Check for signing
The UEM Agent can check the swdepot.dds for a valid signature before downloading and installing packages.
The program CreateHash signs the file PackageHashes.json and the swdepot.dds in the user directory on the Empirum Master Server. The files are checked for their digital signature on a client after the download.
Starting with Empirum version 19.0.2, the creation and signing of the PackageHashes.json and the signing of the swdepot.dds on the Empirum server are performed automatically by a service.
Using CreateHash for the first time:
- Copy the unpacked directory CreateHash to \Empirum\AddOns\.
- Open the "Create Hashes and Sign Files.bat".
- Add your certificate thumbprint to the -th parameter. Add the paths to your PackageHashes.json and swdepot.dds.
- Run the batch file.
- A digital signature is appended to the end of the files PackageHashes.json and swdepot.dds. The files remain readable.
The batch file must be executed every time changes are made in the depot.
Activate signing for UEM Agent
To activate signing on the client side, enter the thumbprint (without spaces and special characters) in the AgentTemplate under:
/AgentTemplate/SoftwareDepot/SignatureThumbprint
Example:
<SignatureThumbprint>2774e273994767b7505123b9f363ec072bbbfec8</SignatureThumbprint>
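The thumbprint requirement above (no spaces or special characters), as an added PowerShell example that is not part of the Empirum documentation or tooling: it cleans a thumbprint pasted from the certificate dialog, checks that it is a 40-character SHA-1 value, and prints the element for the AgentTemplate. The function name ConvertTo-AgentThumbprint, the spaced-out sample input and the certificate stores searched at the end are assumptions made for illustration.

```powershell
# Added example. ConvertTo-AgentThumbprint is a hypothetical helper name,
# not an Empirum or UEM Agent command.
function ConvertTo-AgentThumbprint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Thumbprint
    )

    # Drop everything that is not a hex digit: spaces, colons, and the
    # invisible U+200E mark that can come along when the value is copied
    # from the certificate dialog. Lower case matches the page's example.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()

    # A certificate thumbprint is a SHA-1 digest: exactly 40 hex characters.
    # A wrong length means the paste was truncated or contained extra text.
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters, got $($clean.Length): '$clean'"
    }
    return $clean
}

# Constructed input: the thumbprint from the example above, formatted the way
# it looks when pasted with spaces and a leading invisible character.
$pasted = "$([char]0x200E)27 74 e2 73 99 47 67 b7 50 51 23 b9 f3 63 ec 07 2b bb fe c8"
$thumb  = ConvertTo-AgentThumbprint -Thumbprint $pasted

# Element to place under /AgentTemplate/SoftwareDepot/SignatureThumbprint.
"<SignatureThumbprint>$thumb</SignatureThumbprint>"

# Optional cross-check on the signing machine. Assumption: the signing
# certificate is installed in one of these two personal stores.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\CurrentUser\My -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $thumb } |
    Select-Object -First 1

if ($cert) {
    "Certificate found: $($cert.Subject), valid until $($cert.NotAfter)"
} else {
    Write-Warning "No certificate with thumbprint $thumb in the searched stores."
}
```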