Jamf Nation Community

This is how I managed this, hope it will help you.

On the MacBook, start Composer:
Drag and Drop the FireEye agent .dmg file in composer, Click Convert to Source
Click "IMAGE_HX_AGENT_XXX" and create the directory /private/var/tmp/
Drag and drop both agent_config.json and xagtSetup_XX.mpgk files in /tmp as below :

Create a postinstall script:
Right-Click on Scripts > Add Schell Script > postinstall

Add this command in the script, modify it depending on the version you want to package (adjust the file name depending of the version) :
#!/bin/sh
installer -pkg /private/var/tmp/xagtSetup_27.30.0.mpkg -target /

Click "IMAGE_HX_AGENT" and Save the configuration

Build the pkg file
Save the file in the desktop
The package has been generated

You can test the package installing it manually on the MacBook.

Hi,

I try this few times. Installation is successful but don't see agent running under ps aux | grep xagt.

Also, I added this to post install script but no luck (https://www.jamf.com/jamf-nation/discussions/25530/help-with-scripting-install-a-package-within-a-dmg)

**If those processes aren't running, then check that your postinstall script has:

/usr/bin/sudo launchctl load -w "/Library/LaunchAgents/com.fireeye.xagtnotif.plist"
/usr/bin/sudo launchctl load -w "/Library/LaunchDaemons/com.fireeye.xagt.plist"**

fyi..I am using this installer package ver xagtSetup_31.28.0.pkg.

I ran into this same thing, so I asked the infosec. if the Mac clients registered on his console. They confirmed that all was well.

But it is not showing up under registered devices in console. If I install manually then it shows.

Can we see how you packaged it?

This is fixed. I got newer documentation from our provider. Not sure if its ok to post it here.

Capturing and Installing the Endpoint Security Agent JAMF Package

@idodd I just ran into the same issue with ver 31.28.4. I was deoying 30.19 that I packaged awhile back and it works but doing 31.28 isnt showing up in FE vonsole even after Jamf says it installed successfully. Can you tell me what fixed the issue for you?
UPDATE: Nevermind, I figured out my problem was actually a typo I had in my post install script

@idodd any chance you can share with us what the issue was and how you fixed it? I am trying to deploy the HX agent 30.19.3 myself, but I am pretty new to using Jamf. I have the dmg with the pkg and json file. Should I just follow the directions as posted by @JamBoost? Thanks in advance.

Hello Everyone.
Anxious to try out this packaging for FireEye but my first road block was the FireEye Agent fails while trying to convert to source. It runs though the conversion but fails on 'Completing package extraction....(100% Complete). Error is Converting to source failed.
Composer version is 10.23.0. FE Version is 31.28.4

Anyone come across this?

Thank you.

Hello again,
Forget my message. I tired to convert our Any Connect pkg to source and received the same error. I did check with our Team and learned both pkgs are custom installers with config files inside. Guess there is some switch to 'lock' the pkg. Anyways, it just means my installers are working and I need to deploy them via Jamf.

@mvu I've followed your instructions I believe to be exact, the issue I'm having is the package works when I run it locally. But when I deploy using JamfPro, it says it was successful, but when our FireEye team checks those devices, they say it's not reporting, but the machine I ran it own locally is reporting in?

What information you need from me to figure this out?

@omaromar I ran into this when we upgraded to version 32.30.0. We deployed it and with Jamf, and Jamf does show the latest version via the EA. I confirmed the agent was running in Activity Monitor, but the FireEye folks said the agent didn't update.

What version of macOS are you running?

Here is what I am doing. After installing FireEye, try a restart and see if it reports the new version with the FireEye Team. Also, go to System Preferences/Security & Privacy to see if you need a "Bitdefeneder SRL" Kernel Extension Approval. If so, you'll need to create and push this config profile.

In my FireEye package, I added the postscript listed above to load the agent and daemon. When i added this to the package, I didn't have to restart for Macs using 10.13 (maybe 10.14?) and up. Older Macs I still had to restart regardless.

