Remotely Inject a CylancePROTECT License Token on macOS

Have you found that, after a seemingly random period of time post CylancePROTECT deployment, your help desk is receiving calls about CylancePROTECT not being licensed?

Well, you’re not the only one.

The client / server architecture setup for CylancePROTECT on macOS requires that the client machine check-in on a periodic basis or it will automatically “forget” it’s license key.

This behavior is great if the machine happens to be lost or stolen; however, if you have remote users that don’t frequently get on the network, having a machine forget it’s license is definitely not ideal.

Luckily, we can remotely inject the license key using LANDESK Management Suite to deploy a little script to work the magic.  All remotely might I add.  Neither you nor I want to touch every machine that needs an update.

Furthermore, this script would work if you find that your original license key was compromised and you need to replace it with a new one.

The script is a fairly basic script.  It’ll stop the CylancePROTECT service, run a backup on the existing token XML file, inject the token into the XML, and restart the service.  All you need to do in the script is change the variable value “newCylanceCustomToken” with your actual token value.  You can download the script from my GitHub site or just create your own by copying and pasting from the script below.  Just remember to run chmod +x on your script if you make your own.

Special shout out goes to Logrhythm SIEM for the assist on the SED portion of this script.

Once you have your script ready to go, compress it and copy it to your file share so you can create a LANDESK package and deploy it out.

CylancePROTECT Package Creation

  1. Open the LANDESK Management Suite Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages.
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. On the Distribution menu bar, press the New Package button and select New Macintosh Agent package.
  5. Give the package a name
  6. Provide a description as well as any metadata information desired
  7. Set the primary file to the script file you previously transferred to your package share
  8. Fill out the Metadata details if desired, specifically supplying a logo so it shows up properly in the portal
  9. Save the package

CylancePROTECT Package Deployment

  1. Right click on the Mac software distribution package created and select Create Scheduled Task
  2. From the network view, select and drag the desired machine(s), user(s) or query(ies) and drop them onto the task
  3. Now, right click on the task and select properties
  4. Set the desired Task type under Task Settings as to whether you want a push, a policy or a hybrid of the two types in a policy-supported push
  5. Set the radio button in the Portal Settings to Run Automatically
  6. Change the Reboot Settings or Distribution and Patch settings if desired
  7. Set the schedule task settings with the appropriate start time

 

#!/bin/sh

# CylanceTokenReplacement.sh
# Created by Bennett Norton and Logrhythm SIEM on 10/20/16.
# This script will stop the Cylance service, replace the token file, and restart Cylance

#Script Variable
#change the variable to match your token 
newCylanceToken="newCylanceCustomToken"

#Don't change these variables
cylanceTokenLocation="/Library/Application Support/Cylance/Desktop/registry/LocalMachine/Software/Cylance/Desktop/"
cylanceValuesXML="values.xml"

#Stop the Cylance service
launchctl unload /Library/LaunchDaemons/com.cylance.agent_service.plist

#Make a backup of the values.xml and then edit the by adding in the InstallToken key
sed -i.backup 's/<\/values>/<value name=\"InstallToken\" type=\"string\">'"$newCylanceToken"'<\/value><\/values>/g' "$cylanceTokenLocation/$cylanceValuesXML"

#Start the Cylance service
launchctl load /Library/LaunchDaemons/com.cylance.agent_service.plist

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s