Tags
Xcitium Client Security (XCS) what test Remote Control by ITarian RDS Server RDS EDR AEP csv access scope Comodo dialog box Windows UAC user access rights verification phone number password reset security code forgot password Android threat history generates alert lock device Android devices Mac OS devices mobile devices passcode Lock log SIEM log forwarding log storage log storage settings scan profile Parental control FLS file-lookup server internet access rights Real-time scan default profiles pre-configured profiles pre-defined profiles customize profile clone profile Clone unknown MAC profile Linux profile cloud-based service Maintenance Window maintenance analysis tool UFH check policy test policy Virtual Appliances DNS Resolver register invite graphs Dynamic IP Dome shield Integration O365 Comodo Office 365 removal tool CCS removal tool Comodo Secure Email Gateway subscriptions service Dome Antispam Valkyrie report info web Comodo SWG tutorial policy DLP PAC file iboss Bluecoat Websense Comodo Dome ICAP Dome Agent traffic URL C1 account SWG portal SSL Encrypted Traffic Dome Cloud enable widget chart endpoint dashboard file groups Rules exceptions Wi-Fi networks Wi-Fi setup security restrictions iCloud auto containment containment settings virtual file system sandbox environment client access control local configuration Comodo Client Security Rebranding Communication Client Rebranding security client re-brand Comodo Clients application rules global rules Portsets port sets Firewall ruleset rule set rulesets global proxy server global proxy antivirus settings Client Proxy remote control tool Firewall protection firewall settings configuration file export profile PowerShell VBS script Windows Standard Account Endpoint Manager Client Communication (EMCC) server security clients updates vulnerable security patches installed Client Communication Communication Client (CC) submission Communication Client tray icon script OS Patch Third Party Patch Installation Uninstallation Discovery additional package External Device Control external ITarian remote Windows device apps signed-in logged-in identify License wizard on-boarding local Comodo Client Security Mac devices Linux devices MSP customers EM profile Mac OS profile MAC OS X device user device configuration profile copy invoice enrollment Logging Settings SIEM tool external server Account Security mobile console EM device owners ownership remove MAC third party application remote uninstallation software inventory duplicate Name Master Image Golden Image Bulk Installation Package Windows Operating Systems summary information local time External IP address OS summary Devices list MDM profile iOS push certificate create APNs Apple account portal APN Apple Push Notification search bar filter options customer device group group membership managed device trust rating old duplicates removal device name MAC address MSP (Managed Service Provider) Versions Marketing & Sales Customer Relationship Management (CRM) Enroll New Device New Ticket quick actions bar release notes security status activity status profile status Sales funnel Secure Internet Gateway application launch Two factor Time zone Language Lockout time Change Password tokens device enrollment User Groups Manage Profiles User List Management customer report customer assessment customers End-User forms auto response attachments time entry address support User Directory scripts Knowledgebase canned Banlist announcements Hostname mail delivery CommandLine Power Shell PowerShell interface File Explorer Commands Interface Remote devices Remote Tools Paranoid Mode Training Mode Custom Ruleset Safe Mode The charging flow edit contracts Charging Flowchart Global Asset Rates Charging Plans Contracts charges calculated Remove role Edit a role staff interface Exclusions data loss prevention (DLP) network discoveries ITarian Remote Access Tool Tarian Remote Access Tool inactive devices Device removal settings Portal Set-up Malware File Name Security Sub-System communication client UI settings Communication Client Tray remove a department ticket submission configure department synchronize department submit ticket distributing Bandwidths client updates device management Bandwidth conservation malware activity virus scope autoruns Proxy servers fallback flag Inactive discovered devices SNMP Apple Device Enrollment Program set up service explorer manually deploy Comodo EDR agent parent process multiple ticket selection selected tickets security events folder transfer discoveries network management remote folder TLS TLS1.2 pci dss pci compliance ITarian Portal Endpoint Manager vdi environment vdi clone environment instant clone documentation vendor notice security dashboard events resolution remote tool partner onboard unknown file hunter TLS Encryption procedure parameters pass profiles history performance metrics real time remote endpoints download browse service URL Security Components system Global Software Inventory 2 minutes Integrate intagrate Active Directory Portable Interception SSL enable reporting Rule Threat Protection Rule Advance spam Customize archived outgoing incoming administrator validate domains add Antispam type PCI data loss Location Network information start software session extensions appoinments resource connection computers Comodo Rescue Disk infected opportunity opportunities custom relationship management quote COMODO-CRM protect mac device email notifications registry COM Quarantined point system restore msi contained applications processes security client events Release date department registration particular os section Two Factor Authentication Login interface dashboard report generate Direct Download Link One drive Google drive HIPS mode cleanup automatic suspicious suspicious certificates shellcode injection detect Elevated Access system user access default charging groups move current malware list store push IP address ip installer acronis auto-remediation server machine icon Product Logos rebrand backup Device Control data Chromoting WebRTC ports Protocol skip offline manual time entries ticket assignee Help Guide Tour schedule Reschedule appointment unknown application protection Virtual Desktop Local Verdict server manage calculation cost configuration charging SD contract prepaid hours products classification inventory analyze Device list OS patches global search bar Tool bar Windows Defender Security Center file group white Citrix record SPF work billable time onsite email template template variables emails Gmail SMTP disable Add collaborators admin action Audit logs feature requests submit vote remotely Reset proxy swg secure web gateway dome error disk ticket detail page thread section tickets section internal notes Sub-help topic help topic features Application control white_list Patch Management child parent scheduled customized get to headers columns company restrict customer technician remote access list iOS devices field Reports iOS device APN Certificate MAC OS X options Linux block Comodo Client Communication (CCC) allow Comodo Client Security (CCS) network zones active component tray icon hide show packages additional install block port baseline installation package bulk implement restrict firewall endpoints security and communication global export virus import Database folders files define exclusions change staff admin rating check reassign assign permissions new role create for user of device enroll associated use how profile specific Removing Devices Uninstall windows profile Configuration templates latest version clients comodo file ratings monitoring custom All Devices Ratings Track widgets Agent valkyrie malware files Kill chain report automated establishing endpoint remote session Users prevent Android organization windows assets Mac OS billing identified threats Sort Closed inside Program executed containment service desk remote control Locally runs update scan antivirus SLA Business Hours control CCS Password access Client Auto Specific Device Response Application Third party Status View Logs intended devices alert fails Company Information Configure Verdict Patch Procedures Executable Comodo Internet Security ITSM Analysis Command Line Heuristic Filter Unrecognized Trusted File Rate Malicious Purge Calendar Device Exclusion USB Admin Panel Settings ticket Default system-wide Specific Path Details Monitor Multi Set Currency Connected Who Quick Actions Comparison Version Enterprise Managed Service Provider C1 Portal Remote management Comodo Remote Control ticket management staff panel assign tickets
More

