Aug 08 2019 08:27 AM
Aug 12 2019 11:11 AMSolution
We provide a silent installer which you can use to script it any which way (DSC, PowerShell, GPO, etc.):
DSC might be a bit tricky since the installer isn't an MSI so you wouldn't use that DSC function. But again, DSC can run any arbitrary command and we provide a CLI for the installer so it would be pretty straight forward.
It really depends on what your most comfortable with doing. Anything is possible :)
Oct 24 2019 01:24 AM
Hi, I am going to bump this because it's very relevant.
I am working on deploying AATP via DSC. I have the DSC Code written, almost.
Write-Verbose 'Checking for presence of AATP Sensor service'
Get-Service 'AATPSensor' -ErrorAction Stop
'Result' = 'installed'
'Result' = 'missing'
$state = [scriptblock]::Create($GetScript).Invoke()
if ($state['Result'] -eq 'missing')
Write-Verbose 'Azure ATP Agent is NOT installed'
Write-Verbose 'Azure ATP Agent is installed'
I know I can run the dot command to execute the silent installer. I am trying to work out the best way to host the Zip/Exe file. I would put it on a share but we have multiple domains and not everything trusts everything. I am considering hosting the file on an Azure Storage Account, but then need to manage SAS keys and at some point the current version will no longer work so that has to be managed.
I can output the JSON file contents as part of the script, that's no problem, is there a location I can grab the EXE from? When you click the download button in the portal, I am sure it will grab the exe from somewhere, add the JSON config to the Zip file then download it. Is it possible to download just the EXE file so that I can always ensure I am grabbing the latest release without needing to manage anything?
Oct 24 2019 01:57 AM
@Mark Lewis , No, the exe is not publicly exposed.
You can (theoretically) download the zip, but as you mentioned it's created on demand, and you will need to authenticate to the website as if you were logging into the workspace portal.
Oct 24 2019 02:05 AM
@Eli Ofek Thank you, is it possible to make it available to download publicly? Is there a way to request this? Or is there a reason I wouldn't be aware of that it can't be? I appreciate the JSON file is unique to environments but I'd be surprised if the EXE was compiled every time. How would the update service grab the agent to upgrade it? Wondering if I could use this method?
Oct 24 2019 02:12 AM
@Mark Lewis , The exe is not compiled on demand.
The update service is actually not using the exe, it grabs a cab file with a subset of the binaries it needs to update, which is also requires some sort of authentication, but it won't help you as you need to deploy for the first time, and that won't be enough.
We are actually working on refactoring the deployment, it will take time, and such request already exist from other customers, but I can't tell you when we will get to a point that it would be that easy.
Oct 24 2019 02:27 AM
@Eli Ofek Thank you again.
So secondary option is to put the EXE on a Azure Storage account and grab it from here, would there be any risk to having the EXE available publicly? Given that the tenant ID etc is in the JSON which wouldn't be public
Oct 24 2019 03:38 AM
@Mark Lewis The risk is for anyone who attempts to download and install it. once it leaves our servers we can't control it for tempering... if you decide to do so, at least try to protect it somehow with access keys, and check for signatures after download before applying it.
The exe itself is the same for everyone using the same version. no customer data is in there (unlike the zip).