok as is, since it was copied in from the /tmp/ directory, but best to check them just in case.

Now, in the source, turn down the arrows to show the Scripts folder. Right or Control click on that to get the menu, and choose both the Add Shell script > preinstall and Add Shell Script > postinstall. This will add both of those script types in.

Here are the 2 scripts I'm using. The preinstall is just a cleanup one, in case there happened to be a previous folder/installer lingering around in that /tmp/ folder.

Preinstall:

#!/bin/sh
## preinstall

BASE="/private/tmp/ampmac_connector"

if [ -d "$BASE" ]; then
    ## Cleanup an old installation directory if found
    rm -Rfd "$BASE"
fi

The postinstall is what does the installation work:

#!/bin/sh
## postinstall

BASE="/private/tmp/ampmac_connector"

PKG="${BASE}/ciscoampmac_connector.pkg"
XML="${BASE}/.policy.xml"

if [[ -e "$PKG" && -e "$XML" ]]; then
    /usr/sbin/installer -pkg "$PKG" -tgt /
    RES=$?
else
    echo "Package or XML was missing. Aborting installation…"
    exit 1
fi

if [ $RES == 0 ]; then
    ## Cleanup folder payload
    rm -Rfd "$BASE"
    exit 0
else
    echo "Installation may have failed with exit code $RES"
    exit $RES
fi

Now just build as a pkg, upload to your Jamf distro and test it out.

I have found this method to work, because it invokes the installer from that ampmac_connector directory, which has the hidden .policy.xml file in it, and it is able to locate it and use it.

Post back if you have any issues with the above.

raphhyyy
New Contributor III

Dude! @mm2270
That executed perfectly... bravo!

Followed your instructions and it worked like a charm!
Saved me from a major headache.

You would think Cisco would post something like this when changing installer types...

robstratton
New Contributor II

@mm2270 This workflow for distribution worked great for me as well, thank you for this step-by-step!

Prior to this auto deployment and installing manually on a machine I had to create a new configuration profile with 1) Privacy Preferences Policy Control to allow full disk access and 2) Approved Kernel Extensions in order to grant AMP access in Mac Mojave. My prior configuration profile worked and after the manual install, there was no further action needed.

After this deploying this package though, AMP is no longer has the kernel approved access. Full disk access is still working with the ampdaemon identifier, however approved kernel extension is no longer working with the Cisco team ID: TDNYQP7VRK. AMP still wants the user to manually approve this kernel extension.

Does anyone have a configuration that works for providing AMP the access it needs using this package distribution method?

EDIT: Not sure why it worked prior, but all I needed to do was add two more bundle ID's in the approved kernel extension configuration: 'com.cisco.amp.fileop' & 'com.cisco.amp.nke'

George-x_chan
New Contributor III

@mm2270 @rhernandez_hg Hi Guys,

I'm struggling to copy the policy.xml file ?

administrator$ cp /Volumes/ampmac_connector/ampmac_connector/.policy.xml /private/tmp/ampmac_connector/policy.xml
cp: /Volumes/ampmac_connector/ampmac_connector/.policy.xml: No such file or directory

Any ideas?

Thanks
George.

it's the following command:

cp /Volumes/ampmac_connector/.policy.xml /private/tmp/ampmac_connector/policy.xml

notice that it's only 1x ampmac_connector?

It'll probably differ from version to version, so you might have to pay attention to that part

Morgan_Cooledge
New Contributor

@robstratton What does your PPPC look like to allow full disk access? I am very new to this and I am trying to learn how to configure this to allow AMP to work for us.

Morgan_Cooledge
New Contributor

@George-x.chan I found that the file path to the .policy.xml file on my test machine did not actually go through two /ampmac_connector/ folders but only one. So try this instead.

cp /Volumes/ampmac_connector/.policy.xml /private/tmp/ampmac_connector/policy.xml

George-x_chan
New Contributor III

@Morgan.Cooledge thanks ! i've got it sorted now :)

Also for PPPC, i used https://github.com/jamf/PPPC-Utility to
create the configuration profile then uploaded to Jamf.

