Well you could use RSD to deploy the agent...but if that's not an option, I'll just keep my eye on this thread too.
I use startup scripts...(if that's an option let me know and I can definitely help with that). I find startup much better than logon because they don't wait for a user to logon...it all happens as soon as a machine is added to the domain.
Thanks for that. Yea, using a startup script from AD/GPO is the way I will need to go I think.
Unless somebody has worked out a better way?
RSD isn't an option right now, though I have that on my want to implement list I can't at the moment.
(Though I have done some testing with it and want to use it)
For my logon script at the moment it is done with a VBScript and it works fine.
It just checks if the correct version of agent is installed and if not it runs the framepkg from the users local file and print server.
If you (or others) have any good tips for deploying the agent from a startup script that would be great if you want to pass some info along? It looks like that is what I will be doing I think.
Here's a snippet of my startup script with the related info...I don't check version but just the existence of EvtFiltr.ini to determine if the machine is managed or not. The version can be easily updated by the agent with an update task so that part is not necessary.
** Keep in mind that I am assuming that all AD computers other than XPe thin clients are candidates for the McAfee Agent here.
rem Startup script to check for McAfee Agent and current ePO Server name
rem If MA does not exist, install it, if exists, poke it
rem ** Note: if logging, log file must exist and be writeable by the process involved as all the log file entries assume appending to the file **
rem Test if client is XPe Thin Client (quoted so the test still parses when the variable is undefined)
if /i "%runtimeskucode%"=="XPeCli" goto thin_client
rem Set MADir variable to location of Common Framework directory
set "MADir="
if exist "%ProgramFiles%\McAfee\Common Framework\CmdAgent.exe" set "MADir=%ProgramFiles%\McAfee\Common Framework"
rem The variable name is ProgramFiles(x86); carets inside the percent signs would stop it expanding
if exist "%ProgramFiles(x86)%\McAfee\Common Framework\CmdAgent.exe" set "MADir=%ProgramFiles(x86)%\McAfee\Common Framework"
if exist "%ProgramFiles%\McAfee\CmdAgent.exe" set "MADir=%ProgramFiles%\McAfee"
if exist "%ProgramFiles%\Network Associates\Common Framework\CmdAgent.exe" set "MADir=%ProgramFiles%\Network Associates\Common Framework"
if exist "%SystemDrive%\ePOAgent\CmdAgent.exe" set "MADir=%SystemDrive%\ePOAgent"
if exist "%ProgramFiles%\ePOAgent\CmdAgent.exe" set "MADir=%ProgramFiles%\ePOAgent"
rem Test if client is ePO managed (EvtFiltr.ini only exists on ePO managed machines)
if exist "%ALLUSERSPROFILE%\Application Data\McAfee\Common Framework\EvtFiltr.ini" goto check_epo_server
if exist "%ALLUSERSPROFILE%\Application Data\Network Associates\Common Framework\EvtFiltr.ini" goto check_epo_server
rem If we're here we need to install agent (uses system credentials when run as a startup script)
"\\myad.dom\netlogon\FramePkg_AD.exe" /FORCEINSTALL /INSTALL=AGENT /SILENT
echo ***** %date% %time%: MA was NOT detected on %computername% ***** >> "\\10.1.1.1\pub\pub\ePO_Inst_Logs\general.log"
echo %date% %time%: Attempted to install MA on %computername% > "\\10.1.1.1\pub\pub\ePO_Inst_Logs\%computername%.log"
rem Stop here after an install so we don't fall through to the managed-machine steps
goto :eof
:check_epo_server
rem Check registry key for existence of current ePO server name - if pointing to old ePO server, update sitelist with new version
REG QUERY "HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent" /v ePOServerList | find /i "my_active_ePO_server_name" > nul
if %errorlevel% == 1 (
    "%MADir%\FrmInst.exe" /Silent /siteinfo=\\myad.dom\netlogon\epo\SiteList.xml
    echo %date% %time%: Updated ePO SiteList.xml on %computername% >> "\\10.1.1.1\pub\pub\ePO_Inst_Logs\general.log"
)
rem Wakeup agent and log computer name (if log desired remove "rem" on next line)
rem echo %date% %time%: MA exists on %computername% >> "\\10.1.1.1\pub\pub\ePO_Inst_Logs\general.log"
"%MADir%\CmdAgent.exe" /p /c
goto :eof
:thin_client
rem Log computer is a thin client if desired
rem echo %date% %time%: %computername% is an %runtimeskucode% - skipping... >> "\\10.1.1.1\pub\pub\ePO_Inst_Logs\general.log"
Thanks for that, it is useful to see what others are doing.
I haven't done much research (I mean googling) yet, but I think I am going to just modify my current VB script and use that as a startup script. I haven't done that before, just used them as logon scripts, but do you know of any tips or things to look out for if I do this?
Currently I use a framepkg with no credentials embedded into it and that just runs as the logged on user from the login script.
I like to check the version of the agent just so that if for some reason there are systems that have not been updated via ePO (for whatever reason) it will try and run the framepkg again when that system logs on.
I could probably get away without it, as I don't have any problems with that actually, but I like it just as a kind of a backup method etc.
If I modify the VBS and make that as a startup script what user will it run as?
Will it still be ok to use a framepkg with no credentials?
If the install is using current logged on user credentials, then they would have to have local admin rights. The embedded credential agent package has been posted for download so you could create a custom install package.
The user that runs the installer just needs to have local admin rights.
Thanks Jeff, yup, currently users have local admin rights which is why I get away with no embedded credentials.
We will be killing local admin rights too.
So I guess what I was wondering is what happens when you use a script as startup instead of logon.
The logon runs as the user who is logging on, but do you know what would be the default user for when a script is run on startup instead of logon?
heh, I still haven't googled this yet :)
I did used to use a package with embedded credentials in the past, but somebody complained about the security issues, so canned that, because I could get away with doing so. So I would prefer not to embed credentials if I don't have to.
Well, seeing as MA P2 came out without embedded cred options, I ended up using a non-cred package for deploying via startup. It works fine. I believe the system account is used at this point of the bootup process so you should be good with a non-cred'd install with startup.
Excellent, thanks for the info, it's just good to know somebody else got that to work ok before I waste too much time on it, as you know, that's the one thing that's hard to come by :)
Once I get a chance I will make a start on this side of things.
If anyone else has any info feel free to chip in :)
Oh yea, and thanks for the tip on the new package being available, I am downloading it now.
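
The startup-script approach discussed in this thread, redone in PowerShell as an added example (not code from any poster): it adds the agent version check the original poster wanted and, because a startup script runs the installer as SYSTEM, refuses to run a FramePkg whose hash is not the approved one. The UNC path, switches and agent directories are those in the batch script above; `$MinVersion`, `$ExpectedSha256`, PowerShell 4.0 or later, and CmdAgent.exe's file version tracking the agent version are assumptions.

```powershell
# Added example, not code from the thread. Path, switches and directories come
# from the batch script above; $MinVersion and $ExpectedSha256 are placeholders.
$Installer      = '\\myad.dom\netlogon\FramePkg_AD.exe'
$InstallArgs    = '/FORCEINSTALL', '/INSTALL=AGENT', '/SILENT'
$MinVersion     = [version]'0.0.0.0'                    # placeholder: required agent version
$ExpectedSha256 = '<SHA-256 of the approved FramePkg>'  # placeholder: record it when you publish the package

function Find-CmdAgent {
    # Same locations the batch script probes, checked under both Program Files roots
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $dirs  = 'McAfee\Common Framework', 'McAfee',
             'Network Associates\Common Framework', 'ePOAgent'
    $paths = @(foreach ($r in $roots) { foreach ($d in $dirs) { Join-Path $r "$d\CmdAgent.exe" } })
    $paths += Join-Path $env:SystemDrive 'ePOAgent\CmdAgent.exe'
    $paths | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
}

function Get-AgentVersion([string]$Path) {
    # Assumption: CmdAgent.exe's file version tracks the installed agent version
    $v = (Get-Item -LiteralPath $Path).VersionInfo
    [version]('{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart)
}

# A GPO startup script runs before any user logs on, under the SYSTEM account
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsSystem) { Write-Warning "Running as $($me.Name), not SYSTEM" }

$agent = Find-CmdAgent
if ($agent -and (Get-AgentVersion $agent) -ge $MinVersion) {
    & $agent /p /c     # agent present and current: same wake-up call the batch script makes
    return
}

# Missing or outdated agent: install only if the package is the approved build.
# SYSTEM reads the share as the computer account, so that account needs read access.
$actual = (Get-FileHash -LiteralPath $Installer -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {      # -ne is case-insensitive for strings
    Write-Error "FramePkg hash mismatch ($actual); not installing"
    exit 1
}
$p = Start-Process -FilePath $Installer -ArgumentList $InstallArgs -Wait -PassThru
exit $p.ExitCode
```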