07-24-2017 09:48 PM
Hello,
I have long since known that we can offer both a file download as a remediation as well as the execution of signed code. Is there any way to actually run a signed executable that has been downloaded as part of a posture validation remediation flow on Windows? OS X? Getting an answer for Windows is a priority right now.
This would be on the latest ISE/Posture Module, and I spoke about it with vsantuka.
Thanks,
Russ
07-25-2017 05:49 AM
Theoretically, yes.
Here are two ways to accomplish this. The first is to run the installer from the download server. Create an Application Condition at Policy > Policy Elements > Conditions > Application Condition. This is where you choose the Application you would like to ensure is installed.
Create the Remediation Action that takes place if the Application is not installed at Policy > Policy Elements > Results > Launch Program Remediation. Point this to the installer source on your download server.
Create the Posture Requirement at Policy > Policy Elements > Results > Requirements.
Add the rule to your Posture Policy at Policy > Posture.
The other option is the two-step option that you mentioned.
Create a File Condition at Policy > Policy Elements > Conditions > File Condition to check if the installer file exists.
Then go to Policy > Policy Elements > Conditions > Application Condition and create the check for the installation of the application.
From here, we will create both Remediation Actions. Go to Policy > Policy Elements > Results > File Remediations and upload the file to be downloaded to your client. This file will reside on ISE.
Next, go to Policy > Policy Elements > Results > Launch Program Remediations and reference the local installer for your application.
Create your Requirements at Policy > Policy Elements > Results > Requirements.
Add to your Posture Policy. Remember, the rules are run from the top down, so you want to check if the downloaded file exists prior to checking if the application is installed.
Now, having said all that, I did not go into detail as to the permissions/ACLs/access you will need to accomplish these tasks. One of the biggest things to remember is that the client MUST have permissions to install applications or this will not work.
07-25-2017 06:34 AM
Hey Charles,
Thank you for the thorough reply. I suppose the bit I did miss out on here is that the clients, like many in an enterprise environment, do not have much if any access to run installers that are downloaded.
Cheers,
Russ