Error When Deploying AMP for Endpoints Policy

JDaher
New Contributor III

Hello,

I know there's a discussion about this in another thread (https://community.jamf.com/t5/jamf-pro/deploying-cisco-amp-v-1-9/m-p/213222#M201846) but it is a bit old and perhaps not relevant to this specific issue.

I downloaded the AMP agent from our console. It downloads as a .dmg file. I converted it to a .pkg file and attempted to deploy it via Jamf policy. I get this error:

Executing Policy AMP for Endpoints v1.16.0.841
Downloading amp_BW_Protect_v1.16.0.841.pkg...
Downloading https://use1-jcds.services.jamfcloud.com//download/ba805935816b4ce58100361adc837690/amp_BW_Protect_v......
Verifying package integrity...
Installing amp_BW_Protect_v1.16.0.841.pkg...
Installation failed. The installer reported: installer: Package name is ampmac_connector
installer: Upgrading at base path /
installer: The upgrade failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. The package is attempting to install content to the system volume.)
Blessing macOS System on /...
Creating Reboot Script...

I have seen that error in other attempted policy deployments, but have not found a solution posted here. 

If I try to deploy the .dmg file as obtained from Cisco this is what appears in the Jamf log, but the application doesn't install in the system:

Executing Policy AMP for Endpoints v1.16.0.841
Downloading https://use1-jcds.services.jamfcloud.com//download/ba805935816b4ce58100361adc837690/amp_BW_Protect_v......
Verifying DMG...
Verifying package integrity...
Installing amp_BW_Protect_v1.16.0.841.dmg...
Closing package...
Blessing macOS System on /...

Does anybody know what's going on? Any alternative methods of deployment are welcome as well.

Thank you 


11 REPLIES 11

cvangorp
New Contributor III

Check out iJake's post in this discussion (posted on 02-05-2020 09:36 AM).

https://community.jamf.com/t5/jamf-pro/deploying-cisco-amp-v-1-9/td-p/213222

I've deployed via this script method and it works great.

JDaher
New Contributor III

Thank you @cvangorp. I am not well versed in scripting so I'm sure I'm missing something. I copied the script as edited by @ubcoit into Jamf.

edited redirectingURL="$4" to redirectingURL="$My URL for connector from the Cisco Console"

Created a policy to deploy it. The only payload in the policy is the script. 

I get this error: 


Executing Policy Cisco AMP for Endpoints - Install via Script
Running script Cisco AMP for Endpoints - Deploy via Script...
Script exit code: 1
Script result: + ciscoAMPPath='/Applications/Cisco AMP/AMP for Endpoints Connector.app/Contents/Info.plist'
+ redirectingURL='://My URL for connector from the Cisco Console'
+ localInstallerVolume=/Volumes/ampmac_connector
+ localInstallerPackage=ciscoampmac_connector.pkg
+ tmpFolder=/Library/CiscoAMPtmp
+ checkAndGetURLs
++ curl --head '://My URL for connector from the Cisco Console'
++ grep Location:
++ awk '{print $2}'
curl: (1) Protocol "" not supported or disabled in libcurl
+ dmgURL=
+ [[ -z '' ]]
+ echo 'Unable to retrieve DMG url. Exiting...'
Unable to retrieve DMG url. Exiting...
+ exit 1
Error running script: return code was 1.

 

The error suggests to me that the script is unable to pull the .dmg file (?), but I tested the URL and I am able to download the connector using a web browser. 

Any idea what's going on? 

Thanks for your help, I appreciate it.

cvangorp
New Contributor III

You shouldn't have to edit the script at all. Yes, @ubcoit's script is what I am using. I would leave $4 in the script; this allows you to have separate Jamf policies if you have separate AMP (now Cisco Secure) policies (groups), and thus use one script in multiple policies, just changing the URL.

You paste your URL (from download connector) in the policy in the parameter 4 box; see my screenshot.

 

Screen Shot 2021-09-23 at 4.03.17 PM.png

 

 

ubcoit
Contributor II

Did you verify that the url works from the AMP console? Just paste it into a web browser.

Mine's still running, no issues or changes that I recall, other than having to update the URL from time to time (they expire), which is why I used $4 so I can just update the policy.


JDaher
New Contributor III

Got it! 

I think the problem was that while testing this, I first set it up as you both suggested (leaving the script unedited and adding the URL in parameter #4 in Jamf); but then subsequently I edited the script and added the URL there but forgot to delete it from parameter #4 in Jamf. I understand it works both ways but you probably can't have the URL in the script and also in parameter #4 in Jamf. 

Thanks so much for your time, @ubcoit and @cvangorp. I really appreciate it. 

sgunther
New Contributor

Hopefully I'm not reviving a dead thread for no reason, but I am getting the same error. My deployment was always set with the script with the Connect Download URL in the $4 parameter in the policy. It seems in the last two weeks it stopped working and no one noticed, as we haven't deployed any new device. I thought maybe just the URL was expired, so I went to the AMP page and got a new URL, which I replaced in $4, but I'm still getting the Unable to retrieve URL error.

 

Any ideas?

@sgunther Did you add the -i to grep?

dmgURL=$(curl --head "$redirectingURL" | grep "Location:" | awk '{print $2}')

to
dmgURL=$(curl --head "$redirectingURL" | grep -i "Location:" | awk '{print $2}')

Thank you for the amazingly fast response! That did it! Any reason for the change? 

ubcoit
Contributor II

@sgunther  I believe the url changed and Location became location, lowercase. -i means any case.  I swear it was already above but I think it might have been edited out, or was a totally different forum posting.

Glad it's all sorted.

JDaher
New Contributor III

Thank you @sgunther for bringing this up, and thank you @ubcoit for coming to the rescue once again. It stopped working for me as well a few weeks ago, but I hadn't had the time to look into it. The "-i" was not in the script I used a few weeks ago. I just added it and everything is working again. Once more, thanks a bunch.

Yes, thank you to @ubcoit for the quick fix.  We noticed our once reliable Cisco Amp install script no longer working.  Adding the -i to ignore the case of Location fixed it immediately.
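
The two failures in this thread (a mangled URL parameter, and a case-sensitive match on the Location header) can both be caught before the download step. The following is an added example, not the script from the linked discussion; the function names and the example.invalid URLs are constructed for illustration.

```bash
#!/bin/bash
# Added example (not the thread's script): validate the Jamf parameter and
# read the redirect target from `curl --head` output in a case-insensitive way.

# Constructed sample responses. HTTP/2 servers send header names in lowercase.
SAMPLE_HTTP1=$(printf 'HTTP/1.1 302 Found\r\nLocation: https://downloads.example.invalid/connector.dmg\r\n')
SAMPLE_HTTP2=$(printf 'HTTP/2 302\r\ndate: Thu, 23 Sep 2021 20:03:17 GMT\r\nlocation: https://downloads.example.invalid/connector.dmg\r\n')

# Accept only an absolute https URL. An empty or mangled parameter is what
# produced 'curl: (1) Protocol "" not supported' earlier in the thread.
is_https_url() {
    case "$1" in
        https://?*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Read response headers on stdin and print the last Location value.
# Header names are case-insensitive and lines end in CRLF, so compare the
# lowercased name and strip the carriage return before using the value.
extract_location() {
    tr -d '\r' | awk '
        {
            i = index($0, ":")
            if (i && tolower(substr($0, 1, i - 1)) == "location") {
                v = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                loc = v
            }
        }
        END { if (loc != "") print loc; else exit 1 }'
}

# Returns 2 for a bad parameter, 1 when no usable redirect is found.
resolve_dmg_url() {
    redirecting_url="$1"
    if ! is_https_url "$redirecting_url"; then
        echo "Parameter is not an https URL: '$redirecting_url'" >&2
        return 2
    fi
    dmg_url=$(curl --silent --head "$redirecting_url" | extract_location) || return 1
    is_https_url "$dmg_url" || return 1   # refuse relative or non-https redirects
    printf '%s\n' "$dmg_url"
}
```

In a Jamf policy script this would be called as `dmgURL=$(resolve_dmg_url "$4") || exit 1`, which keeps the URL in parameter 4 as suggested above.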