Automatic Deployment of Endpoint Clients

Software deployment rules are supported for Windows, macOS and Linux.

Use deployment rules to automatically download and install pre-configured packages on endpoint devices.

To manage your Endpoint Security clients and install Endpoint Security Policy on them, you must first deploy the Initial Client to them.

The Initial Client is the Endpoint Agent that communicates with the Endpoint Security Management ServerClosed A Security Management Server that manages your Endpoint Security environment. Includes the Endpoint Security policy management and databases. It communicates with endpoint clients to update their components, policies, and protection data..

Notes- You can deploy the Initial Client to all your endpoint devices, using a third-party deployment tool, manually or remotely (see Remote Installation of Initial Client).

Important - If you want to switch to a US-DHS and EU compliant Anti-MalwareClosed A component of the Endpoint Security client that protects against known and unknown viruses, worms, Trojan horses, adware, and keystroke loggers. blade, make sure to switch to a complaint Endpoint Security ClientClosed Application installed on end-user computers to monitor security status and enforce security policies. before deploying the client. See Anti-Malware Settings.

Caution - Windows Server 2016 and higher requires that you turn off Microsoft Windows Defender before you install the Harmony Endpoint Security Client. Perform the instructions in the sk159373 before you install or contact Check Point Support to request assistance with the installation.

Automatic Deployment of Endpoint Clients

Using the Tiny Agent

The Tiny Agent is supported with Windows, macOS, and Linux. It is an enhancement to the current Initial Client package (which is a very thin client, without any blade, used for software deployment purposes).

The Initial Client is the Endpoint Agent that communicates with the Endpoint Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..

You can extract the Initial Client from the Tiny Agent.

The improvements include:

  • The Tiny Agent has a very small executable (smaller than 1MB).

  • Consolidates all the connection parameters in a single executable.

  • It can be shared in various forms, enabling fast, easy and seamless first-time deployment.

  • Once combined with the Dynamic Package, it installs only what is necessary for each machine.

  • It is agnostic to the client version.

  • It passes Smart Screen validation - no more download warnings.

  • It reduces network traffic for installing selected blades.

It is available for cloud deployments and for on-premises deployments running Endpoint Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.R81 or higher.

00:00: This video shows how to quickly deploy the Harmony Endpoint Security Client using the Tiny Agent on your Windows endpoint and then install a software deployment policy. 00:11: This procedure requires two prerequisites. First, internet access to the endpoint to download and install the software deployment policy. Second, you must create virtual groups of endpoints manually or use the Active Directory scanner to sync the endpoints and users from your Active Directory server. 00:30: Let's get started. Log in to the Infinity Portal. Access the Harmony Endpoint Administrator Portal and click Overview. 00:39: From the top banner, click "Download Endpoint" to download the Tiny Agent. 00:44: Select the Harmony Endpoint Security Client Windows version to install on the endpoints. Make a note of the selected version. 00:52: Click "DOWNLOAD" to download the Tiny Agent. The system downloads the Endpointsetup.exe file. 00:59: Click "OK" to close the window. 01:02: Now transfer or distribute the EndpointSetup.exe file to the endpoints where you want to install the Harmony Endpoint Security Client. You can transfer the file manually or use a third-party tool such as Microsoft Intune. 01:16: Now, let's specify the capabilities, for example, Antibot, Antivirus and other capabilities that you want to deploy on the Harmony Endpoint Security Client. For that, click Policy and then Deployment Policy. 01:30: Click Software Deployment. 01:33: Click Clone and select "Clone above" to duplicate the default software deployment . 01:39: Enter a rule name for the software deployment policy 01:43: Select the group of endpoints to install the software deployment policy. 01:48: Click "OK" to close the window. 01:51: In the Capabilities and Exclusions pane on the right, make sure to select the same Harmony Endpoint Security Windows client version that you selected while downloading the Tiny Agent. 02:02: Now select the capabilities that you want to install on the Harmony Endpoint Security client. 02:09: Click "Save and Install" to save the changes and initiate the installation. 02:14: Review the changes and click "INSTALL". The system installs the software deployment policy on the Endpoint Management Server. 02:22: Now, go to the endpoint and double-click and run the Tiny Agent. It installs the Harmony Endpoint Security Client and downloads the software deployment policy from the Endpoint Management Server. 02:34: Your endpoints are now fully protected by the Harmony Endpoint Security Client. Thank you for watching the video.

To deploy the Endpoint Security Client using the Tiny Agent:

  1. Do any one of these:

    Click

    Steps

    Policy > Deployment Policy > Software Deployment and then click Download Endpoint on the top banner.
    1. Select a Download version and a Virtual group.

    2. Do one of these:

      • To download the file immediately, click Download for the relevant OS and transfer the file to the endpoints.

        Client

        OS

        Downloaded file

        Endpoint Windows EPS_<Year>_<Version>.exe
        macOS EPS_TINY.zip

        Linux

        installScript.sh

        Browse

        Windows

        BrowserSetup.exe

        macOS

        BrowserSetup.zip

        ChromeOS

        BrowserSetup_chromeOS_Laptop.exe or BrowserSetup_chromeOS_Desktop.exe

      • To download the file using a download link, click and click Copy download link.

