Jamf Nation Community

Great write-up... Thank you!

This is a really useful write up and thank you for that. I do have one question. I go to add the Socket Filter Whitelisting and all the fields you identified are there, with the exception of FilterSockets. I'm entering it in the payload for Content Filtering in the configuration profile, but perhaps I'm supposed to be entering it elsewhere.

Again, thanks so much.

Hi Pueo,

Got it, and thanks so much again.

No problem.  There is more. After more than a few emails to FE they eventually gave me updated documentation with the exact procedure a MDM Admin needs to follow in order to successfully deploy FireEye v33.51.0.
One of the bigger changes was adding more settings to the PPPC (whitelist) setting. The previous documentation only had ALLsystemfiles but they now suggest to have quite a few more.  They also provide screen shots for Whitelisting and setting up Malware detection. 
Upgrading FE is easy. Push out profiles, push out HX client (we are using HX Console for agent.  Anyways if you need the pdf there must be away I can send it to you.

p.

Hi @pueo 

Can you tell me the name of the PDF you got from FireEye/Mandiant so I can try to get it from support, or put it up in a place I can grab it? Unfortunately, when I try to distribute the config profile, I get the error "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." so I want to verify that I'm setting it up correctly.

Thanks,

Michael

Sorry for the delay Michael.  Sent to you private messages.

ash

Got it going! Thanks for all your help!

@pueo  / @mlarsen 

Any chance I could grab a copy of that PDF as well? 

I'm trying to deploy the same version of FireEye and am running into similar issues with building my profiles. 

Thanks 🙂 

Hi @johnsz_tu - I apologize for not responding sooner. I never did get the PDF. I did find a a page on the FireEye community which gave me the details I needed though. The page is here - https://community.fireeye.com/CustomerCommunity/s/article/000003689

@mlarson  Sorry I didn't follow up with documentation.  

Do the attachments I just added to the post resolve your issue?

Cheers,

Hi @pueo, The screenshots look good and I was able to get it resolved from the FireEye community page I linked to earlier. Thanks again for all the help you've provided.

Hello.  Sorry for the delay in replying.  I am happy to help with screen shots to get you moving along with your FE deployment. The first two screen shots are taken from the Documentation.  The differences between the previous FE installer and the current one (33.51) is you now need a Content Filter.

Again, apologies for the tardiness. 

Cheers.

Our Profiles.

 System Extension

Content Filter.

FE Documentation

@pueo Thank you so much!!

That will help so much. 

I managed to get through the System Extension dialog yesterday, and have started battling with the Popup for the Network Filter

Going to try to build based on the screenshots above today

Really appreciate it 🙂 

Hi @pueo ,

We've been trying to get this upgrade to v.33.51.1 for more than a month and it's still failing for us...Engaged some FireEye tech for this issue and he sent the same guide that you provided the screenshots from, but it doesn't seem to go through the installation, failing somewhere while running the xagtSetup (see below):

"Installing FireEyewPostinstall v.33.51.1 PROD.pkg...
                Successfully installed FireEyewPostinstall v.33.51.1 PROD.pkg.
                Running script FireeyePostinstall v.33.51.1...
                Script exit code: 1
                Script result: installer: Package name is FireEye Agent
                installer: Installing at base path /
                installer: The install failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. An error occurred while running scripts from the package “xagtSetup_33.51.1.pkg”.)
                Error running script: return code was 1."

Again, I've already created the required Config Profiles as per the FireEye guide, still No Bueno! 😞

Any ideas?

Thanks,

CC

Hello

**Sorry for the double reply. A few lost screens a re write and I can't figure out how to remove a old post**

-

We keep our FE Agent very basic when it comes to deployment.

For new machines Jamf will install the repackaged client using the following post install script (we use DEPNotify for deployments):

#!/bin/sh
## postinstall

sudo installer -pkg /private/tmp/FireEyeAgent/xagtSetup_33.51.0.pkg -target /
sudo rm -r /private/tmp/FireEyeAgent

--

After this, once the agent checks in with HX the agent will receive any other configurations it needs.  Keep it simple

I packaged this small script using Composer. It took many attempts to get it working.

Things to try

• Test script locally
• Remove spaces from pkg name
• check jamf and install.log files.

As a reminder: Think locally first..:-)

a.

Hi @pueo,

Thanks for the suggestions. And, you are right, the best test is to try it locally, which I've already done that...I've got the .dmg copied locally and tried to go through the normal installation, but it failed at the end. So, I'm not sure if I'm doing something wrong or if this package received from FireEye has some problems with it.

Thanks,

CC

Try using a pkg instead. I rarely if ever use a DMG.  

If the agent does not install just from double clicking the package on a local Mac, then you may have a damaged agent.

Actually, the .dmg has the package and JSON files, when I double-clicked it. I ran the pkg and got the Failed message right at the end.

Sounds like a damaged pkg file. Maybe try on one more machine.  I drag both the json and the pkg file to the /private/tmp/FireEyeAgent folder (I created the FireEyeAgent folder). Then package it up with the post install script.

Yeah, I've tried that too initially...directly from the /private/tmp/FireEyeAgent folder...No dice either! 😞

Hi @pueo ,

Sorry for the long wait before my reply, but our peeps in charged to manage the FireEye appliance had to upgrade it to a newer version, therefore that's why I had to put on hold the testing...Anyways, I just received the v.34.28.1 to test with, but I need to make sure now that I'm following the correct path. 🙂

Could you please tell me how are you doing with upgrading from a lower version to v.34.28.1? Previously, we have been using a script to remove ALL the necessary files/folders/entries before you install the new version...From FireEye tech, I've got this instruction:

"please make sure that the customer correctly removed the system extension and rebooted the mac. The correct command to remove everything is to add the remove helper switch: sudo /Library/FireEye/xagt/uninstall.tool --remove-helper
After running this command and rebooting, the customer should install version 34.28.1 and allow the FireEye and Bitdefender kernel extensions."

Is it going to be enough that "uninstall.tool" with the switch like that?

Thanks,

CC

Thanks @pueo for sharing your findings on this FireEye HX/xagt release and config screens (just love those vendors hiding important info behind their support portals).

Adding to your reply to @mlitton question... agree w/ creating two profiles for Kext (Intel) and SysExt (ARM), but probably best to exclude each config profile scopes via smart groups for "Architecture type" is/not "arm" or is/not "x86_64"? Otherwise, you're potentially generating extra log chatter and performance overhead for failed installs.