Posted on 07-31-2019 11:44 AM
Has anyone found an easy way to deploy the Rapid7 Mac Insight Agent using Jamf?
Posted on 07-31-2019 01:41 PM
I used Composer to put the agent_installer.sh file onto our Macs in the /private/tmp/ directory. I had an issue with the permissions on the script so I have a post install script file in the composer package to change the permissions on the script file: chmod u+x. In the Jamf policy I have Files and Processes setup to execute the command along with installing the package made in composer.
sh /private/tmp/agent_installer.sh install_start --token <your token>
I got the agent_installer.sh and the token from my InfoSec team. Rapid7 would be able to give you that information as well I'm sure. Replace <your token> with the token setup for your company.
Posted on 08-01-2019 05:25 AM
Thanks for the help.
KJ
Posted on 09-17-2019 12:37 PM
Thank you, this helped a lot. I decided to just create the package in composer, then have a script run after the pkg was pushed to change permissions and execute the agent_installer.sh.
Posted on 01-08-2020 07:43 AM
Hello,
Has anyone found a way to uninstall the Rapid7 Agent via script?
Posted on 05-16-2024 06:49 AM
#!/bin/bash
# Stop Rapid7 services
sudo launchctl stop ir_agent.service
sudo launchctl stop com.rapid7.ir_agent
# Remove LaunchDaemon plist
sudo rm -f /Library/LaunchDaemons/com.rapid7.ir_agent.plist
# Disable Rapid7 service
sudo launchctl disable system/ir_agent
# Remove Rapid7 directory and its contents
sudo rm -rf /opt/rapid7/ir_agent
sudo rm -rf /opt/rapid7/
# Print uninstallation completed message
echo "Rapid7 uninstallation completed."
Posted on 01-08-2020 02:20 PM
@cnoboa I have had success using basically the same install package I built in composer and just changed my pre-install script to do the command: sudo ./agent_installer.sh uninstall
And that seems to work. So you should be able to do the same with a script that points to the location of the agent_installer.sh script with the uninstall command.
Posted on 02-13-2020 05:13 PM
I'm having this same issue. I'm relatively new to composer and osx so I'm looking on how I can achieve this. How do you use composer to package the agent_installer.sh and have it moved to /private/tmp?
Posted on 02-26-2020 11:37 AM
@soms First create the folder in your location. For example /private/tmp/Rapid7. Put all your files into your folder. Open Composer, and drag the folder from finder into composer. Then you can create a package. In Jamf, set it to install in your policy and it will just install the files to the path you set up. I set a script to run afterwards to install the agent with the token. Make sure you chmod u+x in the script like @coryhowell2 said.
Posted on 05-07-2020 02:43 PM
I set a script to run afterwards to install the agent with the token. Make sure you chmod u+x in the script like @coryhowell2 said.
Where exactly do I put the "chmod u+x"? Do I run as separate command after the installer like this?
Posted on 05-11-2020 12:48 AM
@mcantwell I think coryhowell2 meant that you need to create a script in the settings for the chmod, and then back to the policy, from the left side bar (fourth from the top) choose the script you just made and choose the priority to 'after'. Now the script will run after everything else.
I am currently doing this exact same thing, and I was wondering that if I have a package with the agent_installer, and then I have the install command in the 'Files and Processes', doesn't that mean that the package (with the agent_installer.sh) will run before the executable command in the 'Files and Processes' which should activate the agent_installer?
Posted on 11-02-2020 11:04 AM
So here is my conundrum: When I deploy my policy I am using a .pkg with dropping the agent_installer.sh in the correct folder, plus the uninstall command. Then I am running the actual install from a command in "Files and Processes" using the following command: sudo ./agent_installer.sh install_start --token xxxxxxxxxxxxxxxxxx. But when automagically deployed it doesn't recognize the command, however if I flush the log and then go into terminal and do a sudo jamf policy manually the policy works beautifully. Am I missing something?
Posted on 06-22-2023 08:39 AM
I am seeing a similar behavior. When I run the policy via "sudo jamf policy" in terminal it works. But when I push it out to test machines and have it install during Check-In, I get this error when running the script "Script result: tput: No value for $TERM and no -T specified".
Hoping to find a solution..
Posted on 04-16-2021 12:42 PM
@soms Can you share the script you use to install the package? I have the installer in private/tmp/Rapid7. Now I just need the chmod + token script.
Posted on 04-27-2021 12:03 PM
This is what I use, and works with no issue. Put your Rapid7 token in and you should be good. I have the script set to run after the package is pushed.
cd /private/tmp/Rapid7
chmod u+x agent_installer.sh
sudo sh ./agent_installer.sh install_start --token=us:"token given to you"
Posted on 04-29-2021 09:20 AM
@PCSysops We have over 30 operating companies in our Jamf instance. Each one will need to put the company attribute into the install command like so:
insight_installer.sh install_start --token us:xxxxxxxxxx --attributes "CompanyAttribute Agent"
So what I did was in composer create the InsightVM package with "chmod u+x /private/tmp/InsightVM/insight_installer.sh" in a post install script.
Then create in the policy in Jamf Pro. Configure "Files and Processes" and add /private/tmp/InsightVM/insight_installer.sh install_start --token us:xxxxxxxx --attributes "CompanyAttribute Agent" into Execute Command.
I hope this helps anybody else coming across this issue.
Posted on 06-22-2023 09:02 AM
@dwynn - Question: How are you triggering the deployment? Are you installing the policy upon Recurring Check-In?
Posted on 06-22-2023 09:17 AM
I have it set up in the Self-Service portal and some set it for Recurring Check-in. What kind of issue are you having?
Posted on 06-22-2023 10:39 AM
Ah, I'm hoping to set it for Recurring Check-In. I'm able to install the agent if I manually go to the computer and type in "sudo jamf policy", but when I trigger it for Recurring Check-In I get this:
06-22-2023 10:43 AM - edited 06-22-2023 11:11 AM
You need to create a pkg with Composer. Here are the instructions. The name of your .sh file will vary. In this example I use "insight_installer.sh"
You might not use any --attributes "CompanyAttribute Agent". If not just leave that out.
For Apple Silicon the command is: /private/tmp/InsightVM/insight_installer-arm.sh install_start --token us:xxxxxxxx --attributes "CompanyAttribute Agent"
Posted on 06-22-2023 10:58 AM
Here is a video on how to create with Composer:
https://www.loom.com/share/cd2e812d83b343698f5ef061e4cef00c?sid=c494e355-f8ed-45db-8dba-b8df9946dfcc
Posted on 06-02-2021 05:47 AM
I am very new to doing this type of packaging. Can someone give me the steps they used in Composer to create the package that has the folder it is in and such? I am being asked to roll this out to our company in the near future.
Thanks
Posted on 10-22-2021 07:53 AM
Could anyone tell me how to verify the agent was installed correctly? Thanks!
Posted on 10-22-2021 08:00 AM
You can run the command: ps aux | grep ir_agent
Posted on 04-04-2023 01:58 AM
Hey @DJRizzo
not sure if the question is still open but we use the following EA to collect the Rapid7 Status:
#!/bin/bash
if [ -e /opt/rapid7/ir_agent/ir_agent ]; then
    versionCheck=$(/opt/rapid7/ir_agent/components/insight_agent/insight_agent --version | awk '/Semantic/ {print $3}')
    sleep 2
    lastExecuted=$(date -r $(cat /opt/rapid7/ir_agent/components/insight_agent/common/config/agent.jobs.tem_realtime.json | awk '/remote_execution_last_collection_time/ {print$2}' | sed s/,//g))
    sleep 2
    echo "<result>Version: $versionCheck Date: $lastExecuted</result>"
else
    echo "<result>Agent Not Installed</result>"
fi
Posted on 10-22-2021 07:57 AM
I had my infosec team verify from the rapid7 console.
Posted on 04-29-2022 11:24 AM
Hello, I was able to get the file copied to the /private/tmp folder and run the command. According to my security team the device is still not reporting in. Does the ir_agent need to be granted full disk access?
Posted on 11-30-2022 12:19 PM
What do the Policy Logs details say for that machine?
Posted on 11-30-2022 01:59 PM
Actually, the issue was with the dashboard. Seems it took 48 hours to start reporting in. Now all of my devices are reporting with no issues.
Posted on 02-23-2023 12:58 PM
Hello,
We have about 40% of our devices not getting the Rapid7 portion of our enrollment for whatever reason. These devices are about 30% intel, 70% carbon chipsets. I have dinked around with a handful of scripts but the screenshot I uploaded is the original script that has successfully worked on a little over half of our devices. I went in and edited to some of the information above as in including the chmod and sudo portions mentioned by PCSysops but logs returned 'Failed' results as well, although they didn't return a permissions issue, they returned a "File not found" error instead.
Does this look familiar to anyone? Any advice is greatly appreciated.
Kerry
Posted on 03-07-2023 11:46 AM
Be sure to change permissions in the install script.
Ex.
#!/bin/bash
chmod u+x /private/tmp/Rapid7/agent_installer-arm64.sh
/private/tmp/Rapid7/agent_installer-arm64.sh install_start --token us:Your Token Goes Here
rm -rf /private/tmp/Rapid7
exit 0
Posted on 04-04-2023 01:51 AM
Hey @kprimm
Did you run the chmod command prior to the script executing?
Posted on 04-04-2023 01:45 AM
Just wondering if I can use the following folder for the Rapid7 installation files because I want to keep them for the case of a re-installation:
/usr/local/bin/
Posted on 07-19-2023 08:56 AM
We just purchased Rapid7 so I don't have any documentation or anything yet but I've been provided two scripts and token.
I'm seeing here that people are talking about creating a pkg to run the script. I'm curious why would a package need to be created? Can the script not be put into Jamf and let a policy run it?
07-19-2023 09:49 AM - edited 07-19-2023 09:50 AM
Did not work for me. Had to cache policy, then install via script with the token.
07-20-2023 12:45 AM - edited 07-20-2023 01:00 AM
No, the script has to be in a directory on the Mac, e.g. /usr/local/bin/Rapid7/
I created a PKG which places both Rapid7 Installer Scripts in that place. In two separate Policies, one for x86 and one for arm Macs, I send the PKG to the Mac followed by the following Script which helps me to run the specified Agent Installer Script on the Mac:
#!/bin/bash
echo "### Token: $4 #####"
sleep 2
cd /usr/local/bin/Rapid7/
chmod u+x agent_installer-x86_64.sh && echo "### chmod done #####"
sleep 2
cd /usr/local/bin/Rapid7/
./agent_installer-x86_64.sh install_start --token $4
echo "### The following script has been executed: Rapid7-Agent-Installer-Preparation-x86_64.sh #####"
sleep 2
echo "### List of /usr/local/bin/Rapid7/
$(ls -l /usr/local/bin/Rapid7/) #####"
sleep 2
exit 0
The Script has the following options under Parameter 4 (I placed the Rapid7 Token there):
Rapid7 provides documentation on how to distribute Rapid7 via Jamf Pro.
Posted on 10-26-2023 07:27 AM
@JevermannNG How did you get the documentation from Rapid7? They told us they don't have it...
Posted on 10-26-2023 08:17 AM
Posted on 10-26-2023 08:30 AM
Yeah, I have that. Those are just single install instruction though, not what I would consider comprehensive mass deployment documentation (like they have for Windows).
Considering the comment below about FDA and that Rapid7 has a mobile config file in use internally, I do think they ought to have better documentation...
- Chris
Posted on 10-26-2023 08:42 AM
Agreed, I ended up creating the script below, and install cached and it worked for me.
#!/bin/sh
# Install Rapid7 Agent
cd /private/tmp
chmod u+x agent_installer-arm64.sh
sleep 10
sudo ./agent_installer-arm64.sh install_start --token us:**********************
exit
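An added example, not code from any poster or from Rapid7: a Jamf policy script that picks the installer for the Mac's architecture, runs it only if the staging directory and the script are root-owned and not writable by group or others, and passes the token from parameter 4 without echoing it into the policy log. The /usr/local/bin/Rapid7 path and the installer file names come from the posts above; the TERM default for the tput error reported at check-in is an assumption.

```bash
#!/bin/bash
# Added example, not from the thread. Jamf passes the token as parameter 4.
STAGE_DIR="/usr/local/bin/Rapid7"   # staging directory named in the thread

# Map a `uname -m` value to the installer file names used in the thread.
installer_for_arch() {
    case "$1" in
        arm64)  echo "agent_installer-arm64.sh" ;;
        x86_64) echo "agent_installer-x86_64.sh" ;;
        *)      return 1 ;;
    esac
}

# Succeed only if $1 exists, is not a symlink, is owned by uid $2
# (default 0, root) and is not writable by group or others.
owner_only_writable() {
    local path="$1" want_uid="${2:-0}" meta mode uid
    [ -e "$path" ] && [ ! -L "$path" ] || return 1
    meta=$(ls -ldn "$path") || return 1
    mode=$(echo "$meta" | awk '{print $1}')
    uid=$(echo "$meta" | awk '{print $3}')
    [ "$uid" = "$want_uid" ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # group-write or other-write bit set
    esac
    return 0
}

# Check the staging directory and the installer for this architecture,
# then print the installer path. Args: dir arch [expected_uid]
checked_installer() {
    local dir="$1" name
    name=$(installer_for_arch "$2") || return 1
    owner_only_writable "$dir" "${3:-0}" || return 1
    [ -f "$dir/$name" ] || return 1
    owner_only_writable "$dir/$name" "${3:-0}" || return 1
    echo "$dir/$name"
}

# Runs only when a token is supplied; the token is never written to the log.
if [ -n "${4:-}" ]; then
    export TERM="${TERM:-dumb}"   # assumption: lets tput run without a terminal
    installer=$(checked_installer "$STAGE_DIR" "$(uname -m)") || {
        echo "Installer missing, not root-owned, or writable by others" >&2
        exit 1
    }
    chmod u+x "$installer"
    "$installer" install_start --token "$4"
fi
```

A staging directory that is itself world-writable, such as /private/tmp used directly, fails the directory check by design; a root-owned subfolder created by the package passes.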