How to use the bulk installer package to enroll multiple devices via Active Directory

Open Endpoint Manager > click 'Devices' > 'Bulk Installation Package' > 'Bulk Installation Package'

  • Endpoint Manager lets admins bulk-install the EM agent on multiple Windows endpoints using Active Directory and group policy (GPO).

  • Once the client is installed, the devices are added to EM for management.

  • To do this:

    • Complete a form with details about your deployment

    • Download the custom installation package created by Endpoint Manager

    • Create a group policy object (GPO) and install the package on your endpoints enrolled on your Active Directory (AD)

Software Requirements

  • AD Server – Windows Server 2008 or higher

  • Endpoints – Windows 7 or higher

Note: This wiki tutorial above is for Windows Server 2008 Standard. Steps may vary slightly for other Window server versions.

The deployment involves the following steps:

 

Step 1 - Configure the offline EM package

The communication client package is unique for each company and user. Endpoints that have the client installed are listed under the name of the endpoint user. You can download and execute signed bulk installation packages by default, which will prevent Microsoft Windows UAC warning messages when the installer is running. You can always customize your bulk packets according to your needs.

  • Signed Bulk Installation Package includes file(s) for Windows x86/x64 (Hybrid) platform and consists of settings for the account admin user, default customer, default group, and Default Security Level 1 Profile.
     
  • If Comodo Client - Security is selected, the Signed Bulk Installation Package will contain the latest versions of Communication Client and Comodo Client - Security.
     
  • If only Communication Client is selected, the Signed Bulk Installation Package will include the "Default Version" of the Communication Client.

