Steps to install an App Control Agent

• App Control Agent: All Supported Versions
• Microsoft Windows OS: All Supported Versions
• macOS: All Supported Versions

Windows

Notes

• Windows XP & Server 2003 require additional steps:
  • Server Version 8.9.0+ and Agent version 8.7.4+
  • Installation Method 2 (Unbranded Installer).
  • Additional steps are required to connect Agents to the Console.
  • Additional steps are required on the App Control Server for the SHA1 Root Certificate.
• Windows 7 and Server 2008 require an update to support SHA-256 signed packages (8.7+ Agent)
  • KB4474419
  • 2019 SHA-2 Code Signing Support requirement for Windows and WSUS

Method 1: Using the Policy Installer (Preferred)

1. Navigate to https://ServerAddress/hostpkg/ to download the relevant Policy Installer MSI file.
2. Confirm if Registration Codes are enabled or not.
3. Use an administrative command prompt to issue the relevant command:
   • If Registration Codes are disabled:

     msiexec.exe /i "C:\Path\To\PolicyInstaller.msi" /qn /norestart /L*v "C:\Temp\AgentInstall.log"
     

   • If Registration Codes are enabled:

     msiexec.exe /i "PolicyInstaller.msi" B9_REGISTRATION_CODE=registrationcodegoeshere /qn /norestart /L*v "C:\Temp\AgentInstall.log"

Method 2: Using the Unbranded Installer

Manually with Server.conf (XP/2003 or Zip File)

1. Verify Zip Package Generation is enabled (Requires Server 8.9.0+):
   1. Navigate to https://ServerAddress/shepherd_config.php
   2. Verify the Property GenerateWindowsHostGroupZipPackage is set to: true
2. Download the relevant Policy.zip file to the endpoint.
   1. Navigate to https://ServerAddress/hostpkg and download the relevant zip file (Ex: Production-LowEnforcement.zip)
   2. Extract the contents to a temporary location. (Ex: C:\Temp\Production-LowEnforcement\)
   3. Execute the relevant installation file
      
      • Windows XP/2003: ParityHostAgent_SHA1.msi must be used. XP and 2003 do not support the SHA256 signed version.
      • All other Windows Versions: ParityHostAgent.msi

Manually with ParityHostAgent.msi

1. Gather "ParityHostAgent.msi" and "configlist.xml" files from the App Control servers hostpkg folder
   • The default location is C:\Program Files (x86)\Bit9\Parity Server\hostpkg)
   • The unencrypted version of configlist.xml is required. Using configlist.xml.egk or configlist.xml.enc will result in a failed install attempt.
2. Gather the necessary detail:
   • B9_SERVER_IP: This needs to match the  "Server Address" listed in the console under System Configuration (gear icon) > general tab
   • B9_SERVER_PORT: This must match the "Server Port" mentioned in System Configuration > general tab
   • B9_SERVER_ID: This is found by navigating to https://yourconsole/support.php > Advanced Configuration > Server ID field
   • B9_CONFIG: This will be the path to the configlist.xml that you copied
   • B9_HOSTGROUP: This value will be the name of the policy you want to assign it to after install, policy name should be in quotes.
   • Optional (B9_REGISTRATION_CODE) Confirm if Registration Codes have been enabled. If so, this must have a valid code specified.
3. Open and admin CMD Prompt and run the relevant command. Example:

   msiexec /i "C:\Temp\ParityHostAgent.msi" B9_SERVER_IP=Eaxmple.com B9_SERVER_PORT=41002 B9_SERVER_ID={b9}ServerIdcodehere... B9_CONFIG="C:\Temp\configlist.xml" B9_HOSTGROUP="Corp Low Policy" B9_REGISTRATION_CODE=registrationcodegoeshere /l*v "C:\Temp\AgentInstall.log"

macOS

1. Navigate to https://ServerAddress/hostpkg and download the relevant macOS install package.
2. Open a Terminal window and change directory to the location where the installer was downloaded (by default, the user-specific Download directory - cd ~/Downloads
3. Double-click on the agent installation file you downloaded (policyname-mac.dmg). A standard package installation dialog begins.
4. Respond to the installation dialog prompts, and when the dialog indicates the installation was successful, click Close.
5. The Mac firewall may detect the agent as a new application and block access to the network. Instruct users to permanently allow incoming connections to b9daemon.

Linux

1. Navigate to https://ServerAddress/hostpkg and download the relevant Linux install package.
2. Extract the Agent installer:

   tar -xvzf <policyname>-Red Hat.tgz

   • Note: If the Policy name contains characters not accepted in command arguments, such as spaces or parentheses, escape each character with a backslash.
3. Change to the directory matching the download tarball name:

   cd <policyname>-Red Hat

   • Note: App Control Server versions 8.9.0 and lower will require the attached GPG key bit9cs_sha2.asc in the same folder as b9install.sh.
4. Validate the b9install script against the Public Key and Detached Signature with the following commands:

   gpg –-dearmor bit9cs_sha2.asc
   gpg --no-default-keyring --homedir . --keyring bit9cs_sha2.asc.gpg --verify b9install.asc b9install.sh

   • Note: The result should return similar: gpg: Good signature from "build (carbonblack)"
5. Install the Agent:

   With Notifier: sudo sh ./b9install.sh
   Without Notifier: sudo sh ./b9install.sh –n

Notes:

• This procedure (and any installation involving b9install.sh) should be used only when the Linux Agent is otherwise fully removed from the endpoint.
• If using Secure Boot, please follow these instructions instead:
  • Enable Secure Boot for Linux Agents