Posted on 21st April 2016 by Darren Wallace

Deploying and Managing the NetSweeper Mac WAgent

Hi All. This blog combines two recent themes I’ve been using: Customer Requests and Proxies!

This time, I had a customer who wished to roll out a new NetSweeper proxy solution. In order to avoid the multiple proxy authentication popups, but still allow user level filtering and, more importantly, logging, a local Agent (called the “WAgent”) needed to be installed and configured. To help with this problem, I wrote this blog to give you a guide on deploying and managing the NetSweeper Mac WAgent.

The ingredient list

So, what do we need for this?

  1. The proxy server address configured on the client devices.
    • This is to force the clients to actually use the proxy, rather than bypass it.
  2. The proxy server’s certificate installed and trusted locally.
    • This is to allow the proxy server to inspect SSL traffic. Annoying but required in most / all UK education institutions.
  3. The WAgent installed locally.
    • To be used to identify the logged in user to the proxy solution, as detailed above.
  4. The WAgent configured correctly.
    • So it knows which server it should be passing the information the WAgent collects to.

Right, let’s start working the list!

Working the list: Proxy server address

Well, remember my last post on using a profile to configure proxies? Boom, done!

Don’t like the profile method, how about scripted?

Moving on!

Working the list: Proxy server certificate

Another nice easy one. Simply grab the Proxy server’s certificate that you need to deploy, and utilise the “Certificates” payload in a profile to push it out.

This profile will deploy the certificate to the client devices’ keychain, and set the trust settings to ‘always trust’. This will ensure that the certificate is trusted at a system level for all users.

Moving on!

Working the list: WAgent tool

Now this is where things get fun, or rather complicated (ok, sometimes my definition of fun is weird).

The installer my customer was provided is a .app installer.

Before you get the pitch forks out, there is an arguably valid reason.

The installer helps configure the locally installed WAgent with the settings it needs to work. Unfortunately this same ‘good intention’ means we can’t deploy the Agent using the provided installer.

(Don’t worry, I’ll come back to configuring it in the next section)

What I did find is, if you right click and hit “Show Package Contents” on this “WAgent Configurator”, and go to “Contents” -> “Resources” you get a regular looking .mpkg file!

More importantly, this can then be deployed using your deployment tool of choice. I’d suggest, if you’re using something like Casper or DeployStudio, sticking this installer on as an “At Reboot” or “Postponed” installation.

Moving On!

Working the list: WAgent Settings

Ooo, so close now, just one item left, configuring the WAgent properly!

After some digging and testing, I found that the settings the WAgent Configurator.app sets are of the standard .plist variety and stored in /Library/Preferences/con.netsweeper.WAgent-Configurator.plist.

More importantly, these settings can be managed through the use of everyone’s favourite, Configuration Profiles. (Woo! Go NetSweeper Devs!)

WAgent Settings: How should I do it?

Well, I think you’ve got two choices:

  1. Pick a ‘packaging’ Mac, install the WAgent and run the configurator app to set it up.
    1. Test this and make sure it all works.
    2. Then use Tim Sutton’s MCXToProfile to convert the plist at /Library/Preferences/con.netsweeper.WAgent-Configurator.plist to a configuration profile.
    3. Deploy this as you wish (Munki, Casper, local install, other MDM of choice etc).
  2. Grab a copy of the profile I’ve used from GitHub here.
    1. Change lines 20 and 24 to the address of your NetSweeper box.
    2. Change lines 22 and 28 to the port of your NetSweeper box.
    3. Deploy this as you wish (Munki, Casper, local install, other MDM of choice etc).

Job done.
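To show what the conversion in option 1 produces, here is an added example (not the author's profile and not MCXToProfile's code): Python that wraps a preference plist in a custom-settings payload, enforces the values as "Forced" managed preferences so they cannot be changed locally, and reads them back to confirm what will be deployed. The setting key names, values and profile identifier are constructed placeholders, since the post does not list the WAgent's real keys; the domain comes from the plist path above.

```python
import plistlib
import uuid

# Preference domain, taken from the plist path given in the post.
DOMAIN = "con.netsweeper.WAgent-Configurator"

def build_profile(settings, domain=DOMAIN, identifier="org.example.wagent"):
    """Wrap settings as always-enforced ("Forced") managed preferences."""
    if not settings:
        raise ValueError("no settings to manage")
    prefs = {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".prefs",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadEnabled": True,
        "PayloadContent": {
            domain: {"Forced": [{"mcx_preference_settings": dict(settings)}]}
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadScope": "System",
        "PayloadDisplayName": "WAgent settings",
        "PayloadContent": [prefs],
    }

def profile_from_plist(plist_bytes, **kwargs):
    """Convert a preference plist (XML or binary) into .mobileconfig bytes."""
    return plistlib.dumps(build_profile(plistlib.loads(plist_bytes), **kwargs))

def managed_settings(profile_bytes, domain=DOMAIN):
    """Return the forced settings a profile carries for domain, or None."""
    for payload in plistlib.loads(profile_bytes)["PayloadContent"]:
        if payload.get("PayloadType") != "com.apple.ManagedClient.preferences":
            continue
        forced = payload["PayloadContent"].get(domain, {}).get("Forced", [])
        if forced:
            return forced[0]["mcx_preference_settings"]
    return None

# Constructed sample: key names and values are hypothetical, not the WAgent's.
SAMPLE = {"ExampleServerAddress": "netsweeper.example.org", "ExampleServerPort": 8080}
# Preference files on disk are often binary plists; loads() accepts both forms.
SAMPLE_PLIST = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)
PROFILE = profile_from_plist(SAMPLE_PLIST)  # bytes to save as a .mobileconfig
```

Running `managed_settings` over the generated file before it goes into Munki, Casper or another MDM is a quick check that the server address and port in the profile are the ones you tested on the packaging Mac.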

Summary

There you go, hopefully that’ll give other Mac Admins using NetSweeper a heads up on how to deploy their Mac Agent. As always, if you have any questions, queries or comments, let us know below and I’ll try to respond to and delve into as many as I can.

The usual Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.