Deploying XDR Agent for Mac with InTune

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Deploying XDR Agent for Mac with InTune

L0 Member

Hi all,

 

We're trying to bring our few Macs into the systems management fold, and being a Microsoft shop we want to use InTune to manage them.

 

Most Mac packages install files and then are configured in a separate set of commands after install. The XDR Mac client needs the config.xml file in place beside the Cortex XDR.pkg file when installing. I've tried creating a package (using the 'Packages' app) with the xml and pkg files in it and then running a postinstall script as part of that package to kick off the Cortext install using 'installer' as a bash command - but although the files get deployed the Coretex client never gets installed.

 

Am I going about this the wrong way? Is there a way of modifying the Coretex XDR.pkg file to embed the Config.xml bits inside it so I can just deploy that package directly?

 

Has anyone successfully deployed this client using InTune?

 

Any help would be gratefully received.

 

Mark.

1 accepted solution

Accepted Solutions

Hi Mark,

 

That is completely understandable! I am glad to hear that you were able to install the Cortex XDR Agent without InTune successfully. Let's hope that someone comments soon with a solution from their experiences.

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events!

*Cortex XDR Customer Corner: https://live.paloaltonetworks.com/t5/cortex-xdr-customer-corner/ct-p/Cortex_XDR_Customer_Corner

Join our Cortex XDR Office Hours to receive live guidance and training from our Customer Success Architects.

*Cortex XDR Office Hours [NAM]: https://paloaltonetworks.zoom.us/webinar/register/3316669859020/WN_yMpAB-aBTt6xk2h-gsra4w
*Cortex XDR Office Hours [EMEA/APAC]: https://paloaltonetworks.zoom.us/webinar/register/4116709604301/WN_CZuFE5CHQbG9LUEqugsIOw

View solution in original post

13 REPLIES 13

L4 Transporter

Hi Mark,

I would start by confirming that the Mac endpoint meets the Mac requirements. Also, confirm that the MacOS version is compatible with the version of Cortex XDR Agent installed by viewing this Compatibility Matrix

Assuming that your device meets the requirements, the installation logs would be needed to determine why the installation is failing. Depending on your version of MacOS, that location could vary as listed below and documented here: Troubleshooting Resources for the Cortex XDR Agent for Mac

 

  • Mac OS X 10.10 and OSX 10.11—/var/log/traps/
  • macOS 10.12 and later releases—View logs from the Console application in /Library/Logs/PaloAltoNetworks/Cortex XDR/.

My recommendation would be to confirm that you are indeed meeting the requirements, as stated previously. And due to the sensitive nature of the logs on your system, the next step would be to open a case with Support at the Customer Support Portal so that they could further analyze the logs.

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events!

*Cortex XDR Customer Corner: https://live.paloaltonetworks.com/t5/cortex-xdr-customer-corner/ct-p/Cortex_XDR_Customer_Corner

Join our Cortex XDR Office Hours to receive live guidance and training from our Customer Success Architects.

*Cortex XDR Office Hours [NAM]: https://paloaltonetworks.zoom.us/webinar/register/3316669859020/WN_yMpAB-aBTt6xk2h-gsra4w
*Cortex XDR Office Hours [EMEA/APAC]: https://paloaltonetworks.zoom.us/webinar/register/4116709604301/WN_CZuFE5CHQbG9LUEqugsIOw

Thanks for the reply, but I don't have a problem with the client not installing correctly if I run it manually, it's more about how I can deploy it.

 

The deployment within InTune allows me to deploy a single .pkg file, and if I deploy the standard Cortex XDR.pkg file in that way it installs fine, but can't connect as it has no config. I can't deploy the Config.xml file alongside the .pkg file when done like that.

 

So I tried to package up the Cortex XDR.pkg and the corresponding Config.xml into  another package using the Packager app, and have a postinstall.sh file which runs the installer command line to kick off the installation of the Cortex XDR.pkg file now that it will have the Config.xml file with it - but that's not working at present - and I'm not sure why.

 

What I was aksing was if there's a way to embed the config info into the pkg file directly rather than needing to have the Config.xml file, as then I could use the single .pkg file and it should just work.

 

The documentation for deploying the Mac client shows either the manual installation, of for the Jamf deployment shows how to set up the extension policy, but nothing else - so I'm a bit in the dark about if I'm even trying to do this right. I've learnt more than I ever wanted to know about Mac packaging in the last week and am really none the wiser 🙂

 

Hoping someone else on here has already been through this pain and has a simple method to get it working.

 

Cheers,

 

Mark.

