Use a deployment script to download and install the agent on your endpoints.

Important
Installation requires an internet connection to download required software, register the agent with your instance, and receive configuration information such as policy settings. Verify that your endpoint can connect to the internet either directly or using the Agent Installer Proxy Settings.
Your TrendAI Vision One™ account must have permission to view and create the deployment script to complete this task. If you are unable to view or create the script, contact your administrator for assistance.
The deployment script feature allows you to create a custom script you can run within your environment to download and install the TrendAI Vision One™ Endpoint Security agent. The deployment script is customized for your environment when you select the parameters in Endpoint Inventory. You can also use the deployment script with a software management system to quickly deploy to multiple endpoints.
Use this method to configure the deployment script to ensure your newly-deployed agents:
  • Install Standard Endpoint Protection or Server & Workload Protection features as needed
  • Install Endpoint Sensor features including XDR for Endpoints (EDR)
  • Report to the correct Endpoint Group Manager
  • Automatically apply the correct default settings
For other installation methods, see:
Note
The deployment script is region specific based on your TrendAI Vision One™ account. The deployment script cannot be used to deploy agents across multiple regions.
The installation process typically takes about five minutes to complete. Certain variables can affect the duration of the task, such as the specific OS version and distribution, package configuration, network connectivity, and endpoint hardware configuration.
Deployment typically does not require you to restart the endpoint to complete installation. Restarting the endpoint after installation can help with verifying system stability, but is not required.

Procedure

  1. If you want to use a custom download location, prepare the installer package first.
    1. Follow the steps for downloading the installer package in Deploy agents using the installer package.
    2. Upload the archived agent installer package to a location your endpoints can access.
      Save the full URL location of the package, including the archive file extension.
      An example URL might look like: https://sample.fileserver.us-east-1.amazonaws.com/TMSensorAgent_Windows.zip
    Important
    Verify your endpoint can access the custom location. If the script is unable to connect to the custom location, installation fails.
    The package downloaded from the custom location uses the agent installer proxy settings configured when the package was created.
  2. In the TrendAI Vision One™ console, go to Endpoint Security > Endpoint Inventory.
  3. Click Agent Installer.
  4. For Deployment method, select Deployment script.
  5. Select the Endpoint group you want to assign to the new agent.
    Selecting the endpoint group in this step determines which protection features to install.
    • Selecting a group managed by Standard Endpoint Protection installs Standard Endpoint Protection features.
    • Selecting a group managed by Server & Workload Protection installs Server & Workload Protection features.
    • Selecting the group Default for sensor installs agents with only Endpoint Sensor features.
  6. Configure the operating system and initial policy settings.

    | Setting | Standard Endpoint Protection | Server & Workload Protection | Sensor only |
    |---|---|---|---|
    | Operating system | Setting is automatic based on the Endpoint group you select: Windows, macOS | Choose from: Windows, Linux | Choose from: Windows, Linux, macOS |
    | Initial policy (Group enrolled in Endpoint Security Policies) | - | Use endpoint security policy assignment. Agent applies the Base priority of the Endpoint Security policy assigned to the group. | - |
    | Initial policy (Group not enrolled in Endpoint Security Policies) | - | Select the Protection Manager policy to apply during installation, or select None | - |
    | Relay group | - | Select the relay group to assign the endpoint to, or select None | - |
  7. Select the Installer package download source.
    • TrendAI™: The deployment script connects to TrendAI™ services to download the latest agent installer package.
    • Custom location: The deployment script connects to a location you specify to download the agent installer package. If you choose this option, you must also specify the Installer package source URL, including the full file path.
      An example URL might look like: https://sample.fileserver.us-east-1.amazonaws.com/TMSensorAgent_Windows.zip
  8. If you selected TrendAI™ for the download source, select the Agent installer proxy.
    • Direct connect: The agent installer attempts to connect directly to TrendAI Vision One™ without using a proxy.
    • Custom proxy: The agent installer attempts to connect using a user-defined proxy.
      To use this option, you must provide values for the following attributes in the custom script before attempting to deploy:
      • PROXY_ADDR_PORT: The IP address or FQDN and port of the proxy server. For example: 127.0.0.1:40
      • PROXY_USERNAME: If the proxy server requires credentials, provide the username.
      • PROXY_PASSWORD: If the proxy server requires credentials, provide the password.
    • Service Gateway: The agent installer attempts to connect using a deployed Service Gateway with Forward Proxy Service enabled.
      This option requires a Service Gateway with Forward Proxy Service installed and enabled. For more information, see Deploy a Service Gateway and Configure Firewall Exceptions.
    Important
    The deployment script does not use the custom proxies defined in the Agent Installer Proxy settings. Agents adopt the Runtime Proxy settings assigned to their endpoint group after installation and registration are successfully completed.
  9. To include TLS validation, select Validate TrendAI Vision One™ server TLS certificate.
    When enabled, the deployment script checks if the TrendAI Vision One™ download server is using a valid TLS certificate from a trusted certificate authority (CA). TrendAI™ recommends enabling this feature to help prevent "man in the middle" attacks.
  10. To include signature validation, select Validate the signature on the agent installer.
    When enabled, the deployment script performs a digital signature check on the downloaded agent installer file. The installation process is stopped if the check fails.
  11. Review and obtain the deployment script.
    Copy or download the script to your target endpoint.
    • Click the download icon to save the script.
      For Windows deployments, the script is saved as a PowerShell script (.PS1). For Linux and macOS deployments, the script is saved as a Bash script (.SH).
    • Click the copy icon to copy the script.
  12. Run the script from the command line interface.
    Use the command which corresponds to your operating system and interface:
    • Windows
      • Command prompt: Run the command powershell.exe -File scriptname.ps1
      • PowerShell: Run the command .\scriptname.ps1
    • Linux terminal: Add the execute permission to the file and run ./scriptname.sh
    • macOS terminal: Add the execute permission to the file and run ./scriptname.sh
    The deployment script downloads the agent installer package to the endpoint and begins installation. After installation successfully completes, the agent registers to TrendAI Vision One™ and appears in the Endpoint Inventory. The agent automatically adopts any settings or policies assigned to the managing endpoint group.
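
A pre-flight check for the Linux and macOS steps above, as an added example that is not part of the vendor's deployment script: it validates the custom package URL and PROXY_ADDR_PORT in the forms the procedure asks for, confirms the package is reachable over validated TLS, and checks that the script file (which may hold PROXY_PASSWORD) is accessible to its owner only. The function names, the accepted archive extensions and the example.com hosts are assumptions.

```shell
#!/bin/sh
# Added pre-flight example, not vendor code. Function names are hypothetical.

# Custom location must be a full HTTPS URL ending in an archive extension.
# Assumption: the accepted extensions; the page itself only shows .zip.
valid_package_url() {
  case "$1" in
    https://*/*.zip|https://*/*.tar|https://*/*.tar.gz|https://*/*.tgz) return 0 ;;
    *) return 1 ;;
  esac
}

# PROXY_ADDR_PORT must be host:port (IPv4 or FQDN; no scheme, no credentials, no IPv6).
valid_proxy_addr_port() {
  host=${1%:*}; port=${1##*:}
  [ "$host" != "$1" ] || return 1                 # no colon at all
  case "$host" in ''|[.-]*|*[!A-Za-z0-9.-]*) return 1 ;; esac
  case "$port" in ''|*[!0-9]*|??????*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# A script that carries PROXY_PASSWORD should be rwx for its owner only.
owner_only_executable() {
  case "$(ls -ld -- "$1" 2>/dev/null)" in
    -rwx------*) return 0 ;;
    *) return 1 ;;
  esac
}

# HEAD request over HTTPS only; curl validates the certificate chain by default.
package_reachable() {
  curl --silent --show-error --fail --head --max-time 15 --proto '=https' "$1" >/dev/null
}

# Usage (constructed values):
#   sh preflight.sh ./scriptname.sh https://files.example.com/agent.zip proxy.example.com:8080
preflight() {
  rc=0
  owner_only_executable "$1" || { echo "run: chmod 700 $1" >&2; rc=1; }
  valid_package_url "$2" || { echo "package URL: need https and archive extension" >&2; rc=1; }
  if [ -n "${3:-}" ]; then
    valid_proxy_addr_port "$3" || { echo "PROXY_ADDR_PORT: need host:port" >&2; rc=1; }
  fi
  if [ "$rc" -eq 0 ]; then package_reachable "$2" || rc=1; fi
  return "$rc"
}

if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

Some file servers reject HEAD requests; if `package_reachable` fails against a host you know is up, confirm with a ranged GET before changing the script.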