Jamf Nation Community

kjenkins · ‎07-31-2019

Has anyone found an easy way to deploy the Rapid7 Mac Insight Agent using Jamf

coryhowell2 · ‎07-31-2019

I used Composer to put the agent_installer.sh file onto our Macs in the /private/tmp/ directory. I had an issue with the permissions on the script so I have a post install script file in the composer package to change the permissions on the script file chmod u+x. In the Jamf policy I have Files and Processes setup to execute the command along with installing the package made in composer. sh /private/tmp/agent_installer.sh install_start --token <your token>
I got the agent_installer.sh and the token from my InfoSec team. Rapid 7 would be able to give you that information as well I'm sure. replace <your token> with the token setup for your company.

kjenkins · ‎08-01-2019

Thanks for the help.

KJ

PCSysops · ‎09-17-2019

Thank you, this helped alot. I decided to just create the package in composer, then have a script run after the pkg was pushed to change permissions and execute the agent_installer.sh

cnoboa · ‎01-08-2020

Hello,

Has anyone found a way to uninstall the Rapid7 Agent via script?

spanigrahi11 · ‎05-16-2024

#!/bin/bash

# Stop Rapid7 services
sudo launchctl stop ir_agent.service
sudo launchctl stop com.rapid7.ir_agent

# Remove LaunchDaemon plist
sudo rm -f /Library/LaunchDaemons/com.rapid7.ir_agent.plist

# Disable Rapid7 service
sudo launchctl disable system/ir_agent

# Remove Rapid7 directory and its contents
sudo rm -rf /opt/rapid7/ir_agent
sudo rm -rf /opt/rapid7/

# Print uninstallation completed message
echo "Rapid7 uninstallation completed."

chase_g · ‎01-08-2020

@cnoboa I have had success using basically the same install package I built in composer and just changed my pre-install script to do the command: sudo ./agent_installer.sh uninstall
And that seems to work. So you should be able to do the same with a script that points to the location of the agent_installer.sh script with the uninstall command.

soms · ‎02-13-2020

I'm having this same issue, I'm relatively new to composer and osx so I'm looking on how I can achieve this. How do you use composer to package the agent_installer.sh and have it moved to /private/tmp

PCSysops · ‎02-26-2020

@soms First create the folder in your location. For example /private/tmp/Rapid7. Put all your files into your folder. Open Composer, and drag the folder from finder into composer. Then you can create a package. In Jamf, set it to install in your policy and it will just install the files to the path you set up. I set a script to run afterwards to install the agent with the token. Make sure you chmod u+x in the script like @coryhowell2 said.

markopolo · ‎05-07-2020

I set a script to run afterwards to install the agent with the token. Make sure you chmod u+x in the script like @coryhowell2 said.

Where exactly do I put the "chmod u+x"? Do I run as separate command after the installer like this?

lassekivikas · ‎05-11-2020

@mcantwell I think coryhowell2 meant that you need to create a script in the settings for the chmod, and then back to the policy, from the left side bar (fourth from the top) choose the script you just made and choose the priority to 'after'. Now the script will run after everything else.

I am currently doing this exact same thing, and I was wondering that if I have a package with the agent_installer, and then I have the install command in the 'Files and Processes', doesn't that mean that the package (with the agent_installer.sh) will run before the executable command in the 'Files and Processes' which should activate the agent_installer?

NOLA2ATX78 · ‎11-02-2020

so here's is my conundrum: When I deploy my policy I am using a .pkg with dropping the agent_installer.sh in the correct folder, plus the uninstall command. Then I am running the actual install from a command in "Files and Processes" using the following command: sudo ./agent_installer.sh install_start --token xxxxxxxxxxxxxxxxxx. But when automagically deployed it doesn't recognize the command, however if I flush the log and then go into terminal and do a sudo jamf policy manually the policy works beautifully. Am I missing something?

tphet · ‎06-22-2023

I am seeing a similar behavior. When I run the policy via "sudo jamf policy" in terminal it works. But when I push it out to test machines and have it install during Check-In, I get this error when running the script "Script result: tput: No value for $TERM and no -T specified".

