
Endpoint Agent deployment

Supported endpoints 

Devo Endpoint Agent supports different kinds of endpoints. This section covers the operating systems on which the agent can be deployed.

Access Endpoint Agent repository

  1. Open the agents' repository URL in the EA Manager installation for your environment (https://<DEAM_IP>:8081). Access credentials were defined during the EA Manager installation process.

  2. A warning message is displayed (no certificates available). Click on the advanced configuration button and then click on Proceed to [...]

  3. Use the configured credentials to access the agent's repository website.

EAM’s agents' repository is displayed, with all available versions of the Universal Agent listed per targeted platform.

Deploying Windows Endpoint Agent

Click on win-dea-Osquery-xxxxx.zip to download the Endpoint Agent package and unzip it in the local filesystem of the endpoint to monitor (e.g., in C:\user\Downloads\DEA).

The unzipped folder contents should look like this:

| File | Description |
| --- | --- |
| exts | Extensions of the baseline agent functionality (e.g. log collector). |
| .crt and secret | Certificate and tokens for agent authentication and secure communications path establishment with the Endpoint Agent Manager. |
| install.ps1 | Endpoint Agent installation script |
| osquery.flags | Configuration parameters and paths |
| osquery-x.x.x.msi | osquery agent installation package |
| README.txt | Installation instructions |

  1. Follow the instructions in the README.txt file. A common issue is the permission level required to execute the installation script. If that is the case, temporarily disable the restrictions using the commands listed in the same file, and restore them to their previous configuration once the installation is done.

  2. Once the installation script is finished, check that the agent is up and running by opening Windows’ task manager and finding the Osquery daemon listed as an active process.

  3. Log in to the Endpoint Agent Manager (see above for instructions). The endpoint should be automatically detected and listed as an active host.

  4. Log in to the destination domain in Devo (US > demo for the demo platform). Open one of the box.devo_ea.xxx.xxx tables in it. Data corresponding to the endpoint should start appearing in the data structure, identified by the hostname.

Deploying the Linux Endpoint Agent

Click on deb-dea-osquery-X.X.X-devo-ea-manager.tgz to download the Endpoint Agent package and extract it (tar -xzf deb-dea-osquery-X.X.X-devo-ea-manager.tgz) in the local filesystem of the endpoint to monitor (e.g., in /var/tmp/devo-ea-manager). The extracted folder contents should look like this:

| File | Description |
| --- | --- |
| exts | Extensions of the baseline agent functionality (e.g. log collector). |
| .crt and secret | Certificate and tokens for agent authentication and secure communications path establishment with the Endpoint Agent Manager. |
| install.sh | Endpoint Agent installation script |
| osquery.flags | Configuration parameters and paths |
| osquery-x.x.x.deb | osquery agent installation package |
| README.txt | Installation instructions |

  1. Follow the instructions in the README.txt file.

  2. Once the installation script is finished, you can check that the agent is up and running by executing ps -ef | grep osquery. You should see several osquery processes running.

  3. Log in to the EAM (see previous paragraphs for instructions). The endpoint should be automatically detected and listed as an active host.

  4. Log in to the destination domain in Devo (US > demo for the demo platform). Open one of the box.devo_ea.xxx.xxx tables in it. Data corresponding to the endpoint should start appearing in the data structure, identified by the hostname.           
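
The extracted bundle holds the agent's secret and the certificate it uses to trust the Endpoint Agent Manager, and the example extraction path under /var/tmp is shared with other local users. The following script is an added example, not part of the Devo package or its README: it flags a secret that is accessible beyond its owner, flags trust and configuration files that group or others can modify, and counts osqueryd processes without counting the grep itself. The file names secret and *.crt and the process name osqueryd are assumptions based on the table above and on standard osquery naming.

```shell
#!/bin/sh
# Added example: post-extraction checks for an agent bundle directory.
# Assumed file names: "secret", "*.crt", "osquery.flags", "install.sh".

# Print the path if its mode grants any group/other access (secret material).
loose_secret() {
    find "$1" -prune -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Print the path if group or others can modify it (certificate, flags, installer).
tamperable() {
    find "$1" -prune -type f \( -perm -020 -o -perm -002 \) -print
}

# audit_bundle DIR: prints one finding per line, returns 0 only if clean.
audit_bundle() {
    dir=$1
    findings=0
    f=$dir/secret
    if [ -e "$f" ] && [ -n "$(loose_secret "$f")" ]; then
        echo "secret accessible beyond owner: $f"
        findings=$((findings + 1))
    fi
    for f in "$dir"/*.crt "$dir"/osquery.flags "$dir"/install.sh; do
        [ -e "$f" ] || continue   # unmatched glob or absent file
        if [ -n "$(tamperable "$f")" ]; then
            echo "writable by group/other: $f"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# count_osqueryd: reads a process listing on stdin and counts osqueryd entries.
# The [o] bracket keeps the grep process itself out of the count.
count_osqueryd() {
    grep -c '[o]squeryd' || true
}

# Live use: sh check_bundle.sh /var/tmp/devo-ea-manager
if [ "$#" -gt 0 ]; then
    audit_bundle "$1" && echo "bundle permissions OK"
    echo "osqueryd processes: $(ps -ef | count_osqueryd)"
fi
```

Run it against the extraction directory before executing install.sh, and remove the extracted copy of the secret once the agent shows up as an active host.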

Deploying the macOS Endpoint Agent

Keep in mind that if you manage macOS full disk permission through a profile, you will need to update it from OSQuery 5.0.1 or above. See how to do it in this link.

Click on darwin-dea-Osquery-xxxxx.zip to download the Endpoint Agent package and unzip it in the local filesystem of the endpoint to monitor (e.g., in C:\user\Downloads\DEA).

The unzipped folder contents should look like this:

| File | Description |
| --- | --- |
| exts | Extensions of the baseline agent functionality (e.g. log collector). |
| .crt and secret | Certificate and tokens for agent authentication and secure communications path establishment with the Endpoint Agent Manager. |
| install.sh | Endpoint Agent installation script |
| osquery.flags | Configuration parameters and paths |
| osquery-x.x.x.pkg | osquery agent installation package |
| README.txt | Installation instructions |

  1. Follow the instructions in the README.txt file.

  2. Once the installation script is finished, you can check that the agent is up and running by executing ps -ef | grep osquery. You should see several osquery processes running.

  3. Log in to the EAM (see previous paragraphs for instructions). The endpoint should be automatically detected and listed as an active host.

  4. Log in to the destination domain in Devo. Open one of the box.devo_ea.xxx.xxx tables in it. Data corresponding to the endpoint should start appearing in the data structure, identified by the hostname.