Topics on this page
Use deployment scripts to add and protect computers
Adding a computer to your list of protected resources in Workload Security and implementing protection is a multi-step process. You can perform most of these steps from the command line which means you can use a script. The Workload Security console contains a deployment script writing assistant which you can accessed from the Support menu.
The deployment scripts generated through Workload Security do the following:
-
Install the agent on a chosen platform
-
Activate the agent
- Assign a policy to the agent
Generate a deployment script
The generated deployment script changes depending on your region, so you can not use the same deployment scripts across regions.
- Before you begin, ensure the following:
a. You configured your agent version control settings. See Configure agent version control for details.
b. You have enabled agent-initiated activation (AIA). It is required if you want your deployment script to activate the agent after installation. See Activate and protect agents using agent-initiated activation and communication for details. - In the upper right corner of the Workload Security console, click Support > Deployment Scripts.
- Select the platform on which you are deploying the software.
- Select Activate agent automatically after installation.
Agents must be activated before you apply a policy to protect the computer. Activation registers the agent with the manager during an initial communication. - Optionally, select the Security Policy, Computer Group, Relay Group, Proxy to contact Workload Security, and Proxy to contact Relay(s).
- Optionally (but recommended), select Validate Workload Security TLS certificate.
Selecting this option ensures that Workload Security uses a valid transport layer security (TLS) certificate from a trusted certificate authority (CA) when downloading the agent software. This can help prevent a man-in-the-middle attack. You can check whether Workload Security is using a valid CA certificate by looking at the browser bar in the Workload Security console. - Optionally (but recommended), select Validate the signature on the agent installer to have the deployment script initiate a digital signature check on the agent installer file. If the check is successful, the agent installation proceeds. If the check fails, the agent installation is aborted. Before you enable this option, consider the following:
- This option is only supported for Linux and Windows installers (RPM, DEB, or MSI files), and macOS (PKG files).
- On Linux, this option requires that you import the public signing key to each agent computer where the deployment script will run. For details, see Check the signature on an RPM file and Check the signature on a DEB file.
- The deployment script generator displays the script. Click Copy to Clipboard and paste the deployment script in your preferred deployment tool, or click Save to File.
The deployment scripts generated by Workload Security for Windows agent deployments require Windows PowerShell version 4.0 or later. You must run PowerShell as an Administrator and you may have to run the following command to be able to run scripts: Set-ExecutionPolicy RemoteSigned
- Linux: Remove the --tls1.2 tag.
- Windows: Remove the #requires -version 4.0 line. Also remove the [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; line so that early TLS (version 1.0) is used to communicate with the manager.
If you are using Amazon Web Services and deploying new Amazon EC2, Amazon WorkSpace, or VPC instances, copy the generated script and paste it into the User Data field. This lets you launch existing Amazon Machine Images (AMIs) and automatically install and activate the agent at startup. The new instances must be able to access the URLs specified in the generated deployment script.
When copying the deployment script into the User Data field for a Linux deployment, copy the deployment script as-is into the User Data field and CloudInit will execute the script with sudo. If there are failures, they are noted in /var/log/cloud-init.log
.
The User Data field is also used with other services such as CloudFormation. For more information, see AWS CloudFormation: WaitCondition.
Troubleshooting and tips
- If you are attempting to deploy the agent from PowerShell (x86), you can receive the following error :
C:\Program Files (x86)\Trend Micro\Deep Security Agent\dsa_control' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
The PowerShell script expects the environment variable forProgramFiles
to be set to theProgram Files
folder, as opposed toProgram Files (x86)
. To resolve the issue, close PowerShell (x86) and run the script in PowerShell as an administrator. - The deployment script can be modified to perform agent updates instead of new installs by changing the
rpm -ihv
torpm -U
. - If there is a need to control the specific agent version used by the deployment scripts there are two options to meet this goal:
- Use agent version control. See Configure agent version control for details. This approach has the advantage that you do not have to hard-code the agent version itself into each script which can be a more flexible approach for some deployments.
- Either modify the deployment script, or write your own scripts, to meet requirements specific to your deployment. Details on the URL format to download agents can be found here URL format for download of the agent.
- Instead of using the deployment scripts generated by the manager, you can use your own automation method coupled with an agent download URL to automate the download and installation of the agent. For details, see URL format for download of the agent.