Deployment with JAMF

You can deploy the Qualys Cloud Agent for MacOS using JAMF. The following are the main steps to deploy Cloud Agent using JAMF.

Create a Policy for Trust JSS Certificates

Login to the JAMF Portal

Log in to the JAMF Admin Portal.

Create a Policy for Trust JSS Certificates for Computer Enrollment

1. To create a policy for Trust JSS certificate for computer enrollment, navigate to Policies tab on the Computer screen.
2. Click New to configure Truss JSS Certificates settings.
   
   
3. Add the following details in the General tab of the configuration screen.
   
   Display Name: Enter the display name for a new policy.
   
   Category: Select Enrollment from the available options.
   
   Enrollment Complete: Select this option to set the enrollment completion time.
   
   Execution Frequency: Select Ongoing from available options.
   
   Target Drive: Enter the value as / .
4. Click Save to save this configuration option.

Configure Script for Trust JSS Certificates

1. To configure the script, navigate to All Settings > Computer Management.
2. On the Computer Management screen, click on the Script tab.
3. Click New to create a new script.
   
   
4. Open the General tab and enter the following information:
   
   Display Name: Enter the display name for the script.
   
   Category: Select the Enrollment from the available options.
   
   Click Save.
5. Open the Script tab and enter the following parameters.
   
   #!/bin/sh
jamf -recon
jamf -trustJSS
   
   These parameters are automatically sent to the script in the defined sequence.
6. Click Save.

Script Options

Enter the following information in the Options window:

1. In the Priority field, select After from the available options. This defines the priority of script execution during imaging.
2. Click Save to save the priority settings.

Select Configuration Script

1. Navigate to Computer > Policies and click Script.
2. On the Script tab, click Configure. The window to select the script opens.
   
   
3. Select the newly created script and click Add.
4. Click Save.

Download Cloud Agent

Refer to the Download Cloud Agent Installer to learn how to download the Cloud Agent installer package.

Configure Policy for Qualys Cloud Agent

Following are the steps to configure the deployment policy for Qualys Cloud Agent.

1. On the JAMF dashboard, navigate to Computers > Policies.
2. Click New. The General window opens.
   
   
3. In the General window, enter the following details.
   
   Display Name: Enter the display name for the script.
   
   Select the Enabled checkbox.
   
   Category: Select the category for which you want to add the policy. For example, Application, Security, Unknown, and so on.
   
   Enrollment Complete: Select this checkbox. This defines the enrollment completion time.
   
   Recurring Check-in: Select this checkbox. It enables the recurring check-in frequency defined in JAMF Pro.
   
   Execution Frequency: Define the frequency to run the policy.
   
   Target Drive: Enter the field value as /. This field defines the target drive to run the policy. By default, the policy runs on a boot drive.
   
   Click Save.

Upload Package

Following are the steps to upload Qualys Cloud Agent with the newly created policy.

1. On the JAMF Admin Portal, navigate to All Settings > Computer Management.
2. On the Computer Management screen, open the Packages window.
3. In the Packages window, click New. The New Package screen opens.
   
   
4. Enter the following details in the New Package screen:
   
   Display Name: Enter the Cloud Agent display name.
   
   Category: Select the category for Cloud Agent Package.
   
   File name: Select the package file name available on the distribution point.
5. Click Save to save the package configuration.

Configure Script for Payload Configuration

The script payload configuration allows you to select script execution time in relation to other tasks in the policy. You can also enter values for script parameters. 

Following are the steps for script payload configuration:

1. On JAMF Admin portal, navigate to All Settings > Computer Management.
2. Open the Scripts window and click New. It opens the script configuration screen.
   
   
3. Enter the following details in the General tab of script configuration screen.
   
   Display Name: Enter the script name.
   
   Category: Select the category to add the script.
   
   Click Save.
4. Open the Scripts tab on the script configuration screen.
   
