Manual Deployment of Endpoint Clients
You can export a package of Harmony Endpoint or Harmony Browse from the Endpoint Security Management Server to Endpoint devices using a third-party deployment software, a shared network path, email or other method.
When you download a package for manual deployment, the Initial Client is already included in the package for Harmony Endpoint and there is no need to install it separately.
Note - Initial Client is not supported for Harmony Browse.
Important - If you want to switch to a US-DHS and EU compliant Anti-Malware blade, make sure to switch to a compliant Endpoint Security Client before deploying the client. See Anti-Malware Settings.
Caution - Windows Server 2016 and higher requires that you turn off Microsoft Windows Defender before you install the Harmony Endpoint Security Client. Follow the instructions in sk159373 before you install, or contact Check Point Support to request assistance with the installation.
When you create the package for export, you select your set of components.
The package installation program automatically detects the computer type and installs the applicable components.
Using the Export Package
- Upload the package to the package repository
  - When you click the package repository icon, located in the toolbar of both the Export package and Software Deployment tabs, you are redirected to an internal Package Repository page.
  - When you click the "Upload Agent" button, a "Browse" modal opens. It prompts you to select the relevant file(s) (ZIP, EXE) and folder(s) to upload.
  Notes:
  - The administrator can abort an active package upload/download.
  - Packages that are in use cannot be deleted.
- Create the package for export
  - Go to Policy > Export Package.
  - Do any of these:
    - To export a package for Harmony Endpoint, click Endpoint Client.
    - To export a package for Harmony Browse, click Browse Client and continue with Export the package or file.
  - Click the plus sign to create a new export package.
    The Create Export Package window opens.
  - Enter the Package Name and select the applicable Operating System.
  - Select an Operating System.
    - Windows
    - macOS
    - Linux
  - Select the Package version.
  - Select Capabilities.
    - For Linux, only the Anti-Malware blade is supported with the exported package.
    - For capabilities supported by Windows, macOS and Linux, see sk169996.
      Note - If the Harmony Endpoint Anti-Malware capability is installed, the third-party Anti-Malware status in the Harmony Endpoint Security Client is not displayed.
    - For general limitations on macOS, see sk110975.
  - To add a new VPN site to the package, see Adding a New VPN Site to an Exported Package.
  - Optional: Select a Virtual group or create a new one.
    Users who install this package will automatically be part of this virtual group.
    You can use the virtual group to apply a security policy to the entire group instead of to each object in the group separately.
  - Optional: Select a Software Signature.
    You can select a file signing method for MSI files that will be deployed using an external distribution system. By default, the client uses an internal signature to authenticate.
    Select one of these file signing methods:
    - None
    - Internal Certificate Authority
    - Custom - If you select Custom, do these steps:
      - Click Browse and get the certificate file (*.p12).
      - Enter certificate password.
      - Click Validate.
        The certificate is created on the Endpoint Security Management Server.
      - Send the *.p12 file to client computers before you install the client package.
  - Select the settings for the Dynamic Package:
    Note - Dynamic package is not supported for macOS and Linux.
    - Select the Minimize package size (takes longer) checkbox.
    - General
      Disable the Endpoint Security Client user interface - for unattended machines, like ATMs.
      To learn about packages for ATMs, see sk133174. By default, the client user interface is included in the package.
    - Dependencies Settings
      Select the dependencies to include in the package:
      - .NET Framework 4.6.1 Installer (60MB) - Recommended for Windows 7 computers without .NET installed.
      - 32-bit support (40MB) - Selected by default. Recommended for 32-bit computers.
      - Visual Studio Tools for Office Runtime 10.050903 (40 MB) - Recommended if the package includes Capsule Docs.
      - Smart preboot (190MB) - Enables the Easy Unlock and Self Unlock features.
        Easy Unlock allows you to Accept or Reject a Network One-Time Logon request or a Network Password Change request from a user that has forgotten the login credentials of the endpoint or the endpoint is locked due to invalid login attempts using incorrect credentials. Such requests are indicated by the icon in the Asset Management > Computers table. See Viewing Computer Information. It is supported:
        - Only with Endpoint Security client version 86.50 or higher.
        - Only on endpoints running Windows OS.
        - Only if the Full Disk Encryption is Check Point encryption.
        Self-Unlock allows users to unlock their endpoint by scanning a QR code using their mobile device, without your (Administrator) intervention. It is supported:
        - Only with Endpoint Security client version 86.60 or higher.
        - Only on endpoints running Windows OS.
        Note - If the endpoint is connected remotely (not in the LAN), then ensure that your Endpoint Security Management Server is accessible over the internet. Otherwise, you must set up a reverse proxy and specify the Hide behind IP address under NAT in the SmartConsole. For more information, see the SmartConsole Help.
        Additional settings for the Self-Unlock feature:
        - Specify Self-Unlock Settings in Computer Actions.
        - Enable Self-Unlock for Full Disk Encryption. See Advanced Pre-boot Settings.
        Note - Smart pre-boot is available only to customers in the Early Availability program.
    - Anti-Malware Settings
      Select the signature to include in the package.
      This sets the level of Anti-Malware protection from the time that a client gets the package until it gets the latest Anti-Malware signatures from the signature provider:
      - Full - Recommended for installing on devices without high-speed connectivity to the Anti-Malware server.
      - Minimum - Selected by default. Recommended for a clean installation on devices that are connected to the Anti-Malware server.
      - None - Recommended for upgrades only.
  - Optional: To download the package automatically after the system creates the package, select the Download package when saved checkbox.
  - Click Finish.
    The system starts to create the package. It can take several minutes depending on the package size. When the package is ready, the system shows the Exported Package created message.
    Note - You can duplicate the package configuration for future use. Click the icon.
- Export the package or file
  In the export package tile, click to download the package or file.

  | Client   | OS       | Downloaded file                                                        |
  |----------|----------|------------------------------------------------------------------------|
  | Endpoint | Windows  | EPS_<Year>_<Version>.exe                                               |
  | Endpoint | macOS    | EPS_TINY.zip                                                           |
  | Endpoint | Linux    | installScript.sh                                                       |
  | Browse   | Windows  | BrowserSetup.exe                                                       |
  | Browse   | macOS    | BrowserSetup.zip                                                       |
  | Browse   | ChromeOS | BrowserSetup_chromeos_Laptop.exe or BrowserSetup_chromeos_Desktop.exe  |

  Note - Dynamic package is not supported for Harmony Browse.
- Continue with Installing the Exported Package or Client.
Installing the Exported Package or Client
You can also use a third-party deployment software, a shared network path, email, or some other method to distribute the package or file.
Endpoint Client
- For Windows, distribute the downloaded package or file to the users' endpoints or run EPS_<Year>_<Version>.exe /CreateMSI on the users' endpoints.
  On Windows 8.1 and higher, right-click the exe file and click Run as administrator to install the client.
  The EPS_<Year>_<Version>.exe /CreateMSI command is supported only with the Endpoint Security Client E85.20 or higher. It is supported for both 32-bit and 64-bit Windows.
  You can install the Endpoint Security client using the EPS.msi file through the Command Line Interface (CLI). To install:
  - Transfer the EPS.msi file to the endpoints.
  - In the endpoint's CLI, run:
        msiexec.exe /i <path to msi file>\EPS.msi
    For example,
        msiexec.exe /i C:\users\admin\EPS.msi
    Output
        USERINSTALLMODE=<blades' mask>
        Generating MSIs. It will take a few minutes.
        Please wait...
        ===> <location>\EPS.msi
        ===> <location>\32\EPS.msi
    The system creates the msi files for both 64-bit and 32-bit and opens Windows Explorer windows where the msi files are created.
  - Make a note of the path where the msi files are created.
  - In the Command Prompt window, press any key to close.
  - Transfer the msi file to the endpoints and run the msi file to install the Harmony Endpoint Security client.
    For more information, see sk179668.
- For macOS, distribute the package or file to the users' endpoints.
- For Linux, run the sh script on the users' endpoints.
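A pre-install gate for the msiexec step above, as an added example (not Check Point's code): it checks the exported EPS.msi against a SHA-256 recorded at export time, then runs the page's msiexec.exe /i command with a verbose log. The parameter names, the recorded hash and the signer thumbprint are assumptions; the optional thumbprint check also assumes the selected Software Signature is visible to Windows as an Authenticode signature from a trusted chain, which the page does not state.

```powershell
# Added example, not Check Point code. Parameter names are hypothetical.
param(
    [Parameter(Mandatory)] [string] $MsiPath,          # e.g. C:\users\admin\EPS.msi
    [Parameter(Mandatory)] [string] $ExpectedSha256,   # recorded by the admin at export time (assumption)
    [string] $ExpectedThumbprint,                      # optional signer certificate thumbprint (assumption)
    [string] $LogPath = (Join-Path $env:TEMP 'EPS_install.log')
)
$ErrorActionPreference = 'Stop'

function Test-ExportedPackage {
    param([string] $Path, [string] $Sha256, [string] $Thumbprint)

    # Integrity: the file must be byte-identical to the package that was exported.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $Sha256.Trim()) {            # string -ne is case-insensitive
        Write-Warning "SHA-256 mismatch for ${Path}: $actual"
        return $false
    }
    if (-not $Thumbprint) { return $true }

    # Origin: enforced only when a thumbprint is supplied.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is $($sig.Status): $($sig.StatusMessage)"
        return $false
    }
    if ($sig.SignerCertificate.Thumbprint -ne ($Thumbprint -replace '\s', '')) {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject)"
        return $false
    }
    return $true
}

if (-not (Test-ExportedPackage -Path $MsiPath -Sha256 $ExpectedSha256 -Thumbprint $ExpectedThumbprint)) {
    Write-Error "Refusing to install $MsiPath" -ErrorAction Continue
    exit 1
}

# Same command as on the page, plus msiexec's standard verbose log (/l*v).
$msiArgs = @('/i', "`"$MsiPath`"", '/l*v', "`"$LogPath`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success but a restart is required.
if ($proc.ExitCode -notin 0, 3010) {
    Write-Error "msiexec failed with exit code $($proc.ExitCode); see $LogPath" -ErrorAction Continue
}
exit $proc.ExitCode
```

Run it from an elevated prompt on the endpoint, or wrap it as the install command in the third-party deployment tool so a package altered on the share or in transit is never handed to msiexec.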
Browse Client
- For Windows, distribute the downloaded package or file to users' endpoint or run the EndpointSetup.exe /CreateMSI on the users' endpoint.
- For macOS, distribute the package or file to users' endpoint.
- For ChromeOS, see sk173974.
You can only see the deployment status after the package is successfully installed.
If you have enabled Installation Token, a prompt appears during the Endpoint Security client installation. The user must enter the Server Authentication Token.
If the server authentication fails, create a new server authentication token with the appropriate validity period and share it with your users.