Configure the offline package

  • Login to ITarian

  • Click 'Enroll Devices in Bulk' in the ITarian taskbar

            OR

  • Click 'Applications' > 'Endpoint Manager'

  • Click 'Devices' > 'Bulk Installation Package'

  • Select the 'Bulk Installation Package' tab

 

The package configuration screen opens on the right:

  • Select 'Windows'

  • Click 'Customize Bulk Package' if you need to customize your bulk installation

 

User - Devices enrolled by AD GPO are assigned to the currently logged-in admin by default.

  • Specify a different user if required.

  • Start typing the name of a user and choose from the suggestions that appear.

Customer - Choose the company to which the endpoints should be assigned.

  • This field only applies to ITarian MSP customers. It does not apply to ITarian Enterprise customers.

Device Group - The device group to which enrolled devices should be added (optional).

  • Profiles that apply to the group will apply to all devices you add.

  • See this wiki if you need help to assign profiles to a device group.

Package Options -

  • Operating system - Select Window OS version - 64 bit, 32 bit or hybrid. The hybrid package will detect the OS version and install the correct client.

  • Clients:

    • Communication Client (CC) - Mandatory. This client enrolls the endpoint.

      • If enabled in 'Settings' > 'Portal Setup' > 'Client Settings' > 'Windows' > 'Communication Client' interface, you can select the version of CC to be installed.

    • Comodo Client Security (CCS) - Optional. This client installs security software such as antivirus, firewall and auto-containment.

            Note - You can choose the version of CC and CCS version to install if enabled in portal settings. If not enabled then you must install the ‘default’ version.

            You can also configure the following for CCS:

            Additional Options:

  • Database - Choose whether to include the latest virus database with the installation package. This increases the file size. If disabled, the client will download the latest database anyway when you run the first scan.

  • Profile - Default is 'Windows - Security Level 1' profile. Choose a different profile if required.

    • Type the first few characters of a profile and choose from the suggestions that appear.

Restart Control Options - CCS only. Reboot endpoints to complete CCS installation. You have the following restart options:

  • Force the reboot in... - Restart the endpoint a certain length of time after installation. Select the delay from the drop-down. A warning message is shown to the user prior to the restart.

  • Suppress reboot - Endpoint is not auto-restarted. The installation is finalized when the user next restarts the endpoint.

  • Warn about reboot and let users postpone it - Shows a message to the user which tells them that the endpoint needs to be restarted. The user can choose when the restart happens.

  • Optional. Type a custom message in the 'Reboot Message' field.

UI Options - Configure which messages are shown to the user regarding the installation.

  • Show error messages if installation failed - Notifies the user if the installation is not successful.

  • Show a confirmation message upon completion of installation - Notifies the user if the installation is successful. Type your message in the box provided.

Proxy Settings - Nominate a proxy server through which the client should connect to Endpoint Manager and other Comodo servers. If you do not set a proxy then the clients will connect directly as per network settings.

  • Enter the IP / hostname and port of the proxy server

  • Enter the UN/PW of an admin of the proxy server

           Note: If you specify a proxy then you must configure the same proxy settings in the profile on the device:

           Click ‘Configuration Templates’ > ‘Profiles’ > open the device profile > ‘Add Profile Section’ > ‘Clients Proxy’

If you do not wish to use a proxy server for CCS and CC then click 'Download Installer' after configuring user, company, group and client options.

If you wish to use a proxy then additionally complete the 'Proxy settings' section and click 'Download MST File'

Please note .mst file can be added to the GPO only after it has been configured as explained in the steps given below.
 

Step 2 - Download the EM client packages

The next step is to download the EM communication client (mandatory) and security client (optional) for Windows devices.

  • Read the EULA in full by clicking the 'End User License Agreement' link.

  • Download Installer - Download the client setup file for Windows. After installation, the client connects to the EM server and begins importing devices.

    • Creates a .msi file if you only select the communication client. Creates a .exe file if you select both communication and security clients.

  • Download MST File - Proxy setups only. Download a .mst installer which includes proxy server information.

Save the package on the Active Directory server from which you want to import endpoints.

