[KB3675] Deploy the ESET Remote Administrator Agent via SCCM or GPO (6.x)

Alert: ESET North America offices closed July 3, 2020

[KB3675] Deploy the ESET Remote Administrator Agent via SCCM or GPO (6.x)

Issue

Distribute the ESET Remote Administrator Agent (ERA Agent) installer file for distribution via Group Policy Object (GPO) or System Center Configuration Manager (SCCM)
An alternate method to distribute ERA Agent in enterprise environments or environments with a high number of client computers

End of support for version 6.4 and 6.5 of ESET Remote Administrator / MDM

ESET Remote Administrator version 6.5 is currently in Limited Support status and will soon be in Basic Support status. It is expected to reach End of Life status in December 2020.

ESET Remote Administrator version 6.4 is currently in End of Life status and no longer available for download.

The MDM functionality in ESET Remote Administrator version 6 is currently in End of Life status and no longer available for download

To see the list of products and dates for ESET end-of-life, visit the ESET End of Life policy (Business products)
See our instructions for migrating ESET Remote Administrator to version 7 (ESMC).

Details

This article explains how to create a modified version of the ERA Agent Installer file for distribution in large and enterprise-level environments. The .msi file for the ERA Agent is separated from the .bat file available from ESET Remote Administrator and then modified so that it will be able to recognize the proper certificate and port for communication with your ERA Server after distribution to client computers.

Solution

Getting Started with ERA: Step 4 of 6

← Add Client Computers | Deploy ESET endpoint solutions →

This article is for ESET Remote Administrator version 6.4 and later.

Version 6.3 and earlier 6.x users, go to the process below.

View permissions needed for least privilege user access

ERA 6.5 User Permissions

This article assumes that your ERA user has the correct access rights and permissions to perform the tasks below.

If you are still using the default Administrator user, or you are unable to perform the tasks below (the option is grayed out), see the following article to create a second administrator user with all access rights (you only need to do this once):

Create a second administrator user in ESET Remote Administrator 6.5

A user must have the following permissions for the group that contains the modified object:

*Functionality*	*Read*	*Use*	*Write*
Certificates	✓	✓

A user must have the following permissions for each affected object:

*Functionality*	*Read*	*Use*	*Write*
Groups & Computers	✓	✓	✓

A user must have the following permissions for their home group:

*Functionality*	*Read*	*Use*	*Write*
Stored Installers	✓	✓	✓
Agent Deployment	✓	✓

Once these permissions are in place, follow the steps below.

Default certificates

Peer certificates and Certification Authority created during the installation are by default contained in the static group All.

On your ERA Server, click the appropriate ERA 6.5 Agent installer file below and save the file to a shared folder your client computers can access. Visit our Knowledgebase article for a complete list of ERA 6.5 Component installers.

Agent	Windows	Linux	macOS
64-Bit	64-bit Download	64-bit Download
32-Bit	32-bit Download	32-bit Download	32-bit Download

Open ESET Remote Administrator Web Console (ERA Web Console) in your web browser and log in.
Click Deploy ERA Agent.

Figure 1-1
Click the image to view larger in new window

In the Use GPO or SCCM for deployment section, click Create Script.

Figure 1-2
Click the image to view larger in new window

Click Create Package. Save the install_config.ini file to the same shared folder from Step 2. For customers using custom certificates, refer to the Custom certificates with ERA Online Help topic for more details.

Figure 1-3
Click the image to view larger in new window

Client computers need read/execute access

Verify all appropriate client computers have read/execute access to the folder containing the .msi and .ini files. Right-click the folder from Step 2 and click Properties. Click the Security tab. Review each machine and confirm the check box next to Read & execute is selected under the Allow column. If not, click Edit, adjust the settings and click Apply.

Figure 1-4

Refer to one of the processes below to deploy the package:

Once you have completed the instructions from the appropriate article, proceed to Step 5, deploy ESET endpoint products to your client computers if you are performing a new installation of ERA.

Version ERA Server 6.3 and earlier 6.x versions

End of support for version 6.3, 6.2 and 6.1

These products no longer receive detection engine updates. No technical support or patches are available for this version. Basic support may continue, but is not guaranteed. Documentation is not created or updated.

