Installing Cylance Package

jonathanla
New Contributor III

I'm having some difficulty figuring out how to use Casper to install Cylance on every Mac in our organization. I've tried to create a shell script that will run it (not through Casper yet) but when I try on a test Mac it fails.

I have the Cylance.pkg and a cylance_install_token file in the same folder as the script. I copied the verbiage from a larger script that someone in our InfoSec team had created a while ago to install this and other security software and it works there. Maybe I missed something?

If I can get this script to actually install it then I can go to the next step and figure out how to use Casper to push it out.

#!/bin/sh

# Cylance AV Client Install

echo "Installing Cylance AV Agent for Mac. ";
echo "Cylance AV Agent Start: " `date`" " >> $LOG; installer -pkg CylancePROTECT.pkg -target LocalSystem
echo "Cylance AV Agent Stop: " `date`" " >> $LOG;
echo "Completed Cylance AV Agent for Mac Installation. ";

The output I get from Terminal is

BUR-JMENDEL4-i:~ jmendel$ /Users/jmendel/Desktop/Cylance Installer/Cylance.sh
Installing Cylance AV Agent for Mac.

/Users/jmendel/Desktop/Cylance Installer/Cylance.sh: line 5: $LOG: ambiguous redirect
installer: Error the package path specified was invalid: 'CylancePROTECT.pkg'.
/Users/jmendel/Desktop/Cylance Installer/Cylance.sh: line 7: $LOG: ambiguous redirect
Completed Cylance AV Agent for Mac Installation.

BUR-JMENDEL4-i:~ jmendel$

davidacland
Honored Contributor II

The two errors you're getting are:

  • ambiguous redirect - You are using the $LOG variable but it's not set anywhere
  • package path invalid - There isn't a path to the CylancePROTECT.pkg so the script doesn't know where to look for it

Ignoring the echo commands, does the package install ok with:

installer -pkg /full/path/to/CylancePROTECT.pkg -target /

jonathanla
New Contributor III

I've made the changes and added sudo because without that it was saying it needed to be run as root. However with sudo it requires a password that I want the users to avoid seeing or having to enter.

davidacland
Honored Contributor II

The jamf binary runs as root on the client devices so when you get to that stage you won't need sudo or for them to enter an admin password.

jonathanla
New Contributor III

Thanks. Now that we've determined that it works manually do you have suggestions for the best way to have it set to run unattended on every Mac in our company?

davidacland
Honored Contributor II

The easiest method would be to add the package as-is to your distribution point and deploy via a policy. If it works using the installer command, it should be ok with a policy. Did the cylance_install_token file have something to do with it?

jonathanla
New Contributor III

It requires the cylance_install_token file to be in the same folder as the pkg

davidacland
Honored Contributor II

Ok. In that case, create a new package that deploys the installer package and the cylance_install_token into a folder on the target Mac's hard drive (I normally use /tmp for things like this) and upload the new package to the distribution point.

In the policy, deploy the package, which will drop the actual package into the folder you've specified, along with the file, then add an extra command in the "files and processes" section of the policy, using the "execute command" text field to run installer -pkg /path/to/package -target /

jonathanla
New Contributor III

Can I use one of the Casper tools to create the package?

davidacland
Honored Contributor II

Absolutely. Composer is for building packages.

wayfaircasper
New Contributor II

@jonathanla is this installing your install token as well?!

I'm currently attempting to deploy this remotely as well. From the Cylance site I found this:

"The following shell scripts can be used to install & deploy Cylance on OSX using Casper:

UNATTENDED_INSTALL.SH

#!/bin/bash
echo xxxxxxxxxxxxxx > /private/cylanceinstall/cyagent_install_token
sudo installer -pkg /private/cylanceinstall/CylanceAgent.pkg -target /

For the unattended_install.sh, replace the xxxxxxxxxxxxxx with your install token. The unattended_install.sh is packaged with the installer pkg, and placed in /private to wait for execution from another shell script.

TRIGGER.SH

#!/bin/bash
sudo cd /private/cylanceinstall
source /private/cylanceinstall/unattended_install.sh
sleep 60
sudo rm -rf /private/cylanceinstall

The trigger.sh script is executed from the server side to run unattended_install.sh, sleep for 60 seconds (waiting for the installation to complete), then remove the deployment package."

kempt
New Contributor

Has anyone gotten this to deploy successfully? If so, what did you do exactly to achieve this? @wayfaircasper I'm encountering issues when I try to follow the directions posted on Cylance's site.

Chris_Hafner
Valued Contributor II

I have... then again it was just a POC with a single token that I was distributing to a small test fleet of about 20 computers. I'll admit that for the POC I simply grabbed the installer and token via Composer snapshot that I cleaned up and packaged. Nothing scripted and nothing complicated. Again, I used only my POC token but all units were properly recognized on their web console.

This was a month or so ago so I'm not sure what differences there may have been. We won't be deploying for a few more months, so I haven't pursued beyond the POC.

wayfaircasper
New Contributor II

@kempt I got it working, but not exactly the way that Cylance says to install it.

I used their:

UNATTENDED_INSTALL.SH

#!/bin/bash
echo xxxxxxxxxxxxxx > /Customlocation/cylanceinstall/cyagent_install_token
sudo installer -pkg /Customlocation/cylanceinstall/CylanceAgent.pkg -target /

With one policy I have this script and the CylancePROTECT.pkg that are moved into a directory on the user's machine. Next in the policy I add "File and Processes", and under the "Execute Command" I have the following line: /Customlocation/unattended_install.sh

This just runs the unattended install, that creates the token and installs the software. It does it silently and seems to work as expected.

Let me know if you need any help.

jonathanla
New Contributor III

Sorry to have dropped this for a while. I'm coming back to this now.

I used Composer to snapshot the install of the Cylance package. During the install, a modal window pops up wanting the token key. I can open a text file, copy and paste the key in and then continue with the install. After I finish the snapshot and upload it in Casper Admin I build a policy with that package and it will install Cylance, however, it will be without any token key and will keep prompting for a key in another modal window. This would not be optimal for the user experience.

Why won't it keep the token key in the package? Is there a file somewhere I can find it and add it to the snapshot?

jonathanla
New Contributor III

@wayfaircasper

Would you mind uploading some screenshots of your policy that you created to run it unattended? I think this might be the better option to install this way.

Thanks.

wayfaircasper
New Contributor II

@jonathanla

This may not be the correct way to do this but it is how I got it working.

This is my package before it's actually packaged in Composer:

The policy runs and this package and all contents are delivered and extracted to the target machine.
Next, this is how my policy is set up:

You can see that the policy moves the files over, then runs a script that imitates the actual install process.

I use the commands in the above comments, that has not changed.

Again, this may not be the expected way to install Cylance but it's been working for me. Let me know if this helps at all.

Please let me know if this helps, or if I can explain it better.

sedwards00
New Contributor

@wayfaircasper

Could you possibly share your unattended_install file. I'm testing it and I cannot get it to work.

wayfaircasper
New Contributor II

@sedwards00

It's actually written above in one of my posts but here's a screenshot (obviously place your token in the right spot in the script)

Are you getting any errors when it fails?

jonathanla
New Contributor III

Sorry @wayfaircasper

I'm still not following your process. Can we start at the beginning?

  1. You use Composer to install Cylance and during the install when it asks for the token you copy and paste it in that field and then finish up the Composer snapshot which you have saved as CylanceAgent1.pkg

Chris_Hafner
Valued Contributor II

@jonathanla Try this

• Open /private/tmp (On a computer with composer)
• Create a folder called "Cylance" (Just a suggestion on name)
• Drag the cylancePROTECT.pkg into this new folder.
• Create a shell script as suggested (example below) and call it something like "install_cylance_with_token.sh"

#!/bin/sh
#!/bin/bash

echo PLACE_TOKEN_HERE > /private/tmp/Cylance/cyagent_install_token 
sudo installer -pkg /private/tmp/Cylance/CylancePROTECT.pkg -target /

exit 0

• Copy the script into that new directory (/private/tmp/Cylance)
• Open Composer
• Drag the entire "Cylance" directory into Composer (the "Cylance" folder that you created in /private/tmp/)
• Check permissions on everything in that composer list.
• Package what you have in composer as a .pkg or a .dmg as you prefer. I see no benefit to having this packaged as a .dmg so...
• Upload this new package to Casper Admin with whatever notes and settings you prefer. In all likelihood, this will need to be installed after boot, but I'm not positive.
• Create a policy as described above, using the "execute command" field in "Files and Processes" as described. In the case of my example, that would be:

/private/tmp/Cylance/install_cylance_with_token.sh

This is what I've done this morning to check. It's working well for me.

P.S. I did consider simply trying to edit the source of the installer as there seems to be a script in the package where we could stick the token, but this process seems simpler.
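
Added example, not part of the thread and not Cylance or Jamf code: a variant of the install script above that writes the token file with owner-only permissions, returns the installer's own exit status instead of a fixed `exit 0`, and removes the token afterwards. The function name, its return codes and the `INSTALLER_BIN` override are assumptions made for illustration; the paths and file names are the ones used in this thread.

```sh
#!/bin/sh
# Added example: not from the thread, Cylance, or Jamf.
# Paths and file names follow the thread; install_with_token, its return
# codes and INSTALLER_BIN are hypothetical names used for illustration.

# Overridable so the function can be exercised without a real package.
INSTALLER_BIN="${INSTALLER_BIN:-/usr/sbin/installer}"

install_with_token() {
    stage_dir="$1"   # folder that holds the vendor package
    token="$2"       # installation token from the Cylance console
    pkg="$stage_dir/CylancePROTECT.pkg"
    token_file="$stage_dir/cyagent_install_token"

    [ -n "$token" ] || { echo "no install token supplied" >&2; return 2; }
    [ -f "$pkg" ] || { echo "package not found: $pkg" >&2; return 3; }

    # Write the token readable by its owner only. Remove any older copy
    # first, because umask does not tighten an existing file's mode.
    rm -f "$token_file"
    ( umask 077 && printf '%s\n' "$token" > "$token_file" ) || return 4

    # installer returns only when it has finished, so its exit status can
    # be captured directly.
    "$INSTALLER_BIN" -pkg "$pkg" -target /
    inst_rc=$?

    # Remove the token whether or not the install succeeded.
    rm -f "$token_file"

    [ "$inst_rc" -eq 0 ] || echo "installer exited with status $inst_rc" >&2
    return "$inst_rc"
}

# Runs only when called with the staging folder as its argument, e.g.
#   install_cylance_with_token.sh /private/tmp/Cylance
if [ -n "${1:-}" ]; then
    install_with_token "$1" "PLACE_TOKEN_HERE"
    exit $?
fi
```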

wayfaircasper
New Contributor II

@Chris_Hafner

Thank you for the reply,

This is also how I am doing this, my tmp folder is called something different, and apparently I was not clear enough in the beginning. But the main key here is that you don't install Cylance during the Composer package creation, just have the install package in the correct tmp folder with the correct script.

My apologies, let me know if I can be of any further help.

Chris_Hafner
Valued Contributor II

@wayfaircasper It was clear enough to me, which is why I built the process to test. I've also adopted it because it's really darned simple!

Thanks for coming up with that!

jonathanla
New Contributor III

@Chris_Hafner

Thanks for posting it in more detail. I'm fairly new at this and it helps to walk through every detail so that it makes sense to me.

• Open /private/tmp (On a computer with composer)
• Create a folder called "Cylance" (Just a suggestion on name)

(should I also copy the CylanceProtect.pkg installer in here?)

• Create a shell script as suggested (example below) and call it something like "install_cylance_with_token"

#!/bin/sh
#!/bin/bash

echo PLACE_TOKEN_HERE > /private/tmp/Cylance/cyagent_install_token

What am I supposed to be putting here? The actual key number? How does the policy read and add this to Cylance?

sudo installer -pkg /private/tmp/Cylance/CylancePROTECT.pkg -target /

exit 0

• Copy the script into that directory (/private/tmp/Cylance)
• Open Composer
• Drag the entire "Cylance" directory into Composer (the "Cylance" folder that you created in /private/tmp/)
• Check permissions on everything in that composer list.
• Package what you have in composer as a .pkg or a .dmg as you prefer. I see no benefit to having this packaged as a .dmg so...
• Upload this new package to Casper Admin with whatever notes and settings you prefer. In all likelihood, this will need to be installed after boot, but I'm not positive.
• Create a policy as described above, using the "execute command" field in "Files and Processes" as described. In the case of my example, that would be:

/private/tmp/Cylance/install_cylance_with_token

Chris_Hafner
Valued Contributor II

Whoops, sorry about that! I've edited the post to clarify for the future. It was a good thing too, as there were also a few blatant misspellings! In any event, Yes, you should copy the cylancePROTECT.pkg into that new folder. And yes, you copy your "installation token" from the "Application" section (https://my-vs2.cylance.com/Application/) of your Cylance Dashboard into the script. Specifically, where the text says "PLACE_TOKEN_HERE". Make sure that the spaces between remain intact.

jonathanla
New Contributor III

xxx

jonathanla
New Contributor III

@Chris_Hafner

I followed the steps and it did install with the token. I did get this error in the logs though, but the install was successful.

Executing Policy Cylance Unattended with Token
Mounting dmartin_share to /Volumes/CasperShare...
Verifying package integrity...
Copying Cylance.pkg...
Installing Cylance.pkg...
Successfully installed Cylance.pkg.
Running command /private/tmp/Cylance/install_cylance_with_token.sh...
Result of command:
installer: Package name is Cylance Agent
installer: Installing at base path /
installer: The install failed (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.)

jonathanla
New Contributor III

I uninstalled Cylance, flushed the logs and tried again and this time completed successfully without error.

Thanks @Chris_Hafner and @wayfaircasper for your help.

Jonathan

Chris_Hafner
Valued Contributor II

Post was solved while I was typing questions...

nicklaird
New Contributor

I see that this was already solved but figured I'd toss in how I accomplished this.

Using Composer to capture everything, I created a folder in /private named cylanceinstall and dropped my cylanceprotect.pkg and my UNATTENDED_INSTALL.sh in there, and turned that into a .pkg that would do the same on end-user machines. Then I created my CYLANCE_TRIGGER.sh, uploaded that to my JSS, and set it to run AFTER. I created a policy that included both my .pkg and the CYLANCE_TRIGGER.sh. The pkg gets pushed out first, creates the folder and dumps the .pkg and the unattended.sh into it, then the trigger.sh triggers the unattended.sh to run the install. I can't locate my unattended_install.sh at the moment, but I know it includes our token.

The CYLANCE_TRIGGER.sh script is as follows:

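#!/bin/bash

# cd is a shell builtin, so it is run directly rather than through sudo
cd /private/cylanceinstall
# Run the packaged install script, which writes the token and calls installer
source /private/cylanceinstall/unattended_install.sh
# Wait, then remove the staging folder
sleep 60
sudo rm -rf /private/cylanceinstall
# Update the computer's inventory record in the JSS
jamf recon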

sedwards00
New Contributor

I'm continuously getting this error when testing.

sedwards00
New Contributor

@Chris_Hafner

I got it to install but I still get errors from the logs:

Executing Policy Cylance Unattended with Token
Mounting dmartin_share to /Volumes/CasperShare...
Verifying package integrity...
Copying Cylance.pkg...
Installing Cylance.pkg...
Successfully installed Cylance.pkg.
Running command /private/tmp/Cylance/install_cylance_with_token.sh...
Result of command:
installer: Package name is Cylance Agent
installer: Installing at base path /
installer: The install failed (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.)

Also, periodically the agent would run in Offline Mode. Is this to be expected?

Chris_Hafner
Valued Contributor II

@jonathanla Was having the same issue. Perhaps, due to a previous installation of Cylance while he was testing this out. He uninstalled Cylance fully, and then re-installed via this method and stopped getting that error. Is your circumstance similar?

franton
Valued Contributor III

@sedwards00 Your unattended_install.sh has been saved as a real text format. Make sure it's actual txt and that error you posted will go away.

Chris_Hafner
Valued Contributor II

@franton Seen that one before?

jonathanla
New Contributor III

@Chris_Hafner I was able to get that error to go away but it has reappeared on every completed log.

installer: The install failed (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.)

sedwards00
New Contributor

@franton At first I made that mistake but since then I've been saving it as plain text in TextEditor.

Chris_Hafner
Valued Contributor II

@jonathanla Interesting.

In the instructions above I followed the thread as everything was being described and completely spaced on one difference between what I wrote for instructions and what I did in my production environment. In the instructions above I had you add the following command: "/private/tmp/Cylance/install_cylance_with_token" to the "Execute Command" field in the "Files and Processes" section of your JSS policy. This SHOULD work.

However, in my production environment, I added that command to a postinstall script, via composer and then wrapped the whole thing up as a .pkg. That way I could throw the .pkg on a flash drive if I ever wanted to. It is also a bit more "fool proof" as it won't rely on the JSS to get the rest of the policy right.

If you add a postinstall script to the Composer package, you MUST save it out as a .pkg and NOT .dmg.

Did I make sense?

franton
Valued Contributor III

@Chris_Hafner Once or twice ;)

Chris_Hafner
Valued Contributor II

@franton I laughed way too much at that comment. It must be a Monday. Hope to see you at JNUC this time, hopefully not self-funded.