Elastic agent

MacJunior
Contributor III

Hey all, 

Anybody managed to install the Elastic Agent via Jamf Pro?

During the installation process, it asks whether I want to install it in /Library/agent, and I have yes/no options.

That is pausing the installation process, and I need a way to auto-answer with yes!

Thoughts?


Bretterson
Contributor

I haven't managed to get it to install correctly yet, but it sounds like you're missing an argument: -f

https://gist.github.com/peasead/33394868ddbd773c39bedde4011b4f6a?permalink_comment_id=4350069#gistco...

Bretterson
Contributor

We just got this working. I modified the script so it checks for system architecture to determine whether the Intel or ARM (Apple silicon) installer should be used. Let me know if you need a copy.

MacJunior
Contributor III

Interesting .. yes please share it with me 

I'm 99% sure this works, but I've only tested it once since replacing the URLs in the script with parameters (for slightly easier/cleaner updates). If it doesn't work for you, try replacing {$4} and {$5} with the actual URLs:

 

#!/bin/bash -eux
# Single script to install the Elastic Agent (Intel and ARM versions) on macOS
# Jamf passes script parameters as $4, $5, ...; write them as "$4", not {$4}
# (braces around the dollar sign are passed to curl literally and the download fails).

# Checks architecture
arch_name="$(uname -m)"

# Create a temporary directory
tempdir=$(mktemp -d)
cd "$tempdir"

# Steps to complete on Intel-based Macs
if [[ "${arch_name}" = "x86_64" ]]; then

    # Downloads the Elastic Agent (parameter 4 = URL of the Intel tarball)
    curl -OL "$4"

    # Uses the Tar command to decompress the Elastic Agent and prepare it for installation
    tar zxf elastic-agent-8.4.1-darwin-x86_64.tar.gz

    # Enters the Elastic Agent directory that was decompressed in the previous step
    cd elastic-agent-8.4.1-darwin-x86_64

# Steps to complete on ARM (Apple)-based Macs
elif [[ "${arch_name}" = "arm64" ]]; then

    # Downloads the Elastic Agent (parameter 5 = URL of the Apple silicon tarball)
    curl -OL "$5"

    # Uses the Tar command to decompress the Elastic Agent and prepare it for installation
    tar zxf elastic-agent-8.4.1-darwin-aarch64.tar.gz

    # Enters the Elastic Agent directory that was decompressed in the previous step
    cd elastic-agent-8.4.1-darwin-aarch64

else
    # Anything else is not a Mac this script knows how to handle; stop instead of running ./elastic-agent from an empty directory
    echo "Unsupported architecture: ${arch_name}" >&2
    exit 1
fi

# Installs the Elastic Agent and enrolls it in Fleet Server so that updates to the Agent can be managed.
# -f answers the /Library/Elastic/Agent confirmation prompt; --url (not the old --kibana-url) is the Fleet Server address.
# Jamf policies already run as root, so sudo is not needed here but is harmless.
sudo ./elastic-agent install -f --url=fleet-server-address --enrollment-token=enrollment-token

# Clean up, clean up
cd /
rm -rf "$tempdir"

 

 

In the policy, set parameter 4 to the URL for the Intel package and 5 to the URL for the ARM/Apple version.

MacJunior
Contributor III

@Bretterson  it works perfectly, thanks

Sure thing! Though I just realized I should probably make it so the parameters replace the file name rather than the URL. The way I have it now, to update it you have to replace the URL parameter as well as the file name a few times in the script itself. Here's an updated version (that I just tested successfully):

 

#!/bin/bash -eux
# Single script to install the Elastic Agent (Intel and ARM versions) on macOS
# Parameter 4 = Intel tarball name, parameter 5 = Apple silicon tarball name (both without .tar.gz)

# Checks architecture
arch_name="$(uname -m)"

# Create a temporary directory
tempdir=$(mktemp -d)
cd "$tempdir"

# Steps to complete on Intel-based Macs
if [[ "${arch_name}" = "x86_64" ]]; then

    # Downloads the Elastic Agent and saves it to your computer in the directory specified
    curl -OL "https://artifacts.elastic.co/downloads/beats/elastic-agent/${4}.tar.gz"

    # Uses the Tar command to decompress the Elastic Agent and prepare it for installation
    tar zxf "${4}.tar.gz"

    # Enters the Elastic Agent directory that was decompressed in the previous step
    cd "${4}"

# Steps to complete on ARM (Apple)-based Macs
elif [[ "${arch_name}" = "arm64" ]]; then

    # Downloads the Elastic Agent and saves it to your computer in the directory specified
    curl -OL "https://artifacts.elastic.co/downloads/beats/elastic-agent/${5}.tar.gz"

    # Uses the Tar command to decompress the Elastic Agent and prepare it for installation
    tar zxvf "${5}.tar.gz"

    # Enters the Elastic Agent directory that was decompressed in the previous step
    cd "${5}"

else
    echo "Unsupported architecture: ${arch_name}" >&2
    exit 1
fi

# Timestamp in the policy log
date

# Installs the Elastic Agent and enrolls it in Fleet Server so that updates to the Agent can be managed.
# The enrollment token is a credential: it has been replaced with a placeholder here. Keep it out of
# shared scripts (for example pass it in as another policy parameter) rather than pasting it inline.
sudo ./elastic-agent install -f --url=https://siemfleet1a.hq.overdrive.com:8220 --enrollment-token=enrollment-token

# Clean up, clean up
cd /
rm -rf "$tempdir"

 

Now I have parameter 4 set to "elastic-agent-8.4.1-darwin-x86_64" and 5 as "elastic-agent-8.4.1-darwin-aarch64".

Tada!

MacJunior
Contributor III

@Bretterson Have you managed to grey out the elastic-agent in Login Items in Ventura!?

I tried using a service management profile where I used the BundleID and TeamID, but it's still not working!!

I'm not currently running Ventura on my test machine, but I don't have anything for Elastic in "Login items." I'm pretty sure we haven't pushed Elastic Security yet, just the agent. I'll try to look into it and let you know.

MacJunior
Contributor III

I managed to grey it out in Login Items using LabelPrefix co.elastic.

Just in case it shows up later in the login items in Ventura.

I was able to do the same yesterday. Good call on the prefix rather than the regular label!

ben-rampartco
New Contributor

Is there any way to setup full disk access for the Endpoint agent?

Elastic has a Python script that'll create a configuration profile for you. It includes full disk access: https://github.com/elastic/endpoint/blob/main/deployment/macos/mobiledevicemanagement/mobile_config_...

I'm having trouble getting this to deploy, and there isn't really much info about it on that GitHub page. Have you gotten this to work?

Yep, I used it successfully.

Just because I'm a little unclear what you mean by deploy, you aren't trying to deploy the Python script itself, are you? Because it's something you run locally to create a profile you can upload to Jamf.

No, not the script directly. I used the script to build the .mobileconfig profile; I just can't get the config profile to reach the machine.

Ok, so, what's happening..? I'm pretty sure all I did was upload the profile to Jamf and scope it.

renfroc
New Contributor

I love this community so much. Thank you all for your work

jwng
New Contributor III
Apologies if this is redundant.
I was able to get the installer to go on silently.
First I used the mobile config generator in their GitHub:

https://github.com/elastic/endpoint/blob/main/deployment/macos/mobiledevicemanagement/mobile_config_gen.py

I made that config profile "user removable" and deployable via self service.
then created a policy that executed the below script as a script payload:


#!/bin/bash
# Checks Architecture
arch_name="$(uname -m)"
tarname="$4"          # Apple silicon tarball name (without .tar.gz), e.g. elastic-agent-8.4.1-darwin-aarch64
tarnameintel="$5"     # Intel tarball name (without .tar.gz), e.g. elastic-agent-8.4.1-darwin-x86_64
installtoken="$6"     # Fleet enrollment token, passed as a policy parameter so it stays out of the script body

# Makes JAMF managed Dir
if [ -d /Applications/JAMF_Managed/ ]; then
    echo "JAMF_Managed - Dir exists."
else
    mkdir /Applications/JAMF_Managed
fi

# Steps to complete on ARM (Apple)-based Macs
if [[ "${arch_name}" = "arm64" ]]; then

    # Downloads the Elastic Agent and saves it to your computer in the directory specified
    sudo curl -Lo /Applications/JAMF_Managed/"$tarname".tar.gz https://artifacts.elastic.co/downloads/beats/elastic-agent/"$tarname".tar.gz

    # Uses the Tar command to decompress the Elastic Agent and prepare it for installation
    sudo tar xzvf /Applications/JAMF_Managed/"$tarname".tar.gz -C /Applications/JAMF_Managed

    # Enters the Elastic Agent directory and Enrolls (-f answers the install prompt, -n makes the install non-interactive)
    sudo /Applications/JAMF_Managed/"$tarname"/elastic-agent install --url=[[your_fleet_URL_here]]:443 --enrollment-token="$installtoken" -f -n
fi

# Steps to complete on Intel-based Macs
if [[ "${arch_name}" = "x86_64" ]]; then

    # Downloads the Elastic Agent and saves it to your computer in the directory specified
    sudo curl -Lo /Applications/JAMF_Managed/"$tarnameintel".tar.gz https://artifacts.elastic.co/downloads/beats/elastic-agent/"$tarnameintel".tar.gz

    # Uses the Tar command to decompress the Elastic Agent and prepare it for installation
    sudo tar xzvf /Applications/JAMF_Managed/"$tarnameintel".tar.gz -C /Applications/JAMF_Managed

    # Enters the Elastic Agent directory and Enrolls
    sudo /Applications/JAMF_Managed/"$tarnameintel"/elastic-agent install --url=[[your_fleet_URL_here]]:443 --enrollment-token="$installtoken" -f -n
fi

# Removes the unpacked installer and tarball for whichever architecture ran
# (the original only cleaned up the Apple silicon names, leaving the Intel download behind)
rm -rf /Applications/JAMF_Managed/"$tarname" /Applications/JAMF_Managed/"$tarname".tar.gz
rm -rf /Applications/JAMF_Managed/"$tarnameintel" /Applications/JAMF_Managed/"$tarnameintel".tar.gz
 
 
I also created extension attributes too (each block below is a separate EA script):

#!/bin/bash
#v2 - Title and Status
#Fleet Status
result=$(sudo elastic-agent status --output human | grep -m2 'fleet\|status:')
echo "<result>$result</result>"
exit 0

#!/bin/bash
#Elastic Agent Status
result=$(sudo elastic-agent status --output human | grep -m3 'elastic-agent\|status:' | tail -2)
echo "<result>$result</result>"
exit 0

#!/bin/bash
#Endpoint-Default 1 Status
result=$(sudo elastic-agent status --output human | grep -m4 'endpoint-\|status:' | tail -2)
echo "<result>$result</result>"
exit 0

#!/bin/bash
#Endpoint-Default 1.1 Status
result=$(sudo elastic-agent status --output human | grep -m6 'endpoint-\|status:' | tail -2)
echo "<result>$result</result>"
exit 0

#!/bin/bash
#Endpoint-Default 1.2 Status
result=$(sudo elastic-agent status --output human | grep -m8 'endpoint-\|status:' | tail -2)
echo "<result>$result</result>"
exit 0

 
In the policy I added the Files and Processes payload to execute the installation of the config profile via the jamfselfservice URL:

We use a workbench directory called JAMF_Managed, but you can curl it to wherever you want. The install goes pretty quiet... All that's missing is a dynamic way to get the version numbers of the installer to make it an auto-update script. But the key here is the post-install shell command that installs the config profile after the install finishes to enable the system extension and grant full disk access for the executables.
 
Currently working on a non-interactive uninstaller. I'm close; currently users have to remove the config profile first via the remove button in Self Service and then launch the uninstaller policy. I just need to figure out how to uninstall the config profile via shell script....

Hope that helps
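Both install scripts above (Bretterson's and jwng's) carry two copies of the download/extract/enroll steps and trust whatever comes back from artifacts.elastic.co. The following is an added example, not code from any post in this thread: it folds the architecture mapping into one function and checks the tarball against the .sha512 sidecar file that Elastic publishes next to each download before anything is extracted. Assumptions: the sidecar lives at the same URL with ".sha512" appended and has the usual "<hash>  <filename>" layout, and the Jamf policy supplies version, Fleet Server URL and enrollment token as parameters $4, $5 and $6 (all placeholders, not values from the thread).

```shell
#!/bin/bash
# Added example (not from this thread): one-path Elastic Agent download for macOS that
# verifies the tarball's SHA-512 against Elastic's published checksum before extracting.
set -eu

BASE_URL="https://artifacts.elastic.co/downloads/beats/elastic-agent"

# Map `uname -m` output to the artifact name Elastic uses for macOS builds.
# Fails (non-zero) for anything that is not an Intel or Apple silicon Mac.
artifact_name() {
    version="$1"; machine="$2"
    case "$machine" in
        x86_64) echo "elastic-agent-${version}-darwin-x86_64" ;;
        arm64)  echo "elastic-agent-${version}-darwin-aarch64" ;;
        *)      echo "unsupported architecture: $machine" >&2; return 1 ;;
    esac
}

# Print the hex SHA-512 of a file with whichever tool the host has
# (macOS ships shasum; Linux hosts usually have sha512sum).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# Compare a tarball with a .sha512 file in the assumed "<hash>  <filename>" layout.
# Succeeds only when both the file name and the digest match.
verify_sha512() {
    tarball="$1"; sumfile="$2"
    expected_hash=$(awk '{print $1}' "$sumfile")
    expected_name=$(awk '{print $2}' "$sumfile")
    [ "$expected_name" = "$(basename "$tarball")" ] || return 1
    [ "$(sha512_of "$tarball")" = "$expected_hash" ]
}

# Download, verify, extract and enroll. Needs root and a reachable Fleet Server,
# so this function is not exercised offline; the helpers above are.
install_elastic_agent() {
    version="$1"; fleet_url="$2"; token="$3"
    name=$(artifact_name "$version" "$(uname -m)")
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT
    cd "$workdir"
    curl -fsSLO "${BASE_URL}/${name}.tar.gz"
    curl -fsSLO "${BASE_URL}/${name}.tar.gz.sha512"
    verify_sha512 "${name}.tar.gz" "${name}.tar.gz.sha512" || {
        echo "checksum mismatch for ${name}.tar.gz, refusing to install" >&2
        return 1
    }
    tar xzf "${name}.tar.gz"
    # -f answers the /Library/Elastic/Agent prompt, -n makes the install non-interactive
    "./${name}/elastic-agent" install -f -n --url="$fleet_url" --enrollment-token="$token"
}

# In a Jamf policy the parameters arrive as $4 (version), $5 (Fleet URL), $6 (token); uncomment to run:
# install_elastic_agent "$4" "$5" "$6"
```

With this layout a version bump is a single parameter change, and a tampered or truncated download is rejected before tar or the installer ever touch it. The checksum only proves the file matches what Elastic published over the same channel; for a stronger guarantee verify the detached .asc signature against Elastic's public key as well.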
 
 
 
 

This seems very similar to the script I posted earlier on this thread. I might give those extension attributes a try though.

I'm not sure why you'd need to remove the config profile to uninstall it. I have the profile scoped, with the full disk access and system extension bits, to all machines all the time and it hasn't been an issue.

I had to mess with uninstallation a bunch pretty recently because some installs were inconsistent and wouldn't update from the server. This is the uninstall script I ended up with: (note: I have it run inventory at the end so Jamf sees Elastic missing and puts the machine in scope for the installation policy, which I also trigger at the end)

#!/bin/zsh

# Let the Agent uninstall itself first (this normally removes Endpoint too)
/Library/Elastic/Agent/elastic-agent uninstall -f

# If the LaunchDaemon is still there, the built-in uninstall did not finish; remove the Agent by hand
if [[ -e /Library/LaunchDaemons/co.elastic.elastic-agent.plist ]]; then
    echo "Elastic Agent is still installed, removing manually..."
    launchctl bootout system/co.elastic.elastic-agent
    launchctl bootout system/co.elastic.endpoint
    rm /Library/LaunchDaemons/co.elastic.elastic-agent.plist
    rm -R /Library/Elastic/Agent
fi

# Endpoint has its own uninstaller; copy the binary out first because uninstall deletes its own directory
if [[ -e /Library/Elastic/Endpoint/elastic-endpoint ]]; then
    echo "Elastic Endpoint is still installed, attempting to uninstall..."
    cd /tmp
    cp /Library/Elastic/Endpoint/elastic-endpoint elastic-endpoint
    /tmp/elastic-endpoint uninstall
    rm elastic-endpoint
fi

# Last resort: remove whatever the uninstallers left behind
if [[ -e /Applications/ElasticEndpoint.app ]]; then
    echo "Elastic Endpoint is still installed or the app got left behind, attempting to remove..."
    rm /Library/LaunchDaemons/co.elastic.endpoint.plist
    rm -R /Library/Elastic
    rm -R /Applications/ElasticEndpoint.app
fi

# Update inventory so Jamf sees Elastic missing, then trigger the install policy
jamf recon
sleep 10
jamf policy -id 54

exit 0

 

jwng
New Contributor III

I'll give yours a try, heres what I have so far-

I didn't think I needed to remove the profile either, but when I watch the uninstaller process, the files don't remove until I uninstall the config profile... Here's my script so far:

Thanks!

 

#!/bin/bash
#Unload Launch Daemons and Kills Process
sudo launchctl unload /Library/LaunchDaemons/co.elastic.elastic-agent.plist
sudo launchctl unload /Library/LaunchDaemons/co.elastic.endpoint.plist
sudo profiles remove -type='configuration' -identifier='UID goes here' -verbose

agentvar=$(pgrep elastic-agent)
endpointvar=$(pgrep elastic-endpoint)
filebeatvar=$(pgrep filebeat)
echo "this is var 1:$agentvar"
echo "this is var 2:$endpointvar"
echo "this is var 3:$filebeatvar"
# Only call kill when pgrep actually found a process; "kill -9" with no PID is an error
[[ -n "$agentvar" ]] && sudo kill -9 $agentvar
[[ -n "$endpointvar" ]] && sudo kill -9 $endpointvar
[[ -n "$filebeatvar" ]] && sudo kill -9 $filebeatvar

#Deletes Files
sudo rm -rf /Library/Elastic/*
sudo rm -rf /Library/Elastic
sudo rm -rf /Applications/Elastic\ Security.app
sudo rm -rf /Applications/ElasticEndpoint.app
sudo rm -rf /Library/LaunchDaemons/co.elastic.endpoint.plist
sudo rm -rf /Library/LaunchDaemons/co.elastic.elastic-agent.plist

 

jwng
New Contributor III

I actually figured out a work around for the uninstaller.

I just wrapped my uninstaller sh command inside a function, and then call the function 2x with a sleep 10 in between. That seems to work for me, and I don't need to remove the config profile.

#!/bin/bash
# Runs the Elastic uninstaller and then cleans up whatever it left behind.
# Called twice with a pause in between because the first pass does not always
# finish removing files while the config profile is still present.
elasticUninstall(){
    /Library/Elastic/Agent/elastic-agent uninstall -f
    if [[ -e /Library/LaunchDaemons/co.elastic.elastic-agent.plist ]]; then
        echo "Elastic Agent is still installed, removing manually..."
        #Unload Launch Daemons and Kills Process
        sudo launchctl bootout system/co.elastic.elastic-agent
        sudo launchctl bootout system/co.elastic.endpoint
        sudo launchctl unload /Library/LaunchDaemons/co.elastic.elastic-agent.plist
        sudo launchctl unload /Library/LaunchDaemons/co.elastic.endpoint.plist
        sudo profiles remove -type='configuration' -identifier='Profile UID goes here' -verbose
        sudo rm -rf /Library/LaunchDaemons/co.elastic.elastic-agent.plist
    fi
    agentvar=$(pgrep elastic-agent)
    endpointvar=$(pgrep elastic-endpoint)
    filebeatvar=$(pgrep filebeat)
    echo "this is var 1:$agentvar"
    echo "this is var 2:$endpointvar"
    echo "this is var 3:$filebeatvar"
    # Only call kill when pgrep actually found a process; "kill -9" with no PID is an error
    [[ -n "$agentvar" ]] && sudo kill -9 $agentvar
    [[ -n "$endpointvar" ]] && sudo kill -9 $endpointvar
    [[ -n "$filebeatvar" ]] && sudo kill -9 $filebeatvar
    if [[ -e /Library/Elastic/Endpoint/elastic-endpoint ]]; then
        echo "Elastic Endpoint is still installed, attempting to uninstall..."
        sudo launchctl unload /Library/LaunchDaemons/co.elastic.endpoint.plist
        sudo launchctl bootout system/co.elastic.endpoint
        sudo rm -rf /Library/LaunchDaemons/co.elastic.endpoint.plist
    fi
    #Deletes Files
    sudo rm -rf /Library/Elastic/*
    sudo rm -rf /Library/Elastic
    sudo rm -rf /Applications/Elastic\ Security.app
    sudo rm -rf /Applications/ElasticEndpoint.app
}
elasticUninstall
sleep 10
elasticUninstall

exit 0

Interesting that it works fine if you loop it, and it manages to remove the profile. I still find it strange that the profile is causing an issue for you; I wonder how yours differs from mine. Mine is computer level rather than user level; maybe that matters?

I'm also surprised your script doesn't give you a hard time about using "launchctl unload"; whenever I use unload these days it just complains about it being deprecated. Though they should already be unloaded by the time it gets to that spot in the script.