 

Hi Mark,

 

That is completely understandable! I am glad to hear that you were able to install the Cortex XDR Agent without InTune successfully. Let's hope that someone comments soon with a solution from their experiences.

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events!

*Cortex XDR Customer Corner: https://live.paloaltonetworks.com/t5/cortex-xdr-customer-corner/ct-p/Cortex_XDR_Customer_Corner

Join our Cortex XDR Office Hours to receive live guidance and training from our Customer Success Architects.

*Cortex XDR Office Hours [NAM]: https://paloaltonetworks.zoom.us/webinar/register/3316669859020/WN_yMpAB-aBTt6xk2h-gsra4w
*Cortex XDR Office Hours [EMEA/APAC]: https://paloaltonetworks.zoom.us/webinar/register/4116709604301/WN_CZuFE5CHQbG9LUEqugsIOw

L0 Member

Hi Mark,

 

Did you manage to install using intune with the config file?

 

Regards,

Hitesh

L0 Member

Also having the same issue - documentation is just covering the extension portion and not the package/xml files. 

 

What's the right solution here? I've currently got agents installed with error code 307, can't connect. 

L0 Member

Hi 

Did someone try to use ICEBERG?

1. We are aware that in terms of package deployment these applications only support packages (*.pkg) and metapackages (*.mpkg)There is a constraint here, but we can be work around that taking advantage of how packages work on macOS system (see additional information section for package definition)
2. We are also aware that some applications, such as Apple Remote Desktop for instance (there may be others), also have the capabilities of copying files and running UNIX commands targeting multiple machines, which can also be leveraged to workaround the problem

- Both packages and metapackages support containing multiple embedded packages inside the main package
- This allows us to create a new package, that will contain both "Traps.pkg" and "Servers.xml"/"Config.xml" inside a single container
- Deployment of the package to your entire macOS environment on a simple package is possible in this way
- Several package creation applications for macOS are available that will facilitate this process.
- "Iceberg" application was chosen for this reference documentation, as it's free (and with BSD license)
- Other applications can be used as PackageMaker or any other at your disposal

1.1. Create new package:
- Install Iceberg and open the application
- Create new project
- Select Darwin package
- Give name to the project
NOTE: project name (which later will be the package name) cannot have spaces in it. Packages with empty spaces do not work and will fail, as you can see on the screenshot attached ("PackageNameBroken.png").
- Select Scripts tab
- Check postflight script, choose the selected script file as per 1.2 below
- Add "Traps.pkg" and "Config.xml" to additional resources
- You can edit the others tab if wanted, although not required
- Build
- Package is ready on the project folder
- You can upload the package to the macOS deployment applications

1.2. Script file:
- Script will just point to the package to install, the sub-package embedded inside the main package, "Traps.pkg"
- No file extension
- TextEdit.app cannot be used to create or edit the file
- File content:
"#! /bin/sh

sudo installer -dumplog -verbose -pkg $1/Contents/Resources/Traps.pkg -target /"
- Open terminal
- Run command "vi postflight"
- Editor opens with new created file
- Press G (uppercase G)
- Press A (uppercase A)
- Paste file content
- Press escape
- Type ":wq" (write and quit)
- Script is created
- Run command "sudo chmod 777 postflight" and enter password
- This will give the file run permissions


2.1. Apple Remote Desktop copy + UNIX features:
- Copy "Traps.pkg" and "Config.xml" and script to a location on all needed endpoints
- Should be possible to place them on a folder and copy the folder with the 3 files
- Run the UNIX Command to all needed endpoints
- Command is "sudo ./postflight"

2.2. Script file:
- Script will install "Traps.pkg"
- No file extension
- TextEdit.app cannot be used to create or edit the file
- File content:
"#! /bin/sh

sudo installer -dumplog -verbose -pkg ./Traps.pkg -target /"
- Open terminal
- Run command "vi postflight"
- Editor opens with new created file
- Press G (uppercase G)
- Press A (uppercase A)
- Paste file content
- Press escape
- Type ":wq" (write and quit)
- Script is created
- Run command "sudo chmod 777 postflight" and enter password
- This will give the file run permissions


Scripts:
Scripts for case 1 and 2 are attached for reference, file named "Scripts.zip". please feel free to modify or create yours if needed.


Video:
A video recording of the full tutorial following the instructions exactly as detailed above is attached to this article, file named "TrapsMacOsPackagingIceberg.mp4". This might help to clarify any doubts or follow the procedure more closely.


