Posted on 03-14-2019 11:54 AM
I've read in all the other articles/discussions on people having the same issues as me in deploying the new version of AMP... but have yet to see a clear-cut solution on getting this deployed...
I've seen the "solution" of finding the hidden policy.xml file in the DMG, but am still a little confused about that part....
Can anyone (maybe not exactly) step-by-step have an easier way of deploying this?
Posted on 03-14-2019 12:24 PM
Here is what I came up with. Works for me.
First, I created a folder in /private/tmp/ called "ampmac_connector"
I then located and copied the hidden .policy.xml file using Terminal, from the mounted disk image into /private/tmp/ampmac_connector/
cp /Volumes/ampmac_connector/ampmac_connector/.policy.xml /private/tmp/ampmac_connector/policy.xml
Note that in the above, I'm renaming it without the leading period. I'll explain why in a sec.
Also copy the .pkg from that mounted disk image into the same /private/tmp/ampmac_connector/
location. You don't need Terminal for that. Just copy it in the Finder.
Now open Composer, close out of any dialogs asking to create a new package if that comes up.
With the Finder open to /private/tmp/ drag that ampmac_connector folder into Composer's sidebar. This should create a new source. Initially it will take on the name of the folder, so rename the source to something else if you like, such as "Cisco AMP" or whatever makes sense for you.
Now, in Composer itself, turn down the folder disclosure triangles so you can drill down into /private/tmp/ampmac_connector/ and reveal the files that were copied in. It should look something like this:
Click on that policy.xml file's name, and when it highlights for renaming, add the leading period back in the name. It should now look like this:
If needed, you can change the permissions on the files to make sure they are fully readable by all accounts. They should be ok as is, since it was copied in from the /tmp/ directory, but best to check them just in case.
Now, in the source, turn down the arrows to show the Scripts folder. Right or Control click on that to get the menu, and choose both the Add Shell script > preinstall and Add Shell Script > postinstall. This will add both of those script types in.
Here are the 2 scripts I'm using. The preinstall is just a cleanup one, in case there happened to be a previous folder/installer lingering around in that /tmp/ folder.
Preinstall:
#!/bin/sh
## preinstall
BASE="/private/tmp/ampmac_connector"
if [ -d "$BASE" ]; then
## Cleanup an old installation directory if found
rm -Rfd "$BASE"
fi
The postinstall is what does the installation work:
#!/bin/sh
## postinstall
BASE="/private/tmp/ampmac_connector"
PKG="${BASE}/ciscoampmac_connector.pkg"
XML="${BASE}/.policy.xml"
## Both the package and the hidden policy file must be present; installer picks up .policy.xml from the package's own directory
if [ -e "$PKG" ] && [ -e "$XML" ]; then
/usr/sbin/installer -pkg "$PKG" -tgt /
RES=$?
else
echo "Package or XML was missing. Aborting installation…"
exit 1
fi
if [ "$RES" -eq 0 ]; then
## Cleanup folder payload
rm -Rfd "$BASE"
exit 0
else
echo "Installation may have failed with exit code $RES"
exit "$RES"
fi
Now just build as a pkg, upload to your Jamf distro and test it out.
I have found this method to work, because it invokes the installer from that ampmac_connector directory, which has the hidden .policy.xml file in it, and it is able to locate it and use it.
Post back if you have any issues with the above.
Posted on 03-14-2019 12:44 PM
Dude! @mm2270
That executed perfectly... bravo!
Followed your instructions and it worked like a charm!
Saved me from a major headache.
You would think Cisco would post something like this when changing installer types...
Posted on 06-07-2019 08:38 AM
@mm2270 This workflow for distribution worked great for me as well, thank you for this step-by-step!
Prior to this auto deployment and installing manually on a machine I had to create a new configuration profile with 1) Privacy Preferences Policy Control to allow full disk access and 2) Approved Kernel Extensions in order to grant AMP access in Mac Mojave. My prior configuration profile worked and after the manual install, there was no further action needed.
After deploying this package though, AMP no longer has the kernel approved access. Full disk access is still working with the ampdaemon identifier, however approved kernel extension is no longer working with the Cisco team ID: TDNYQP7VRK. AMP still wants the user to manually approve this kernel extension.
Does anyone have a configuration that works for providing AMP the access it needs using this package distribution method?
EDIT: Not sure why it worked prior, but all I needed to do was add two more bundle IDs in the approved kernel extension configuration: 'com.cisco.amp.fileop' & 'com.cisco.amp.nke'
Posted on 07-25-2019 03:03 AM
@mm2270 @rhernandez_hg Hi Guys,
I'm struggling to copy the policy.xml file?
administrator$ cp /Volumes/ampmac_connector/ampmac_connector/.policy.xml /private/tmp/ampmac_connector/policy.xml
cp: /Volumes/ampmac_connector/ampmac_connector/.policy.xml: No such file or directory
Any ideas?
Thanks
George.
Posted on 11-05-2021 10:55 AM
it's the following command:
cp /Volumes/ampmac_connector/.policy.xml /private/tmp/ampmac_connector/policy.xml
notice that it's only 1x ampmac_connector?
It'll probably differ from version to version, so you might have to pay attention to that part
Posted on 07-25-2019 09:35 AM
@robstratton What does your PPPC look like to allow full disk access? I am very new to this and I am trying to learn how to configure this to allow AMP to work for us.
Posted on 07-25-2019 09:38 AM
@George-x.chan I found that the file path to the .policy.xml file on my test machine did not actually go through two /ampmac_connector/ folders but only one. So try this instead.
cp /Volumes/ampmac_connector/.policy.xml /private/tmp/ampmac_connector/policy.xml
Posted on 07-26-2019 04:47 AM
@Morgan.Cooledge thanks! I've got it sorted now :)
Also for PPPC, I used https://github.com/jamf/PPPC-Utility to create the configuration profile, then uploaded it to Jamf.
Posted on 11-05-2021 10:57 AM
Also, that was deprecated in Big Sur. You might want to swap it to system extensions.
Cisco Secure Endpoint Mac Connector Advisory: System Extensions, MDM, and Orbital - Cisco
Posted on 08-08-2019 05:46 AM
Hello everyone, does anyone have an EA to check the installed AMP Connector version?
Posted on 08-08-2019 10:09 AM
I haven't fully tested this yet but this should work.
#!/bin/bash
## Paths contain spaces, so they must be quoted for both the test and defaults
if [[ -d "/Applications/Cisco AMP/AMP for Endpoints Connector.app" ]]
then
RESULT=$(defaults read "/Applications/Cisco AMP/AMP for Endpoints Connector.app/Contents/Info" CFBundleShortVersionString)
echo "<result>${RESULT}</result>"
else
echo "<result>Not Installed</result>"
fi
Posted on 08-20-2019 07:14 AM
Thank you @coryhowell2 , this works perfectly!
Got it verified by Cisco Support as well.
I just added the build version & we are using it on production.
#!/bin/bash
## Paths contain spaces, so they must be quoted for both the test and defaults
if [[ -d "/Applications/Cisco AMP/AMP for Endpoints Connector.app" ]]
then
RESULT=$(defaults read "/Applications/Cisco AMP/AMP for Endpoints Connector.app/Contents/Info" CFBundleShortVersionString)
BUILD=$(defaults read "/Applications/Cisco AMP/AMP for Endpoints Connector.app/Contents/Info" CFBundleVersion)
echo "<result>${RESULT} build ${BUILD}</result>"
else
echo "<result>Not Installed</result>"
fi
Posted on 02-05-2020 09:36 AM
This discussion was brought to my attention by AMP team so I wanted to share the gist of how we install AMP via Jamf internally at Cisco.
ciscoAMPPath="/Applications/Cisco AMP/AMP for Endpoints Connector.app/Contents/Info.plist"
redirectingURL="https://console.amp.cisco.com/install_packages/REDACTED/download?product=MacProduct"
localInstallerVolume="/Volumes/ampmac_connector"
localInstallerPackage="ciscoampmac_connector.pkg"
tmpFolder="/Library/CiscoIT/tmp"
checkAndGetURLs()
{
dmgURL=$(curl --head "$redirectingURL" | grep "Location:" | awk '{print $2}')
if [[ -z $dmgURL ]]
then
writeLog "Unable to retrieve DMG url. Exiting..."
exit 1
fi
writeLog "DMG URL found. Continuing..."
dmgFile=$(basename "$(echo $dmgURL | awk -F '?' '{print $1}')")
dmgName="${dmgFile%.*}"
}
downloadInstaller()
{
mkdir -p "$tmpFolder"
writeLog "Downloading $dmgFile..."
/usr/bin/curl -L -s "$redirectingURL" -o "$tmpFolder"/"$dmgFile" --location-trusted
}
installPackage()
{
if [[ -e "$tmpFolder"/"$dmgFile" ]]
then
hdiutil mount "$tmpFolder"/"$dmgFile" -nobrowse -quiet
if [[ -e "$localInstallerVolume"/"$localInstallerPackage" ]]
then
writeLog "$localInstallerPackage found. Installing..."
/usr/sbin/installer -pkg "$localInstallerVolume"/"$localInstallerPackage" -target /
if [[ $(echo $?) -gt 0 ]]
then
writeLog "Installer encountered error. Exiting..."
hdiutil unmount "$localInstallerVolume"
rm -f "$tmpFolder"/"$dmgFile"
exit 1
else
writeLog "Successfully installed $localInstallerPackage. Exiting..."
hdiutil unmount "$localInstallerVolume"
rm -f "$tmpFolder"/"$dmgFile"
exit 0
fi
fi
else
writeLog "$dmgFile failed to download. Exiting..."
exit 1
fi
}
Essentially, we download the latest DMG directly from the AMP console, mount it, and run the PKG installer from the mounted DMG. That's it. We've used this method on over 50K machines all properly reporting into the AMP console. No need to update and repackage when new versions are released.
Posted on 09-20-2021 05:38 PM
Hi iJake,
How does Cisco deploy the PPPC and Approved Kernel Extensions via Jamf?
I'm trying to do this on Big Sur with AMP v1.16 and it seem things have changed from Catalina.
Posted on 09-20-2021 05:40 PM
It's all documented here: https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/216089-advisory-for-amp-for-endpoi...
Posted on 09-21-2021 02:44 PM
Thanks iJake.
How are you signing your config file? Dev account?
Posted on 03-05-2020 03:50 PM
Thanks iJake.
Couple things with your script though, as in its current form it doesn't work. Perhaps you didn't intend to post the complete script.
You are missing the bin/bash at the top and you don't actually call any of the functions defined. The function for writeLog is also missing.
As an addition, the variable for redirectingURL could be set to $4 and then pushed from the policy instead of hard coding it into the script. That way you could use the same script for multiple policies should you have different AMP connectors. Careful though, as there is a length limit in the JSS for this value (can't remember what it is though).
Thanks again for the script as it sure makes things easier than packaging the connector.
Posted on 03-09-2020 06:27 PM
Yeah, I didn’t post the whole thing as there are parts that I didn’t need to share.
Fair point about the $4 parameter.
Posted on 04-08-2020 03:12 AM
Hi @iJake - thank you for putting the script here for us.
Just had one issue and that's with the line:
hdiutil mount "$tmpFolder"/"$dmgFile" -nobrowse -quiet
The mounted DMG displays on the desktop and in Finder of the logged on user when written like this for me.
I changed it to:
hdiutil attach "$tmpFolder"/"$dmgFile" -nobrowse -quiet
and it works without displaying in Finder or on the user desktop
I also noticed that I decided to make the corresponding detach statement instead of unmount, so
hdiutil unmount "$localInstallerVolume"
became
hdiutil detach "$localInstallerVolume" -force
Otherwise a really great script. Thanks again
Posted on 05-22-2020 06:57 AM
Any chance that someone with a functional script could post it as an example? I'm new to this and i'm can't seem to make it work.
Posted on 05-22-2020 08:14 AM
Sure thing, this is @iJakes code more or less. Below, redirectingURL="$4" is defined in the policy. $4 is the value you get for your connector from the Cisco Console. For example: https://console.amp.cisco.com/install_packages/abcdefghijklmnopqrstuvwxyz/download?product=MacProduct
#!/bin/bash
set -x
ciscoAMPPath="/Applications/Cisco AMP/AMP for Endpoints Connector.app/Contents/Info.plist"
redirectingURL="$4"
localInstallerVolume="/Volumes/ampmac_connector"
localInstallerPackage="ciscoampmac_connector.pkg"
tmpFolder="/Library/CiscoAMPtmp"
if [[ -z "$redirectingURL" ]]
then
echo "No download URL passed in as parameter 4. Exiting..."
exit 1
fi
checkAndGetURLs()
{
## Follow the console redirect to find the real DMG URL; header names are case-insensitive and the value ends in a CR
dmgURL=$(curl -s --head "$redirectingURL" | grep -i "^Location:" | awk '{print $2}' | tr -d '\r')
if [[ -z $dmgURL ]]
then
echo "Unable to retrieve DMG url. Exiting..."
exit 1
fi
echo "DMG URL found. Continuing..."
## Drop any query string, then keep just the file name
dmgFile=$(basename "${dmgURL%%\?*}")
dmgName="${dmgFile%.*}"
}
downloadInstaller()
{
mkdir -p "$tmpFolder"
echo "Downloading $dmgFile..."
/usr/bin/curl -L -s "$redirectingURL" -o "$tmpFolder/$dmgFile" --location-trusted
}
installPackage()
{
if [[ -e "$tmpFolder/$dmgFile" ]]
then
hdiutil attach "$tmpFolder/$dmgFile" -nobrowse -quiet
if [[ -e "$localInstallerVolume/$localInstallerPackage" ]]
then
echo "$localInstallerPackage found. Installing..."
/usr/sbin/installer -pkg "$localInstallerVolume/$localInstallerPackage" -target /
installerStatus=$?
if [[ $installerStatus -gt 0 ]]
then
echo "Installer encountered error. Exiting..."
hdiutil detach "$localInstallerVolume" -force
rm -Rf "$tmpFolder"
exit 1
else
echo "Successfully installed $localInstallerPackage. Exiting..."
hdiutil detach "$localInstallerVolume" -force
rm -Rf "$tmpFolder"
exit 0
fi
else
## The DMG mounted but did not contain the expected package name
echo "$localInstallerPackage not found on $localInstallerVolume. Exiting..."
hdiutil detach "$localInstallerVolume" -force
rm -Rf "$tmpFolder"
exit 1
fi
else
echo "$dmgFile failed to download. Exiting..."
exit 1
fi
}
checkAndGetURLs
downloadInstaller
installPackage
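A hardening step for the download-and-install script above, added here as an example and not ubcoit's or iJake's code: before the package reaches /usr/sbin/installer, confirm with pkgutil --check-signature that it is signed by the expected Developer ID team. TDNYQP7VRK is the Cisco team ID quoted earlier in this thread; the signer name, the sample pkgutil output and the verify_pkg/install_verified_pkg helpers are assumptions.

```shell
#!/bin/bash
# Added example, not ubcoit's or iJake's code: refuse to run a downloaded
# connector package through /usr/sbin/installer unless pkgutil reports it as
# signed by the expected Developer ID team. TDNYQP7VRK is the Cisco team ID
# quoted earlier in this thread; the signer name and the sample reports below
# are constructed (assumptions), as is the verify_pkg/install_verified_pkg split.

EXPECTED_TEAM_ID="TDNYQP7VRK"

# Check the text of a `pkgutil --check-signature` report: the package must be
# signed, and the leaf (1.) certificate must carry the expected team ID.
# Takes the report as a string so the logic can be exercised without macOS.
pkg_signed_by_team() {
    local report="$1" team_id="$2"
    printf '%s\n' "$report" | grep -q '^ *Status: signed by a developer certificate' || return 1
    printf '%s\n' "$report" | grep -q "^ *1\. Developer ID Installer: .*(${team_id})\$" || return 1
    return 0
}

# Run the real check against a package on disk (macOS only).
verify_pkg() {
    local report
    report=$(/usr/sbin/pkgutil --check-signature "$1" 2>&1) || return 1
    pkg_signed_by_team "$report" "$EXPECTED_TEAM_ID"
}

# Drop-in for the install step inside installPackage(): verify, then install.
install_verified_pkg() {
    if ! verify_pkg "$1"; then
        echo "Refusing to install $1: not signed by team $EXPECTED_TEAM_ID"
        return 1
    fi
    /usr/sbin/installer -pkg "$1" -target /
}

# Constructed sample reports shaped like pkgutil's output, for a dry run.
SAMPLE_SIGNED='Package "ciscoampmac_connector.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Cisco (TDNYQP7VRK)
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_UNSIGNED='Package "ciscoampmac_connector.pkg":
   Status: no signature'
```

In the thread's script, replace the bare `/usr/sbin/installer -pkg ...` call with `install_verified_pkg "$localInstallerVolume/$localInstallerPackage"` so an unsigned or re-signed DMG served from a wrong URL is rejected instead of installed.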
Posted on 05-22-2020 08:23 AM
Thanks @ubcoit! You made my day. The repackaging solution is easier, but in the long run, the script makes more sense, with changing/updating to newer AMP versions in mind. On my way to test and implement :D
Thanks again!
Posted on 05-29-2020 08:40 AM
Maybe I'll get around to creating a Cisco IT GitHub so I can easily share all this stuff :)
Posted on 06-02-2020 12:57 PM
So how do you handle the blocked extension?
Posted on 06-03-2020 07:59 AM
You'll want a configuration profile with a Privacy Preferences Policy Control and an Approved Kernel Extensions payload.
Posted on 06-04-2020 02:59 AM
@Echterling This is what my configuration profile looks like. My deployment is based on this post and it's working fine.
Posted on 09-21-2021 02:45 PM
Does this work for Big Sur?
Posted on 12-14-2020 02:00 PM
@geoff.widdowson Thanks for posting the screenshot, that was extremely helpful. One quick question, and forgive me if it's a simple answer, but in the Privacy Preferences Policy Control tab, under Code Requirement, where do you generate the text from? I am still pretty new to JAMF and I have learned a lot on this thread.
EDIT
After looking into it, I see the PPPC generates it. I must have missed that on my read-through... Thanks again for the great info.
Posted on 12-15-2020 11:39 AM
To anyone looking at this going forward, Cisco changed how AMP interacts with System / Kernel Extensions. Please see below:
https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/216089-advisory-for-amp-for-endpoints-mac-conne.html
It will show what to approve based on your OS version. It also provides the details needed to set up a socket filter (under the content filter tab)
Posted on 05-10-2021 08:59 AM
Looking at @ubcoit's script, are there any changes that need to be made for 1.15, apart from Big Sur using ZSH as the default?
Posted on 05-10-2021 10:57 AM
@mortopc4 I've made no changes to the script since posting, deploying 1.15.2 at the moment to 10.14, 10.15 and 11.x.
Posted on 05-11-2021 01:01 PM
@ubcoit - The script is perfect, Thank You! However, once the scripts successfully finishes, I get an ID4 error "System Extensions Failed to Load - Reinstall the Connector"
Posted on 05-11-2021 01:05 PM
AMP configuration profiles need to be installed and the system rebooted prior to installing AMP.
Posted on 05-11-2021 01:12 PM
@ubcoit I figured it out, my AMP admin sent me the wrong URL... it's pointing to an older AMP install. My bad.
Posted on 05-12-2021 05:40 AM
Posted on 05-12-2021 07:58 AM
Posted on 05-12-2021 08:03 AM
@ubcoit Absolutely!! I updated my Thank You post to reflect this!!!
Again, THANK YOU ALL!!
Posted on 08-11-2021 12:16 PM
Quick question. Would this script work to upgrade from different versions? Say going from 1.7.0 to current?
Posted on 08-16-2021 12:57 PM
Presumably, if you set this up correctly, it should download the latest version and install it. You would just need to run the policy on whatever devices need the upgrade.