674777a704a148f389ed103af3e36e30

also, that depreciated in Big Sur. You might want to swap it to system extensions.

Cisco Secure Endpoint Mac Connector Advisory: System Extensions, MDM, and Orbital - Cisco

Surajit
New Contributor III

Hello everyone, Does anyone have any EA to check the installed AMP Connector Version ?

coryhowell2
New Contributor III

@surajitbpn

I haven't fully tested this yet but this should work.

#!/bin/bash 

if [[ -d /Applications/Cisco AMP/AMP for Endpoints Connector.app  ]]
    then 
        RESULT=$(defaults read /Applications/Cisco AMP/AMP for Endpoints Connector.app/Contents/Info CFBundleShortVersionString)
        echo "<result>${RESULT}</result>"
    else
        echo "<result>Not Installed</result>"
fi

Surajit
New Contributor III

Thank you @coryhowell2 , this works perfectly!
Got it verified by Cisco Support as well.
I just added the build version & we are using it on production.

#!/bin/bash
if [[ -d /Applications/Cisco AMP/AMP for Endpoints Connector.app  ]]
    then 
        RESULT=$(defaults read /Applications/Cisco AMP/AMP for Endpoints Connector.app/Contents/Info CFBundleShortVersionString)
        BUILD=$(defaults read /Applications/Cisco AMP/AMP for Endpoints Connector.app/Contents/Info CFBundleVersion)
        echo "<result>${RESULT} build ${BUILD}</result>"
    else
        echo "<result>Not Installed</result>"
fi

iJake
Valued Contributor

This discussion was brought to my attention by AMP team so I wanted to share the gist of how we install AMP via Jamf internally at Cisco.

ciscoAMPPath="/Applications/Cisco AMP/AMP for Endpoints Connector.app/Contents/Info.plist"
redirectingURL="https://console.amp.cisco.com/install_packages/REDACTED/download?product=MacProduct"
localInstallerVolume="/Volumes/ampmac_connector"
localInstallerPackage="ciscoampmac_connector.pkg"
tmpFolder="/Library/CiscoIT/tmp"

checkAndGetURLs()
{
dmgURL=$(curl --head "$redirectingURL" | grep "Location:" | awk '{print $2}')
if [[ -z $dmgURL ]]
  then
    writeLog "Unable to retrieve DMG url. Exiting..."
    exit 1
fi

writeLog "DMG URL found. Continuing..."

dmgFile=$(basename "$(echo $dmgURL | awk -F '?' '{print $1}')")
dmgName=$(writeLog "${dmgFile%.*}")
}

downloadInstaller()
{
mkdir -p "$tmpFolder"
writeLog "Downloading $dmgFile..."
/usr/bin/curl -L -s "$redirectingURL" -o "$tmpFolder"/"$dmgFile" --location-trusted
}

installPackage()
{
if [[ -e "$tmpFolder"/"$dmgFile" ]]
  then
    hdiutil mount "$tmpFolder"/"$dmgFile" -nobrowse -quiet
    if [[ -e "$localInstallerVolume"/"$localInstallerPackage" ]]
      then
        writeLog "$localInstallerPackage found. Installing..."
        /usr/sbin/installer -pkg "$localInstallerVolume"/"$localInstallerPackage" -target /
        if [[ $(echo $?) -gt 0  ]]
          then
            writeLog "Installer encountered error. Exiting..."
            hdiutil unmount "$localInstallerVolume"
            rm -f "$tmpFolder"/"$dmgFile"
            exit 1
          else
            writeLog "Successfully installed "$localInstallerPackage". Exiting..."
            hdiutil unmount "$localInstallerVolume"
            rm -f "$tmpFolder"/"$dmgFile"
            exit 0
        fi
    fi
  else
    writeLog "$dmgFile failed to download. Exiting..."
    exit 1
fi
}

Essentially, we download the latest DMG directly from the AMP console, mount it, and run the PKG installer from the mounted DMG. That's it. We've used this method on over 50K machines all properly reporting into the AMP console. No need to update and repackage when new versions are released.

winterboer
New Contributor III

Hi iJake, 

How does Cisco deploy the PPPC and Approved Kernel Extensions via Jamf? 

