Triton Forcepoint AP-WEB

cdinges
New Contributor II

Does anyone out there have experience packaging Triton Forcepoint AP-WEB up for distribution through JAMF? The current ZIP that I have has two .pkgs included in the folder along with a .cer file, .hsw file & .xml file. I believe the WebsenseEndpoint.pkg kicks off the installer WebsenseEPClassifier.pkg then somehow configures the client with the necessary files. I am looking to combine all these into one .pkg file. Any help / direction would be greatly appreciated.

Thanks in advance and have a great holiday season!

17 REPLIES

rlindenmuth
New Contributor III

I'm just starting this process as well. Do you have any tips and tricks you care to pass along?

cdinges
New Contributor II

The best practice is to copy the package to the machine locally then run the command to install the software. My policy does this with great success.

cpittman1218
New Contributor

Hey Cdinges, can you explain how you do this in a little deeper detail, in regard to the policy you created?

Thank you.

sax_man424
New Contributor II

I am curious as well. Would it be possible to share your script in this post?

cdinges
New Contributor II

Sorry for the delayed response.

Yes, I created a package to deploy the files to a folder on the machine, then the policy runs a command to kick off the installer. The command line to run is:

sudo /usr/sbin/installer -pkg "/Library/Application Support/JAMF-CustomApps/triton832607new/WebsenseEndpoint.pkg" -target /

According to the vendor this is the best practice.

jmcdaniel
New Contributor II

In theory it should also be possible to create a custom pkg using Casper Admin with the bundle and deploy that via policy as well. Just an idea, especially now that there are 4 files in the Forcepoint .zip for Mac endpoint.

ctsuda
New Contributor

I've tried the custom package using the install files that come with Websense and was able to get it to download to the client. Unfortunately, it downloads to the desktop and the script fails to find the installer files after that. Changing the script to point to the desktop does kick off the installation, but then the files remain there and that's something that I want to avoid.

I tried the snapshot method as well and it failed.

Any suggestions?

jmcdaniel
New Contributor II

@stevenadler do you have any recommendations?

ctsuda
New Contributor

I was actually able to do this with Composer. In speaking with Jamf, I had to put the files in a place where I wanted the files to download to so that the install could run. Then I dropped the files into Composer and had it create my package. I uploaded the package to Jamf and created the policy. I then used the script supplied by cdinges with changes to the location of the files that I need to run. It worked after that but the files don't delete after the install, which I'm okay with.

vgulizio
New Contributor

Do we have a better step by step on this? Just trying to understand how to set up the policy once the package is uploaded to Jamf. Is it set up as an install, and then an option to run a script? Little confused.

jmcdaniel
New Contributor II

Essentially, once you have built the package with the Forcepoint Package builder you would upload the file using Casper Admin.

- You would then want to create a policy to deploy the zip (ideally with a smart or static group but could be targeted users).

- Then make a second policy that looks for that package already installed and have it run a bash script to run the installer with the sudo prefix.

aka

sudo unzip ./endpoint.zip

sudo /usr/sbin/installer -pkg ./endpointpackagefile.pkg -target /

The endpoint package (not the classifier.pkg) contains the installer and will call on the other files from the zip, so ensure you run the command inside the directory where the zip has been extracted.

I hope this information helps!

Cheers.

NOTE: This should work for the DLP or Web endpoint. Use whatever flags or context paths needed to run in a command-line install in your script.
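
The staged-install flow described in this thread (copy the vendor files to a local folder, run the installer from inside it, then tidy up), written as one Jamf policy script. This is an added example, not a script posted by any participant or supplied by Forcepoint; it assumes policy script parameter 4 carries the staging folder, and it recognises the .cer, .hsw and .xml files by extension only.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: Jamf policy script
# parameter 4 is the folder the staging package dropped the vendor files into.

# Print what is missing from the staging folder; non-zero status if incomplete.
missing_payload() (
    dir=$1
    missing=""
    for f in WebsenseEndpoint.pkg WebsenseEPClassifier.pkg; do
        if [ ! -f "$dir/$f" ]; then missing="$missing $f"; fi
    done
    # The thread identifies the remaining files only by extension.
    for ext in cer hsw xml; do
        found=0
        for f in "$dir"/*."$ext"; do
            if [ -f "$f" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then missing="$missing *.$ext"; fi
    done
    if [ -n "$missing" ]; then
        echo "${missing# }"
        exit 1
    fi
)

install_endpoint() {
    dir=$1
    if ! gaps=$(missing_payload "$dir"); then
        echo "Incomplete staging folder $dir, missing: $gaps" >&2
        return 1
    fi
    # The installer runs as root, so refuse a folder another user could
    # modify (for example a Desktop) between staging and install.
    if [ -z "$(find "$dir" -prune -user root ! -perm -0020 ! -perm -0002)" ]; then
        echo "$dir must be root-owned and not group/world writable" >&2
        return 1
    fi
    # Run from inside the folder so the installer finds its sibling files.
    cd "$dir" || return 1
    /usr/sbin/installer -pkg "$dir/WebsenseEndpoint.pkg" -target / || return 1
    # Remove the staged certificate and configuration once installed.
    cd / && rm -rf "$dir"
}

# Jamf reserves parameters 1-3; nothing runs when parameter 4 is absent.
if [ -n "${4:-}" ]; then
    install_endpoint "$4"
fi
```

A non-zero exit from the script marks the policy run as failed in the Jamf log, so an incomplete or user-writable staging folder shows up there instead of as a half-configured client.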

vgulizio
New Contributor

Thanks. I had already ended up doing exactly that, and it has been working on every policy push. Information is definitely a help.

Thank you. - Vince

SimonePS
New Contributor

https://support.forcepoint.com/KBArticle?id=000016604
Deploying Forcepoint Endpoint for MacOS using Jamf

On a side note, how are you authenticating remote users in a FP hybrid cloud deployment?

nimoyjohnson
New Contributor

Has anyone been successful with using NoMad/Jamf Connect and Triton Forcepoint AP-WEB or on an unbound Mac?

SimonePS
New Contributor

@nimoyjohnson, there's (finally!) a Forcepoint direct connect client and there's no need to have the Kerberos ticket.

daniel_oconnell
New Contributor II

Hey Everyone,
Are you disabling Kernel Extensions as per Forcepoint's documentation to deploy this software?

https://support.forcepoint.com/KBArticle?id=000016604
https://www.websense.com/content/support/library/endpoint/v85/release_notes/rn_endpt_new.aspx

This doesn't seem like an option for me. I have tried to allow the specific kernel extensions for Forcepoint DLP but the software doesn't install correctly.
Team Id: C489D5E8E8
Bundle Ids: com.websense.endpoint.process, com.websense.endpoint.process.kpi, com.websense.endpoint.dlp

I'm also using their prebuilt Config Profile to give Full Disk Access. The product installs, but it is missing components such as the icon in the menu bar. Any direction would be appreciated.

ateazzie
New Contributor III

@daniel.oconnell Are you using any of their scripts?
When I was deploying Forcepoint 20 I found an error in their scripts, which kept the installation from happening.
Make sure you use their application on a Windows server to create a correct config profile for installation.