To see the list of products and dates for ESET end-of-life, visit ESET End of Life policy (Business products)
See migration instructions for ESET Remote Administrator to version 7

Prerequisites

The Orca database editor tool must be installed on your computer. Orca is available as part of the Windows SDK. You can also use Orca's successor SuperOrca which is available for download separately from Windows SDK and has a manual.
The ERA Agent installer file must be present on your system. You can download the installer file from within ESET Remote Administrator. Click here for step-by-step instructions.

To access the .msi Agent installer file

When you export the Agent installer file from ERA, it will be a .bat file. Run the .bat file as though you were installing Agent, but do not complete the installation. Doing this will download the .msi, which you can then edit to create your MST file. See below for step-by-step instructions:

Double click the .bat file to run it and click Cancel when the ESET Setup Wizard is displayed. This will download the .msi installer file without overwriting your existing ERA Agent.
The .msi file will automatically be downloaded to the following directory:

C:\ProgramData\ESET\RemoteAdministrator\Agent\SetupDate\Installer

Edit the ESET Remote Administrator installer file

Click Start → All Programs → Orca to launch Orca database editor.
Click File → Open, navigate to the ERA Agent installer file that you want to apply the transformation file to, select it and then click Open.
Click Transform → New Transform.

Figure 2-1
Click the image to view larger in new window

Select Property from the Tables section, right-click anywhere in the list of property values and select Add Row from the context menu.

Figure 2-2
Click the image to view larger in new window

Add the property P_HOSTNAME and type the hostname or IP address of your ESET Remote Administrator Server (ERA Server) into the Value field.

Repeat steps 4 and 5 to add the property P_PORT, where the value is the port used to connect to your ERA Server (2222 by default).

Figure 2-3
Click the image to view larger in new window

Open ESET Remote Administrator Web Console (ERA Web Console) in your web browser and log in. How do I open ERA Web Console?

Click Admin → Certificates → Peer Certificates, locate the Agent certificate for the ERA Agents you will be distributing, click it and select Export as Base64. Save the exported file to your Desktop.

Figure 2-4
Click the image to view larger in new window

Click Certificate Authorities, click your ERA Certificate Authority and select Export public key as Base64. Save the exported file to your Desktop.

Figure 2-5
Click the image to view larger in new window

In Orca, add the following three rows to the file (see steps 4 and 5 above for instructions). See below for property value details:

P_CERT_CONTENT: Copy the contents of the peer certificate file into the value field (open it in a text editor such as notepad).

P_CERT_PASSWORD: Only create this if your peer certificate requires a password. Enter the password to use the peer certificate.

P_CERT_AUTH_CONTENT: Copy the contents of the Certificate Authority public key file into the value field (open it in a text editor such as notepad).

Important!

Both P_CERT_CONTENT and P_CERT_AUTH_CONTENT must be of Base64 encoding.

Alternative method: make the certificate available locally

For special cases, you can substitute this method for step 10.

Export the peer certificate for the Agent, and the public key of the certificate authority used to sign the Server's peer certificate from the ERA Server. Make these files available to client computers using a shared folder or another resource that all clients can access.

In Orca, add the following three rows to the file (see steps 4 and 5 above for instructions). See below for property value details:

P_CERT_PATH: The path to the exported .pfx certificate.

P_CERT_PASSWORD: Only create this if your peer certificate requires a password. Enter the password to use the peer certificate.

P_CERT_AUTH_PATH: The path to the public key of the Certificate Authority that will be used to install ERA Agent.

Click Transform → Generate Transform and save the transform file to your Desktop. Refer to one of the processes below to deploy the file:
- How do I deploy the ESET Remote Administrator Agent using GPO?
- How do I deploy the ESET Remote Administrator Agent using SCCM?

Figure 2-6
Click the image to view larger in new window

Once you have completed the instructions from the appropriate article, proceed to Step 5, deploy ESET endpoint products to your client computers if you are performing a new installation of ERA.

Last Updated: Mar 23, 2020