I'm trying to do this on Big Sur with AMP v1.16 and it seem things have changed from Catalina.  

iJake
Valued Contributor

winterboer
New Contributor III

Thanks iJake.

How are you signing your config file? Dev account?

ubcoit
Contributor II

Thanks iJake.

Couple things with your script though as in it's current form it doesn't work. Perhaps you didn't intend to post the complete script.

You are missing the bin/bash at the top and you don't actually call any of the functions defined. The function for writeLog is also missing.

As a addition, the variable for redirectingURL could be set to $4 and then pushed from the policy instead of hard coding it into the script. That way you could use the same script for multiple policies should you have different AMP connectors. Careful though as there is a length limit in the jss for this value (can't remember what it is though).

Thanks again for the script as it sure makes things easier than packaging the connector.

iJake
Valued Contributor

Yeah, I didn’t post the whole thing as there are parts that I didn’t need to share.

Fair point about the $4 parameter.

dlondon
Valued Contributor

Hi @iJake - thank you for putting the script here for us.

Just had one issue and that's with the line:

hdiutil mount "$tmpFolder"/"$dmgFile" -nobrowse -quiet

The mounted DMG displays on the desktop and in Finder of the logged on user when written like this for me.

I changed it to:

hdiutil attach "$tmpFolder"/"$dmgFile" -nobrowse -quiet

and it works without displaying in Finder or on the user desktop

I also noticed that I decided to make the corresponding detach statement instead of unmount, so

hdiutil unmount "$localInstallerVolume"

became

hdiutil detach "$localInstallerVolume" -force

Otherwise a really great script. Thanks again

guliciuk
New Contributor III

Any chance that someone with a functional script could post it as an example? I'm new to this and i'm can't seem to make it work.

ubcoit
Contributor II

Sure thing, this is @iJakes code more or less. Below, redirectingURL="$4" is defined in the policy. $4 is the value you get for your connector from the Cisco Console. For example: https://console.amp.cisco.com/install_packages/abcdefghijklmnopqrstuvwxyz/download?product=MacProduct

#!/bin/bash

set -x

ciscoAMPPath="/Applications/Cisco AMP/AMP for Endpoints Connector.app/Contents/Info.plist"
redirectingURL="$4"
localInstallerVolume="/Volumes/ampmac_connector"
localInstallerPackage="ciscoampmac_connector.pkg"
tmpFolder="/Library/CiscoAMPtmp"

checkAndGetURLs()
{
dmgURL=$(curl --head "$redirectingURL" | grep "Location:" | awk '{print $2}')
if [[ -z $dmgURL ]]
  then
    echo "Unable to retrieve DMG url. Exiting..."
    exit 1
fi

echo "DMG URL found. Continuing..."

dmgFile=$(basename "$(echo $dmgURL | awk -F '?' '{print $1}')")
dmgName=$(echo "${dmgFile%.*}")
}

downloadInstaller()
{
mkdir -p "$tmpFolder"
echo "Downloading $dmgFile..."
/usr/bin/curl -L -s "$redirectingURL" -o "$tmpFolder"/"$dmgFile" --location-trusted
}