Step 3 - Create a shared network folder and configure permission level

Now that you have downloaded the .msi or .mst setup file, the next step is to create a shared folder in the network.

  • Create a new folder in your desired location

  • Name the folder appropriately. For example 'EM_agent'

  • Select the folder, right-click and select 'Share' or from the menu toolbar

 

  • Click 'Advanced Sharing...', then select the 'Share this folder' check box

 

  • Click 'Permissions'. By default, 'Everyone' will be selected. Since all endpoints need to have at least read access to this shared folder, make sure the permission is configured for 'Everyone'

 

  • Ensure the 'Permission Level' is set to 'Read' and click 'OK'.

 

  • Click 'Apply', then 'OK' in the 'Advanced Sharing' dialog.

 

  • Note down the location of this shared folder and click the 'Close' button

Follow the similar steps to create a shared file location for .mst file, if required.
 

Step 4 - Create a group policy and assign the package

The next step is to create a group policy that will install the client package onto the endpoints.

  • Click 'Start' > 'Administrative Tools' > 'Group Policy Management'

  • Right-click on the domain name and select the 'Create a GPO in this domain and Link it here...' option

 

  • Enter a name for the group policy in the 'New GPO' dialog

 

  • Click 'OK'

The newly added group policy will be listed.

  • Right-click on the policy and click the 'Edit' option

 

The 'Group Policy Management Editor' is shown.

  • Expand 'Computer Configuration' > 'Policies' > 'Software Settings'

 

  • Right-click on 'Software installation' and select 'New' > 'Package'

 

  • Enter the path of the shared folder that was noted before, in the 'Open' dialog, select the file and click the 'Open' button

 

  • Select the file and click 'Open'

  • In the 'Deploy Software' dialog, select 'Assigned'

Note: If you want to add the MST file also to the GPO, then select 'Advanced' and move to 'Deploy Software' instruction in Step 6. If you want to add the .mst file later then see the instructions in Step 6.

 

  • Click 'OK'
     

Step 5 - Run a GPO update

In order to install the EM client package, you need to run a GPO update in the command prompt.

  • Open the command prompt, type 'gpupdate' and press enter.

 

The group policy update is run and a confirmation message is shown:

 

After the group policy has been successfully updated, the endpoints must be restarted for the EM communication client to be installed.

That's it. You have now successfully enrolled Windows endpoints via AD using the GPO method. You can see the endpoints listed in the 'Devices List' screen.

Note: You may get an error message if you try to manually install the EM communication client on an endpoint where the GPO was deployed and then removed. Visit the Microsoft support site at https://support.microsoft.com/en-us/mats/program_install_and_uninstall and run the tool on the endpoint.

  • The device group policy that was selected in the enrollment form will be applied to the enrolled devices automatically.

  • If you have configured proxy settings and downloaded the .mst file then go to Step 6 to add the MST file to the newly created GPO.

 

Step 6 - Add MST file to the GPO

If you want to include the MST file to the GPO, then download the file after providing the details in the proxy settings fields in the form.

  • After downloading the file, save it on the AD server and create a shared folder as explained in Step 3.

  • If you are adding both MSI and MST files at one go, then select 'Advanced' at the end of Step 4.

  • If you are adding the file later on, then open Group Policy Management, right click on the policy, then click 'Edit'

 

The 'Group Policy Management Editor' opens.

 

  • Expand 'Computer Configuration' and right-click on 'Software Installation'

  • Click 'New', then 'Package'

 

  • Click 'Open'

The 'Deploy Software' dialog opens.

 

  • Select 'Advanced' and click 'OK'. If you select any other option, then you won't be able to add the MST file.

 

  • Click the 'Modifications' tab

 

  • Click 'Add' and enter the location of the shared MST file in the open dialog.

 

  • Click 'Open'

The file name is shown in the dialog:

 

  • Click 'Open' again.

The MST file is added to GPO.

 

  • Click 'OK' to complete the setup.

  • Open the command prompt, type gpupdate and press enter to update the GPO.

That's it, you have successfully added MST file to the GPO.

After first successful connection, the device group profile(s) will be applied and the client proxy settings will take over. Make sure the profile(s) (via device, device group, user and/or user group profiles) applied to the enrolled devices contain the same proxy settings in the client proxy settings component.