Automatic Deployment of Endpoint Clients

Software deployment rules are supported for both Windows and macOS.

Use deployment rules to automatically download and install pre-configured packages on endpoint devices.

To deploy Endpoint Security clients with automatic deployment, install one of these deployment packages on these Endpoint clients:

Automatic Deployment of Endpoint Clients

Tiny Agent

The Tiny Agent functionality introduces a few major improvements to the current Initial Client package (which is a very thin client, without any blade, used for software deployment purposes).

The Initial Client is the Endpoint Agent that communicates with the Endpoint Security Management Server A Security Management Server that manages your Endpoint Security environment. Includes the Endpoint Security policy management and databases. It communicates with endpoint clients to update their components, policies, and protection data..

You can extract the Initial Client from the Tiny Agent.

The improvements include:

The Tiny Agent has a very small executable (smaller than 1MB)
It can be shared in various forms, enabling fast, easy and seamless first-time deployment.
Once combined with the Dynamic Package, it installs only what is necessary for each machine.
It is agnostic to the client version.
It passes Smart Screen validation - no more download warnings
It reduces network traffic for installing selected blades.

It is available for cloud deployments and for on-premises deployments running Endpoint Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. R81 or higher.

To download the Tiny Agent:

Do one of these:
- Click Overview, and then click Download Endpoint on the top banner.
- Click Policy > Deployment Policy > Software Deployment, and then click Download Endpoint on the top banner.
The Download Harmony Endpoint window appears.
Select a Download version and a Virtual group, and then click Download for an OS.

For Windows OS, the system downloads the EndpointSetup.exe file. Run the .exe file on the endpoint to install the Harmony Endpoint Security client.

Note - To extract the MSI file, run:

EndpointSetup.exe /CreateMSI

For macOS, the system downloads the EPS_TINY.zip file. Transfer the zip file to the endpoint.

Caution - Do not change the EPS_TINY.zip file name.

Unzip the file and open the EPS_TINY folder.
To install the Harmony Endpoint Security client, do one of these:
- Run the EPNano.app file.
- In the terminal window, run:
  
  ./EPNano.app/Contents/MacOS/EPNano

For Linux OS, the system downloads the installScript.sh file. Run the installScript.sh file on the endpoint to install the Harmony Endpoint Security client.

Troubleshooting Issues with the Tiny Agent on Windows OS

The Tiny Agent shows simple error messages in cases of network issues (connectivity problems, proxy issue, and so on).

Error messages and Remediation

Console Error	Description	Remediation
`Endpoint Setup failed!`	Exception occurred (either allocation failed on any internal component, or another type of abnormal termination)	Download the file again and check its signature (it could be corrupted), and make sure you have enough free RAM.
`Failed to initialize Endpoint Setup!`	Either we cannot verify our own signature, or map the installer in the memory.	Make sure you have enough memory.
`Failed to parse internal data!`	Failed to parse the URL for downloading `eps.msi` from CDN	File downloaded from the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. is corrupted. Contact Check Point Support.
`Failed to download or verify Windows Installer package (EPS.msi)!`	Failed to verify downloaded `EPS.msi`	Make sure that your Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., or any network security component, does not corrupt the installer.
`Failed to find program files folder`	Failed to get program files from Microsoft.	Make sure your OS is updated.
`Failed to create our program files folder for config.dat`	Either there is some Check Point product installed, or the Administrator cannot create folders in the Program Files folder	Make sure that the Endpoint Security Client is not already installed.
`Failed to save config.dat`	Either there is some Check Point product installed, or the Administrator cannot create folders in program files folder	Make sure that the Endpoint Security Client Application installed on end-user computers to monitor security status and enforce security policies. is not already installed.
`Failed to install the product`	Cannot run Windows Installer to install `EPS.msi`	Make sure Windows Installer is enabled.
`Failed to download Windows Installer package (EPS.msi)!`	Failed to download `eps.msi`	Make sure you have access to CDN: sc1.checkpoint.com
`Failed to authenticate EndpointSetup!`	Data corruption occurred, or data added to the file is corrupted	Make sure the file is not corrupted, and/or that you downloaded it from the correct location.
`Failed to parse configuration data`	Failed to find the server config information.	Make sure you downloaded the file from the portal.
`Setup failed another installation is currently in progress`	Another installation is stuck, or has not finished.	Reboot the machine, or fix/complete any pending installation.

Log File Location

The log file is located here:

C:\Windows\System32\LogFiles\WMI\EndpointSetup.etl

Silent Installation

Run:

PsExec.exe -accepteula -nobanner -s "C:\Users\<Administrator Username>\Desktop\EndpointSecurity.exe"

For more details on deployment methods of the Endpoint clients, see the Harmony Endpoint Server Administration Guide for your version.

Deployment Rules

Deployment rules let you manage Endpoint Security Component Package deployment and updates.

Deployment rules work on both Windows OS and macOS. Linux OS is not supported yet.

The Default Policy rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. applies to all Endpoint devices for which no other rule in the Rule Base All rules configured in a given Security Policy. Synonym: Rulebase. applies.

You can change the default policy as necessary.

You can define more rules to customize the deployment of components to groups of Endpoint devices with different criteria, such as:

Specific Organizational Units (OUs) and Active Directory nodes.
Specific computers.
Specific Endpoint Security Virtual Groups, such as the predefined Virtual Groups ("All Laptops", "All Desktops", and others.). You can also configure your own Virtual Groups.

Deployment rules do not support user objects.

Mixed groups (that include both Windows OS and macOS objects) intersect only with the applicable members in each rule.

To create new deployment rules for automatic deployment

From the left navigation panel, click the Policy view.
Click Software Deployment.
From the top toolbar, click Duplicate Above or Duplicate Below.

The Clone Rule window opens.
Configure the rule:
- Enter the rule name
- Select the groups to which the rule applies.
  
  Mixed groups (that include both Windows OS and macOS objects) intersect only with the applicable members in each rule.
- Select the applicable parts of the organization.
- Select the affected devices.
Click OK to create the new rule.
Click the new rule to select it.

Configure the deployment settings:

Select the applicable package version.

Caution - The Endpoint Security client package version must match the client package version selected in the exported package. Otherwise, the system discards the capabilities selected in the Software Deployment rule.

Select the package capabilities.

Click Save.
Above the right section Capabilities & Exclusions, click Install Policy.