installPackage()
{
if [[ -e "$tmpFolder"/"$dmgFile" ]]
  then
    hdiutil attach "$tmpFolder"/"$dmgFile" -nobrowse -quiet
    if [[ -e "$localInstallerVolume"/"$localInstallerPackage" ]]
      then
        echo "$localInstallerPackage found. Installing..."
        /usr/sbin/installer -pkg "$localInstallerVolume"/"$localInstallerPackage" -target /
        if [[ $(echo $?) -gt 0  ]]
          then
            echo "Installer encountered error. Exiting..."
            hdiutil detach "$localInstallerVolume" -force
            rm -Rf "$tmpFolder"
            exit 1
          else
            echo "Successfully installed "$localInstallerPackage". Exiting..."
            hdiutil detach "$localInstallerVolume" -force
            rm -Rf "$tmpFolder"
            exit 0
        fi
    fi
  else
    echo "$dmgFile failed to download. Exiting..."
    exit 1
fi
}

checkAndGetURLs
downloadInstaller
installPackage

guliciuk
New Contributor III

Thanks @ubcoit ! You made my day. The repackaging solution is easyer, but on the long run, the script makes more sense, with changing/updating to newer AMP versions in mind. On my way to test and implement :D
Thanks again!

iJake
Valued Contributor

Maybe I'll get around to creating a Cisco IT GitHub so I can easily share all this stuff :)

TechToddMU
New Contributor II

So how. do you handle the blocked extension?

ubcoit
Contributor II

You'll want a configuration profile with a Privacy Preferences Policy Control
and a Approved Kernel Extensions.

geoff_widdowson
Contributor II

@Echterling This is what my configuration profile looks like. My deployment is based on this post and its working fine.

c96a40f6c10647e3b96c871361cf7dbc
363b605739af4c1a825859c241e75a27

Does this work for Big Sur?

jeremya
New Contributor II

@geoff.widdowson Thanks for posting the screenshot, that was extremely helpful. One quick question, and forgive me if it's a simple answer, but in the Privacy Preferences Policy Control tab, under Code Requirement, where do you generate the text from? I am still pretty new to JAMF and I have learned a lot on this thread.

EDIT
After looking into it, I see the PPPC generates it. I must have missed that on my read-through... Thanks again for the great info.

jeremya
New Contributor II

To anyone looking at this going forward, Cisco changed how AMP interacts with System / Kernal Extensions. Please see below https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/216089-advisory-for-amp-for-endpoints-mac-conne.html
It will show what to approve based on your OS version. It also provides the details needed to set up a socket filter (under the content filter tab)

mortopc4
New Contributor III

Looking at @ubcoit script, is there any changes that need to be made for 1.15, apart from Big Sur using ZSH as the default..?

ubcoit
Contributor II

@mortopc4 I've made no changes to the script since posting, deploying 1.15.2 at the moment to 10.14, 10.15 and 11.x.

mortopc4
New Contributor III

@ubcoit - The script is perfect, Thank You! However, once the scripts successfully finishes, I get an ID4 error "System Extensions Failed to Load - Reinstall the Connector"

ubcoit
Contributor II

@mortopc4

AMP configuration profiles need to be installed and the system rebooted prior to installing AMP.

mortopc4
New Contributor III

@ubcoit I figured it out, my AMP admin sent me the wrong url....its pointing to an older AMP install. My bad.....

mortopc4
New Contributor III

Just wanted to express my THANKS to @ubcoit and @iJake for the above script and to @t.jones for the Configuration Profile info. Both solutions with some customization for my environment worked like a charm and now AMP installs and bypasses all user interaction........sweet.......

ubcoit
Contributor II

@mortopc4 Glad you got it working. I can't take the credit for the script, @iJake did all the heavy lifting. :)

mortopc4
New Contributor III

@ubcoit Absolutely!! I updated my Thank You post to reflect this!!!

Again, THANK YOU ALL!!

mlitton
New Contributor II

Quick question. Would this script work to upgrade from different versions? Say going from 1.7.0 to current?

jeremya
New Contributor II

@mlitton 

Presumably, if you set this up correctly, it should download the latest version and install it. you would just need to run the policy on whatever devices need the upgrade.