Deploying XDR Agent for Mac with InTune

Hi Mark,

Did you manage to install using intune with the config file?

Regards,

Hitesh

Also having the same issue - documentation is just covering the extension portion and not the package/xml files. 

What's the right solution here? I've currently got agents installed with error code 307, can't connect. 

Hi 

Did someone try to use ICEBERG?

1. We are aware that in terms of package deployment these applications only support packages (*.pkg) and metapackages (*.mpkg)There is a constraint here, but we can be work around that taking advantage of how packages work on macOS system (see additional information section for package definition)
2. We are also aware that some applications, such as Apple Remote Desktop for instance (there may be others), also have the capabilities of copying files and running UNIX commands targeting multiple machines, which can also be leveraged to workaround the problem

- Both packages and metapackages support containing multiple embedded packages inside the main package
- This allows us to create a new package, that will contain both "Traps.pkg" and "Servers.xml"/"Config.xml" inside a single container
- Deployment of the package to your entire macOS environment on a simple package is possible in this way
- Several package creation applications for macOS are available that will facilitate this process.
- "Iceberg" application was chosen for this reference documentation, as it's free (and with BSD license)
- Other applications can be used as PackageMaker or any other at your disposal

1.1. Create new package:
- Install Iceberg and open the application
- Create new project
- Select Darwin package
- Give name to the project
- NOTE: project name (which later will be the package name) cannot have spaces in it. Packages with empty spaces do not work and will fail, as you can see on the screenshot attached ("PackageNameBroken.png").
- Select Scripts tab
- Check postflight script, choose the selected script file as per 1.2 below
- Add "Traps.pkg" and "Config.xml" to additional resources
- You can edit the others tab if wanted, although not required
- Build
- Package is ready on the project folder
- You can upload the package to the macOS deployment applications

1.2. Script file:
- Script will just point to the package to install, the sub-package embedded inside the main package, "Traps.pkg"
- No file extension
- TextEdit.app cannot be used to create or edit the file
- File content:
"#! /bin/sh

sudo installer -dumplog -verbose -pkg $1/Contents/Resources/Traps.pkg -target /"
- Open terminal
- Run command "vi postflight"
- Editor opens with new created file
- Press G (uppercase G)
- Press A (uppercase A)
- Paste file content
- Press escape
- Type ":wq" (write and quit)
- Script is created
- Run command "sudo chmod 777 postflight" and enter password
- This will give the file run permissions


2.1. Apple Remote Desktop copy + UNIX features:
- Copy "Traps.pkg" and "Config.xml" and script to a location on all needed endpoints
- Should be possible to place them on a folder and copy the folder with the 3 files
- Run the UNIX Command to all needed endpoints
- Command is "sudo ./postflight"

2.2. Script file:
- Script will install "Traps.pkg"
- No file extension
- TextEdit.app cannot be used to create or edit the file
- File content:
"#! /bin/sh

sudo installer -dumplog -verbose -pkg ./Traps.pkg -target /"
- Open terminal
- Run command "vi postflight"
- Editor opens with new created file
- Press G (uppercase G)
- Press A (uppercase A)
- Paste file content
- Press escape
- Type ":wq" (write and quit)
- Script is created
- Run command "sudo chmod 777 postflight" and enter password
- This will give the file run permissions


Scripts:
Scripts for case 1 and 2 are attached for reference, file named "Scripts.zip". please feel free to modify or create yours if needed.


Video:
A video recording of the full tutorial following the instructions exactly as detailed above is attached to this article, file named "TrapsMacOsPackagingIceberg.mp4". This might help to clarify any doubts or follow the procedure more closely.

Additional Information
Note:
Please note that Palo Alto Networks does not enforce any specific software distribution tool, and it's each customer's decision to opt for the best tool for their environment. We provide the installation package and the config XML file, and with this data you can do everything that is needed to install Traps.

Palo Alto Networks engineers are not expected or required to hold knowledge on how every software distribution tool works, since we don't support any 3rd party products.  That said, each customer should be responsible for the decisions in terms of the deployment solutions and related implementations. 


Package Definition:
Package is a file system directory abstraction. We can also define it as a container that encapsulates all the daemons, kexts (short for kernel extension, aka kernel drivers in Windows), config files, launching agents and daemons, any direct dependencies (libraries) and possible needed scripts for pre or post installation.

- Additional information on macOS packages @ https://en.wikipedia.org/wiki/Package_(macOS)
- Additional information on encapsulation @ https://en.wikipedia.org/wiki/Encapsulation_(computer_programming)


As a learning experience:
- Grab any macOS package file (*.pkg)
- Rename it to *.zip
- Extract it to some location/folder
- You will probably see a single extracted file named "Payload~" or "Payload". Maybe not, and you will see another package files (*.pkg) and config files (*.xml), etc - which is the exact kind of package embedding we did to resolve this initial problem described on this KB. It that is the case, start the procedure again on new packages.
- Once again rename "Payload~" to "Payload.zip" and extract it again
- You will probably see now the files mentioned above that are the content of the application. You might also see directly the application (*.app)
- On some cases you might have to repeat the renaming and extraction process 1 or 2 more times depending on the level of the encapsulation donr


About Iceberg:
(extracted from their official website @ http://s.sudre.free.fr/Software/Iceberg.html)

Iceberg is an Integrated Packaging Environment (IPE) that allows you to create packages or metapackages conforming to the Mac OS X specifications.
With Iceberg, you can quickly create your installation packages using a graphic user interface similar to your favorite development tools.
Iceberg can also be useful for Administrators who want to gather in a metapackage numerous packages for remote distribution via Apple Remote Desktop.

- Additional information on Iceberg @ http://s.sudre.free.fr/Software/documentation/Iceberg/English.lproj/documentation/index.html
- Screenshots of all the application's views @ http://s.sudre.free.fr/Software/Iceberg.html

@poliveira : 2nd Option ist working for us for MacOS up to Version 11. Awesome, Thank You!

But i try to figure out how does it work with the 1st Option "Packages". I spend a lot of days for trying but it doesn´t work with packages. I am a rookie in Packages, maybe i make mistakes but i tried to mirrow the stuff from the tutorial Iceberg to packages.

Please, would you be so kind and give a step by step Introduction for "Deploy Cortex XDR agent for macOS with Packages for Intune"? I think a lot of people will be very thankfull for that help. 

Thanks and many Greetings!

Sebastian