Deployment FireEye

adm-laurf
New Contributor

Hello all,
I would like to deploy FireEye Agent using Jamf on all of our Mac.
We have a FireEye.DMG that integrates a .json and the .pkg file.

Do you know how can i integrate the .json in the deployment?

Should i repack the .pkg and integrate the .json using COMPOSER then i could add a postscript ?

Sincerely,


mvu
Valued Contributor

Give this a read. Others in Jamf Nation helped me with this.

https://www.jamf.com/jamf-nation/discussions/25530/help-with-scripting-install-a-package-within-a-dmg

JamelB
New Contributor III

This is how I managed this, hope it will help you.

On the MacBook, start Composer:
Drag and drop the FireEye agent .dmg file into Composer, then click Convert to Source.
Click "IMAGE_HX_AGENT_XXX" and create the directory /private/var/tmp/
Drag and drop both agent_config.json and xagtSetup_XX.mpkg files into /tmp as below:

Create a postinstall script:
Right-click on Scripts > Add Shell Script > postinstall

Add this command to the script, modifying it depending on the version you want to package (adjust the file name to match the version):
#!/bin/sh
# adjust the file name to match the version you packaged
installer -pkg /private/var/tmp/xagtSetup_27.30.0.mpkg -target /

Click "IMAGE_HX_AGENT" and Save the configuration

Build the pkg file
Save the file in the desktop
The package has been generated

You can test the package installing it manually on the MacBook.

idodd
New Contributor

Hi,

I tried this a few times. Installation is successful, but I don't see the agent running under ps aux | grep xagt.

Also, I added this to post install script but no luck (https://www.jamf.com/jamf-nation/discussions/25530/help-with-scripting-install-a-package-within-a-dmg)

If those processes aren't running, then check that your postinstall script has:

/usr/bin/sudo launchctl load -w "/Library/LaunchAgents/com.fireeye.xagtnotif.plist"
/usr/bin/sudo launchctl load -w "/Library/LaunchDaemons/com.fireeye.xagt.plist"

fyi..I am using this installer package ver xagtSetup_31.28.0.pkg.

mvu
Valued Contributor

I ran into this same thing, so I asked the infosec team if the Mac clients were registered on their console. They confirmed that all was well.

idodd
New Contributor

But it is not showing up under registered devices in console. If I install manually then it shows.

mvu
Valued Contributor

Can we see how you packaged it?

idodd
New Contributor

This is fixed. I got newer documentation from our provider. Not sure if its ok to post it here.

Capturing and Installing the Endpoint Security Agent JAMF Package

chase_g
New Contributor III

@idodd I just ran into the same issue with ver 31.28.4. I was deploying 30.19, which I packaged a while back, and it works, but 31.28 isn't showing up in the FE console even after Jamf says it installed successfully. Can you tell me what fixed the issue for you?
UPDATE: Nevermind, I figured out my problem was actually a typo I had in my post install script

MichaelBlower
New Contributor II

@idodd any chance you can share with us what the issue was and how you fixed it? I am trying to deploy the HX agent 30.19.3 myself, but I am pretty new to using Jamf. I have the dmg with the pkg and json file. Should I just follow the directions as posted by @JamBoost? Thanks in advance.

pueo
Contributor

Hello Everyone.
Anxious to try out this packaging for FireEye, but my first roadblock is that the FireEye Agent fails while converting to source. It runs through the conversion but fails at 'Completing package extraction....(100% Complete)'. The error is "Converting to source failed."
Composer version is 10.23.0. FE Version is 31.28.4

Anyone come across this?

Thank you.

pueo
Contributor

Hello again,
Forget my message. I tried to convert our AnyConnect pkg to source and received the same error. I did check with our team and learned both pkgs are custom installers with config files inside. I guess there is some switch to 'lock' the pkg. Anyway, it just means my installers are working and I need to deploy them via Jamf.

omaromar
New Contributor

@mvu I've followed your instructions, I believe exactly. The issue I'm having is that the package works when I run it locally. But when I deploy it using Jamf Pro, it says it was successful, but when our FireEye team checks those devices, they say they're not reporting, while the machine I ran it on locally is reporting in.

What information you need from me to figure this out?

mvu
Valued Contributor

@omaromar I ran into this when we upgraded to version 32.30.0. We deployed it with Jamf, and Jamf does show the latest version via the EA. I confirmed the agent was running in Activity Monitor, but the FireEye folks said the agent didn't update.

What version of macOS are you running?

Here is what I am doing. After installing FireEye, try a restart and see if it reports the new version to the FireEye team. Also, go to System Preferences/Security & Privacy to see if you need a "Bitdefender SRL" Kernel Extension Approval. If so, you'll need to create and push this config profile.

In my FireEye package, I added the postscript listed above to load the agent and daemon. When I added this to the package, I didn't have to restart for Macs using 10.13 (maybe 10.14?) and up. Older Macs I still had to restart regardless.

/usr/bin/sudo launchctl load -w "/Library/LaunchAgents/com.fireeye.xagtnotif.plist"
/usr/bin/sudo launchctl load -w "/Library/LaunchDaemons/com.fireeye.xagt.plist"

mvu
Valued Contributor

@omaromar I was playing around with this and ended up adding the uninstall FireEye script to the package. Before, it looked like the package ran successfully, but the EA reports "Not Installed" for some machines.

On a computer that you know has FireEye installed correctly, go to /Library/FireEye/xagt. Here, you'll find the "uninstall.tool" script, which does a good job of deleting everything FireEye. From there, you'll just need to repackage and add one postflight line to the script.

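Pulling the pieces of this thread together, here is a complete postinstall script as an added example (editor's code, not from any poster, FireEye or Jamf). It stages the vendor installer and agent_config.json in /private/var/tmp the way JamelB's Composer layout does, runs the clean uninstall mvu recommends when an old agent is present, loads the launchd jobs idodd quotes, and then exits non-zero unless xagt is actually running, so Jamf Pro only records success when the agent came up. Two things are assumptions the thread does not confirm: uninstall.tool takes no arguments, and the vendor installer reads agent_config.json from the directory it is run in (check both against your FireEye documentation).

```shell
#!/bin/sh
# Added example, not from the thread or from FireEye: postinstall for a
# Composer package whose payload is xagtSetup_*.mpkg + agent_config.json in
# /private/var/tmp. Clean uninstall -> install -> load launchd jobs -> verify.
# Assumptions (not stated in the thread): uninstall.tool takes no arguments;
# the installer reads agent_config.json from its current working directory;
# launchd labels match the plist file names.

STAGE_DIR="${STAGE_DIR:-/private/var/tmp}"
UNINSTALL_TOOL="${UNINSTALL_TOOL:-/Library/FireEye/xagt/uninstall.tool}"
DAEMON_PLIST="/Library/LaunchDaemons/com.fireeye.xagt.plist"
AGENT_PLIST="/Library/LaunchAgents/com.fireeye.xagtnotif.plist"

# Print the staged xagtSetup_*.(m)pkg. Version-agnostic, so the script needs
# no edit per release; requires exactly one installer plus agent_config.json,
# otherwise fail loudly instead of letting Jamf report an "install" of nothing.
find_staged_installer() {
    dir="$1"; count=0; found=""
    for f in "$dir"/xagtSetup_*.mpkg "$dir"/xagtSetup_*.pkg; do
        [ -e "$f" ] || continue
        count=$((count + 1)); found="$f"
    done
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one xagtSetup_*.(m)pkg in $dir, found $count" >&2
        return 1
    fi
    if [ ! -f "$dir/agent_config.json" ]; then
        echo "agent_config.json missing in $dir" >&2
        return 1
    fi
    printf '%s\n' "$found"
}

# Load the system daemon unless launchd already has it.
load_daemon() {
    label=$(basename "$1" .plist)
    [ -f "$1" ] || { echo "missing $1" >&2; return 1; }
    launchctl list "$label" >/dev/null 2>&1 || launchctl load -w "$1"
}

# A LaunchAgent belongs to a user session: as root, bootstrap it into the
# console user's GUI domain instead of loading it into root's context.
load_console_user_agent() {
    uid=$(stat -f %u /dev/console)
    [ "$uid" -gt 0 ] || return 0      # nobody logged in; it starts at next login
    label=$(basename "$1" .plist)
    launchctl print "gui/$uid/$label" >/dev/null 2>&1 || launchctl bootstrap "gui/$uid" "$1"
}

# Full run (macOS only): clean uninstall if an old agent exists, install,
# load, verify, then remove the staged payload.
install_agent() {
    pkg=$(find_staged_installer "$STAGE_DIR") || return 1
    if [ -x "$UNINSTALL_TOOL" ]; then
        echo "removing existing agent with $UNINSTALL_TOOL"
        "$UNINSTALL_TOOL" || return 1
    fi
    ( cd "$STAGE_DIR" && installer -pkg "$pkg" -target / ) || return 1
    load_daemon "$DAEMON_PLIST" || return 1
    load_console_user_agent "$AGENT_PLIST" || return 1
    sleep 5   # give the daemon a moment before judging it
    pgrep -x xagt >/dev/null || { echo "xagt not running after install" >&2; return 1; }
    rm -f "$pkg" "$STAGE_DIR/agent_config.json"
}

# Composer runs postinstall as root on macOS; anywhere else the top level is inert.
if [ "$(uname -s)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
    install_agent
fi
```

The non-zero exit is the point: with the thread's one-line postinstall, a typo in the staged file name (chase_g's problem) still lets Jamf Pro mark the policy completed, because installer(8) failing does not fail the package. Failing the script makes the policy show the error in the log instead.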

omaromar
New Contributor

Hello @mvu

This is what I have at the moment, sent it to five machines, and will check tomorrow to see if 1) Jamf says it was successful and 2) If our FireEye team can see them reporting in the console. I appreciate your help and guidance on this, let me know if what I have is okay or needs correcting.

Thanks,
Omar


mvu
Valued Contributor

@omaromar Your package will work most of the time. But we found it failed in some instances, even though Jamf Pro said it installed correctly. Comb over my last post about adding the uninstall script/tool to the package, and then adding a line in the post flight to run this.

Also, are you running a FireEye Extension attribute in your Jamf Pro? After you run a sudo jamf recon or when the computer checks in, you'll know if it's running version 32.30.0 or some may say "Not Installed."

Extension Attribute Here
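The extension attribute mvu refers to is attached as an image in the original thread, so here is an added example of one (editor's code, not mvu's or FireEye's). It reports the installed version and separately whether xagt is running, which gives a smart group a way to catch exactly the machines discussed above, where Jamf shows the agent installed but nothing is reporting to the FireEye console. The app bundle path /Library/FireEye/xagt/xagt.app and the process name xagt are assumptions; the thread only confirms the /Library/FireEye/xagt directory.

```shell
#!/bin/sh
# Added example, not from the thread or from FireEye: Jamf Pro extension
# attribute for the HX agent. Reports three states instead of two:
#   "Not Installed", "<version>", or "<version> (installed, xagt not running)".
# Assumed (adjust if your install differs): the app bundle lives at
# /Library/FireEye/xagt/xagt.app and the daemon process is named xagt.

XAGT_APP="${XAGT_APP:-/Library/FireEye/xagt/xagt.app}"

# Version string from the app bundle; prints nothing if not installed (macOS only).
installed_version() {
    plist="$1/Contents/Info.plist"
    [ -f "$plist" ] || return 0
    /usr/bin/defaults read "$plist" CFBundleShortVersionString 2>/dev/null
}

# "yes" if a process with exactly this name exists, else "no".
process_running() {
    if pgrep -x "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Turn (version, running) into the single line Jamf stores for the EA.
# Keeping "not running" distinct from "Not Installed" is what lets a smart
# group scope a reinstall policy only at the machines that need it.
ea_result() {
    version="$1"; running="$2"
    if [ -z "$version" ]; then
        echo "Not Installed"
    elif [ "$running" = yes ]; then
        echo "$version"
    else
        echo "$version (installed, xagt not running)"
    fi
}

printf '<result>%s</result>\n' \
    "$(ea_result "$(installed_version "$XAGT_APP")" "$(process_running xagt)")"
```

Set the EA's data type to String and build a smart group on "like: not running" to target the reinstall policy; the plain version string still works for the version check mvu describes after a sudo jamf recon.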

omaromar
New Contributor

Haha, I was drafting an additional response to say I'm using the "uninstall.tool" script, which seems to work well in removing FireEye from devices. Also, I'm running an Extension Attribute, and I have it in a Smart Computer Group, is that okay? I was going to paste the Extension Attribute I was using, but you beat me to it, LOL.

omaromar
New Contributor

Hello @mvu,
Something else FireEye suggests is enabling FDE (Full Disk Encryption) for the agent. I stumbled upon this and wanted to share and get anyone's opinion on this.

https://www.jamf.com/jamf-nation/discussions/29996/pppc-and-every-app-known-to-it#responseChild181090

mvu
Valued Contributor

@omaromar I don't know about FDE, but yes, you do need TeamID/PPPC Approval set up before FireEye can install and run.


omaromar
New Contributor

@mvu, I have that in "Configuration Profiles" already. This is from their documentation; of course I can do this locally, but it looks like I would need to do this globally as well. Just wondering how it's done via Jamf Pro?

mvu
Valued Contributor

You'll need to create a PPPC for xagt.app using the PPPC Utility application. Once you spit that out, upload the file to Jamf Pro.

mlitton
New Contributor II

Setting up FE for the first time .. two quick questions:
- Do I need a PPPC for both xagt.app and xagtnotif.app for full disk access?
- Why add the uninstall tool? I assume either it will remove old version if they exist (if run in the post install) and/or be available to remotely uninstall (files and processes) if needed?

mvu
Valued Contributor

Maybe someone else can chime on the PPPC?

For the uninstall tool, I added it on the last version upgrade. I noticed when we upgraded the FireEye Agent, some Macs failed to upgrade. So, I added the line to do a clean uninstall first, then install the latest/greatest version of the agent. This provided a consistent install across the board, so please test in your environment.

cweill
New Contributor

@mvu I created this TCC profile in PPPC Utility, but xagt.app does not show up in the Full Disk Access section. Does that matter?

mvu
Valued Contributor

I would still push the TCC Profile just in case. You can test both ways.

gokoudes
New Contributor III

@cweill For a while, at least, PPPC permissions granted via profile wouldn't be reflected in the Security & Privacy preference pane GUI.

For example, you granted ABC.app Full Disk Access with a configuration profile on computer A. On computer A, launch the Security/Privacy Prefpane, Privacy - Full Disk Access, and you'll notice ABC.app doesn't appear there as an entry. However, the app should still function as normal with Full Disk Access. I hope this gets tweaked in an update, but this has been the case for some time.

I hope that helps!

mlarsen
New Contributor II

I'm working on getting this set in our MDM now, and I wanted to verify something. When I add the xagt to our Privacy Preferences Policy - Config, the app or service I'm allowed to give it access to is "SystemPolicyAllFiles". I'm assuming this equates to Full Disk Access, but I wanted to be sure. Can anyone let me know if that's the case?

Also, when looking at it in the PPPC utility itself, the option is All Files. Again, does this equate to Full Disk Access?
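To the question above: yes. In the TCC payload, the service named SystemPolicyAllFiles is Full Disk Access, and "All Files" in PPPC Utility is the same service under its GUI label. The thread does not give the agent's bundle ID or code-signing requirement, so the added example below (editor's code, not FireEye's, Jamf's or PPPC Utility's) reads both from the installed app with defaults and codesign and emits the system-scoped profile that PPPC Utility would produce for the same settings. The app path /Library/FireEye/xagt/xagt.app is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: generate a PPPC (TCC) configuration
# profile granting Full Disk Access, whose payload service key is
# SystemPolicyAllFiles ("All Files" in PPPC Utility). Bundle ID and designated
# requirement are read from the installed app, not hard-coded.
# Assumed app path: /Library/FireEye/xagt/xagt.app (not given in the thread).

XAGT_APP="${XAGT_APP:-/Library/FireEye/xagt/xagt.app}"

new_uuid() { uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid; }

# Requirement strings contain quotes (fine in XML) but may contain &, <, >.
xml_escape() { printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'; }

# Bundle ID and designated code requirement of an installed .app (macOS only).
# Prints two lines: bundle ID, then requirement.
app_identity() {
    app="$1"
    bundle_id=$(/usr/bin/defaults read "$app/Contents/Info.plist" CFBundleIdentifier) || return 1
    req=$(/usr/bin/codesign -dr - "$app" 2>&1 | sed -n 's/^designated => //p')
    [ -n "$req" ] || { echo "no designated requirement found for $app" >&2; return 1; }
    printf '%s\n%s\n' "$bundle_id" "$req"
}

# Emit a system-scoped TCC profile allowing SystemPolicyAllFiles for one app.
# $1 bundle ID, $2 designated requirement, $3 optional display name.
make_fda_profile() {
    bundle_id=$(xml_escape "$1"); requirement=$(xml_escape "$2")
    name=$(xml_escape "${3:-PPPC Full Disk Access - $1}")
    payload_uuid=$(new_uuid); profile_uuid=$(new_uuid)
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
      <key>PayloadIdentifier</key><string>${bundle_id}.tcc.${payload_uuid}</string>
      <key>PayloadUUID</key><string>${payload_uuid}</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>Services</key>
      <dict>
        <key>SystemPolicyAllFiles</key>
        <array>
          <dict>
            <key>Identifier</key><string>${bundle_id}</string>
            <key>IdentifierType</key><string>bundleID</string>
            <key>CodeRequirement</key><string>${requirement}</string>
            <key>Allowed</key><true/>
          </dict>
        </array>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key><string>${name}</string>
  <key>PayloadIdentifier</key><string>${bundle_id}.tcc</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>${profile_uuid}</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
EOF
}

# On a Mac that already has the agent: write the profile for upload to Jamf Pro.
if [ "$(uname -s)" = Darwin ] && [ -d "$XAGT_APP" ]; then
    app_identity "$XAGT_APP" | {
        read -r bid; read -r req
        make_fda_profile "$bid" "$req" > xagt-fda.mobileconfig
    }
fi
```

PayloadScope must be System: TCC payloads are only honoured from a device-level profile delivered by MDM, which is why the approval has to come from Jamf Pro rather than from a user clicking through Security & Privacy. As gokoudes notes above, an app granted Full Disk Access this way may still not appear in the Full Disk Access list in the preference pane even though the grant is in effect; the thread gives no command for checking the grant, so test the agent's behaviour rather than the GUI.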