Hoping to find a solution..

dwynn · ‎04-16-2021

@soms Can you share the script you use to install the package? I have the installer in private/tmp/Rapid7. Now I just need the chmod + token script.

PCSysops · ‎04-27-2021

@dwynn

This is what I use, and works with no issue. Put your Rapid7 token in and you should be good. I have the script set to run after the package is pushed.

!/bin/bash

cd /private/tmp/Rapid7

chmod u+x agent_installer.sh

sudo sh ./agent_installer.sh install_start --token=us:"token given to you"

dwynn · ‎04-29-2021

@PCSysops We have over 30 operating companies in our Jamf instance. Each one will need to put the company attribute into the install command like so:

insight_installer.sh install_start --token us:xxxxxxxxxx --attributes "CompanyAttribute Agent"

So what I did was in composer create the InsightVM package with "chmod u+x /private/tmp/InsightVM/insight_installer.sh" in a post install script.

Then create in the policy in Jamf Pro. Configure "Files and Proccess" and add /private/tmp/InsightVM/insight_installer.sh install_start --token us:xxxxxxxx --attributes "CompanyAttribute Agent" into Execute Command.

I hope this helps anybody else coming across this issue.

tphet · ‎06-22-2023

@dwynn - Question: How are you triggering the deployment? Are you installing the policy upon Recurring Check-In?

dwynn · ‎06-22-2023

I have it set up in the Self-Service portal and some set it for Recurring Check-in. What kind of issue are you having?

tphet · ‎06-22-2023

Ah, I'm hoping to set it for Recurring Check-In. I'm able to install the agent if I manually go to the computer and type in "sudo jamf policy", but when I trigger it for Recurring Check-In I get this:

dwynn · ‎06-22-2023

You need to create a pkg with Composer. Here are the instructions. The name of your .sh file will vary. In this example I use "insight_installer.sh"

Create a new folder at /private/tmp called InsightVM and extract all install files to this directory. Drag the directory into Composer.
Create a Post Install script for the package. Paste this command: chmod u+x /private/tmp/InsightVM/insight_installer.sh
Create the Package and upload it to Jamf Pro
Then create a policy in Jamf Pro. Add the PKG you just uploaded and Configure "Files and Proccess" and add /private/tmp/InsightVM/insight_installer.sh install_start --token us:xxxxxxxx --attributes "CompanyAttribute Agent" into Execute Command.

You might not use any --attributes "CompanyAttribute Agent". If not just leave that out.

For Apple Silicon the command is: /private/tmp/InsightVM/insight_installer-arm.sh install_start --token us:xxxxxxxx --attributes "CompanyAttribute Agent"

dwynn · ‎06-22-2023

Here is a video on how to create with Composer:

https://www.loom.com/share/cd2e812d83b343698f5ef061e4cef00c?sid=c494e355-f8ed-45db-8dba-b8df9946dfcc

ckulesza · ‎06-02-2021

I am very new to doing this type of packaging. Can someone give me the steps they used in Composer to create the package that has the folder it is in and such. I am being asked to roll this out to our company. In the near future.

Thanks

DJRizzo · ‎10-22-2021

Could anyone tell me how to verify the agent was installed correctly? Thanks!

dwynn · ‎10-22-2021

You can run the command: ps aux | grep ir_agent

https://docs.rapid7.com/insight-agent/agent-controls/

JevermannNG · ‎04-04-2023

Hey @DJRizzo

not sure if the question is still open but we use the following EA to collect the Rapid7 Status:

#!/bin/bash

if [ -e /opt/rapid7/ir_agent/ir_agent ]; then
    versionCheck=$(/opt/rapid7/ir_agent/components/insight_agent/insight_agent --version | awk '/Semantic/ {print $3}')
    sleep 2
    lastExecuted=$(date -r $(cat /opt/rapid7/ir_agent/components/insight_agent/common/config/agent.jobs.tem_realtime.json | awk '/remote_execution_last_collection_time/ {print$2}' | sed s/,//g))
	sleep 2
    echo "<result>Version: $versionCheck Date: $lastExecuted</result>"
else
	echo "<result>Agent Not Installed</result>"
fi

ckulesza · ‎10-22-2021

I had my infosec team verify from the rapid7 console.

