Posted on 07-31-2019 11:44 AM
Has anyone found an easy way to deploy the Rapid7 Mac Insight Agent using Jamf?
Posted on 10-26-2023 10:27 AM
Thanks for this. It's been helpful to see all the different approaches people have taken.
Posted on 07-26-2023 04:38 PM
This is what I'm using as a postinstall. rapid7-munkipkg

    #!/bin/bash
    ## postinstall

    pathToScript=$0
    pathToPackage=$1
    targetLocation=$2
    targetVolume=$3

    # Pick the installer that matches the CPU architecture
    arch=$(/usr/bin/arch)

    if [ "$arch" == "arm64" ]; then
        echo "Apple Silicon Detected"
        chmod +x /private/tmp/rapid7/agent_installer-arm64.sh
        /bin/sh /private/tmp/rapid7/agent_installer-arm64.sh install_start --token us:yourcodehere
    else
        echo "Intel Detected"
        # Same file name for chmod and for the run (x86_64, with an underscore)
        chmod +x /private/tmp/rapid7/agent_installer-x86_64.sh
        /bin/sh /private/tmp/rapid7/agent_installer-x86_64.sh install_start --token us:yourcodehere
    fi

    # Detect Rapid7 is running
    if pgrep -x "ir_agent" >/dev/null; then
        echo "Install Successful"
        # Clean Up
        rm -rf /private/tmp/rapid7
        exit 0
    else
        echo "Install Failed"
        # Clean Up
        rm -rf /private/tmp/rapid7
        exit 1
    fi
Posted on 10-24-2023 04:46 AM
Hey, hope you are well,
I've been tasked with deploying Rapid7, and all seems to be working, BUT people are telling me you need a config profile to grant Full Disk Access for the ir_agent, and I am having no luck finding any info around this, or which identifiers to use. Are you using one?
Posted on 10-24-2023 06:13 AM
For some inexplicable reason they don't mention the FDA being needed in their documentation. Their logging also doesn't reveal that anything is failing if you don't have FDA allowed. Talk to their support though. They provided us with the mobileconfig file that they use internally. This was after we rolled it out not knowing FDA was needed and I happened to notice that it was showing up in the system settings wanting access. We weren't too happy about that and it wasn't noticed during testing.
Posted on 10-24-2023 06:15 AM
Thanks, will get my infosec team to reach out and grab that. Thanks for the reply.
Posted on 11-06-2023 02:49 PM
Brand new to the world of packaging for Macs. We have a mix of Intel Macs and M1s in our environment. Can anyone confirm whether or not I'll need to download both versions of the macOS installer from Rapid7, then target our devices according to chip type (Intel or M1)? Thanks.
Posted on 11-06-2023 10:42 PM
Hey,
Yes, you will need both as there is no Universal installer. There is a script floating around on here that checks the architecture of the Mac and then installs the right version, so you can make one package and target the entire fleet and let the script do the rest of the work.
Posted on 11-07-2023 08:58 AM
Thanks for that info. And one more point to confirm: once the Rapid7 Insight Agent is installed on a Mac, is there any reason to redeploy/reinstall a newer version of the Agent? My understanding (based on behavior on Windows devices) is that once the Agent is installed, it will update itself without user or administrator intervention. Just wanted to make sure that's the way it will work on Macs as well. Thanks!
Posted on 11-07-2023 09:15 AM
ISVM Agent auto updates on our Macs.
I have two separate policies for the ISVM Install. You could just deploy both installers to the machine and let the scope take care of it.
Scoped to Apple Silicon - /private/tmp/InsightVM/insight_installer-arm.sh install_start --token us:0000-0000-0000-0000-00000 --attributes "XXXX Agent"
Scoped to Intel - /private/tmp/InsightVM/insight_installer.sh install_start --token us:0000-0000-0000-0000-00000 --attributes "XXXX Agent"
Posted on 07-30-2024 01:32 PM
Has anyone had success with the new Mac installation instructions below? I can install the .pkg just fine but my method of running the token install command under Files and Processes > Execute Command isn't working anymore.
Posted on 07-31-2024 12:14 AM
Yes, but I use a script that starts either the ARM or Intel PKG Installation.
Parameters 4 and 5 of the script are the input fields for the token and the Rapid7 installer version.

    #!/bin/bash

    SystemArch=$(/usr/bin/arch)
    echo "### SystemArch - $SystemArch #####"
    sleep 2

    # Rapid7 Token can be found in Parameter 4
    # (this echo writes the token into the Jamf policy log)
    echo "### Token: $4 #####"
    sleep 2

    # Rapid7 Path - Version can be found in Parameter 5
    Rapid7Path="/opt/rapid7/ir_agent/components/insight_agent/$5/"
    echo "### Rapid7Path - $Rapid7Path #####"
    sleep 2

    # Start Rapid7 Installer via Script
    if [ "$SystemArch" == "arm64" ]; then
        echo "### Apple Silicon Detected #####"
        /usr/local/bin/jamf policy -event Rapid7-ARM
        sleep 2
    else
        echo "### Intel Detected #####"
        /usr/local/bin/jamf policy -event Rapid7-X86
        sleep 2
    fi

    # Configure and start the agent; quoting keeps the path and token as single arguments
    sudo -s "${Rapid7Path}configure_agent.sh" --token "$4" --start && echo "### Rapid7 Config Script Start #####"

    # List Folder Content of Rapid7Path
    echo "### List of Rapid7Path
    $(ls -l "$Rapid7Path")
    #####"
    sleep 2

    # Finish Script
    echo "### Jamf Recon - Start #####"
    /usr/local/bin/jamf recon && echo "### Jamf Recon - Completed #####"
    sleep 2
Posted on 08-02-2024 06:59 AM
Thank you. I just couldn't get this script to work with another parameter for --attributes. I have 50 companies each with a different attribute so it would have been nice to get this one to work. I had to create a Composer package for each company. Here is the postinstall script I used.
    #!/bin/sh
    ## postinstall

    pathToScript=$0
    pathToPackage=$1
    targetLocation=$2
    targetVolume=$3

    # Pick the package that matches the CPU architecture
    arch=$(/usr/bin/arch)

    # "=" is the portable string comparison under /bin/sh
    if [ "$arch" = "arm64" ]; then
        echo "Apple Silicon Detected"
        installer -pkg /private/tmp/rapid7/rapid7-insight-agent-4.0.9.38-1.arm64.pkg -target /
    else
        echo "Intel Detected"
        installer -pkg /private/tmp/rapid7/rapid7-insight-agent-4.0.9.38-1.x86_64.pkg -target /
    fi

    # Configure agent
    /opt/rapid7/ir_agent/components/insight_agent/4.0.9.38/configure_agent.sh --token=us:TOKEN --attributes "ATTRIBUTES" --start

    # Detect Rapid7 is running
    if pgrep -x "ir_agent" >/dev/null; then
        echo "Install Successful"
        # Clean Up
        rm -rf /private/tmp/rapid7
        exit 0
    else
        echo "Install Failed"
        # Clean Up
        rm -rf /private/tmp/rapid7
        exit 1
    fi
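The two posts above pass the token and version as Jamf script parameters and mention trouble adding `--attributes`. The following is an added example, not any poster's or Rapid7's code, of handling those parameters with quoting, version validation and a masked token in the log; the function names, the use of parameter 6 for attributes, and the `AGENT_ROOT` override are assumptions, while the flags and the install path are the ones shown in this thread.

```shell
#!/bin/bash
# Added example: Jamf parameters $4 = token, $5 = agent version,
# $6 = attributes (assumed slot). Function names are hypothetical.

# Log only the region prefix so the policy log never holds the token.
mask_token() {
    case $1 in
        *:*) printf '%s:****\n' "${1%%:*}" ;;
        *)   printf '****\n' ;;
    esac
}

# Accept only dotted-numeric versions so $5 cannot redirect the path.
# AGENT_ROOT is an assumed override; the default is the path from the thread.
agent_dir_for() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo "invalid version: $1" >&2; return 1 ;;
    esac
    printf '%s/%s\n' "${AGENT_ROOT:-/opt/rapid7/ir_agent/components/insight_agent}" "$1"
}

# configure_agent TOKEN VERSION [ATTRIBUTES]
configure_agent() {
    token=$1 version=$2 attrs=${3:-}
    [ -n "$token" ] || { echo "missing token" >&2; return 1; }
    dir=$(agent_dir_for "$version") || return 1
    [ -x "$dir/configure_agent.sh" ] || { echo "not found: $dir/configure_agent.sh" >&2; return 1; }
    # Build the argument list; quoting keeps "Company A Agent" as one argument.
    set -- "$dir/configure_agent.sh" --token "$token"
    if [ -n "$attrs" ]; then
        set -- "$@" --attributes "$attrs"
    fi
    set -- "$@" --start
    echo "Configuring agent $version, token $(mask_token "$token"), attributes '${attrs}'"
    "$@"
}

# In a Jamf policy script the call would be:
#   configure_agent "$4" "$5" "$6" || exit 1
```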
Posted on 09-12-2024 07:30 AM
Thank you @dwynn!!! This helped! On another note, do y'all have an uninstall script for Rapid7?
Rapid7 offers this command (sudo /opt/rapid7/ir_agent/components/insight_agent/{version}/uninstall.sh). I'm thinking of creating a Policy and adding the command to "Files and Processes".
Posted on 09-12-2024 07:49 AM
I haven't tested this but here is the command from Rapid7 Documentation:
Uninstall .pkg installer Insight Agents
sudo /opt/rapid7/ir_agent/components/insight_agent/{version}/uninstall.sh
Posted on Wednesday
Uninstall without prompt. Useful for automation
sudo /opt/rapid7/ir_agent/components/insight_agent/{version}/uninstall.sh -f