Wondering whether to install Aurena Agent on everyone’s PC through Windows Update process or whether to just let users install if needed. What are others doing? What is recommended? Any issues?
We let the users decide if they want it or not but as many users need to use local printers they install it for this. We decided to automate it completely. Things to note:
- Software should always be installed under the “user context”. I.e. install it using the username for each user who wants to use the program. It doesn't require Admin to install.
- The HTTPS Certs will rotate (usually yearly). This will be hashed and stored in %LOCALAPPDATA%\IFS\IFSAurenaAgent\allowed_hosts.txt with the connection info
We use “Intune” to manage our devices. We have created a install/uninstall script that does the install for all our environments on any given device. The user can request the software via our company app store “Company Portal”
We have then put in a check that will automatically update the values in allowed_hosts.txt when the certificates rotate (we have a detection and remediation script).
Message me if you need more info.
We let the users decide if they want it or not but as many users need to use local printers they install it for this. We decided to automate it completely. Things to note:
- Software should always be installed under the “user context”. I.e. install it using the username for each user who wants to use the program. It doesn't require Admin to install.
- The HTTPS Certs will rotate (usually yearly). This will be hashed and stored in %LOCALAPPDATA%\IFS\IFSAurenaAgent\allowed_hosts.txt with the connection info
We use “Intune” to manage our devices. We have created a install/uninstall script that does the install for all our environments on any given device. The user can request the software via our company app store “Company Portal”
We have then put in a check that will automatically update the values in allowed_hosts.txt when the certificates rotate (we have a detection and remediation script).
Message me if you need more info.
Do you happen to have more details of how you manage the deployment of the allowed_hosts.txt with it refreshing?
Do you also deploy it for your DEV and Test environments too?
Hi Chris,
Essentially we have 4 scripts:
- Install Script
- Runs the MSI installer with arguments for each environment (runs the MSI 3 times just to auto-populate the allowed_hosts.txt)
- Modifies some registry keys to ensure it is detected (old problem that stopped the agent being detected by IFS, might no longer be relevant)
- Uninstall Script
- Uninstalls the software
- Detection Script
- Reads the allowed_hosts.txt text and checks is the Hash value is old. If it is flags for remediation
- Remediation Script
- If above is true replaces the old Hash with new hash in text file
Essentially every year we find get new cert hash and update our remediation / detection scripts to update all computers. We use the install and uninstall for new deployments / automating software updates.
At the same time we then update our IFS Print Agents as they also fall over with cert changes. All scripts are powershell.
Thank you! That makes sense. We managed to replicate enough of this in our environment and have succeeded in updating the hash with a new text file.
Reply
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.