Remotely Inject a CylancePROTECT License Token on macOS

Have you found that, after a seemingly random period of time following a CylancePROTECT deployment, your help desk starts receiving calls about CylancePROTECT not being licensed?

Well, you’re not the only one.

The client/server architecture of CylancePROTECT on macOS requires that the client machine check in on a periodic basis, or it will automatically “forget” its license key.

This behavior is great if the machine happens to be lost or stolen; however, if you have remote users who don’t frequently get on the network, having a machine forget its license is definitely not ideal.

Luckily, we can remotely inject the license key by using LANDESK Management Suite to deploy a little script that works the magic.  All remotely, might I add.  Neither you nor I want to touch every machine that needs an update.

Furthermore, this script would work if you find that your original license key was compromised and you need to replace it with a new one.

The script is fairly basic.  It stops the CylancePROTECT service, backs up the existing token XML file, injects the token into the XML, and restarts the service.  All you need to do in the script is replace the placeholder value “newCylanceCustomToken” (assigned to the newCylanceToken variable) with your actual token value.  You can download the script from my GitHub site or just create your own by copying and pasting from the script below.  Just remember to run chmod +x on your script if you make your own.

A special shout-out goes to Logrhythm SIEM for the assist on the sed portion of this script.

Once you have your script ready to go, compress it and copy it to your file share so you can create a LANDESK package and deploy it out.

CylancePROTECT Package Creation

  1. Open the LANDESK Management Suite Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages.
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. On the Distribution menu bar, press the New Package button and select New Macintosh Agent package.
  5. Give the package a name
  6. Provide a description as well as any metadata information desired
  7. Set the primary file to the script file you previously transferred to your package share
  8. Fill out the Metadata details if desired, specifically supplying a logo so it shows up properly in the portal
  9. Save the package

CylancePROTECT Package Deployment

  1. Right click on the Mac software distribution package created and select Create Scheduled Task
  2. From the network view, select and drag the desired machine(s), user(s) or query(ies) and drop them onto the task
  3. Now, right click on the task and select properties
  4. Under Task Settings, set the desired Task type: a push, a policy, or a hybrid of the two (a policy-supported push)
  5. Set the radio button in the Portal Settings to Run Automatically
  6. Change the Reboot Settings or Distribution and Patch settings if desired
  7. Set the schedule task settings with the appropriate start time


#!/bin/sh

# CylanceTokenReplacement.sh
# Created by Bennett Norton and Logrhythm SIEM on 10/20/16.
# This script will stop the Cylance service, replace the token file, and restart Cylance
# Must run as root: unloading a LaunchDaemon and editing values.xml under /Library require it

#Script Variable
#change the variable to match your token
newCylanceToken="newCylanceCustomToken"

#Don't change these variables
cylanceTokenLocation="/Library/Application Support/Cylance/Desktop/registry/LocalMachine/Software/Cylance/Desktop"
cylanceValuesXML="values.xml"
cylanceDaemon="/Library/LaunchDaemons/com.cylance.agent_service.plist"

#Refuse to run with the placeholder token still in place or without a values.xml to edit
if [ "$newCylanceToken" = "newCylanceCustomToken" ]; then
    echo "Set newCylanceToken to your real token before deploying this script" >&2
    exit 1
fi
if [ ! -f "$cylanceTokenLocation/$cylanceValuesXML" ]; then
    echo "values.xml not found at $cylanceTokenLocation" >&2
    exit 1
fi

#Stop the Cylance service
launchctl unload "$cylanceDaemon"

#Make a backup of the values.xml (values.xml.backup) and then edit it by adding the InstallToken key just before the closing </values> tag
sed -i.backup 's/<\/values>/<value name="InstallToken" type="string">'"$newCylanceToken"'<\/value><\/values>/g' "$cylanceTokenLocation/$cylanceValuesXML"

#Start the Cylance service
launchctl load "$cylanceDaemon"
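As an added example (not code from the original post, Cylance or LANDESK), a more defensive version of the sed step that also covers the token-replacement case mentioned earlier: it rewrites an existing InstallToken instead of adding a second one, checks the edit before the agent would be restarted, and restores the backup if the check fails. It assumes the values.xml layout the post's sed command targets and, for the demo, runs against a constructed temporary copy rather than the live file.

```shell
#!/bin/sh
# Added example, not part of the original post: idempotent InstallToken injection
# with a backup and a post-edit sanity check. Assumes the values.xml layout the
# post's sed targets: a <values> root holding <value name=".." type="string">..</value>
# elements. Uses portable sed (no -i) so it behaves the same on macOS and Linux.

# Escape the characters that are special in a sed replacement (& | \).
sed_escape() { printf '%s' "$1" | sed 's/[&|\\]/\\&/g'; }

# Print the current InstallToken value, or nothing if the key is absent.
cylance_token_value() {
    sed -n 's|.*<value name="InstallToken" type="string">\([^<]*\)</value>.*|\1|p' "$1"
}

# inject_cylance_token <values.xml> <token>: back the file up, then rewrite an
# existing InstallToken or insert one before </values>. Fails and restores the
# backup unless exactly one InstallToken is present afterwards.
inject_cylance_token() {
    xml="$1"; tok=$(sed_escape "$2")
    [ -f "$xml" ] || { echo "missing $xml" >&2; return 1; }
    cp -p "$xml" "$xml.backup" || return 1
    if grep -q 'name="InstallToken"' "$xml"; then
        # Replacing a token that is already present (e.g. a compromised one).
        sed 's|\(<value name="InstallToken" type="string">\)[^<]*\(</value>\)|\1'"$tok"'\2|' \
            "$xml" > "$xml.tmp"
    else
        # No token yet: insert it just before the closing tag, as the post does.
        sed 's|</values>|<value name="InstallToken" type="string">'"$tok"'</value></values>|' \
            "$xml" > "$xml.tmp"
    fi
    mv "$xml.tmp" "$xml"
    count=$(grep -o 'name="InstallToken"' "$xml" | wc -l | tr -d ' ')
    if [ "$count" != "1" ]; then
        cp -p "$xml.backup" "$xml"
        echo "expected one InstallToken, found $count; backup restored" >&2
        return 1
    fi
}

# Constructed sample values.xml (not a real Cylance file), written to <path>.
make_sample_values_xml() {
    printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<values>' \
        '<value name="ProductCode" type="string">EXAMPLE</value>' '</values>' > "$1"
}

# Stand-alone demo against a temporary copy, with a constructed token value.
demo_dir=$(mktemp -d)
make_sample_values_xml "$demo_dir/values.xml"
inject_cylance_token "$demo_dir/values.xml" "EXAMPLE-TOKEN-1" && cylance_token_value "$demo_dir/values.xml"
```

To use it in the post's script, drop the demo lines and call inject_cylance_token on "$cylanceTokenLocation/$cylanceValuesXML" between the launchctl unload and load steps, skipping the load if it returns non-zero.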

Set and Maintain a Desired Security State for MDM Managed Devices

LANDESK Management and Security Suite 2016.3 has mobile device management (MDM) built into its core functionality.  Once a device is enrolled, you’ll have access to apply a number of different “Agent Settings,” commonly known as Configuration Profiles in the Apple world.

LDMS 2016.3 has 4 out-of-the-box editable agent settings that can be built and assigned to a Mac or iOS device: Mobile Compliance, Mobile Connectivity, Mobile Exchange/Office 365 and Mobile Security.  You’ll find all of these profiles in the Agent Settings tool within the Configuration toolbar of the Management Suite console.

Mobile Compliance can be used to ensure the device’s integrity.  For example, you can enable a compliance rule to detect whether the device has been jailbroken and, if it has, choose to selectively wipe it, removing access to everything you’ve deployed to the device.

Mobile Connectivity is where you upload the certificates used to bind to WiFi, along with the settings the device needs to access your corporate WiFi.

Mobile Exchange/Office 365 should be self-explanatory.  Within this setting you’ll configure how your MDM devices access your corporate email.

Mobile Security has the real meat and potatoes of the agent settings.  You can set a password policy, restrict device functionality such as access to FaceTime, block access to the iTunes Store, set the accessible ranges for content and ratings, control the behavior of iCloud and even block Touch ID from unlocking the device.

Mix and match the agent settings as desired; when deploying them you do not need to employ a “one-size-fits-all” approach.  When you create your Agent Settings task, you can select one setting of each type to deploy, giving you a ton of available combinations of configurations.

Once you have all of your Agent Settings created as desired, just create a Change Agent Settings task and target your MDM devices.

  1. While still in the Agent Settings window, click on the Calendar/Clock icon (the second one in the menu bar) and then select Change Settings
  2. Give your task an appropriate name, I named mine “Passcode”
  3. Find the “Mobile …” entry in the list on the right-hand side of the panel and click on the corresponding Keep agent’s current settings area
  4. Find your newly created Mobile Agent Setting and select it
  5. Now set your desired Task Settings (policy, push, policy supported push) and desired portal settings (required, recommended, optional). I used a policy-supported push and required.
  6. Add in your Targets
  7. Schedule your Change Settings task

Once a device is added to a task and the task is started, every time the device “syncs” with the LANDESK Management Suite server it compares the scheduled tasks on the core against what it currently has applied and adds or removes profiles accordingly.  So don’t delete your task once you’ve successfully applied an agent setting; doing so would in effect tell LANDESK to remove the agent setting from the device the next time it syncs.

Remotely Enroll a macOS Device with LANDESK MDM

With the release of LANDESK Management Suite 2016.3, LANDESK can now manage a Mac using an MDM profile in addition to the traditional LANDESK agent.  One of the main benefits of enrolling the Mac with the MDM service, in addition to already having your regular agent installed, is that you’ll be able to push a VPP app to the Mac.

This post walks you through the process of creating a package to install the LANDESK MDM Enroller app on your Mac and then running a script to enroll the Mac with the MDM service.

Part 1 – Create a LANDESK MDM Enroller Bundle Package Folder

  1. Open the LANDESK Management Suite Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. Right click on the selected folder and click on New Package Bundle
  5. Provide your desired package bundle name, I used LANDESK MDM Packages

Part 2 – Create a LANDESK MDM Enroller Package

  1. Download the LANDESK MDM Enroller app from the Community page and copy it to your file share
  2. Right click on your package bundle, hover over New Macintosh Package and select Macintosh Agent
  3. Give the package a name
  4. Browse to the Enroller App file you previously saved and select it from within the Primary File window
  5. Provide a description and any metadata information if desired
  6. Save the package

Part 3 – Create the LANDESK Enrollment Script

The script is pretty basic: you just need to call the command line utility with -u for the username, -p for the password and -m for the enrollment server.  The script has been built with variables, so just adjust the variables and you’ll be set.

  1. On a Mac device, save the Enroller script from GitHub as a .sh file or use the script pasted at the bottom of the blog
  2. Open the .sh file with your text editor and edit the variables for the username, password and enrollment server
  3. Save the file
  4. Set the execute permissions by running chmod +x /script/path/name.sh
  5. Compress the .sh file
  6. Copy the .sh file to your package share

Note: The script is calling the command line utility built inside of the LANDESK MDM Enroller application.  That means that in order for this script to properly execute, the LANDESK MDM Enroller must already be installed.  To ensure this takes place, we are bundling the packages together and will tell LANDESK which package to execute first.

Part 4 – Create the Enrollment Script Package

  1. Right click on your package bundle again, hover over New Macintosh Package and select Macintosh Agent
  2. Give the package a name
  3. Browse to the zipped script file you previously copied to your package share and select it from within the Primary File window
  4. Provide a description and any metadata information if desired
  5. Save the package

Part 5 – Deploy the Enrollment Package Bundle

  1. Right click on your package bundle and select Properties
  2. Select the Bundle Package Settings from the menu tree
  3. Use the Up / Down buttons to make sure your packages are listed in the appropriate order, with the MDM Enroller app being first and the script being second; clicking Save when you’re finished
  4. Right click on the bundle package one final time and select Create Scheduled Task(s)…
  5. Right click on the newly created Scheduled Task and click on the Properties option
  6. Add your desired targets
  7. Set your desired Task and Portal settings
  8. Schedule the task

#!/bin/sh

#  mdmAutomaticEnrollment.sh
#  Created by Bennett Norton on 11/1/16.
#  This script will enroll a LANDESK Management Suite managed macOS device with an additional MDM profile for support with features like VPP

# NOTE: This script assumes the Mac to be enrolled with an MDM profile is currently under management within LANDESK Management Suite, with a valid agent, and that the Mac has already installed the LANDESK MDM Enrollment Application found at https://community.landesk.com/docs/DOC-42347


#Script Variables
#change the variables to match with a valid LANDESK Management Suite user, corresponding password and enrollment server URL.  The server URL format should be the fully qualified name of the Cloud Service Appliance / LANDESK Server name.

landeskUserAccount="landeskadmin"
landeskPassword="adminpassword"
enrollmentServerURL="fullyqualified.cloudserviceappliance.com/landeskServerName"


#The command line utility ships inside the LANDESK MDM Enroller app; fail clearly if that package has not been installed yet (the bundle order set in Part 5 is what guarantees it runs first)
enroller="/Applications/LANDESK MDM Enroller.app/Contents/MacOS/ldmdmenroll"
if [ ! -x "$enroller" ]; then
    echo "LANDESK MDM Enroller is not installed at $enroller" >&2
    exit 1
fi

#Enroll the managed Mac device with MDM

"$enroller" -u "$landeskUserAccount" -p "$landeskPassword" -m "$enrollmentServerURL"

Create and Deploy a VPP Software Package to a macOS or iOS Device

Creating and deploying a VPP software package to either a macOS or iOS device is a very simple process within LANDESK Management Suite 2016.3.  See the instructions below or watch the short video vignettes to be off and racing down the VPP software distribution track.

macOS VPP Package Creation and Deployment

  1. Open the LANDESK Management Suite Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages.
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. On the Distribution menu bar, press the New Package button and select Macintosh > Macintosh MDM
  5. Give the package a name
  6. Press the arrow button surrounded by the blue circle next to your Token alias
  7. Highlight the desired VPP app and hit the Select button – note only macOS apps will display in this window
  8. Save the package
  9. Right click on the resultant package and select Create Scheduled Task(s)…
  10. Add one or more macOS devices that have been enrolled with MDM
  11. Start the task


iOS VPP Package Creation and Deployment

The iOS package creation is nearly identical, so I won’t include screenshots in these steps.

  1. Open the LANDESK Management Suite Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages.
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. On the Distribution menu bar, press the New Package button and select Mobile > iOS
  5. Give the package a name
  6. Select the VPP radio button in the right hand pane, select the appropriate token alias if you have more than one VPP token and then click the arrow within the blue circle
  7. Press the arrow button surrounded by the blue circle next to your Token alias
  8. Highlight the desired VPP app and hit the Select button – note only iOS apps will display in this window
  9. Save the package
  10. Right click on the resultant package and select Create Scheduled Task(s)…
  11. Add one or more iOS devices that have been enrolled with MDM
  12. Start the task