Methods To Install an App Control Agent
search cancel

Methods To Install an App Control Agent

book

Article ID: 286750

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Steps to install an App Control Agent

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows OS: All Supported Versions
  • macOS: All Supported Versions

Resolution

Table of Contents

 

Windows

IMPORTANT: Legacy Windows (XP, 7, 2003, 2008) installs require specific steps!

  • Installing on Windows XP & Server 2003:
    • If on Server 8.11.2+ and Agent 8.10.2+ use Method 1 (Policy Installer).
    • If on Server and Agent versions prior, use Method 2 (Unbranded Installer).
  • Installing on Windows 7 & Server 2008: KB4474419 (SHA-256 Code Signing Support) is required
  • Additional Steps for Communication: Connecting Legacy Windows Agents to the Console

 

Method 1: Using the Latest Policy Installer (Preferred)

  1. Confirm whether Registration Codes have been enabled
    • If enabled, the command for installation should include the Registration Code.
  2. Navigate to: https://ServerAddress/hostpkg/ and locate the Policy Installer (or download directly to the endpoint)
    • The latest Policy Installer should always be used when installing Agents.
    • This allows the full Config List (Server Configuration, Custom Rules, Approval Methods, etc) to be included at time of install.
    • Policy Installers are frequently regenerated automatically (minimum once every 24 hours).
    • Using the Policy Installer URL directly from the Server's /hostpkg/ path will make future installs & scripting easier.
  3. Use an administrative command prompt to issue the relevant command:
    • If Registration Codes are disabled 
      Using a Policy Installer downloaded locally to the endpoint:
      msiexec.exe /i "C:\Path\To\<PolicyInstaller>.msi" /qn /norestart /L*v "C:\Temp\AgentInstall.log"

      Using a Policy Installer directly from the Server:
      msiexec.exe /i "https://ServerAddress/hostpkg/pkg.php?pkg=<PolicyInstaller>.msi" /qn /norestart /L*v "C:\Temp\AgentInstall.log"
    • If Registration Codes are enabled 
      msiexec.exe /i "C:\Path\To\<PolicyInstaller>.msi" B9_REGISTRATION_CODE=registrationcodegoeshere /qn /norestart /L*v "C:\Temp\AgentInstall.log"

Method 2: Using the Unbranded Installer

Manually with Server.conf (Zip Package)

  1. Verify Zip Package Generation is enabled (Requires Server 8.9.0+):
    1. Navigate to https://ServerAddress/shepherd_config.php
    2. Verify the Property GenerateWindowsHostGroupZipPackage is set to: true
  2. Navigate to: https://ServerAddress/hostpkg/ and download the Policy Installer (Ex: Production-LowEnforcement.zip)
  3. Extract the contents to a temporary location. (Ex: C:\Temp\Production-LowEnforcement\)
  4. Execute the relevant installation file
    • Windows XP/2003: ParityHostAgent_SHA1.msi must be used. XP and 2003 do not support the SHA256 signed version.
    • All other Windows Versions: ParityHostAgent.msi

