Posted on 11-15-2022 01:44 AM
Hello,
We have deployed the Qualys agent on Macs for security & monitoring purposes.
Admin users can disable it following these instructions: https://success.qualys.com/support/s/article/000001832#:~:text=Navigate%20to%20Cloud%20Agent%20%2D%3...
Any idea how to ban a user from uninstalling/deleting a specific app/agent?
Thanks
11-15-2022 07:59 AM - edited 11-15-2022 08:02 AM
I recommend setting up a workflow similar to this one ~ https://community.jamf.com/t5/jamf-protect/faster-re-install-of-jamf-protect/m-p/268968
The idea is to have a script run at every check-in that determines the status of said Qualys agents; if the script determines the agent to be missing, or anything you determine from Qualys uninstalled, it will re-install. This is set to your check-in time, so it can run every 5 or more minutes if you so choose. (Predicated upon the number of policies you have set to trigger at recurring check-in, I'd advise starting with every 15 minutes.)
11-15-2022 01:59 PM - edited 11-15-2022 02:00 PM
@Eskobar I'd propose a variant of @Hugonaut's approach. Rather than have the re-install triggered during the periodic check-in with Jamf Pro, use a LaunchDaemon to periodically check for the presence of the Qualys installation (the existence of /usr/local/qualys/cloud-agent/bin/qagent_uninstall.sh perhaps) and, if it isn't found, use the jamf binary to trigger re-installation (e.g. 'jamf policy -event InstallQualys' to trigger a policy with the custom trigger 'InstallQualys'). This way you're only running a policy to remediate a Mac when it's necessary, and not checking for Qualys state on every check-in.
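A sketch of the script such a LaunchDaemon could run, added here as an example and not posted by anyone in the thread. The marker path and the `InstallQualys` trigger come from the post above; the state file, the 600-second throttle, the `run` argument and the `/usr/local/bin/jamf` default are assumptions.

```shell
#!/bin/sh
# Qualys watchdog, meant to be started by a root LaunchDaemon (for example with
# StartInterval 900 and ProgramArguments: this script, then "run").
# Every path is overridable from the environment so the logic can be tested.
MARKER="${MARKER:-/usr/local/qualys/cloud-agent/bin/qagent_uninstall.sh}"
JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"
EVENT="${EVENT:-InstallQualys}"                 # custom trigger from the thread
STAMP="${STAMP:-/var/run/qualys_watchdog.last}" # hypothetical state file
MIN_GAP="${MIN_GAP:-600}"                       # assumed: seconds between attempts

# The agent counts as installed when the marker file exists.
qualys_present() { [ -e "$MARKER" ]; }

# True when a remediation was fired less than MIN_GAP seconds ago, so a slow
# install is not re-triggered on every interval.
recently_triggered() {
    [ -f "$STAMP" ] || return 1
    last=$(cat "$STAMP" 2>/dev/null)
    case "$last" in ''|*[!0-9]*) return 1 ;; esac   # ignore a corrupt stamp
    now=$(date +%s)
    [ $((now - last)) -lt "$MIN_GAP" ]
}

# Prints one of: present, throttled, no-jamf, triggered, trigger-failed.
check_and_remediate() {
    if qualys_present; then echo "present"; return 0; fi
    if recently_triggered; then echo "throttled"; return 0; fi
    if [ ! -x "$JAMF_BIN" ]; then echo "no-jamf"; return 1; fi
    date +%s > "$STAMP"
    logger -t qualys-watchdog "marker missing, firing $EVENT" 2>/dev/null || true
    if "$JAMF_BIN" policy -event "$EVENT" >/dev/null 2>&1; then
        echo "triggered"
    else
        echo "trigger-failed"; return 1
    fi
}

# Only act when launched with the "run" argument.
case "${1:-}" in run) check_and_remediate ;; esac
```

launchd runs this as root, so the script and its plist should be owned by root:wheel and not writable by other users.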
Posted on 11-15-2022 02:02 PM
touché sir!
Posted on 11-15-2022 02:09 PM
I may have a LaunchDaemon addiction :-)
Posted on 11-24-2022 12:33 AM
Posted on 11-24-2022 01:42 AM
Posted on 11-28-2022 01:00 PM
@Eskobar An EA needs to return its response in a result tag:
#!/bin/sh
CheckFileName="/Library/LaunchDaemons/com.qualys.cloud-agent.plist"
result="False"
if [ -e "${CheckFileName}" ]; then
    result="True"
fi
echo "<result>$result</result>"