diff --git a/docs/code_signing.md b/docs/code_signing.md index 4a74c44b..cf8d5fec 100644 --- a/docs/code_signing.md +++ b/docs/code_signing.md 
@@ -51,6 +51,47 @@ However, the best way to submit a whitelisting request to your AV for the TRMM a Right click `"C:\Program Files\TacticalAgent\tacticalrmm.exe"` > `Properties` > `Digital Signatures` tab. -Serial Number: `0fef30ccce9d30183067160018796558` +## Code signing certificate info + +Digicert OV code signing cert used by agents v2.7.0 and above: + + - Serial Number: `0f558fcc46f23aa4e2688052f3a9459f` + + - Thumb Print: `5f67afdbb3adc263965f5ed0c732e45575434449` + +Digicert OV code signing used by agents v2.6.2 and below: + + - Serial Number: `0fef30ccce9d30183067160018796558` + + - Thumb Print: `0e4844266294100d3f93e1cc7eecf61e9206bb14` + +Amidaware code signing used only by the dynamic EXE installer after May 3, 2024 at 4:59 PM PST: + + - Serial Number: `0229c833c9bda1fe0a306f4b12b6ab3cf40f5790` + + - Thumb Print: `17a930357440276bfaee23220e2f7e8f1a208556` + +Amidaware Code Signing [Root CA](https://amidaware.com/amidaware-root.crt): + + - Serial Number: `2d4486df7eba0c6659d79106783caac1a83ffb41` + + - Thumb Print: `45492337c44055dbb3910a90d4ed02758ebc0ebd` + +#### Code Signing Changes for Dynamic EXE Installers +Starting May 3, 2024, at 4:59 PM PST, all new [dynamically generated](./install_agent.md#dynamically-generated-executable) EXE installers, including deployment link installers, will now be signed with Amidaware's own code signing certificate, issued by Amidaware's Code Signing Root CA. This change has been prompted by industry-wide modifications to code signing practices, which now necessitate the use of hardware tokens or HSMs (Hardware Security Modules). These requirements make it unfeasible for us to continue using our Digicert code signing certificate for signing these dynamically generated installers. + +While we have already transitioned to using Digicert's HSM to store our private key, this approach now incurs a cost for **each** executable signed. 
Given the volume of dynamic EXEs we currently generate and sign for all our customers, currently around 250,000 per month as of May 2024, this would result in costs around **$62,000.00 USD** per month—an unsustainable increase from the previously **nonexistent** cost. + +Please note that the Inno Setup installer (`tacticalagent-vX.X.X-windows-arch.exe`), utilized by both the [Powershell](./install_agent.md#powershell) and [Manual](./install_agent.md#manual) installation methods, as well as the agent update method, will continue to be signed with our Digicert OV code signing certificate. The `tacticalrmm.exe` agent binary will also continue being signed with our Digicert OV cert. + +As a reminder, the dynamic EXE installer is a generally one-time use **standalone program** that simply serves as a convenience wrapper around the Manual installation method. It automates the process by downloading the Inno Setup installer and executing it with the necessary command-line arguments—mirroring the functionality provided by the Powershell installer but delivered in an EXE format. + +#### Optional Root CA Installation for Dynamic EXE: + +For those using the dynamic EXE installation method, installing Amidaware's Code Signing Root CA on your system before you attempt installation can help ensure a smoother installation process. This step is entirely optional and is not needed for existing agents of if you use any of the other installation methods. To install the Root CA, you can run the following PowerShell command (as admin): + +```powershell +Invoke-WebRequest -Uri "https://amidaware.com/amidaware-root.crt" -OutFile "amida-root.crt"; Import-Certificate -FilePath "amida-root.crt" -CertStoreLocation Cert:\LocalMachine\Root +``` + -Thumb Print: `0e4844266294100d3f93e1cc7eecf61e9206bb14` 
diff --git a/docs/images/agent_installagent.png b/docs/images/agent_installagent.png new file mode 100644 index 00000000..ed76f002 Binary files /dev/null and b/docs/images/agent_installagent.png differ diff --git a/docs/images/dynamic_exe.png b/docs/images/dynamic_exe.png new file mode 100644 index 00000000..eb74d23a Binary files /dev/null and b/docs/images/dynamic_exe.png differ diff --git a/docs/images/manual_install.png b/docs/images/manual_install.png new file mode 100644 index 00000000..77fa3f46 Binary files /dev/null and b/docs/images/manual_install.png differ diff --git a/docs/images/manualagentupdate.png b/docs/images/manualagentupdate.png index a007befc..62c202a5 100644 Binary files a/docs/images/manualagentupdate.png and b/docs/images/manualagentupdate.png differ diff --git a/docs/images/powershell_install.png b/docs/images/powershell_install.png new file mode 100644 index 00000000..414eb828 Binary files /dev/null and b/docs/images/powershell_install.png differ diff --git a/docs/images/siteagentinstall.png b/docs/images/siteagentinstall.png index c0e33319..bd0918bb 100644 Binary files a/docs/images/siteagentinstall.png and b/docs/images/siteagentinstall.png differ diff --git a/docs/install_agent.md b/docs/install_agent.md index f547e4cb..27892cdb 100644 --- a/docs/install_agent.md +++ b/docs/install_agent.md 
@@ -15,36 +15,52 @@ ``` See [here for other screenshot examples](av.md). -## Dynamically Generated Executable +## UI -The generated exe is simply a wrapper around the Manual install method, using a single exe / command without the need to pass any command line flags to the installer. -All it does is download the generic installer from the agent's github [release page](https://github.com/amidaware/rmmagent/releases) and call it using predefined command line args that you choose from the web UI. -It "bakes" the command line args into the executable. +Click **Agents > Install Agent**. -From the UI, click **Agents > Install Agent**. +![agentinstall](./images/agent_installagent.png) You can also **right click on a site > Install Agent**. This will automatically fill in the client / site dropdown for you. ![siteagentinstall](images/siteagentinstall.png) -## PowerShell -The PowerShell method is very similar to the generated exe in that it simply downloads the installer from GitHub and calls the exe for you. ## Manual -The manual installation method requires you to first download the generic installer and call it using command line args. +![manualinstall](./images/manual_install.png) + +The 'Manual' installation method requires you to first download the Inno Setup installer and call it using command line args. + This is useful for scripting the installation using Group Policy or some other batch deployment method. +This or the Powershell method are also the preferred method of installing if you don't want [this](./faq.md#help-ive-been-hacked-and-there-are-weird-agents-appearing-in-my-tactical-rmm) to happen. + +## Dynamically Generated Executable + +The dynamically generated exe is a standalone binary which is simply a wrapper around the Manual install method, using a single exe / command without the need to pass any command line flags to the installer. 
+All it does is download the Inno Setup installer and call it using predefined command line args that you choose from the web UI. +It "bakes" the command line args into the executable. +Please note that using this method can result in [this](./faq.md#help-ive-been-hacked-and-there-are-weird-agents-appearing-in-my-tactical-rmm). + +![dynamicinstall](./images/dynamic_exe.png) + +## PowerShell + +The PowerShell method is also a wrapper around the Manual install method and functionally identical to the dynamically generated EXE installer but in powershell format instead of EXE format. + +![powershellinstall](./images/powershell_install.png) + + !!!tip You can reuse the installer for any of the deployment methods, you don't need to constantly create a new installer for each new agent.
The installer will be valid for however long you specify the token expiry time when generating an agent. ## Using a Deployment Link -Creating a deployment link is the recommended way to deploy agents. The main benefit of this method is that the executable is generated only whenever the deployment download link is accessed, whereas with the other methods it's generated right away and the agent's version is hardcoded into the exe. -Using a deployment link will allow you to not worry about installing using an older version of an agent, which will fail to install if you have updated your RMM to a version that is not compatible with an older installer you might have lying around. +Using a deployment link will allow you to not worry about installing using an older version of an agent, which will fail to install if you have updated your RMM to a version that is not compatible with an older installer you might have lying around. The deployment link method uses the dynamic EXE method behind the scenes. To create a deployment, from the web UI click **Agents > Manage Deployments**. ![managedeployments](images/managedeployments.png) diff --git a/docs/update_agents.md b/docs/update_agents.md index a04b5433..b92b6f50 100644 --- a/docs/update_agents.md +++ b/docs/update_agents.md @@ -31,7 +31,7 @@ For example, agents older than version 1.3.0 must first be updated to 1.3.0 befo You should never need to do this but might be needed to troubleshoot agents that are not updating automatically. -Download the `tacticalagent-vX.X.X.exe` executable from the [github releases page](https://github.com/amidaware/rmmagent/releases) and place it somewhere on the filesystem. +Download the `tacticalagent-vX.X.X.exe` installer from the link generated by the [Manual](./install_agent.md#manual]) install method and place it somewhere on the filesystem. Open CMD as admin and call the exe like so:
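
Review bot: In docs/code_signing.md, the PowerShell command under "Optional Root CA Installation for Dynamic EXE" imports the downloaded `amida-root.crt` straight into `Cert:\LocalMachine\Root` without comparing it to the Root CA thumbprint `45492337c44055dbb3910a90d4ed02758ebc0ebd` that this same hunk publishes. Suggest adding a step that checks the downloaded file's thumbprint against that value before `Import-Certificate` runs, and a sentence stating that the LocalMachine Root store makes the CA a trusted root for every user on the machine, so readers can weigh the optional step. In the same paragraph, "existing agents of if you use" should read "or if you use", and the two new `####` headings skip a level under the new `##` heading.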
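
Review bot: In docs/install_agent.md, the "Using a Deployment Link" paragraph now states that the deployment link method uses the dynamic EXE method behind the scenes, but the caution linking to the FAQ entry appears only under "Dynamically Generated Executable"; the same caution should be repeated for deployment links, since they produce the same kind of installer. The link text "[this]" in the Manual and Dynamically Generated Executable sections does not say what the risk is, so name it in the sentence rather than relying on the anchor. Minor: "Powershell" and "powershell" differ from the "## PowerShell" heading, and the new images use `./images/` while the existing ones use `images/`.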
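
Review bot: In docs/update_agents.md, the new link `[Manual](./install_agent.md#manual])` has a stray `]` inside the URL, so the anchor will not resolve; it should be `(./install_agent.md#manual)`. The file name here is `tacticalagent-vX.X.X.exe`, while docs/code_signing.md in this same patch calls the Inno Setup installer `tacticalagent-vX.X.X-windows-arch.exe`; use one form in both places so readers know which file to expect from the Manual method.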