Additional Information
Note:
Please note that Palo Alto Networks does not enforce any specific software distribution tool, and it's each customer's decision to opt for the best tool for their environment. We provide the installation package and the config XML file, and with this data you can do everything that is needed to install Traps.

Palo Alto Networks engineers are not expected or required to hold knowledge on how every software distribution tool works, since we don't support any 3rd party products.  That said, each customer should be responsible for the decisions in terms of the deployment solutions and related implementations. 


Package Definition:
Package is a file system directory abstraction. We can also define it as a container that encapsulates all the daemons, kexts (short for kernel extension, aka kernel drivers in Windows), config files, launching agents and daemons, any direct dependencies (libraries) and possible needed scripts for pre or post installation.

- Additional information on macOS packages @ https://en.wikipedia.org/wiki/Package_(macOS)
- Additional information on encapsulation @ https://en.wikipedia.org/wiki/Encapsulation_(computer_programming)


As a learning experience:
- Grab any macOS package file (*.pkg)
- Rename it to *.zip
- Extract it to some location/folder
- You will probably see a single extracted file named "Payload~" or "Payload". Maybe not, and you will see another package files (*.pkg) and config files (*.xml), etc - which is the exact kind of package embedding we did to resolve this initial problem described on this KB. It that is the case, start the procedure again on new packages.
- Once again rename "Payload~" to "Payload.zip" and extract it again
- You will probably see now the files mentioned above that are the content of the application. You might also see directly the application (*.app)
- On some cases you might have to repeat the renaming and extraction process 1 or 2 more times depending on the level of the encapsulation donr


About Iceberg:
(extracted from their official website @ http://s.sudre.free.fr/Software/Iceberg.html)

Iceberg is an Integrated Packaging Environment (IPE) that allows you to create packages or metapackages conforming to the Mac OS X specifications.
With Iceberg, you can quickly create your installation packages using a graphic user interface similar to your favorite development tools.
Iceberg can also be useful for Administrators who want to gather in a metapackage numerous packages for remote distribution via Apple Remote Desktop.

- Additional information on Iceberg @ http://s.sudre.free.fr/Software/documentation/Iceberg/English.lproj/documentation/index.html
- Screenshots of all the application's views @ http://s.sudre.free.fr/Software/Iceberg.html

@MMoskovich next time, please quote your sources.

Traps macOS Deployment: How to Build Custom Packages for Microsoft InTune, AirWatch, Apple Remote De... 

 

Iceberg is no longer supported on new macOS versions, but there are other apps out there like "Packages" that work similarly. A 2nd option is to deploy only the package and then push a script that will connect the agents to the right tenant:

echo Password1|/Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool reconnect force <packageDistributionID>; sleep 5; /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool checkin

 

L0 Member

@poliveira : 2nd Option ist working for us for MacOS up to Version 11. Awesome, Thank You!

But i try to figure out how does it work with the 1st Option "Packages". I spend a lot of days for trying but it doesn´t work with packages. I am a rookie in Packages, maybe i make mistakes but i tried to mirrow the stuff from the tutorial Iceberg to packages.

Please, would you be so kind and give a step by step Introduction for "Deploy Cortex XDR agent for macOS with Packages for Intune"? I think a lot of people will be very thankfull for that help. 

 

Thanks and many Greetings!

Sebastian

Hey all,

I have the same problem.
It would be nice if there were such detailed instructions.

Greetings

Philipp

L0 Member

Hey all,

I have the same problem.
It would be nice if there were such detailed instructions.

L0 Member

Has anyone managed to install using intune or not? If so, please tell me how.

@poliveira - thanks for this solution- is there any plan to add this string to the package .plist file? Seems like that would be the easiest way to fix this ongoing issue.

Ok I was able to this by creating a .DMG from .pkg and config.xml using disk utility- then push via Intune along with script to install pkg from mounted DMG. (replace path with actual path and name of file) 

#!/bin/bash

# Path to the mounted DMG volume
MOUNT_POINT="/Volumes/cortex XDR"

# Check if the DMG is mounted
if [ ! -d "$MOUNT_POINT" ]; then
echo "DMG is not mounted."
exit 1
fi

echo "DMG mounted at $MOUNT_POINT"

# Path to the .pkg file inside the mounted DMG
PKG_PATH="$MOUNT_POINT/Cortex XDR.pkg"

# Install the package
sudo installer -pkg "$PKG_PATH" -target /

# Check if the installation was successful
if [ $? -eq 0 ]; then
echo "Cortex XDR installed successfully."
else
echo "Installation failed."
fi  

  • 1 accepted solution
  • 14225 Views
  • 13 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!