Onboard macOS devices with AgentP using Jamf and SCEP

In this topic, you will learn how to deploy Portnox™ AgentP on managed macOS devices by using Jamf when the device certificates are issued and managed through SCEP.

There are two options to deploy AgentP on managed macOS devices using Jamf:

  1. Onboard devices using SCEP certificates and use AgentP for risk assessment only (recommended)
  2. Deploy AgentP and have the users onboard manually

This topic describes the first option. Begin by completing the steps in the following topic: Onboard macOS devices with certificates using Jamf and SCEP. Then, continue with steps in the current topic.

Note: Do not install AgentP on managed devices before you complete the certificate-based onboarding. If you already installed AgentP, make sure to uninstall it and delete all related configuration and profiles.

Add the AgentP installation package to Jamf

In this task, you will download the Portnox™ AgentP installation package for macOS and upload it to Jamf to be later distributed to managed macOS devices.

  1. Open the Download Portnox AgentP page in your browser.
  2. Click on the tile that represents the macOS system to download the AgentP installer.

  3. Open your Jamf instance in the browser and log in.
    For example, vorlon.jamfcloud.com
  4. In the top-left corner, click on the Computers icon.

  5. In the left-hand menu, click on the Management Settings option.

    Jamf shows the Settings pane on the right-hand side.

  6. In the top bar of the Settings pane, click on the Computer management tab.

  7. Click on the Packages tile.

    Jamf shows the Packages pane on the right-hand side.

  8. In the top-right corner of the Packages pane, click on the New button.

    Jamf shows the New Package pane on the right-hand side.

  9. In the New Package pane, click on the Choose File button and select the AgentP installation package file that you downloaded earlier (PortnoxAgentP.pkg).

    You can leave the default values of all other fields in this pane.

  10. Click on the Save icon in the bottom-right corner to save the package configuration.

    Note: Package files must have unique names. If another package profile already exists with the same file name, you will see an error. If so, rename the file before uploading.

Get issuer information from Portnox Cloud

In this task, you will copy the issuer name from the Portnox™ Cloud portal, so you can use it later when creating a configuration script for AgentP.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Services > GENERAL SETTINGS > Trusted Root Certificates option.

  3. In the Trusted Root Certificates section, copy the value of the Issued to field to a text file. You will use it as the issuer name in the AgentP configuration script.

Create an AgentP configuration script in Jamf

In this task, you will prepare a script that creates an AgentP configuration file on the managed device.

  1. Open your Jamf instance in the browser and log in.
    For example, vorlon.jamfcloud.com
  2. In the top-left corner, click on the Computers icon.

  3. In the left-hand menu, click on the Management Settings option.

    Jamf shows the Settings pane on the right-hand side.

  4. In the top bar of the Settings pane, click on the Computer management tab.

  5. Click on the Scripts tile.

    Jamf shows the Scripts pane on the right-hand side.

  6. In the top-right corner of the Scripts pane, click on the New icon.

    Jamf shows the New Script pane on the right-hand side.

  7. In the New Script pane, in the General tab, in the Display Name field, enter a name for the script.

    We used the name AgentP Unattended but you can use any name you like.

  8. Click on the Script tab.

  9. Enter the script code in the large text field and then click on the Save button in the bottom-right corner.

    Adjust the script to your environment and requirements. Jamf runs it as root on the managed device, so it can create files under /var.

    #!/bin/sh
    # Create the AgentP configuration directory and the two configuration files.
    mkdir -p /var/agentp
    json='{"HideUI":true}'
    echo "$json" > /var/agentp/uipreferences.cfg
    json='{"Mode":"certificate","Certificate":"issuer:issued_to","User":"[current]","AutoSwitch":true,"UseCertificateSerialNumberAsDeviceId":true,"Domain":"your_domain","profileInstallationNeeded":false}'
    echo "$json" > /var/agentp/unattended.cfg
    # The procedure makes the directory and both files readable and writable by all users.
    chmod a+rw /var/agentp
    chmod a+rw /var/agentp/uipreferences.cfg
    chmod a+rw /var/agentp/unattended.cfg
    1. As issued_to, paste the value that you copied earlier from the Issued to field in the Portnox Cloud portal.
      For example:
      json='{"Mode":"certificate","Certificate":"issuer:Vorlon - Portnox CLEAR","User":"[current]","AutoSwitch":true,"UseCertificateSerialNumberAsDeviceId":true,"Domain":"your_domain","profileInstallationNeeded":false}'
    2. As your_domain, use the domain serviced by Portnox Cloud (the domain configured in your authentication repository integration).
      For example:
      json='{"Mode":"certificate","Certificate":"issuer:Vorlon - Portnox CLEAR","User":"[current]","AutoSwitch":true,"UseCertificateSerialNumberAsDeviceId":true,"Domain":"vorlon.com","profileInstallationNeeded":false}'
    • If you are using user-based certificates rather than device-based certificates, remove the User key from the configuration string or set its value to null. AgentP then uses the certificate UPN or Subject as the user name.

      For example:
      json='{"Mode":"certificate","Certificate":"issuer:Vorlon - Portnox CLEAR","AutoSwitch":true,"UseCertificateSerialNumberAsDeviceId":true,"Domain":"vorlon.com","profileInstallationNeeded":false}'
    • If you did not onboard the macOS devices with SCEP certificates and you want AgentP to download the profile and ask the device user to confirm the profile installation, set profileInstallationNeeded to true.

      For example:
      json='{"Mode":"certificate","Certificate":"issuer:Vorlon - Portnox CLEAR","User":"[current]","AutoSwitch":true,"UseCertificateSerialNumberAsDeviceId":true,"Domain":"vorlon.com","profileInstallationNeeded":true}'
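    The script above assembles the JSON by hand, so a quote or backslash in the issuer name, or a typo in the profileInstallationNeeded value, silently produces a file AgentP cannot parse. The following POSIX sh script is an added example and not Portnox's own script: it takes the issuer, domain, user and profileInstallationNeeded as parameters, escapes the values, rejects an empty issuer or a non-boolean flag, and writes the same two files the procedure describes. The JSON keys and the /var/agentp path come from the procedure above; the AGENTP_DIR override, the function names and the Vorlon values are assumptions for illustration and testing.

```sh
#!/bin/sh
# Added example (not Portnox's script): generate the AgentP unattended
# configuration files with parameter checks and JSON escaping.
# AGENTP_DIR defaults to /var/agentp as in the Portnox procedure; the
# override is an assumption added so the script can be tested unprivileged.
set -eu

AGENTP_DIR="${AGENTP_DIR:-/var/agentp}"

# Escape backslashes and double quotes so a value containing either still
# yields valid JSON.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# write_agentp_config ISSUED_TO DOMAIN [USER] [PROFILE_INSTALL]
#   ISSUED_TO        value of the "Issued to" field in the Portnox Cloud portal
#   DOMAIN           domain serviced by Portnox Cloud
#   USER             defaults to "[current]" (device certificates); pass an
#                    empty string to omit the User key (user-based certificates)
#   PROFILE_INSTALL  true or false, defaults to false
write_agentp_config() {
    issued_to=$(json_escape "$1")
    domain=$(json_escape "$2")
    user="${3-[current]}"
    profile_install="${4:-false}"

    if [ -z "$issued_to" ]; then
        echo "write_agentp_config: the issuer (Issued to) value is required" >&2
        return 1
    fi
    case "$profile_install" in
        true|false) ;;
        *) echo "write_agentp_config: profileInstallationNeeded must be true or false" >&2
           return 1 ;;
    esac

    mkdir -p "$AGENTP_DIR"
    printf '{"HideUI":true}\n' > "$AGENTP_DIR/uipreferences.cfg"

    if [ -n "$user" ]; then
        user_field=$(printf '"User":"%s",' "$(json_escape "$user")")
    else
        user_field=""
    fi

    printf '{"Mode":"certificate","Certificate":"issuer:%s",%s"AutoSwitch":true,"UseCertificateSerialNumberAsDeviceId":true,"Domain":"%s","profileInstallationNeeded":%s}\n' \
        "$issued_to" "$user_field" "$domain" "$profile_install" \
        > "$AGENTP_DIR/unattended.cfg"

    # The Portnox procedure makes the directory and both files world-readable
    # and world-writable. Kept here for parity; note that any local user can
    # then modify the agent's configuration.
    chmod a+rw "$AGENTP_DIR" "$AGENTP_DIR/uipreferences.cfg" "$AGENTP_DIR/unattended.cfg"
}

# Example invocation with the values used in this topic (constructed):
#   write_agentp_config "Vorlon - Portnox CLEAR" "vorlon.com"
```

    To use it as the Jamf script, paste the file and add a final line that calls write_agentp_config with your own Issued to value and domain; pass an empty third argument for user-based certificates, or true as the fourth argument if the devices were not onboarded through SCEP.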

Create a policy in Jamf to deploy the package and script

In this task, you will create a policy that you can apply to managed devices to automatically install and configure the Portnox™ AgentP package on managed macOS devices.

  1. Open your Jamf instance in the browser and log in.
    For example, vorlon.jamfcloud.com
  2. In the top-left corner, click on the Computers icon.

  3. In the left-hand menu, click on the Policies option.

    Jamf shows the Policies pane on the right-hand side.

  4. In the top-right corner of the Policies pane, click on the New button.

    Jamf shows the New Policy pane on the right-hand side.

  5. In the General section, enter the Display Name for the policy.

    We used the name AgentP Unattended but you can use any name you like.

  6. In the Trigger section, select the triggers that you would like to use to apply this policy as well as any additional conditions, depending on your environment and requirements.

    If any of the triggers occur, Jamf runs the policy on the managed device. Note that some triggers require additional Jamf configuration (for example, custom events).

  7. In the left-hand menu of the New Policy pane, click on the Packages option.

    Jamf shows the Configure Packages pane on the right-hand side.

  8. On the right-hand side, click on the Configure button to configure packages for the new policy:

    Jamf shows the Packages list on the right-hand side.

  9. Click on the Add button next to the AgentP package that you created earlier.

    Jamf shows the PortnoxAgentP.pkg pane on the right-hand side.

    Note: The name may be different if you did not use the default name of the package/file.
  10. In the left-hand menu of the New Policy pane, click on the Scripts option.

    Jamf shows the Configure Scripts pane on the right-hand side.

  11. On the right-hand side, click on the Configure button to configure scripts for the new policy:

    Jamf shows the Scripts list on the right-hand side.

  12. Click on the Add button next to the configuration script that you created earlier.

    Jamf shows the AgentP Unattended pane on the right-hand side.

    Note: The name may be different if you did not use the suggested display name for the script.
  13. In the Priority field, select the Before value so that the script runs before the package is installed and the configuration files are in place when AgentP first starts.

  14. Click on the Save icon in the bottom-right corner to save the policy.

  15. Optional: Configure other policy parameters as needed.
    For example, configure the Scope tab to identify the devices to which you want to apply this policy.