Silently Install Cylance Protect with LANDESK Management Suite

Overview

Cylance Protect is a next generation anti-virus product and seems to be taking the OS X world by storm.  The product marketing aspect verbiage states Cylance “blocks threats in real time BEFORE they ever cause harm.”

As a result of Cylance’s success, I’ve recently received a number of requests from customers asking how they can silently install the product with their specific, company-unique token.

Luckily, accomplishing  a silent install of Cylance Protect is a fairly simple process.  I’ve written a basic script that will accomplish the task for you.  One particular customer sent a reply back to me after using this script, stating the “Cylance deployments went great!!!”  Hopefully your deployments can go as smooth as theirs.

Furthermore, because this script leverages the LANDESK SDClient tool for the download,  you will still benefit from bandwidth controls and  you’ll be able to leverage the peer sharing if your store your package file into the sdcache folder.

For simplicity, I’ve chosen to write my package to the same folder as where I’ll write my token file.  Because the token file can be read with any text editor, I’ve chosen to store my data in a private folder; which means I will only benefit from LANDESK’s bandwidth controls, but I figured it was a good tradeoff for me.  I just didn’t want to put the license key into a folder that people might be accustom to look at.

Cylance Protect Script

Break out your favorite Text Editor (TextWrangler or XCode is what I use) and let’s get started.  I’ll break the script down into sections for easy understanding.  The first part of the script contains your obligatory declaration indicating it’s a shell script as well as some comments as to what I named the script, when I created the script and what it does. Besides the very first line, everything is optional.

#!/bin/sh
#  CylanceSilentInstall.sh
#  Created by Bennett Norton on 8/30/16.
#  This script will copy a file from the source destination and place it on the Mac into the destination folder

The next part is where you’ll set the variables used throughout the script.  You’ll need to supply the custom Cylance token, the package name, the location of where the package will be stored on your HTTP share and the location to where you’ll want to store the package and Cylance token on the client.

It’s likely that you’ll be able to leave the cylancePackageName and cylancePackageAndTokenDestination variables as is, only modifying the cylanceToken and cylancePackageLocation variables.  Just repalce the text betweent the quotes.

#Script Variables
#change these variables to match your token and desired destination paths

cylanceToken="cylanceCustomToken"
cylancePackageName="CylancePROTECT.zip"
cylancePackageLocation="http://ldserver.ldlab.org/SoftwareDist/MacPackages/Cylance/"
cylancePackageAndTokenDestination="/private/tmp/Cylance"

The next section of the script detects if the folder for where we will store the package file on the client exists and if it does not, creates it.  You may want to enhance this part of the script on your own to delete any files inside if it does exist, I have not added that in, but it may be a good idea.

#Check to see if destination exists and if not, create it

if [ ! -d "$cylancePackageAndTokenDestination" ]; then
echo "Location doesn't exist.  Creating directory"
mkdir $cylancePackageAndTokenDestination
echo "$cylancePackageAndTokenDestination created"
fi

You shouldn’t need to adjust anything within the next phase of this script.  This step is simply creating an output file of the token to be used during the install.

#Output token to file
#You shouldn't need to make any changes here

echo "$cylanceToken" > "$cylancePackageAndTokenDestination/cyagent_install_token"

The next step within our script is to download the installer package.  This piece is specifically tailored to LANDESK Management Suite and uses SDClient as the downloader.  If you don’t have LANDESK Management Suite, alter this part of the script to use CURL.

#Download package installer

/Library/Application\ Support/LANDesk/bin/sdclient -noinstall -package "$cylancePackageLocation/""$cylancePackageName" -destdir "$cylancePackageAndTokenDestination"

We now need to unzip the package file and install the package using OS X commands, which means this code is generic, not specific to LANDESK Management Suite.

#unzip package installer

unzip "$cylancePackageAndTokenDestination/""$cylancePackageName" -d "$cylancePackageAndTokenDestination"

#Install Cylance

sudo installer -pkg /private/tmp/Cylance/CylancePROTECT.pkg -target /

Finally, let’s clean up after ourselves.  The final command in our script will delete the entire /tmp folder.  