   
5. Enter the parameters for script configuration. following are the sample parameters for script configuration.
   
   sudo /Applications/QualysCloudAgent.app/Contents/MacOS/qualys-cloud-agent.sh ActivationId=848b31ad-3b93-49ea-9bf2-4f55d25ab6e2 CustomerId=6581ba99- ef16-4931-81fd-1c0493577d21
   
   These parameters are automatically passed to the script in defined order.
   
   Click Save to save the script configuration.
6. Open the Options tab.
7. In the Priority field, select After as a field value. It defines the priority of the script execution over other tasks during imaging.
   
   Click Save.
8. Navigate to Computer > Policies and open the Script tab.
9. In the Configure Script screen, click Configure. The Policies screen opens.
   
   
10. Select the newly created Script and click the Add button next to it.

Payload Configuration for Privacy Preferences Policy Control (PPPC)

To configure the payload for privacy preferences, perform the following steps.

1. Navigate to Computers > Configuration Profiles and click New.
   
   
2. In the General screen, enter the following details:
   
   Display Name: Enter the display name for the policy.
   
   Category: Select the value for this field as per the requirement. For example, Application, Security, Unknown, and so on.
   
   Distribution Method: Select Install-Automatically as the field value. This field defines the method to distribute policy. 
   
   Level: Select Computer-Level as the field value. This field defines the level to apply the configuration profile.
   
   Click Save.
3. Click Privacy Preferences Policy Control to configure the payload.
   
   
   
   Identifier: Enter the field value as com.qualys.cloud-agent.
   
   Identifier Type: Select Bundle ID as a field value.
   
   Code Requirement: Enter the required code with Identifier. You can use the following code to proceed with JAMF Deployment.
   
   identifier "com.qualys.cloud-agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6]/* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13]/* exists */ and certificate leaf[subject.OU] =CLRUMG7LZ6
   
   APP OR SERVICE: Select SystemPolicyAllFiles as a field value.
   
   ACCESS: Select Allow as a field value.
   
   Click Save.

Enroll Devices 

Registering your device to the device management platform allows the JAMF admin to push necessary policies or updates to it.

Perform the following steps to enroll or register a device.

1. Browse to the Qualys JAMF cloud from your Mac device.
2. Login to the JAMF portal using your Qualys LDAP credentials. Do not use qualys.com in the credentials.
3. Click Continue to download and install Qualys JAMF CA certificate.
4. Click Continue to download and install Qualys JAMF MDM profile.
5. Click Install in the Install Prompt to install the Qualys JAMF CA certificate.
   
   
6. Follow the above-mentioned steps to install MDM Profile.

Follow the UI instructions to download and install the CA certificate and MDM profile.

To verify if the Privacy Preference Policy Control Configuration, CA certificate, and MDM profile are correctly installed, go to the System Preferences > Profile.

 You have to add your device in the Scope to get these confirmation details.

Configure the Scope

1. Navigate to Computer > Policies window and open the Scope tab.
   
   
2. Enter the following information in the Scope tab window.
   
   Target Computers: Specify the computer to deploy the policy. You can select a Specific Computer or All Computers.
   
   Target Users: Specify the users to deploy the policy. You can select Specific User or All Users.
3. To add a MacOS device, click the Add button. A window to select the MacOS device opens.
4. Search the device by its hostname and click Add.
5. Click Save to save the policy.

Scope for Configuration Profile

1. Navigate to Computers > Configuration Profile and select the profile.
2. Follow the UI instructions to define the scope of the Configuration Profiles.

In a similar way, you can add the limitations and exclusions for a device.

 The Qualys Cloud Agent for MacOS is automatically deployed to devices added to the scope.

View Configuration Profile Details

To view the logs and other details of a configuration profile, navigate to Computer > Policies > Configuration Profiles.

The deployment time is varied depending on the network bandwidth and the number of devices added to the configuration profile.

Verify the installed Cloud Agents and their logs using the pkgeutil tool.