Updating Cortex Agent by MDM

Automating Cortex XDR agent upgrades effectively involves balancing initial deployment via MDM with the native automated lifecycle management capabilities of the Cortex XDR console.

1. Best Practices for Large-Scale Agent Upgrades via MDM:

The recommended approach for large environments is to use your MDM (e.g., Intune, Jamf) primarily for the initial baseline installation. Once the agent is installed and communicating with the console, rely on the native Agent Auto-Upgrade policy for ongoing version management.

Native Auto-Upgrade:
This is the most efficient method because it removes the need to continuously create new MDM packages or update application detection rules for every minor release.

Phased Rollout Strategy:
Regardless of the deployment method, use a gradual rollout:

• Control Group: Diverse, low-risk endpoints (about 1 week of testing)
• Initial Wave: ~10% of endpoints (medium risk)
• Broad Waves: Expand to 40%, then 80%, and finally 100%

2. Handling Tamper Protection During Automated Upgrades:

Console-led Upgrades:
When upgrades are initiated from the Cortex XDR console, tamper protection (SPROT) is automatically handled during the process.

MDM/Script-led Upgrades (Windows):
If performing upgrades via MDM or scripts, you must explicitly disable tamper protection using the uninstall password before running the installer:

ECHO [AGENT_UNINSTALL_PASSWORD] | "C:\Program Files\Palo Alto Networks\Traps\cytool.exe" protect disable
msiexec /i cortexxdr_x64.msi /qn /l*v C:\XDRtemp\XDRupgrade.log

Linux:
Running the installer script with sudo or as root handles the upgrade automatically without manual tamper protection steps.

3. Optimizing Bandwidth Usage:

To avoid network congestion during large-scale upgrades:

Download Source Priority:
Configure agent settings to prioritize internal sources such as Peer-to-Peer (P2P) or Broker VM before reaching out to the cloud.

Global Upgrade Scheduler:
Use centralized controls to:

• Limit the number of parallel upgrades (typically 500–2000 depending on version)
• Restrict upgrades to specific time windows (minimum 4-hour window)

Distribution Packages:
When downloading installers for MDM deployment, use distribution packages that include both the MSI and the latest content. This reduces the bandwidth spike immediately after installation.

4. Broker Association and Installer Behavior:

Broker Association:
You can assign or update proxy/broker settings directly from the console by selecting endpoints and applying agent proxy configurations.

Installer Behavior:
Palo Alto Networks provides an MSI installer for Windows. This single package functions as both a fresh install and an upgrade when executed on a system with an existing agent.

(Important Considerations)

End-of-Life (EOL) Agents:
Upgrading from very old versions (such as 7.x to 8.x) may not support direct in-place upgrades. In such cases, uninstalling the old agent and performing a clean installation is recommended.

MDM Detection Rules:
When deploying upgrades through MDM, ensure detection rules (e.g., MSI Product Code) are updated to match the new version. Otherwise, the MDM may repeatedly attempt to reinstall older versions.