#Delete Cylance folder

rm -rf "$cylancePackageAndTokenDestination"

As I mentioned with the folder detection, you may want to do some detection logic to see if the application exists in the Application folder prior to deleting the folder, that’s up to you.

And that’s it, you now have a fully functioning script you can use to silently deploy Cylance Protect in your environment.  For ease in the copy and paste process, here is the entire script.

#!/bin/sh
#  CylanceSilentInstall.sh
#  Created by Bennett Norton on 8/30/16.
#  This script will copy a file from the source destination and place it on the Mac into the destination folder


#Script Variables
#change these variables to match your token and desired destination paths

cylanceToken="cylanceCustomToken"
cylancePackageName="CylancePROTECT.zip"
cylancePackageLocation="http://ldserver.ldlab.org/SoftwareDist/MacPackages/Cylance/"
cylancePackageAndTokenDestination="/private/tmp/Cylance"

#Check to see if destination exists and if not, create it

if [ ! -d "$cylancePackageAndTokenDestination" ]; then
echo "Location doesn't exist.  Creating directory"
mkdir $cylancePackageAndTokenDestination
echo "$cylancePackageAndTokenDestination created"
fi

#Output token to file
#You shouldn't need to make any changes here

echo "$cylanceToken" > "$cylancePackageAndTokenDestination/cyagent_install_token"

#Download package installer

/Library/Application\ Support/LANDesk/bin/sdclient -noinstall -package "$cylancePackageLocation/""$cylancePackageName" -destdir "$cylancePackageAndTokenDestination"

#unzip package installer

unzip "$cylancePackageAndTokenDestination/""$cylancePackageName" -d "$cylancePackageAndTokenDestination"

#Install Cylance

sudo installer -pkg /private/tmp/Cylance/CylancePROTECT.pkg -target /

#Delete Cylance folder

rm -rf "$cylancePackageAndTokenDestination"

At this point, you need to save your file to an OS X machine, if you’re not already on a Mac. Make sure your file extension is .sh as well, I saved mine as CylanceSilentInstall.sh.

After your shell script is saved, you then need to open up Terminal and give the script execute permissions.  Don’t skip this step or your script will not execute when using LANDESK.  Once Terminal is open, run the following command:

chmod +x /path/to/your/script/name.sh

You should now be able to test your script manually.  Find a test machine or VM, if the Mac you’re using is not viable, open Terminal on it and run the following command:

sudo /path/to/your/script/name.sh

Assuming all goes well and Cylance Protect installs, you’re ready to zip up your script and copy it to your HTTP package share.  Now you just need to build a LANDESK Mac package and deploy the package to your target machines.

Create a LANDESK Mac Software Package

  1. Open the LANDESK Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages.
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. On the Distribution menu bar, press the New Package button and select New Macintosh Package.
  5. Give the package a name
  6. Provide a description as well as any metadata information desired
  7. Set the primary file to the zip file you previously transferred to your software distribution folder
  8. Fill out the Metadata details if desired, specifically supplying a logo so it shows up properly in the portal
  9. Save the package

Create a Scheduled Mac Software Distribution Task

  1. Right click on the Mac software distribution package created and select Create Scheduled Task
  2. From the network view, select and drag the desired machine(s), user(s) or query(ies) and drop them onto the task
  3. Now, right click on the task and select properties
  4. Set the desired Task type under Task Settings as to whether you want a push, a policy or a hybrid of the two types in a policy-supported push
  5. Set the radio button in the Portal Settings to either Recommended or Optional if you desire to put the package into Workspaces.  If you’d like to automatically deploy the app, select Run automatically
  6. Change the Reboot Settings or Distribution and Patch settings if desired
  7. Set the schedule task settings with the appropriate start time

 

 

 

LANDESK Mac Management Part 10 : Provision a Non-Managed Machine

In the 10th and final part of the LANDESK Mac Management video series, I’ll show you how to add a “bare metal” record into the LANDESK console so that you can target your Provisioning Template created in the 9th video to a machine not currently being managed by LANDESK.  This is a good example of what you could do when you buy a new machine and want to deploy an image to it.

