Technical Tip: How to get the MSI installer to enroll the agent automatically
| Description | This article describes how to get the MSI installer to enroll the agent automatically. |
| Scope | FortiDLP. |
| Solution | Enrollment Code or Bundle: Starting with the v6.0 Reveal Agent, it is possible to specify either an enrollment code or a file path to a bundle file. The processes for specifying the code instead of the bundle filepath are identical, except for the use of either a BUNDLE_FILEPATH or ENROLL_CODE parameter.
The benefits of the enrollment code method are that it can be multiple use and there is no need to manage bundle files on a shared file server.
In earlier versions of the platform, it was not possible for enrollment codes to be tied directly to users, but this restriction no longer exists. As such the remaining benefit to using bundle files is gained only from using a unique bundle per user to ensure each machine can only be enrolled once.
Methods: When running the MSI installer manually, the user will be prompted to supply an enrollment bundle or code to enroll the agent with the Reveal Platform. If however, the user wants to use the /qn flag to perform an unattended install (for example via GPO or SCCM push) the enrollment credentials (bundle or code) must be specified as part of the command.
Method 1 - Direct command: With an admin prompt enter the appropriate MSI command, for example:
msiexec.exe /i agent_x64_release_signed.msi /qn /norestart ENROLL_CODE=<code>
Method 2 - MSI transform file: In order to do this, first acquire the orca.exe tool from the Windows SDK. Open the Reveal Agent MSI in Orca, and select Transform -> New Transform. Next, find the 'Property' table.
If using the enrollment code, add this to the property table as shown (note the code has been truncated here for security):
If using a bundle, specify the full UNC path to the location of an accessible file shared with the bundle file. This can be a multiple-use bundle, or if planning to use a different bundle for each machine, it is possible to include Windows Environment Variables such as %COMPUTERNAME% which will be automatically replaced on each machine.
Then add a new row to this table, with Property = BUNDLE_FILEPATH and Value set to the path to the enrollment bundle as shown in the screenshot above. Note that the path must be fully qualified, including either the correct drive root or resolvable fileserver name.
Select Transform -> Generate transform:
 |