@ubcoit - The script is perfect, Thank You! However, once the script successfully finishes, I get an ID4 error "System Extensions Failed to Load - Reinstall the Connector"
@mortopc4
AMP configuration profiles need to be installed and the system rebooted prior to installing AMP.
@ubcoit I figured it out, my AMP admin sent me the wrong url....it's pointing to an older AMP install. My bad.....
Just wanted to express my THANKS to @ubcoit and @iJake for the above script and to @t.jones for the Configuration Profile info. Both solutions with some customization for my environment worked like a charm and now AMP installs and bypasses all user interaction........sweet.......
@mortopc4 Glad you got it working. I can't take the credit for the script, @iJake did all the heavy lifting. :)
@ubcoit Absolutely!! I updated my Thank You post to reflect this!!!
Again, THANK YOU ALL!!
Quick question. Would this script work to upgrade from different versions? Say going from 1.7.0 to current?
@mlitton
Presumably, if you set this up correctly, it should download the latest version and install it. You would just need to run the policy on whatever devices need the upgrade.
This discussion was brought to my attention by AMP team so I wanted to share the gist of how we install AMP via Jamf internally at Cisco.
#!/bin/bash

ciscoAMPPath="/Applications/Cisco AMP/AMP for Endpoints Connector.app/Contents/Info.plist"
redirectingURL="https://console.amp.cisco.com/install_packages/REDACTED/download?product=MacProduct"
localInstallerVolume="/Volumes/ampmac_connector"
localInstallerPackage="ciscoampmac_connector.pkg"
tmpFolder="/Library/CiscoIT/tmp"

# writeLog is not shown in this post; minimal stand-in that prints a timestamped line.
writeLog()
{
    echo "$(date '+%Y-%m-%d %H:%M:%S') $1"
}

# Ask the console URL for its redirect and work out the DMG file name.
checkAndGetURLs()
{
    # Take the redirect target from the Location header (this match is case-sensitive).
    dmgURL=$(curl --head "$redirectingURL" | grep "Location:" | awk '{print $2}')
    if [[ -z $dmgURL ]]
    then
        writeLog "Unable to retrieve DMG url. Exiting..."
        exit 1
    fi
    writeLog "DMG URL found. Continuing..."
    # File name is the last path component of the URL, without the query string.
    dmgFile=$(basename "$(echo "$dmgURL" | awk -F '?' '{print $1}')")
    dmgName="${dmgFile%.*}"
}

# Download the DMG into the temporary folder, following the redirect.
downloadInstaller()
{
    mkdir -p "$tmpFolder"
    writeLog "Downloading $dmgFile..."
    /usr/bin/curl -L -s "$redirectingURL" -o "$tmpFolder"/"$dmgFile" --location-trusted
}

# Mount the DMG, run the PKG inside it, then unmount and clean up.
installPackage()
{
    if [[ -e "$tmpFolder"/"$dmgFile" ]]
    then
        hdiutil mount "$tmpFolder"/"$dmgFile" -nobrowse -quiet
        if [[ -e "$localInstallerVolume"/"$localInstallerPackage" ]]
        then
            writeLog "$localInstallerPackage found. Installing..."
            /usr/sbin/installer -pkg "$localInstallerVolume"/"$localInstallerPackage" -target /
            if [[ $? -gt 0 ]]
            then
                writeLog "Installer encountered error. Exiting..."
                hdiutil unmount "$localInstallerVolume"
                rm -f "$tmpFolder"/"$dmgFile"
                exit 1
            else
                writeLog "Successfully installed $localInstallerPackage. Exiting..."
                hdiutil unmount "$localInstallerVolume"
                rm -f "$tmpFolder"/"$dmgFile"
                exit 0
            fi
        fi
    else
        writeLog "$dmgFile failed to download. Exiting..."
        exit 1
    fi
}

# Call order is not shown in this post; the functions run in this sequence.
checkAndGetURLs
downloadInstaller
installPackage
Essentially, we download the latest DMG directly from the AMP console, mount it, and run the PKG installer from the mounted DMG. That's it. We've used this method on over 50K machines all properly reporting into the AMP console. No need to update and repackage when new versions are released.
Hi iJake,
How does Cisco deploy the PPPC and Approved Kernel Extensions via Jamf?
I'm trying to do this on Big Sur with AMP v1.16 and it seems things have changed from Catalina.
It's all documented here: https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/216089-advisory-for-amp-for-endpoints-mac-conne.html
@Echterling This is what my configuration profile looks like. My deployment is based on this post and it's working fine.


Does this work for Big Sur?
Could someone check my work and see if I've built these correctly?
I'm still getting the "requests to allow" prompts in security and privacy when installing it.
Also, any suggestion on how to push the config for full disk access?
macOS Big Sur
Cisco Amp v1.16.0841
@winterboer I don't have time to confirm your profiles right now but I don't see a Content Filter. Also, it's suggested to make individual profiles for each setting, kernel, system, pppc and content filter so that you can scope things better per version of macOS. Something else to keep in mind, the profiles need to be installed and the system rebooted prior to installing AMP or you will still get the prompts. At least that is my experience.
@winterboer Here are my profiles, all separate for scoping. These work for us, provided they are installed to Big Sur and the system rebooted before Cisco AMP is installed. Note, Kernel extensions aren't scoped to Big Sur.
I had to upgrade JAMF to the latest build and now can test what you've posted. Thank you very much for the help.
Hi everyone, thanks for the info, this post has been most helpful.
One more question from another Jamf newb - how do you ensure the Configuration Profiles install and reboot the machine before the Policy runs the script to install AMP?
Observation:
When installing AMP 1.16.1 via @iJake's script on macOS Monterey (last Beta before release: Build 21A5552a), the standard script kept failing with the latest URL. It worked fine in a browser though.
When running the script manually, I kept getting the "Unable to retrieve DMG url. Exiting..." error. So after changing the script a little and changing the download URL in the policy, doing the following made it work:
1. removed the "?product=MacProduct" part of the download URL as provided by Cisco's console. Not sure why this made it work...
2. changed the case of the 'L' of "Location" to lowercase so that it shows:
dmgURL=$(curl --head "$redirectingURL" | grep "location:" | awk '{print $2}')
This worked because it seems as if the http headers return 'location:' and not 'Location:' which the script looks for with grep. I assume there's a grep switch to ignore case, but my script-foo is weak, so just got it working and rolling with it for now until some script guru can come up with a proper fix 🙂
Hope this helps if anyone else comes across this issue
@tsylwest the syntax you're looking for is grep -i "string". That turns on grep's case insensitivity mode.
@mm2270 Thanks for the tip 😊 much appreciated, will give that a go!
I didn't remove "?product=MacProduct" but I did add the "-i" after grep and it fixed the script for me.
I think the web page that it gets must have changed "Location" to "location" ... it's not a change in curl
I guess I don't know how to use the script that @iJake has kindly offered up. I've loaded it up in jamf and see this. What am I missing or doing wrong?
@winterboer Might want to remove your AMP URL from that photo. Might not. 😉 Your download works, I see it's 32 MB. I'm deploying 1.15.6.842 (29.2 MB) tested and still working this morning. Perhaps something has changed with a newer version?
Also, as noted above, Location changed to location (which I edited in my script). Perhaps you just need to add a -i to the grep command.
grep Location: to grep -i Location:
Line 13 in my script:
dmgURL=$(curl --head "$redirectingURL" | grep -i "Location:" | awk '{print $2}')
Thank you very much for the reminder. I've cleaned it. I'll mod the script and see what happens.
@ubcoit Thank you for your help, it works as expected.
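The Location header problem discussed in this thread, as an added example that is not part of any post or of Cisco's script: HTTP header names are case-insensitive and `curl --head` ends each line in CRLF, so this reads the redirect target without depending on either. The function names, the sample headers (constructed, hypothetical host) and the HTTPS-only check are assumptions of the example.

```shell
#!/bin/bash
# Added example: read the redirect target from `curl --head` output.
# HTTP header names are case-insensitive (HTTP/2 sends them in lowercase)
# and every header line ends in CRLF, so match in any case and drop the CR.

# Reads response headers on stdin and prints the last Location value.
# Returns 1 when there is no Location header or the target is not https
# (the https requirement is an added check, not something the thread does).
extract_location() {
    local url
    url=$(awk '
        { sub(/\r$/, "") }                 # strip the CR of the CRLF ending
        tolower($0) ~ /^location:/ {
            sub(/^[^:]*:[ \t]*/, "")       # drop the header name
            sub(/[ \t]+$/, "")             # drop trailing blanks
            last = $0                      # keep the final hop if several
        }
        END { if (last != "") print last }
    ')
    case "$url" in
        https://*) printf '%s\n' "$url" ;;
        *) return 1 ;;
    esac
}

# File name of the DMG: last path component with the query string removed.
dmg_file_from_url() {
    local path="${1%%\?*}"
    printf '%s\n' "${path##*/}"
}

# Constructed sample response (hypothetical host, not from the AMP console).
sample_headers() {
    printf 'HTTP/2 302 \r\n'
    printf 'content-type: text/html\r\n'
    printf 'location: https://downloads.example.invalid/pkg/ampmac_connector.dmg?sig=PLACEHOLDER\r\n'
    printf '\r\n'
}

if dmgURL=$(sample_headers | extract_location); then
    echo "DMG URL: $dmgURL"
    echo "DMG file: $(dmg_file_from_url "$dmgURL")"
else
    echo "Unable to retrieve DMG url."
fi
```

Against the live console the input would come from `curl --silent --head "$redirectingURL" | extract_location` in place of the grep/awk pipeline.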