The Automox Agent Deployer is a locally downloaded and executed client binary that allows you to deploy Automox agents to a CrowdStrike-managed device estate using the CrowdStrike API for the Real-Time-Response module. After you configure variables using a CLI-based GUI for ease of use, the client installs the Automox agent on the devices scoped in the configurator step.
Configuring and setting up scripts
This consists of 5 steps. These are described in the following sections.
Step 1: Download the deployer application
OS - Architecture | File |
---|---|
Linux - arm64 | |
Linux - amd64 | |
macOS - arm64 | |
macOS - amd64 | |
Windows - arm64 | |
Windows - amd64 |
Note: For Windows, you must open up a PowerShell window and call the .exe file directly. For Linux/macOS, you must open a terminal window in the directory where you have downloaded the file, and run chmod a+x <filename>, where <filename> is the name of the downloaded file. You can then execute the file by running ./<filename>.
Step 2: Configurator (for first-time use)
After you download and install the Agent Deployer application, select command-config. Now you can set up the configuration including the file path, Automox Access key, CrowdStrike Client ID, CrowdStrike secret, the CrowdStrike API region, and the platform deployment size. All of these elements are required.
Requirements
Automox Access Key
CrowdStrike API Client ID
CrowdStrike API Client Secret
CrowdStrike API Region
To identify the API key region, refer to the Cloud environment column in the overview table of your CrowdStrike API reference article, which is accessible from here: https://falcon.crowdstrike.com/documentation/46/crowdstrike-oauth2-based-apis.
CrowdStrike API Client Permissions
Hosts - read
For getting details on hosts being deployed to
Host Groups - read
For getting available groups and membership details
Real time response - read and write
For executing the RTR installation scripts. The write permission here is what allows custom scripts to be executed.
If opting to upload RTR installation scripts, the RTR (admin) - write permission is temporarily required. For security reasons, this permission should be removed after uploading is completed.
Response policies
For verifying that the selected groups have Real time response capabilities enabled
Group Response Policy Configuration
All groups selected for deployment will need to have the following Real Time Response Policy settings enabled:
Real Time Response - enabled
Custom scripts - enabled
Falcon scripts - enabled
After the Automox key and CrowdStrike configuration values are configured, the deployer will use those details to connect to the CrowdStrike API to get a list of available groups and provide them for picking where to deploy. Multiple groups can be selected.
Step 3: Select upload or print custom scripts
The configurator provides an option to upload or print the RTR scripts necessary for deployment of the Automox agent.
If opting to upload RTR installation scripts, the RTR (admin) - write permission is temporarily required. For security reasons, this permission should be removed after uploading is completed.
The upload route is the easiest and most likely to ensure success when deploying as there is no risk of errors related to formatting/new lines from copying and pasting the printed scripts.
Upload Scripts
Before you continue, confirm that the Real time response (admin) - write permission is enabled for the CrowdStrike API Client being used by the deployer. If it is not configured when attempting to upload, 2 retries are allowed before the configurator exits.
The deployer then attempts to upload the installation script for each platform.
The scripts are uploaded with permissions that allow them to be used by any user with the RTR Active Responder role or API Client with the Real time response - write permission (non-admin).
If successful, the configurator continues. Ensure that the Real time response (admin) - write permission is removed at this point. It is not needed for normal operation of the deployer and provides too much permission.
Print Scripts
Note: The credentials have been rotated in this example.
When selecting print, the script for each platform is printed for copying and pasting into the CrowdStrike console under Response Scripts & Files. The names of the scripts need to match those provided by the deployer.
Navigate to Response Scripts & Files and click Create a script.
Enter the name and description and ensure the correct shell type is selected for each OS. Be aware that Real Time Responder roles are required for this action. These can be added via User Management in the CrowdStrike console.
OS Shell Types
Windows: Powershell
Linux: Bash
macOS: Zsh
Permissions: RTR Active Response and RTR Administrator
This permission allows the deployer to use this script without admin permissions.
Repeat the steps for macOS and Linux by pressing any key twice and using the name and script content printed for each.
Note: If the user intends to deploy on all OSes, there must be 3 different scripts uploaded here, one for each OS.
Step 4: Set up recurring schedule to run the script(s)
For the prompt: “Print commands for scheduling the tool to run”, enter ‘Yes’.
Provide the path (it defaults to the existing path) and determine the frequency. This is only available for Linux and Windows.
Scheduler Example - Windows
The application prints the PowerShell script for scheduling when Windows is selected as the scheduling platform.
Open PowerShell and run the printed script.
Review Task Scheduler
After you run the recurring schedule script, you will see a new automated task in the Task Scheduler. All arguments are pre-populated with necessary flags. You can change any parameters within the Task Scheduler.
Note: Plain text API secrets are in this scheduled task, which represents a potential security risk.
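One way to check a scheduled task for the plain-text secrets this note warns about, as an added example that is not part of the deployer or the original page. It reads task XML (for instance from Export-ScheduledTask); the flag names and path in the sample are constructed placeholders, not the deployer's real flags.

```python
import re
import shlex
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Heuristic: flag names that suggest a credential (the page's access key and secret).
SENSITIVE = re.compile(r"secret|key|token|password", re.IGNORECASE)

# Constructed sample export; flag names and path are hypothetical placeholders.
SAMPLE_TASK_XML = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions>
    <Exec>
      <Command>C:\\Tools\\deployer-placeholder.exe</Command>
      <Arguments>deploy --example-client-id id123 --example-client-secret=s3cr3t --example-access-key "k e y"</Arguments>
    </Exec>
  </Actions>
</Task>"""


def find_plaintext_secrets(task_xml: str) -> list:
    """Return (command, flag) pairs for credential-like flags that carry a value."""
    findings = []
    root = ET.fromstring(task_xml)
    for action in root.findall(".//t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS)
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        # posix=False keeps backslashes in Windows paths intact.
        tokens = shlex.split(args, posix=False)
        for i, tok in enumerate(tokens):
            if not tok.startswith("-"):
                continue
            flag, sep, value = tok.partition("=")
            # Support "--flag value" as well as "--flag=value".
            if not sep and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                value = tokens[i + 1]
            if value and SENSITIVE.search(flag):
                findings.append((command, flag))  # the value itself is never returned
    return findings


if __name__ == "__main__":
    for command, flag in find_plaintext_secrets(SAMPLE_TASK_XML):
        print(f"{command}: {flag} carries a plain-text value")
```

The function reports only the flag name, so its output can be logged or shared without exposing the secret again.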
Step 5: Save configuration and pre-check
You can opt to save the configuration to a file. This file can be referenced using the --config flag when running the deployer. A configuration file is not required if using the scheduled task/cron schedulers, as the commands are generated with the configuration values as flags.
Finally, the deployer will attempt to validate that the selected groups for deployment have Real time response capabilities enabled. Any groups with incorrect settings will be logged.
Deployment
Select command-deploy to see results of your actions.
Deploy command and results. For devices that are not online, the commands are queued up via the queue offline flag within CrowdStrike.
Troubleshooting
There are a few known errors to look out for when deploying.
Missing scripts
RTR Custom Script 'AutomoxAgentInstaller-<Platform>' is missing, cannot deploy. Please run configuration to upload or print the required script"
This error message is displayed when the specified RTR Custom Script is not found in the CrowdStrike platform. There are a couple of possible reasons for this:
The scripts were not created.
In this case, run the config command to upload or print the scripts.
The permissions are not correct on the script.
Ensure that the script permissions are set to the RTR Active Responder and Admin.
Offline Hosts
host 'abc-123' (device-id) was offline, deployment will be performed by Crowdstrike when the device is online
This message is not necessarily an error. It is printed when a host in the deployment group was offline. CrowdStrike will attempt to run the command when the host is online; however, the deployer does not track these queued commands.
Invalid scripts
RTR Custom Script 'AutomoxAgentInstaller-<Platform>' returned an error during deploy. This is usually due to the script being improperly formatted or invalid. Please run configuration to upload or print the required script to fix. If manually uploading, refer to the README for troubleshooting steps.
If the scripts were manually uploaded to the CrowdStrike platform, it is possible that they were not pasted correctly.
The most common reason for this is trailing empty lines at the end of a script. Remove these and try again. If this doesn’t fix the issue or if there are no empty lines, try uploading the scripts via the deployer.
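A pre-paste check for the formatting problems described above, as an added example that is not part of the deployer. It reports trailing empty lines and, going slightly beyond the text, carriage returns and a leading byte-order mark, which copy and paste can also introduce; the sample script body is constructed.

```python
from dataclasses import dataclass

BOM = "\ufeff"

# Constructed sample: a script body damaged by copy and paste.
SAMPLE_PASTE = "\ufeffWrite-Host 'a'\r\nWrite-Host 'b'\r\n\r\n  \r\n"


@dataclass
class LintResult:
    issues: list   # human-readable findings, empty when the text is clean
    cleaned: str   # text that ends at the last non-blank line


def lint_rtr_script(text: str) -> LintResult:
    """Report paste damage in a script body and return a cleaned copy."""
    issues = []
    if text.startswith(BOM):
        issues.append("byte-order mark at start of script")
        text = text[len(BOM):]
    if "\r" in text:
        issues.append("carriage returns (CRLF or bare CR line endings)")
        text = text.replace("\r\n", "\n").replace("\r", "\n")
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # the final line terminator is not itself an empty line
    trailing = 0
    while lines and not lines[-1].strip():
        lines.pop()  # whitespace-only lines after the last line of content
        trailing += 1
    if trailing:
        issues.append(f"{trailing} trailing empty line(s)")
    return LintResult(issues, "\n".join(lines))


if __name__ == "__main__":
    result = lint_rtr_script(SAMPLE_PASTE)
    for issue in result.issues:
        print("found:", issue)
```

Paste the `cleaned` text into the console rather than the original if any issue is reported.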
Timeout
The installation commands run during the deployment must succeed within 30 seconds.
If the command takes longer than 30 seconds to complete, you will see an error stating that the command timed out. This could be due to a slow connection or some other error for the host. One thing to try is rebooting the host that failed to install (if that’s an option).
Other deployment errors
Other errors may be captured from the deployment. Errors that are not known will return the raw details from the deploy operation. These are usually fairly helpful in understanding what went wrong.