/usr/bin/sudo launchctl load -w "/Library/LaunchAgents/com.fireeye.xagtnotif.plist"
/usr/bin/sudo launchctl load -w "/Library/LaunchDaemons/com.fireeye.xagt.plist"**

@omaromar I was playing around with this and ended up adding the uninstall FireEye script to the package. Before, it looked like the package ran successfully, but the EA reports "Not Installed" for some machines.

On a computer that you know has FireEye installed correctly, go to: Library/FireEye/xagt. Here, you'll find the "uninstall.tool" script that does a good job of deleting everything FireEye. From there, you'll just need to repackage and add one postflight line to the script.

Hello @mvu

This is what I have at the moment, sent it to five machines, and will check tomorrow to see if 1) Jamf says it was successful and 2) If our FireEye team can see them reporting in the console. I appreciate your help and guidance on this, let me know if what I have is okay or needs correcting.

Thanks,
Omar

@omaromar Your package will work most of the time. But we found it failed in some instances, even though Jamf Pro said it installed correctly. Comb over my last post about adding the uninstall script/tool to the package, and then adding a line in the post flight to run this.

Also, are you running a FireEye Extension attribute in your Jamf Pro? After you run a sudo jamf recon or when the computer checks in, you'll know if it's running version 32.30.0 or some may say "Not Installed."

Extension Attribute Here

Haha, I was drafting an additional response to say for I'm using the "uninstall.tool" script which seems to work well in removing FireEye from devices. Also, I'm running an Extension Attribute, I have it in a Smart Computer Group, is that okay? Was going to paste the Extension Attribute I was using, but you beat me to it, LOL.

Hello @mvu,
Something else FireEye suggests is enabling FDE (Full Disk Encryption) for the agent. I stumbled upon this and wanted to share and get anyone's opinion on this.

https://www.jamf.com/jamf-nation/discussions/29996/pppc-and-every-app-known-to-it#responseChild181090

@omaromar I don't know about FDE, but yes, you do need TeamID/PPPC Approval set up before FireEye can install and run.

@mvu, I have that in "Configuration Profiles" already. This is from their documentation, of course I can do this locally, looks like I would need to do this Globally as well. Just wondering how it's done via Jamf | Pro?

You'll need to create a PPPC for xagt.app using the PPPC Utility application. Once you spit that out, upload the file to Jamf Pro.

Setting up FE for the first time .. two quick questions:
- Do I need a PPPC for both xagt.app and xagtnotif.app for full disk access?
- Why add the uninstall tool? I assume either it will remove old version if they exist (if run in the post install) and/or be available to remotely uninstall (files and processes) if needed?

Maybe someone else can chime on the PPPC?

For the uninstall tool, I added it on the last version upgrade. I noticed when we upgraded the FireEye Agent, some Macs failed to upgrade. So, I added the line to do a clean uninstall first, then install the latest/greatest version of the agent. This provided a consistent install across the board, so please test in your environment.

@mvu I created this TCC profile in PPPC Utility, but xagt.app does not show up in the Full Disk Access section. Does that matter?

I would still push the TCC Profile just in case. You can test both ways.

@cwell For a while, at least, PPPC permissions granted via profile wouldn't reflect those permissions/changes in the Security/Privacy Prefpane GUI.

For example, you granted ABC.app Full Disk Access with a configuration profile on computer A. On computer A, launch the Security/Privacy Prefpane, Privacy - Full Disk Access, and you'll notice ABC.app doesn't appear there as an entry. However, the app should still function as normal with Full Disk Access. I hope this gets tweaked in an update, but this has been the case for some time.

I hope that helps!

I'm working on getting this set in our MDM now, and I wanted to verify something. When I add the xagt to our Privacy Preferences Policy - Config, the app or service I'm allowed to give it access to is "SystemPolicyAllFiles". I'm assuming this equates to Full Disk Access, but I wanted to be sure. Can anyone let me know if that's the case?

Also, when looking at it in the PPPC utility itself, the option is All Files. Again, does this equate to Full Disk Access?

Does someone have an example of how to script the uninstall w/ password?