dmcnicholas1 · ‎04-29-2022

Hello, I was able to get the file copied to the /private/tmp folder and run the command. According to my security team the device is still not reporting in. Does the ir_agent need to be granted full disk access?

dwynn · ‎11-30-2022

What do the Policy Logs details say for that machine?

dmcnicholas1 · ‎11-30-2022

Actually, the issue was with the dashboard. Seems it took 48 hours to start reporting in. Now all of my devices are reporting with no issues.

kprimm · ‎02-23-2023

Hello,
We have about 40% of our devices not getting the Rapid7 portion of our enrollment for whatever reason. These devices are about 30% intel, 70% carbon chipsets. I have dinked around with a handful of scripts but the screenshot I uploaded is the original script that has successfully worked on a little over half of our devices. I went in and edited to some of the information above as in including the chmod and sudo portions mentioned by PCSysops but logs returned 'Failed' results as well, although they didn't return a permissions issue, they returned a "File not found" error instead.

Does this look familiar to anyone? Any advice is greatly appreciated.

Kerry

medu · ‎03-07-2023

Be sure to change permissions in the install script.

Ex.

#!/bin/bash

chmod u+x /private/tmp/Rapid7/agent_installer-arm64.sh

/private/tmp/Rapid7/agent_installer-arm64.sh install_start --token us:Your Token Goes Here

rm -rf /private/tmp/Rapid7

exit 0

JevermannNG · ‎04-04-2023

Hey @kprimm

Did you run the chmod command prior the script executing?

JevermannNG · ‎04-04-2023

Just wondering if I can use the following folder for the Rapid7 installation files because I want to keep them for the case of a re-installation:

/usr/local/bin/

jhuls · ‎07-19-2023

We just purchased Rapid7 so I don't have any documentation or anything yet but I've been provided two scripts and token.

I'm seeing here that people are talking about creating a pkg to run the script. I'm curious why would a package need to be created? Can the script not be put into Jamf and let a policy run it?

dmcnicholas1 · ‎07-19-2023

Did not work for me. Had to cache policy, then install via script with the token.

JevermannNG · ‎07-20-2023

No, the script has to be in a directory on the Mac, e.g. /usr/local/bin/Rapid7/

I created a PKG which places both Rapid7 Installer Scripts in that place. In two seoarated Policies, one for x86 and one for arm Macs, I send the PKG to the Mac followed by the following Script which helps me to run the specified Agent Installer Script on the Mac:

#!/bin/bash

echo "### Token: $4 #####"
sleep 2

cd /usr/local/bin/Rapid7/
chmod u+x agent_installer-x86_64.sh && echo "### chmod done #####"
sleep 2

cd /usr/local/bin/Rapid7/
./agent_installer-x86_64.sh install_start --token $4
echo "### The following script has been executed: Rapid7-Agent-Installer-Preparation-x86_64.sh #####"
sleep 2

echo "### List of /usr/local/bin/Rapid7/
$(ls -l /usr/local/bin/Rapid7/) #####"
sleep 2

exit 0

The Script has the following options under Parameter 4 (I placed the Rapid7 Token there):

Rapid7 provides a documentation how to distribute Rapid7 via Jamf Pro.

cslemp · ‎10-26-2023

@JevermannNGHow did you get the documentation from Rapid7? They told us they don't have it...

dmcnicholas1 · ‎10-26-2023

https://docs.rapid7.com/insight-agent/certificate-package-installation-method#install-on-mac-and-lin...

cslemp · ‎10-26-2023

Yeah, I have that. Those are just single install instruction though, not what I would consider comprehensive mass deployment documentation (like they have for Windows).

Considering the comment below about FDA and that Rapid7 has a mobile config file in use internally, I do think they ought to have better documentation...

- Chris

dmcnicholas1 · ‎10-26-2023

Agreed, I ended up creating the script below, and install cached and it worked for me.

#!/bin/sh

# Install Rapid7 Agent

cd /private/tmp

chmod u+x agent_installer-arm64.sh

sleep 10

sudo ./agent_installer-arm64.sh install_start --token us:**********************

exit

Jamf Nation Community

Rapid 7 Mac Insight Agent

!/bin/bash