EgoSecure Agent I: Windows
Distribute EgoSecure Agent
With the power of Matrix42 Secure Unified Endpoint Management, you can benefit from combining the capabilities of a modern enterprise mobility management solution with all the capabilities that EgoSecure Data Protection provides on your Windows device fleet. Within this guide, we will configure and generate a *.msi package with the EgoSecure Management Console and import the generated package into Silverback for distributing the EgoSecure Agent to your managed Windows 10/11 devices. Please note that when the EgoSecure Server is installed, a MSI package is automatically generated with the default settings and stored in the EgoSecure Server installation directory. Once the Server is updated, the MSI package is regenerated automatically and placed in the selected location on the EgoSecure Server computer.
Requirements
- Before you start, please review the following Documents and manuals
- The distributed Ego Secure Agent platform (x64) must match the used Windows version (x64)
Create and Configure Package
- Open your EgoSecure Console
- Login with your administrative credentials
- Navigate to Installation
- Select Create MSI Package
- Configure now the available settings of the MSI package with the following options:
| Setting | Options | Description |
|---|---|---|
| EgoSecure Agent components installation | ||
| Install network driver for WLAN control |
|
Select if and when to install the kernel driver for WLAN control (esndislwf.sys). The following options are available: Do not install: The WLAN control on the client remains disabled. Immediately (not recommended): The driver is installed shortly after the MSI installation. Warning! The client network connection is temporary interrupted. After restart: The driver is installed the first time the Client is restarted after the MSI installation Possible data loss with immediate WLAN control installation If for the setting Install network driver for WLAN control you select Immediately, the client network connection is temporarily interrupted after the Agent installation. This can lead to data loss. To install the WLAN control after the restart of the EgoSecure Agent, select After restart. |
| Install kernel driver for CD/DVD control |
|
Install the kernel driver (escdflt.sys) to encrypt on CD/DVD disks and control disk writing performed by third-party applications. |
| EgoSecure Agent service | ||
| Protect EgoSecure Agent service and files |
|
Protects the EgoSecure Agent service from being stopped and the EgoSecure Agent system files from being removed and renamed. Once a user tries to stop the EgoSecure Agent service, all device types listed under Storage group are blocked. |
| EgoSecure Agent UI | ||
| Hide tray icon |
|
Enable the option to make the EgoSecure Agent interface invisible. Users do not see any notifications, assigned permissions, etc. They can only use options available in the Windows Explorer context menu for encryption, Secure Erase, and Antivirus. |
| Tray UI language |
|
Define the language of the EgoSecure Agent interface that is applied only during the first Agent installation. A user is permitted to change this language. The automatic language selection is performed in the following priority:
|
| EgoSecure overlay icons priority |
|
Define whether EgoSecure overlay icons have priority over other applications in Windows Explorer. Overlay icons identify an encryption type of files and folders. The following levels of adding EgoSecure Shell Icon Overlay Identifiers to the registry are available: Low - adding z at the beginning of EgoSecure identifiers, no changes to the identifiers of other applications. Normal - adding EgoSecure identifiers without spaces, no changes to the identifiers of other applications. High - adding EgoSecure identifiers with spaces, no changes to the identifiers of other applications. Highest - adding EgoSecure identifiers with spaces at the beginning, deleting spaces at the beginning of identifiers of other applications |
| Uninstall/Update password | ||
| Password |
|
Optionally set a password required from users if they want to perform Agent uninstallation or update locally. |
| Check the password on |
|
Select which operation with Agent is protected from unauthorized access: uninstallation or update |
| Rights for communication devices | ||
| Apply after restart only |
|
Define whether the rights for communication devices are applied shortly after the Agent installation or after a computer restart. |
| Write rights and settings into the MSI file (Offline Clients) | ||
| Export access control rights |
|
Export access rights defined in User management and Computer management under Control | Devices and ports tab |
| Export permitted devices |
|
Export a list of device permissions defined under Permitted devices | Permitted device models and under Permitted devices | Individual device permissions. |
| Export encryption settings |
|
Export encryption types and encryption keys (including their private part) permitted for users or computers |