Manually with ParityHostAgent.msi

  1. Gather "ParityHostAgent.msi" and "configlist.xml" files from the App Control servers hostpkg folder
    • The default location is C:\Program Files (x86)\Bit9\Parity Server\hostpkg\
    • If the Configlist.xml is not provided at time of install, the Agent will not know Custom Rules, Publisher Approvals, Agent Management settings, etc until it is fully Up to Date.
      • If the endpoint cannot download the Configlist from the Server (Port 443 by default), it will be forced to download the Configlist incrementally over 41002.
      • Downloading incrementally can take several hours to fully complete.
      • Using the unencrypted version of the Configlist (configlist.xml) is required. Using configlist.xml.egk or configlist.xml.enc will result in a failed install attempt.
  2. Gather the necessary details:
    • B9_SERVER_IP: This needs to match the  "Server Address" listed in the console under System Configuration (gear icon) > general tab
    • B9_SERVER_PORT: This must match the "Server Port" mentioned in System Configuration > general tab
    • B9_SERVER_ID: This is found by navigating to https://yourconsole/support.php > Advanced Configuration > Server ID field
    • B9_HOSTGROUP: This value will be the name of the policy you want to assign it to after install, policy name should be in quotes.
    • Optional Configs
      • B9_CONFIG: This will be the path to the configlist.xml that was copied from the Server (recommended to include at install)
      • B9_REGISTRATION_CODE (8.9.2+) Confirm if Registration Codes have been enabled. If so, this must have a valid code specified.
      • B9_ENABLE_SERVICE_PROTECTION (8.10.0+) Disable PPL during install
  3. Open and admin CMD Prompt and run the relevant command. Example: 
    msiexec /i "C:\Temp\ParityHostAgent.msi" B9_SERVER_IP=Eaxmple.com B9_SERVER_PORT=41002 B9_SERVER_ID={b9}ServerIdcodehere... B9_CONFIG="C:\Temp\configlist.xml" B9_HOSTGROUP="Corp Low Policy" B9_REGISTRATION_CODE=registrationcodegoeshere B9_ENABLE_SERVICE_PROTECTION=0 /L*v "C:\Temp\AgentInstall.log"

macOS

  1. Navigate to: https://ServerAddress/hostpkg/ and locate the Policy Installer (or download directly to the endpoint)
    • The latest Policy Installer should always be used when installing Agents.
    • This allows the full Config List (Server Configuration, Custom Rules, Approval Methods, etc) to be included at time of install.
    • Policy Installers are frequently regenerated automatically (minimum once every 24 hours).
    • Using the Policy Installer URL directly from the Server's /hostpkg/ path will make future installs & scripting easier
  2. Open the Disk Image file (Ex: policyname-mac.dmg) and execute the pkg installation file inside it.
  3. Respond to the installation dialog prompts and when the dialog indicates the installation was successful, click Close.
  4. Open Security Preferences (System Preferences > Security & Privacy > Privacy)
  5. Verify Full Disk Access is allowed, and the following System Extensions are Allowed & Unblocked:
    • appc_es_extension
    • b9notifier
    • b9daemon
  6. Reboot the endpoint.

More detailed instructions and Jamf Deployment instructions, are available in the macOS Agent Installation Guide.

Linux

  1. Navigate to: https://ServerAddress/hostpkg/ and locate the Policy Installer (or download directly to the endpoint)
    • The latest Policy Installer should always be used when installing Agents.
    • This allows the full Config List (Server Configuration, Custom Rules, Approval Methods, etc) to be included at time of install.
    • Policy Installers are frequently regenerated automatically (minimum once every 24 hours).
    • Using the Policy Installer URL directly from the Server's /hostpkg/ path will make future installs & scripting easier
  2. Extract the Agent installer: 
    tar -xvzf <policyname>-Red Hat.tgz
    • Note: If the Policy name contains characters not accepted in command arguments, such as spaces or parentheses, escape each character with a backslash.
  3. Change to the directory matching the download tarball name: 
    cd <policyname>-Red Hat
    • Note: App Control Server versions 8.9.0 and lower will require the attached GPG key bit9cs_sha2.asc in the same folder as b9install.sh.
  4. Validate the b9install script against the Public Key and Detached Signature with the following commands: 
    gpg --dearmor bit9cs_sha2.asc
gpg --no-default-keyring --homedir . --keyring bit9cs_sha2.asc.gpg --verify b9install.asc b9install.sh
    • Note: The result should return similar: gpg: Good signature from "build (carbonblack)"
  5. Install the Agent: 
    With Notifier: sudo sh ./b9install.sh
Without Notifier: sudo sh ./b9install.sh –n

Notes:

  • This procedure (and any installation involving b9install.sh) should be used only when the Linux Agent is otherwise fully removed from the endpoint.
  • If using Secure Boot, the Public Key must be installed on the endpoint.

Additional Information

Attachments

20413_bit9cs_sha2.asc.zip get_app
Powered by Wolken Software