000029182 - Deploying DLP Endpoint Enforce Agent using SCCM Fails.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000029182
Applies To: RSA Product Set: DLP
RSA Product/Service Type: Endpoint Enforce Agent
Platform: SCCM
Issue: Deploying DLP Endpoint Enforce Agent using SCCM fails.

How to deploy DLP Endpoint Enforce Agent using SCCM.
The problem occurs because the translation that SCCM automatically applies to the install string supplied for the EP install results in an install string that exceeds a character limit.
We have been seeing an increase in reports where deployment via SCCM installs the Agent, but the agent is unable to communicate with the intended resource (rEPC). Typically, errors in the EP messages log reference a failure to find joinkey.dat; however, the error observed can vary depending on where the string is cut off.

 
Resolution: The resolution for this issue is to deploy via SCCM using a batch script that calls the MSI install directly, which eliminates the translation of the install string.
(Please note: for this to work, you must first make sure the EP is no longer installed on the target.)
The following is an example batch script with preliminary checking.
@ECHO OFF
REM --- Check for an existing installation (the 'Endpoint Enforce Service' process)
IF EXIST "%ProgramFiles%\RSA\Enforce\bin\EPEnforceSrv.exe" goto _End
REM --- Check for an existing installation on 64-bit
IF EXIST "%ProgramFiles(x86)%\RSA\Enforce\bin\EPEnforceSrv.exe" goto _End
REM --- Check for an existing installation of DLP EC, rEPC, GW, or SC
IF EXIST "%ProgramFiles(x86)%\RSA\Discovery\" goto _End
IF EXIST "%ProgramFiles%\RSA\Discovery\" goto _End
REM --- Deploy to Windows XP/2003/Vista/Windows7-8/2008/2008-R2
Agent.msi /qn SERVER=rEPC.ribeye.com JOIN_PARAMS=Default;786b6057-209c-4535-ab79-e737d691d58b;8d59e1ad84daa7d48401d17c2ee6852e4500e2fb;k5PqP52jysuuxm+boVpzcP2QFia5AG/yqG2YF8K2jko=
REM --- End of the script
:_End
The following is a trimmed version of the script without preliminary checking. Only the install string of the agent is called.
@ECHO OFF
REM --- Deploy to Windows XP/2003/Vista/Windows7-8/2008/2008-R2
Agent.msi /qn SERVER=rEPC.ribeye.com JOIN_PARAMS=Default;786b6057-209c-4535-ab79-e737d691d58b;8d59e1ad84daa7d48401d17c2ee6852e4500e2fb;k5PqP52jysuuxm+boVpzcP2QFia5AG/yqG2YF8K2jko=
REM --- End of the script
:_End
Insert the relevant values as follows:
· Agent.msi | replace with the name of the Agent installer.
· SERVER=rEPC.ribeye.com | replace rEPC.ribeye.com with the name of the intended 'Root Endpoint Coordinator' server for your deployment environment (FQDN format is recommended).
(Tip: obtain the Agent.msi string from the EM UI on the "Generate Agent Installer" page, then simply replace the /i switch with /qn for a quiet, non-interactive install.)
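
Because the failure described above depends on where the install string is cut off, the string can be checked for completeness before it goes into the batch script. The PowerShell below is an added example, not part of the RSA article or product; the function name Test-AgentInstallString, the host repc.example.test, and the four-field JOIN_PARAMS layout (name; GUID; 40 hex characters; Base64 decoding to 32 bytes, inferred from the sample string above) are assumptions.

```powershell
# Added example. The four-field JOIN_PARAMS layout is inferred from the
# article's sample string and is an assumption, not an RSA specification.
function Test-AgentInstallString {
    param([Parameter(Mandatory)] [string] $InstallString)
    $problems = New-Object System.Collections.Generic.List[string]
    # SERVER=<host> must be present and non-empty.
    if ($InstallString -notmatch '\bSERVER=\S+') {
        $problems.Add('SERVER= property missing or empty')
    }

    # JOIN_PARAMS runs up to the next whitespace or the end of the string.
    if ($InstallString -match '\bJOIN_PARAMS=(\S*)') {
        $fields = $Matches[1].Split(';')
        if ($fields.Count -ne 4) {
            $problems.Add("JOIN_PARAMS has $($fields.Count) field(s), expected 4")
        } else {
            if ($fields[0] -eq '') { $problems.Add('field 1 (name) is empty') }
            if ($fields[1] -notmatch '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$') {
                $problems.Add('field 2 is not a complete GUID')
            }
            if ($fields[2] -notmatch '^[0-9a-f]{40}$') {
                $problems.Add('field 3 is not 40 hex characters')
            }
            # Field 4 is Base64 in the sample and decodes to 32 bytes (assumed fixed).
            try {
                $bytes = [Convert]::FromBase64String($fields[3])
                if ($bytes.Length -ne 32) { $problems.Add('field 4 decodes to the wrong length') }
            } catch {
                $problems.Add('field 4 is not valid Base64 (possibly cut off)')
            }
        }
    } else {
        $problems.Add('JOIN_PARAMS= property missing')
    }

    [pscustomobject]@{
        Length   = $InstallString.Length
        Complete = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Constructed sample values (not real join parameters).
$good = 'Agent.msi /qn SERVER=repc.example.test JOIN_PARAMS=Default;' +
        '00000000-0000-0000-0000-000000000000;' + ('0' * 40) + ';' +
        [Convert]::ToBase64String((New-Object byte[] 32))
$cut = $good.Substring(0, $good.Length - 10)   # simulate a cut-off string
Test-AgentInstallString $good
Test-AgentInstallString $cut
```

The Length property in the result gives the character count of the string, which is the figure to compare against whatever limit the deployment tool enforces.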


 