        When the download link is ready, the Send the Link by Email window appears.

        1. Click to copy to the link.

        2. Share the download link with users (for example, by email) to download the file.

    Overview, and then click Download Endpoint on the top banner.
    Overview > Getting Started > Let's Start Connect Your First Agent
    1. In the Download & Install Endpoint agent widget, click Download.

      The Download & Install Endpoint Agent window appears.

    2. Click Online Install.

    3. From the Operating System list, select the OS.

    4. From the Version list, select the client version.

  2. For Windows:

    • Run the exe file to install the Harmony Endpoint Security client.

    • If you want to use the msi file, then convert the exe file into a msi file:

      1. Open the Command Prompt window by selecting Run as administrator.

      2. Run:

        cd [Path where you have downloaded the exe file]

        For example, cd C:\Users\User\Downloads

      3. Run:

        EndpointSetup.exe /CreateMSI

      4. Transfer the msi file to the endpoints and run the msi file to install the Harmony Endpoint Security client.

        Note - For silent installation, run msiexec.exe /i [path to msi file]\EPS.msi /qn SILENTINSTALL=1.

  3. For macOS:

    1. Unzip the file and open the EPS_TINY folder.

    2. To install the Harmony Endpoint Security client, do one of these:

      • Run the EPNano.app file.

      • In the terminal window, run:

        ./EPNano.app/Contents/MacOS/EPNano

  4. For Linux:

    • If you downloaded the installScript.sh file, run the file on the endpoint to install the Harmony Endpoint Security client.

    • If you copy the download link, on the Linux machine, run:

      1. curl [paste_download_link] -o install.sh

      2. chmod +x install.sh

      3. sudo ./install.sh install

  5. Continue with Deployment Rules.

Note - You can deploy the Initial Client to all your endpoint devices, using a third-party deployment tool, manually or remotely (see Remote Installation of Initial Client).

Troubleshooting Issues with the Tiny Agent on Windows OS

The Tiny Agent shows simple error messages in cases of network issues (connectivity problems, proxy issue, and so on).

Log File Location

The log file is located here:

C:\Windows\System32\LogFiles\WMI\EndpointSetup.etl

Silent Installation

Run:

PsExec.exe -accepteula -nobanner -s "C:\Users\<Administrator Username>\Desktop\EndpointSecurity.exe"

Using the Vanilla Client

Note - The Vanilla client is supported only for Windows-based endpoints.

The Vanilla client is similar to the Tiny Agent but receives the connection parameters separately that prevents unauthorized clients to connect to the Harmony Endpoint Management Server.

To deploy the Endpoint Security Client using the Vanilla Client:

  1. Go to Overview > Getting Started > Let's Start Connect Your First Agent.

  2. In the Download & Install Endpoint agent widget, click Download.

    The Download & Install Endpoint Agent window appears.

  3. Click Copy Installation link.

  4. Click .

    The download link appears in the field on the left.

  5. Click to copy the link.

  6. Do one of these:

    To

    Do

    Install the Vanilla client directly on the endpoint
    1. On the endpoint where you want to install the client, open the link in a browser.

      Note - Make sure that the user has Administrator role in the endpoint.

    2. In the Download Endpoint Agent widget, click Download.

      The system downloads the EndpointSetup.exe file.

    3. Run the EndpointSetup.exe to register the client.

      The Ready to connect dialog box appears.

    4. Click OK.

    5. In the Connect to Harmony Endpoint widget, click Connect.

      The Endpoint Security dialog box appears that shows the client installation status.

    Install the Vanilla client remotely on the endpoint

    On the endpoint where you want to install the client, run this command as the Administrator:

    EndpointSetup.exe /url [link]

    The system downloads the Vanilla client, installs it and then connects to the Harmony Endpoint Management Server.

    Install the Vanilla client remotely on the endpoint using third-party distribution applications, for example, Microsoft InTune
    1. Run this command as the Administrator:

      EndpointSetup.exe /createmsi /url [link]

      The system downloads the EPS.msi file.

    2. Distribute the EPS.msi file using third-party MDM application. For more information, see Remote Installation of Initial Client.

  7. When the installation is complete, the Harmony Endpoint Security Client is installed on the endpoint and connected to the Harmony Endpoint Management Server.

  8. Continue with Deployment Rules.

Deployment Rules

Deployment rules let you manage Endpoint Security Component Package deployment and updates.

Deployment rules work on both Windows OS and macOS. Linux OS is not supported yet.

The Default Policy rule applies to all Endpoint devices for which no other rule in the Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase. applies.

You can change the default policy as necessary.

You can define more rules to customize the deployment of components to groups of Endpoint devices with different criteria, such as:

  • Specific Organizational Units (OUs) and Active Directory nodes.

  • Specific computers.

  • Specific Endpoint Security Virtual Groups, such as the predefined Virtual Groups ("All Laptops", "All Desktops", and others.). You can also configure your own Virtual Groups.

Deployment rules do not support user objects.

Mixed groups (that include both Windows OS and macOS objects) intersect only with the applicable members in each rule.

See Installation and Upgrade Settings for local deployment options.