Rapid 7 Mac Insight Agent

kjenkins
New Contributor

Has anyone found an easy way to deploy the Rapid7 Mac Insight Agent using Jamf


cslemp
New Contributor III

Thanks for this. It's been helpful to see all the different approaches people have taken.

jhbush
Valued Contributor II

This is what I'm using as a postinstall: rapid7-munkipkg

#!/bin/bash
## postinstall

pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

arch=$(/usr/bin/arch)

if [ "$arch" == "arm64" ]; then
    echo "Apple Silicon Detected"
    chmod +x /private/tmp/rapid7/agent_installer-arm64.sh
    /bin/sh /private/tmp/rapid7/agent_installer-arm64.sh install_start --token us:yourcodehere
else
    echo "Intel Detected"
    chmod +x /private/tmp/rapid7/agent_installer-x86_64.sh
    /bin/sh /private/tmp/rapid7/agent_installer-x86_64.sh install_start --token us:yourcodehere
fi

# Detect Rapid7 is running

if pgrep -x "ir_agent" >/dev/null; then
    echo "Install Successful"
    # Clean Up
    rm -rf /private/tmp/rapid7
    exit 0
else
    echo "Install Failed"
    # Clean Up
    rm -rf /private/tmp/rapid7
    exit 1
fi

MichaelMcG
New Contributor III

Hey, hope you are well, 

I've been tasked with deploying Rapid 7, and all seems to be working, BUT people are telling me you need a config profile to grant Full Disk Access for the ir_agent, and I am having no luck finding any info around this, or which identifiers to use. Are you using one?

For some inexplicable reason they don't mention the FDA being needed in their documentation. Their logging also doesn't reveal that anything is failing if you don't have FDA allowed. Talk to their support though. They provided us with the mobileconfig file that they use internally. This was after we rolled it out not knowing FDA was needed and I happened to notice that it was showing up in the system settings wanting access. We weren't too happy about that and it wasn't noticed during testing.

MichaelMcG
New Contributor III

Thanks, will get my infosec team to reach out and grab that. Thanks for the reply.

TheCrusher4Real
New Contributor III

Brand new to the world of packaging for Macs. We have a mix of Intel Macs and M1s in our environment. Can anyone confirm whether or not I'll need to download both versions of the macOS installer from Rapid7, then target our devices according to chip type (Intel or M1)? Thanks.

Hey,

Yes, you will need both, as there is no universal installer. There is a script floating around on here that checks the architecture of the Mac and then installs the right version, so you can make one package, target the entire fleet and let the script do the rest of the work.

Thanks for that info. And one more point to confirm: once the Rapid7 Insight Agent is installed on a Mac, is there any reason to redeploy/reinstall a newer version of the Agent? My understanding (based on behavior on Windows devices) is that once the Agent is installed, it will update itself without user or administrator intervention. Just wanted to make sure that's the way it will work on Macs as well. Thanks! 

dwynn
New Contributor III

ISVM Agent auto updates on our Macs. 

 

I have two separate policies for the ISVM Install. You could just deploy both installers to the machine and let the scope take care of it. 

Scoped to Apple Silicon - /private/tmp/InsightVM/insight_installer-arm.sh install_start --token us:0000-0000-0000-0000-00000 --attributes "XXXX Agent"

 

Scoped to Intel - /private/tmp/InsightVM/insight_installer.sh install_start --token us:0000-0000-0000-0000-00000 --attributes "XXXX Agent"

dwynn
New Contributor III

Has anyone had success with the new Mac installation instructions below? I can install the .pkg just fine but my method of running the token install command under Files and Processes > Execute Command isn't working anymore.

 

https://docs.rapid7.com/insight-agent/mac-installation/

Yes, but I use a script that starts either the ARM or Intel PKG installation.

Parameters 4 and 5 of the script are the input fields for the token and the Rapid7 installer version.

#!/bin/bash

SystemArch=$(/usr/bin/arch)
echo "### SystemArch - $SystemArch #####"
sleep 2

# Rapid7 token can be found in parameter 4 (note: this echo writes the token into the policy log)
echo "### Token: $4 #####"
sleep 2

# Rapid7 path - version can be found in parameter 5
Rapid7Path="/opt/rapid7/ir_agent/components/insight_agent/$5"
echo "### Rapid7Path - $Rapid7Path #####"
sleep 2

# Start the matching Rapid7 pkg installer via a custom-trigger policy
if [ "$SystemArch" == "arm64" ]; then
    echo "### Apple Silicon Detected #####"
    /usr/local/bin/jamf policy -event Rapid7-ARM
    sleep 2
else
    echo "### Intel Detected #####"
    /usr/local/bin/jamf policy -event Rapid7-X86
    sleep 2
fi

# Register the agent with the token (Jamf policy scripts already run as root, so no sudo is needed)
"$Rapid7Path/configure_agent.sh" --token "$4" --start && echo "### Rapid7 Config Script Start #####"

# List folder content of Rapid7Path
echo "### List of Rapid7Path
$(ls -l "$Rapid7Path")
#####"
sleep 2

# Finish script
echo "### Jamf Recon - Start #####"
/usr/local/bin/jamf recon && echo "### Jamf Recon - Completed #####"
sleep 2

dwynn
New Contributor III

Thank you. I just couldn't get this script to work with another parameter for --attributes. I have 50 companies each with a different attribute so it would have been nice to get this one to work. I had to create a Composer package for each company. Here is the postinstall script I used.

 

#!/bin/sh
## postinstall

pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

arch=$(/usr/bin/arch)

if [ "$arch" = "arm64" ]; then
    echo "Apple Silicon Detected"
    /usr/sbin/installer -pkg /private/tmp/rapid7/rapid7-insight-agent-4.0.9.38-1.arm64.pkg -target /
else
    echo "Intel Detected"
    /usr/sbin/installer -pkg /private/tmp/rapid7/rapid7-insight-agent-4.0.9.38-1.x86_64.pkg -target /
fi

# Configure agent (token and attributes are baked into this per-company package)

/opt/rapid7/ir_agent/components/insight_agent/4.0.9.38/configure_agent.sh --token=us:TOKEN --attributes "ATTRIBUTES" --start

# Detect Rapid7 is running

if pgrep -x "ir_agent" >/dev/null; then
    echo "Install Successful"
    # Clean Up
    rm -rf /private/tmp/rapid7
    exit 0
else
    echo "Install Failed"
    # Clean Up
    rm -rf /private/tmp/rapid7
    exit 1
fi

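One way to avoid a Composer package per company is a single Jamf policy script that takes the token, agent version and per-company attribute string as script parameters 4, 5 and 6, picks the pkg by architecture and only reports success when ir_agent is actually running. This is an added example, not dwynn's script or Rapid7's code; it assumes both pkgs are already staged in /private/tmp/rapid7 by a separate package policy, that the pkg names follow the rapid7-insight-agent-<version>-1.<arch>.pkg pattern shown in the thread, and that /usr/bin/arch prints i386 on Intel Macs.

```shell
#!/bin/bash
# Added example Jamf policy script. Parameters: $4 = Rapid7 token (region:id),
# $5 = agent version (e.g. 4.0.9.38), $6 = attributes string for this company.
# Assumption: a prior package policy staged both pkgs in /private/tmp/rapid7.
STAGE_DIR="${STAGE_DIR:-/private/tmp/rapid7}"
AGENT_ROOT="/opt/rapid7/ir_agent/components/insight_agent"

# Map the output of /usr/bin/arch (arm64 on Apple Silicon, i386 on Intel)
# to the pkg name pattern used in the thread: rapid7-insight-agent-<ver>-1.<arch>.pkg
pkg_for_arch() {
    case "$1" in
        arm64)       echo "rapid7-insight-agent-$2-1.arm64.pkg" ;;
        i386|x86_64) echo "rapid7-insight-agent-$2-1.x86_64.pkg" ;;
        *)           return 1 ;;
    esac
}

# A token is <two-letter region>:<id>; a blank or malformed parameter 4 should
# fail the policy rather than register the agent with a bad token.
valid_token() {
    case "$1" in
        ??:?*) return 0 ;;
        *)     return 1 ;;
    esac
}

main() {
    token="$4"; version="$5"; attrs="$6"
    valid_token "$token" || { echo "Bad token format in parameter 4"; return 2; }
    [ -n "$version" ] || { echo "Missing agent version in parameter 5"; return 2; }
    pkg=$(pkg_for_arch "$(/usr/bin/arch)" "$version") || { echo "Unsupported arch"; return 2; }
    /usr/sbin/installer -pkg "$STAGE_DIR/$pkg" -target / || return 3
    # --attributes is optional, so only pass it when parameter 6 is set.
    if [ -n "$attrs" ]; then
        "$AGENT_ROOT/$version/configure_agent.sh" --token="$token" --attributes "$attrs" --start
    else
        "$AGENT_ROOT/$version/configure_agent.sh" --token="$token" --start
    fi
    rm -rf "$STAGE_DIR"
    # Success means the agent process is actually up, not just that installer returned 0.
    pgrep -x ir_agent >/dev/null
}

# Jamf passes mount point, computer name and username as $1-$3; only run when a
# token was supplied, so sourcing the file for testing does not trigger an install.
if [ -n "${4:-}" ]; then
    main "$@"
fi
```

Scope the one policy to the whole fleet and set the three parameters per company (or per smart group) in the policy's script payload; the policy fails in Jamf if the token is malformed, the pkg is missing, or the agent process never starts.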
tmosh
New Contributor

Thank you @dwynn!!! This helped! On another note, do y'all have a Uninstall Script for Rapid7?

Rapid7 offers this command (sudo /opt/rapid7/ir_agent/components/insight_agent/{version}/uninstall.sh). I'm thinking of creating a Policy and adding the command to "Files and Processes". 

dwynn
New Contributor III

I haven't tested this, but here is the command from the Rapid7 documentation:

 

Uninstall .pkg installer Insight Agents

sudo /opt/rapid7/ir_agent/components/insight_agent/{version}/uninstall.sh

iOllie
New Contributor III

Uninstall without prompt; useful for automation:

sudo /opt/rapid7/ir_agent/components/insight_agent/{version}/uninstall.sh -f
