ePolicy Orchestrator (ePO) supports a single-package installer to simplify the deployment of McAfee Agent (MA). This package is separate from the standard ePO deployment mechanisms and is intended for agent installation through logon scripts or other automated processes.
Because the MA installer requires a higher privilege level than most logged-on users have, the installer binary needs a way to elevate its privileges. To work around this limitation, you can embed credentials in the binary installer package; the embedded credentials allow the binary to install the software successfully.
IMPORTANT: Because an installer package created for this purpose has embedded credentials, access to it must be severely restricted. Use installer packages with embedded credentials only in specific situations where another deployment method isn't available.
If you must use an installer package with embedded credentials, implement the following security precautions:
- Use a non-administrator account
Create an account that has membership only in the local Administrators group on the intended clients. We recommend that you use an account that is different from the one you normally use for operations.
- Change your passwords often
Changing the password invalidates any lingering binaries that embed the old credentials.
We recommend that you change this password and create a new distribution binary at least weekly.
- Disable the account when not in use
If you deploy to multiple systems in batches, consider disabling the account when there are no deployments being performed. Disabling the account prevents the credentials from being used.
- Further limit the access of the account
The installer account requires only local administrator rights on the client systems. It must not have rights to access key servers such as:
  - Active Directory master
  - File servers
  - Print servers
- Consider not using this method on key assets
When possible, don't use a package with embedded credentials on key server assets. Instead, have an administrator install the package directly on the system.
- Enable security audit logs
Enable auditing for this account and monitor its use. If the account is used correctly, the audit log shows only a single logon to each intended client at the time of deployment. Immediately investigate any other access attempts by this account.
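As an added illustration of the last precaution (this is not code from the original article or from ePO), the following Python script applies the expected pattern to a constructed set of Windows Security-log logon records: exactly one successful logon (event 4624) per intended client inside the deployment window, with anything else flagged for investigation. The account name, host names and timestamps are made-up assumptions.

```python
from datetime import datetime

# Constructed sample records (not real log data) in the shape of Windows Security
# events 4624 (successful logon) and 4625 (failed logon): account, target host, time.
SAMPLE_EVENTS = [
    {"id": 4624, "user": "svc-ma-deploy", "host": "CLIENT01", "time": "2024-05-06T09:02:11"},
    {"id": 4624, "user": "svc-ma-deploy", "host": "CLIENT02", "time": "2024-05-06T09:03:40"},
    {"id": 4624, "user": "jdoe", "host": "CLIENT01", "time": "2024-05-06T09:04:00"},  # other account; ignored
    {"id": 4624, "user": "svc-ma-deploy", "host": "FILESRV01", "time": "2024-05-06T09:05:00"},  # key server, not a client
    {"id": 4624, "user": "svc-ma-deploy", "host": "CLIENT01", "time": "2024-05-06T09:10:05"},  # second logon to CLIENT01
    {"id": 4625, "user": "svc-ma-deploy", "host": "CLIENT02", "time": "2024-05-06T09:11:00"},  # failed logon attempt
    {"id": 4624, "user": "svc-ma-deploy", "host": "CLIENT03", "time": "2024-05-07T22:15:00"},  # after the window closed
]


def audit_installer_account(events, account, intended_clients, window_start, window_end):
    """Check that the installer account produced exactly one successful logon to each
    intended client inside the deployment window and nothing else.

    Returns (findings, missing): findings is a list of (reason, event) pairs that need
    investigation; missing lists intended clients with no logon (deployment incomplete).
    """
    intended = {h.upper() for h in intended_clients}
    seen = set()
    findings = []
    for ev in events:
        if ev["user"].lower() != account.lower():
            continue  # only the installer account is in scope
        host = ev["host"].upper()
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] != 4624:
            findings.append(("non-successful logon event for installer account", ev))
        elif not window_start <= when <= window_end:
            findings.append(("logon outside the deployment window", ev))
        elif host not in intended:
            findings.append(("logon to a host that is not an intended client", ev))
        elif host in seen:
            findings.append(("repeated logon to the same client", ev))
        else:
            seen.add(host)
    return findings, sorted(intended - seen)


def run_sample():
    """Audit the constructed events for a deployment window of 2024-05-06 09:00 to 10:00."""
    return audit_installer_account(
        SAMPLE_EVENTS, "svc-ma-deploy", ["CLIENT01", "CLIENT02", "CLIENT03"],
        datetime(2024, 5, 6, 9, 0), datetime(2024, 5, 6, 10, 0))


if __name__ == "__main__":
    findings, missing = run_sample()
    for reason, ev in findings:
        print(f"INVESTIGATE: {reason}: {ev['host']} at {ev['time']} (event {ev['id']})")
    print("clients without a deployment logon:", missing)
```

In practice the records would come from the collected Security logs (for example exported from a SIEM or via Get-WinEvent) rather than the constructed list above.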