In my example template, I will deploy my latest El Capitan image built with AutoDMG, I’ll deploy TextWrangler, I’ll apply a configuration profile to adjust the Doc and to bind the machine to my domain, I’ll also name the machine and enable Core Storage.  All of this is done with my template, which specifies in which order they are applied.

Also, by way of note, the process to target a managed device inside of LANDESK is very similar to what is shown in this video, you simply need to drag the machine from your All Devices list as opposed to using the bare metal machine method.

LANDESK Mac Management Part 9: Creating an OS X Provisioning Template

In part 9 of the LANDESK Mac Management video series, we more or less get to bring together everything we’ve done up to this point, agent deployment, software deployment, configuration profile deployment which can include binding the machine to the domain , patch deployment and even FileVault deployment; all in a chained template experience when we provision a new device.

I created slides for our Interchange event explaining each step of the provisioning template build process, available here, but for many of you, the video below may be more beneficial.

LANDESK Mac Management Part 8: Building a Gold Image using AutoDMG

In part 8 of the LANDESK Mac Management video series, we’ll download a couple of freeware utilities to assist us in creating a gold image for Provisioning.  The first tool we’ll use is AutoDMG.  This is an image builder tool created by Per Olofsson and can be downloaded from https://github.com/MagerValp/AutoDMG/releases.  AutoDMG builds an actual image file directly from an OS X installer, precluding the need to build out an actual machine and capture the image from it.  There are a lot of benefits in going with this approach and is our recommended approach at LANDESK.

Furthemore, AutoDMG, as part of the build process, allows you to bundle in deployment packages as well.  While LANDESK recommends that you exclude bundling software packages directly into your image in most scenarios, there are a couple of configuration packages you may want to bundle in order to make the provisioning process more streamlined.  One of those packages might be the creation of an admin account and setting it to auto-login.  CreateUserPKG, again another utility written by Per Olofsson, is one I recommend.  The video walks you through creating an admin account and setting it to autologin.  See http://magervalp.github.io/CreateUserPkg/ for the utility download.

You may also want to track down other configuration packages to assist you as well, such as Rich Trouton’s recommendations on disabling Apple’s Diagnostics and Usage utility (https://derflounder.wordpress.com/2014/11/21/controlling-the-diagnostics-usage-report-settings-on-yosemite/)  or the iCloud confirmation window (https://derflounder.wordpress.com/2014/10/16/disabling-the-icloud-and-diagnostics-pop-up-windows-in-yosemite/).

 

LANDESK Mac Management Part 7: Building a NetBoot Image for OS Deployment

In part 7 of the LANDESK Mac Management video series, we’ll prepare for an operating system deployment by creating a NetBoot image, the equivalent of a WinPE image for the Windows world, to boot the OS X devices into a pre-boot environment.  The video will demonstrate how to use Apple’s System Image Utility and LANDESK’s Startup Disk Stamper to accomplish this task.

 

 

 

LANDESK Mac Management Part 6: Create and Deploy an OS X Upgrade Package

In part 6 of the LANDESK Mac Management video series, I discuss how to use a freeware utility called CreateOSXInstallPkg, available at https://github.com/munki/createOSXinstallPkg, to build an upgrade package that can be easily deployed with LANDESK Management Suite 2016.  While this can be done as a required package, this video will walk through the process using Workspaces; focussing in on the end user experience via a self-guided upgrade.

LANDESK Mac Management Part 5: FileVault Hard Drive Encryption and Key Management

In part 5 of this LANDESK Mac Management series, we’ll use Apple’s FileVault and a LANDESK Security Suite license to enable encryption on the hard drive as well as to collect the individual recovery key from the machine; storing that key in a unique database table on the core server independent from the computer record.

Note: This feature is only enabled with a LANDESK Security Suite license.

LANDESK Mac Management Part 4: Patching OS X and 3rd Party Applications

In part 4 of this LANDESK Mac Management series, we’ll demonstrate how you can patch the Mac OS, walking through the reboot process as well as patching 3rd party application titles on the machine; which typically don’t require a reboot to take place.