
Client Deployment via MDM

For company-wide rollout of the Lacework Edge Clients, we recommend using a Mobile Device Management (MDM) tool, such as Intune, Jamf or Kandji.

Common Features

Always-On Functionality

When deploying via MDM, you can enable an "Always-On" mode for the Client. When enabled, the following measures are taken:

  • The UI options for Quit, Logout, and Disconnect are hidden.
  • Users will still be able to terminate the application; however, it will be automatically restarted by a macOS Launch Agent.
  • On Windows, users will not be permitted to terminate EdgeGuardian.exe from Task Manager.

See your MDM-specific instructions to enable Always-On.
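The restart-on-close behaviour above is what a launchd KeepAlive agent provides. The script below is an added illustration of that alwaysOn toggle, not Lacework's pre-install script: the agent label and plist path are placeholder assumptions, and only the application path (from the uninstall section) comes from this page.

```shell
#!/bin/bash
# Added example, not the vendor's pre-install script. Renders a LaunchAgent that
# relaunches the Lacework Edge client whenever a user quits it, and loads or
# unloads it according to an alwaysOn flag. Must run as root.
set -eu

EG_APP='/Applications/Lacework Edge.app/Contents/MacOS/Lacework Edge'
EG_LABEL='com.example.edgeguardian.alwayson'        # placeholder label (assumption)
EG_PLIST="/Library/LaunchAgents/$EG_LABEL.plist"    # path is an assumption

# KeepAlive makes launchd restart the process every time it exits, which is
# the "restarted by a Launch Agent" behaviour described for Always-On mode.
eg_launchagent_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>$EG_LABEL</string>
  <key>ProgramArguments</key>
  <array><string>$EG_APP</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
EOF
}

# alwaysOn=true installs and loads the agent in the console user's GUI session;
# alwaysOn=false unloads it if present (the page's described false behaviour)
# and removes the plist so it does not reload at next login.
eg_set_always_on() {
  always_on="$1"
  uid=$(stat -f %u /dev/console)    # macOS: owner of /dev/console is the logged-in user
  if [ "$always_on" = "true" ]; then
    eg_launchagent_plist > "$EG_PLIST"
    chown root:wheel "$EG_PLIST"
    chmod 644 "$EG_PLIST"
    launchctl bootstrap "gui/$uid" "$EG_PLIST" 2>/dev/null \
      || launchctl kickstart "gui/$uid/$EG_LABEL"   # already loaded: just (re)start it
  else
    launchctl bootout "gui/$uid/$EG_LABEL" 2>/dev/null || true   # nothing loaded is fine
    rm -f "$EG_PLIST"
  fi
}
```

Call `eg_set_always_on true` (or `false`) from the pre-install step; the agent only takes effect for the user session that is logged in when the script runs.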

Default Lacework Edge tenant for Client logins

Both the MacOS and Windows clients use a file called environments.json to determine which environment the client should log into. In this file, you can specify the account to which the client should connect by default.

For both clients, the file can be found in the following location:

  • MacOS: /private/var/root/Library/Group Containers/647VU45UJX.edgeguard/environments.json
  • Windows: C:\ProgramData\EdgeGuardian\EdgeGuardian\environments.json

If this file does not exist, you can create it. The format is as follows:

[
  {
    "name": "001 - _account_name_ (edge-guardian.io)",
    "domain_suffix": "edge-guardian.io",
    "login_params": "/api/v1/login?account=_account_name_",
    "echo_ips": ["13.248.203.97", "76.223.84.31"]
  }
]

Replace _account_name_ in both the name and login_params line with the name of your Lacework Edge tenant.

If you are editing this file on a host running the client currently, you will need to restart the client after saving. Once restarted, to switch to the environment you defined, click the gear icon → Advanced → Environments and choose the environment you defined.

Guest User Mode

A "guest user" is a user whose device has Lacework Edge installed via MDM, but has not authenticated via single-sign on. You can learn more about guest users here.

To enable guest user support on the client, download the CLI, and run the following command:

egcli nervecenter create-user-pii --user.role ROLE_GUEST --user.display_name "Guest User"

In response to that command, the CLI will return the UUID of the guest user you generated, like so:

{
  "uuid": "$user_uuid",
  ...
}

Next, run the following command with the CLI, using the UUID you collected from the last step:

egcli nervecenter create-token --user_uuid "insert_user_uuid_here"

In response to that command, the CLI will return the token secret for the guest user you generated, like so:

{
  "account_name": "your-account-name",
  "uuid": "$uuid",
  "secret": "$secret",
  ...
  "creator_role": "ROLE_GUEST",
  "status": "ACTIVE",
}

From this response, copy the token $uuid and the $secret, join them with a comma (,), and put the resulting value into environments.json as the api_token field, like so:

[
  {
    "name": "001 - _account_name_ (edge-guardian.io)",
    "domain_suffix": "edge-guardian.io",
    "login_params": "/api/v1/login?account=_account_name_",
    "echo_ips": ["13.248.203.97", "76.223.84.31"],
    "api_token": "$uuid,$secret"
  }
]

Note: The API token has limited permissions within Lacework Edge. You may safely delete the token at any time, but you will need to redeploy existing clients if you delete the api_token that is in use.

MacOS Configuration Profiles

We currently have 2 versions of the Configuration Profile available, to be used for Client deployment as part of an MDM:

Profile - Standard

  • Allows Lacework Edge System Extension
  • Allows Lacework Edge Transparent Proxy
  • Enables Notifications
  • Enables Lacework Edge to start at login
  • Disables automatic client updates
  • Disables onboarding screen

Profile - Always On

  • Allows Lacework Edge System Extension
  • Allows Lacework Edge Transparent Proxy
  • Enables Notifications
  • Enables Lacework Edge to start at login
  • Disables automatic client updates
  • Disables onboarding screen
  • Hides UI options to Quit, Logout, or Disconnect the Lacework Edge Client.
  • Use with Pre-install script to create a LaunchAgent that will restart the Lacework Edge Client if closed.

Profile - Root CA Install

  • Installs the trusted Lacework Edge root CA to the OS trust store
  • Used for Content Inspection; follow these directions to populate this file and deploy the Root CA.

Transparent SSO for AzureAD

If you enabled Transparent SSO for your Windows clients, please ensure you configure the environments.json fields as well:

[
  {
    "name": "001 - _account_name_ (edge-guardian.io)",
    "domain_suffix": "edge-guardian.io",
    "login_params": "/api/v1/login?account=_account_name_",
    "echo_ips": ["13.248.203.97", "76.223.84.31"],
    "azure_app_id": "uuid-created-during-integration",
    "account_name": "_account_name_"
  }
]

If you are editing this file on a host running the client currently, you will need to restart the client after saving. Once restarted, to switch to the environment you defined, click the gear icon → Advanced → Environments and choose the environment you defined.
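The three environments.json variants above (default tenant, guest api_token, Transparent SSO) differ only in optional fields, so a pre-install script can render them from a few inputs instead of hand-editing JSON per host. The script below is an added example, not Lacework tooling; it assumes the guest token is the uuid,secret pair from create-token, and the 0600 file mode is the example's own choice because the file holds a credential when a token is set.

```shell
#!/bin/bash
# Added example (not Lacework's own script): render and install an
# environments.json of the documented shape for the macOS or Windows client.
set -eu

# Default macOS location from this page; pass another path for Windows/testing.
EG_MAC_ENV='/private/var/root/Library/Group Containers/647VU45UJX.edgeguard/environments.json'

# Print one environment entry for ACCOUNT. Optional API_TOKEN must be the
# "<uuid>,<secret>" pair returned by `egcli nervecenter create-token`;
# optional AZURE_APP_ID adds the Transparent SSO fields.
eg_environment_json() {
  account="$1"; api_token="${2:-}"; azure_app_id="${3:-}"
  case "$account" in
    ''|*[!A-Za-z0-9._-]*)
      echo "invalid account name: '$account'" >&2; return 1 ;;
  esac
  # Reject anything that is not uuid,secret: a pasted uuid alone or a secret
  # alone would silently leave the client unable to log in as the guest user.
  if [ -n "$api_token" ] && ! printf '%s' "$api_token" | grep -Eq '^[0-9a-fA-F-]{36},[^[:space:],]+$'; then
    echo "api_token must be '<uuid>,<secret>' as returned by create-token" >&2; return 1
  fi
  extra=""
  [ -n "$api_token" ] && extra="$extra,
    \"api_token\": \"$api_token\""
  [ -n "$azure_app_id" ] && extra="$extra,
    \"azure_app_id\": \"$azure_app_id\",
    \"account_name\": \"$account\""
  cat <<EOF
[
  {
    "name": "001 - $account (edge-guardian.io)",
    "domain_suffix": "edge-guardian.io",
    "login_params": "/api/v1/login?account=$account",
    "echo_ips": ["13.248.203.97", "76.223.84.31"]$extra
  }
]
EOF
}

# Write the rendered entry to PATH; remaining arguments go to eg_environment_json.
# Rendering to a temp file first means a rejected input never clobbers a
# working file on a host that already has the client running.
eg_write_environments() {
  path="$1"; shift
  mkdir -p "$(dirname "$path")"
  eg_environment_json "$@" > "$path.tmp" || { rm -f "$path.tmp"; return 1; }
  chmod 600 "$path.tmp"     # example's own choice: the file may hold the guest token
  mv -f "$path.tmp" "$path"
}
```

On a managed Mac, `eg_write_environments "$EG_MAC_ENV" edgycorp` (with the token as a third argument for guest mode) produces the file the client reads after its next restart.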

Uninstall macOS Client

Commands to uninstall Lacework Edge. To be run as an admin/root user. This will:

  • Gracefully quit the Lacework Edge application.
  • Close the SystemExtension process.
  • Delete the application.

#!/bin/bash
# Ask the app to quit cleanly if it is running.
if pgrep EdgeGuardian; then
    osascript -e 'quit app "Lacework Edge"'
fi
# Signal the system extension's tunnel process to shut down.
killall -1 com.edgeguard.tunnel
# Let the app deactivate its own system extension, then remove the bundle.
/Applications/Lacework\ Edge.app/Contents/MacOS/Lacework\ Edge --uninstall
rm -rf /Applications/Lacework\ Edge.app/

jamf

FireFox Add-On

  • Create a new Configuration Profile.
  • Application & Custom Settings > Upload.
  • Preference Domain: org.mozilla.firefox
  • Configuration profile contents:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>EnterprisePoliciesEnabled</key>
  <true/>
  <key>ExtensionSettings</key>
  <dict>
    <key>edgeguard@edgeguard.io</key>
    <dict>
      <key>installation_mode</key>
      <string>force_installed</string>
      <key>install_url</key>
      <string>https://edgeguard-app.s3.us-west-1.amazonaws.com/firefox-extension/default/edgeguardian_extension.xpi</string>
    </dict>
  </dict>
</dict>
</plist>
  • Scope the configuration profile for your target devices.

MacOS Client

Info: The following jamf documentation describes how to create and install custom apps such as Lacework Edge:

Package Installer

Download EdgeGuardian-Installer.pkg here

  • Navigate to Settings → Computer Management → Packages and click New
  • Give the package an easy to remember name such as EdgeGuardian
  • Click Upload Package and choose EdgeGuardian-Installer.pkg
  • Click Save

Configuration Profile

Download the Configuration Profile here

  • Navigate to Computers → Configuration Profiles and choose Upload
  • Give your configuration profile an easy to remember name, i.e., Lacework Edge Profile
  • Upload the Configuration Profile you downloaded
  • Set Level to Computer Level
  • Scope the configuration profile for your target devices
  • Click Save

Pre Install Script

Download the Pre Install Script here

  • To upload the script navigate to Settings → Computer Management → Scripts and click New
  • Name the script Lacework Edge Pre Install
  • Add the contents of the downloaded Pre Install Script, making the changes required:
    • Install an environments file that sets the login account
      • Replace <account_name> with your account name, e.g. edgycorp
    • Optionally creates a LaunchAgent that will restart the Lacework Edge app if closed
      • Set alwaysOn to true to create the LaunchAgent that reopens Lacework Edge
      • Setting alwaysOn to false will unload the LaunchAgent if it was previously loaded.
  • Click Save

Policy

  • Navigate to Computers → Policies and choose New
  • Give your policy an easy to remember name such as Lacework Edge Policy
  • Set the desired trigger and execution frequency
  • Click on Package → Configure and Add the previously uploaded Lacework Edge package
  • Click on Scripts → Configure and Add the previously uploaded Lacework Edge pre-install script
    • Ensure the script will run in a step before the package is installed
  • Scope the policy for your target devices
  • Click Save

iOS Client

Install App

  • Navigate to Mobile Devices Apps and click + New
  • Select App Store app or apps purchased in volume and click Next
  • Select Enter Manually
  • Enter the following information:
  • Under Scope select the devices you wish to deploy the app to.
  • Click Save

Enable Always-On VPN Guest Mode

Download VPN Configuration Profile here

This is only supported on Lacework Edge iOS Client version 1.06 and above

Create a guest token first if you have not already done so (see Guest User Mode above).

  • Navigate to Configuration Profiles and click Upload
  • Navigate to VPN in the new mobile device configuration profile
  • Replace the Password and Verify Password fields with your guest token.
  • Under Custom Data replace the following values:
    • Config.iOS.ApiToken - your guest token.
    • Config.iOS.AccountName - your account name.
    • Config.iOS.LoginParams - your account name, replacing the __account_name__ in /api/v1/login?account=__account_name__.
      • For example if your account name is lwedge, the value should be /api/v1/login?account=lwedge
  • Under Scope select the devices you wish to deploy Always-On VPN Guest Mode to.
  • Click Save

KACE Cloud

FireFox Add-On

Creating a Custom Profile for deploying the Firefox Add-on.

  • Select the Libraries tab in top navigation.
  • Click the Custom Profiles icon.
  • Click Add New > Configuration Profile.
  • In the Add New Custom Profile view:
    • Provide a Name and Description.
    • Click Add New Configuration.
    • Name: Install Lacework Edge Add-on
    • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Extensions/ExtensionSettings
    • Data Type: String
    • Value:
      <enabled/>
      <data id="ExtensionSettings" value='
      {
        "edgeguard@edgeguard.io": {
          "installation_mode": "force_installed",
          "install_url": "https://edgeguard-app.s3.us-west-1.amazonaws.com/firefox-extension/default/edgeguardian_extension.xpi"
        }
      }'/>
  • Click Save

Kandji

FireFox Add-On

MacOS Client

Info: The following Kandji documentation describes how to create and install apps such as Lacework Edge:

Custom App

Download EdgeGuardian-Installer.pkg here

  • Create a new Custom App Blueprint Item
  • In “Install Details” choose Installer Package (install .pkg or .mpkg)
  • Upload the EdgeGuardian-Installer.pkg you downloaded
  • (Optional) If you wish to audit the installation to prevent users from uninstalling the application:
    • Under Settings → Installation, choose Audit and Enforce
    • Add the Audit Script
  • Click Add Pre-install Script and enter the contents of the Pre Install Script

Custom Profile

Download the Configuration Profile here

  • Create a new Custom Profile Library Item
  • Upload the Configuration Profile you downloaded
  • Save and add the item to your blueprint

Audit Script

Download the Audit Script here

This audit script will do the following:

  • Keeps app installed, will reinstall if it is uninstalled
  • If desired, keeps the client pinned to the version set in the version variable
    • Un-comment version to pin the client to a specific version. Commented-out by default.
  • Ensures environments file is installed
    • This is needed if environments.json is being set in the pre install script and needs to be enforced.
    • Comment-out the environments variable if you do not need to enforce the setting of environments.json
  • (optional) Ensures the Always On LaunchAgent is loaded
    • Set the alwaysOn variable to true to re-run the blueprint if the LaunchAgent is not loaded
    • Setting the alwaysOn variable to false will unload the LaunchAgent if it was previously loaded

Pre Install Script

Download the Pre Install Script here

This pre-install script will do the following:

  • Install an environments file that sets the login account
    • Replace <account_name> with your account name, e.g. edgycorp
  • Optionally creates a LaunchAgent that will restart Lacework Edge app if closed
    • Set alwaysOn to true to create the LaunchAgent that reopens Lacework Edge
    • Setting alwaysOn to false will unload the LaunchAgent if it was previously loaded.

Microsoft Intune

FireFox Add-On

  • Select Devices > Configuration profiles > Create profile
  • Choose Platform: Windows 10 and later
  • Select Create
  • In Basics enter a name and description and select Next
  • In Configuration settings enter:
    • Name: Install Lacework Edge Add-on
    • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Extensions/ExtensionSettings
    • Data Type: String
    • Value:
      <enabled/>
      <data id="ExtensionSettings" value='
      {
        "edgeguard@edgeguard.io": {
          "installation_mode": "force_installed",
          "install_url": "https://edgeguard-app.s3.us-west-1.amazonaws.com/firefox-extension/default/edgeguardian_extension.xpi"
        }
      }'/>
  • Select Next
  • (Optional) Add scope tags
  • Select Next
  • In Assignments choose the users to assign the configuration profile to.
  • Select Next
  • In Review + Create Select Create

MacOS Client

Configuration Profile

Download the Configuration Profile here

  • From the Microsoft Intune admin center portal, navigate to Devices → Configuration profiles
  • Click Create profile
  • Set Platform to macOS
  • Set Profile type to Templates and choose Custom then click Create
  • Give your profile a name, description and click Next
  • Set the Custom configuration profile name to something like Lacework Edge Settings. This will be the name shown to users.
  • Set the Deployment channel to User
  • Upload the .mobileconfig file downloaded from the above link, and click Next
  • Assign the profile to your desired groups, users, or devices.
  • Click Create

Add Installation Script

Download edgeguardian-intune-installer.zsh here

This installer script will download and install the latest version of the Lacework Edge application. Setting the script frequency to every 1 day will ensure that the latest version of the application is installed on devices. Before uploading the script to Intune, you will need to edit the script to set the account_name variable to the name of your account.

  • In the edgeguardian-intune-installer.zsh set the account_name variable
    • Replace <account_name> with your account name, e.g. edgycorp
  • (optional) Ensures the Always On LaunchAgent is loaded
    • Set the alwaysOn variable to true to create an alwaysOn LaunchAgent
    • Setting the alwaysOn variable to false will unload the LaunchAgent if it was previously loaded
  • From the Microsoft Intune admin center portal, navigate to Devices → macOS → Shell Scripts
  • Click Add.
  • Give the script a name and description, and click Next.
  • Upload the edgeguardian-intune-installer.zsh file downloaded from the above link.
    • Run script as signed-in user: No
    • Hide script notifications on devices: Yes
    • Script frequency: Every 1 day
    • Max number of times to retry if script fails: 3
    • Click Next.
  • Assign the script to your desired groups, users, or devices, and click Next.
  • Click Add to complete creating the script.

Create custom attributes for macOS devices

Download edgeguardian-version-attribute.sh

This script reports the installed Lacework Edge version as a custom attribute, so you can monitor which version is installed across devices.

  • From the Microsoft Intune admin center portal, navigate to Devices → macOS → Custom attributes → Add.
  • Enter a name and description and click Next.
  • Set the data type of attribute to String.
  • Upload the edgeguardian-version-attribute.sh file downloaded from the above link.
  • Click Next.
  • Assign the custom attribute to your desired groups, users, or devices, and click Next.
  • Click Add to complete creating the custom attribute.

Windows Client

Intune offers 2 routes by which you can roll out the Windows Client to your company workstations, depending on your company's preferences:

  • Win32 app
    • Uses the Lacework Edge EXE installer
    • Has all dependencies included in installer
    • Requires use of the Microsoft Win32 Content Prep Tool to convert to an IntuneWin package
  • Windows Line-of-business app
    • Uses the Lacework Edge MSI installer, no conversion required
    • Requires you to ensure that all of the Client dependencies are met before installation

Win32 App

Prepare App

Note: These steps use EdgeGuardian.x64.exe as the example. Change to EdgeGuardian.arm64.exe if deploying the arm64 version.

  • Create a folder called EdgeGuardian-Install in the folder containing IntuneWinAppUtil.exe.
  • Download the EXE installer for your target platform and add it to EdgeGuardian-Install.
  • Download edgeguardian-intune-installer.ps1 and place it in EdgeGuardian-Install.
    • Edit this file to update the variables at the top to match your environment. The only setting that is required is $egAccount = "[account_name]".
  • Create the IntuneWin package using the Microsoft Win32 Content Prep Tool.
    • Run it in a command prompt such as follows:
      IntuneWinAppUtil.exe -c .\EdgeGuardian-Install -s .\EdgeGuardian-Install\edgeguardian-intune-installer.ps1 -o .
    • This will generate a package called edgeguardian-installer.intunewin, which you will use in the next step.

Add New App

  • Browse to the Intune admin center
  • Browse to Apps → All apps and click + Add
  • App Type: Under the Other heading, select Windows app (Win32) and click Select
  • App package file: choose the edgeguardian-installer.intunewin file you generated and click OK
  • App information:
    • Name and description: leave or modify the defaults as you see fit
    • Publisher: EdgeGuardian
    • Logo: Download the lacework-edge logo here
    • All other settings can be left blank or set as you see fit
  • Program:
    • Install command:
      powershell.exe -ExecutionPolicy Bypass -File .\edgeguardian-intune-installer.ps1
    • Uninstall command:
      EdgeGuardian.x64.exe /quiet /uninstall
    • All other settings should be left as default.
  • Requirements:
    • Operating system architecture: 64-bit
    • Minimum operating system: Windows 10 2004
    • All other settings should be left as default
  • Detection rules (optional):
    • Rules format: Manually configure detection rules
    • Click + Add to create a new detection rule
      • Rule Type: File
      • Path: C:\Program Files\EdgeGuardian
      • File or folder: EdgeGuardian.exe
      • Detection method: File or folder exists
  • Dependencies and Supersedence: these can be left blank
  • Assignments: Assign this app to the users/groups of your choosing
  • Review + create: Click Create

Windows Line-of-Business app

Prepare App

Download the MSI installer for the platform to which you are deploying:

In order for the MSI-installed Lacework Edge Client to function, you must have the following packages deployed prior to installation:

You can build Intune Apps for these packages to deploy them prior to the Lacework Edge Client installer. Please consult the Intune Documentation for assistance with those tasks.

Add New App

  • Browse to the Intune admin center
  • Browse to Apps → All apps and click + Add
  • App Type: Under the Other heading, select Line-of-business app and click Select
  • App package file: choose the .msi file you downloaded and click OK
  • App information:
    • Name and description: leave or modify the defaults as you see fit
    • Publisher: EdgeGuardian
    • Logo: Download the lacework-edge logo here
    • All other settings can be left blank or set as you see fit
  • Assignments: Assign this app to the users/groups of your choosing
  • Review + create: Click Create

Google Workspace Admin Console

Chrome Browser Extension

Google Workspace can be used to deploy the Lacework Edge Chrome extension to Chrome browsers that use a profile logged into a Workspace account.

  • Lacework Edge Chrome extension ID: imfinkcmabafkffjdgiojfecjlhppepn
  • Lacework Edge Chrome extension + update URL: imfinkcmabafkffjdgiojfecjlhppepn;https://clients2.google.com/service/update2/crx

Google Guide to Installing extensions

  • In the Admin Console, Navigate to Devices > Apps & extensions > Users & browsers
  • Select the Users, Groups, or Organizational Unit to which you wish to apply the extension install policy.
  • Choose Add Chrome app or extension by ID from the + button at the bottom right.
  • Enter the ID and pick From the Chrome Web Store: imfinkcmabafkffjdgiojfecjlhppepn
  • Click Save
  • Change the Installation policy from Allow install to either Force install or Force install + pin to browser toolbar.
  • Click SAVE at the top of the page to save the policy and deploy the extension.

MacOS Variation

Deploy this Chrome Extension Profile to devices enrolled in Google Chrome Cloud Management.

  • Installs the Lacework Edge extension
  • Pins the extension icon to the toolbar