| Export only public part of keys |
|
Only having a public part of keys, a user is not permitted to decrypt, and therefore, open files encrypted on other Agents. Note: Files encrypted internally on this Agent can be decrypted. |
| Export EgoSecure Antivirus settings |
|
Distribute AV signatures to selected computers via the MSI package not to overload the network; global antivirus exclusions are also applied. If proxy server settings are defined under Administration | Servers | Mail, proxy and others and the Use proxy server check box is set under Product settings | EgoSecure Antivirus | Update settings, proxy server settings are written. The proxy server settings will be used later for signature update on the Client side via the Internet (if update from the EgoSecure Server is not possible). For details, see Installing Antivirus via MSI |
| Selection of objects |
A double-click will open the selection pane |
Select the objects (user/computer) for which the rights and settings selected in this section are exported to the MSI file. |
| Write authentication certificate for SSL communication to MSI | ||
| Add authentication certificate |
|
Enable the option to add an Agent authentication certificate and its private key to the MSI package. The area with this option is greyed out if SSL is disabled. |
| Password |
|
Enter a password to protect an Agent authentication certificate and its private key. This password is required from users during a local Agent installation/update or a remote Agent installation/update via script/software enrollment tools. Use only printable characters of the ASCII table. |
- After configuration, press Generate
- Wait until the MSI package created successfully message and locate the output location
Review Output
- Open Windows Explorer and navigate to your output location
- e.g. C:\Program Files\EgoSecure\EgoSecure Server\MSI
- Review the listed files and acknowledge that the *.msi and batch files are available for different architecture versions
- Right-click depending on your target architecture version, either the install or install_x64 batch file
- Press Edit
- You should see now something similar to the following:
start /B msiexec /i ESAgentSetup_x64.msi /l* AgentInstall.log REINSTALL="ALL" REINSTALLMODE="vamus" ADMINPWD="" PKCS12_PASS=""
- Copy the following part into your clipboard
/l* AgentInstall.log REINSTALL="ALL" REINSTALLMODE="vamus" ADMINPWD="" PKCS12_PASS="
Intregrate Agent
Add to App Portal
- Open Silverback Management Console
- Login with Administrative credentials
- Navigate to App Portal
- Select Windows
- Press New Application
- Change Scope to Device
- Enter as Name e.g. EgoSecure Agent
- Enter a description
- Select Choose File
- Navigate to your output folder and select your architecture version, e.g. ESAgentSetup_x64.msi
- Double click the *.msi package
- Upload your icon (optional)
- Press the edit box for Installation Parameters
- Enter your adjusted installation parameters
- e.g. with the sample MSI installation parameters:
/quiet /l* AgentInstall.log REINSTALL="ALL" REINSTALLMODE="vamus" ADMINPWD="" PKCS12_PASS="Pa$$w0rd"
- Press OK
- Enable Automatically push to managed devices
- Press Save
- Wait until the uploading process is finished
Create a Tag
- Navigate to Tags
- Click New Tag
- Enter a name, e.g. EgoSecure Agent
- Under Enabled Features enable Apps
- Under Device Types enable Windows
- Enable Auto Population (optional)
- Press Save
With activation of the Auto Population checkbox, all Windows devices will receive this tag when they check-in. You can use also a more granular configuration for Auto Population for the tag assignment. Please note that it is recommend first to assign the Tag later manually to some test devices, before starting an automatic roll-out with this tag.
Add EgoSecure Agent
- Navigate to Apps
- Select Assign More Apps
- Select EgoSecure Agent Agent
- Click Add Select Apps
- Press Save & Close
Assign Tag (optional)
If you have not enabled the Auto Population for the Tag, navigate now to Definition, press Associated Devices and assign devices by selecting the Attach More device option. As an alternative navigate to the Devices Tab, locate your device and use the quick action to assign the Tag manually.
Initialize and Review
Perform a device sync
- On your Windows 10/11 device
- Press Start
- Open Settings
- Select Accounts
- Press Access work or school
- Open the Silverback Profile
- Press Info
- Scroll Down to Device sync status and perform a sync
Agent Installation
- After the Device sync the device should have the Tag assigned in Silverback Management Console
- Review the Tag Assignment in Silverback (optional)
- The agent will now be transferred to the device. It may take some time. Please be patient
- Reopen the Silverback Profile to see under Applications the status
- e.g. EnforcementCompleted
- e.g. DownloadInProgress
- Check hidden folder on device for C:\ProgramData\EgoSecure
- After a couple of time the EgoSecure Agent icon should appear on the bottom right