Deploy Skyhigh Client Using Trellix ePO

To deploy and manage the policies, you must configure Trellix ePO. We have both On-prem and Cloud ePO within ePO. 

It is necessary to push Trellix Agent from ePO to the endpoint while deploying Skyhigh Client (SC) using Trellix ePO. You need to install the Skyhigh Client software on the endpoint after pushing the Trellix Agent. Once the Skyhigh Client policy is configured, deploy the policy.

▼ Skyhigh Client Deployment using ePO Cloud

Deploy Trellix Agent   

1. In ePO, click on System Tree at the top of the page, and then click the New Systems button at the top of the System Tree.
2. In the How to add systems section at the top, select the radio button labeled Create and download agent installation package. 
3. In the Agent version, for Windows, select the Windows radio button, and for Mac, select the Non-Windows radio button, and select the required Trellix Agent versions. Then, click OK in the bottom-right corner of the page.
4. When ePO is done generating the package, click the Agent Package link to download the installation package, and then click Close.
5. Copy the FramePkg.exe (for Windows) and agentPackages.zip (for macOS, it will have install.sh within the package) file to the endpoint you intend to manage, and then execute it.
6. Go back to the ePO system tree, select the root of the tree (My Organization), and then select This Group and All Subgroups in the Preset drop-down.  This will let you see all managed endpoints in the entire system tree. You should see the hostname of your endpoint in the list.  If it does not appear, then wait for the agent to check in and refresh the page.

Deploy RTW Build to ePO Cloud

The current RTW build will be pushed from the Trellix to the ePO cloud.

1. In ePO Cloud, go to the Menu > Software > Advanced Deployment.
2. Click New Deployment at the top of the page.
3. Name the deployment Deploy Skyhigh Client, and select the latest Skyhigh Client Version in the Package drop-down. 
4. Set the Action to Install.
5. Select the systems for which the Skyhigh Client has to be deployed.
6. Set the Start Time drop-down to Run Immediately. 
7. Click Save.
8. To enforce the deployment, click System Tree at the top of the ePO interface, select your endpoint, and then click Wake Up Agents.  This will cause ePO to attempt to connect to the Client.  To follow the status of the wake-up call, go to Menu > Automation > Server Task Log.   
   If the task fails to complete successfully, then you can manually update with the following steps:
   1. Open a command prompt on the Client machine.
   2. Change directory to C:\Program Files\SCP\Agent.
   3. Run the command cmdagent -s (for Windows) and /Library/McAfee/agent/bin/cmdagent -s (for MacOS).  This should open the Skyhigh Agent Status Monitor window.
   4. Click the top four buttons to kick off an agent synchronization. (Collect and Send Props, Send Events, Check New Policies, and Enforce Policies)
9. Once the task is completed, confirm on the endpoint by navigating to the Start menu and looking for a Skyhigh Client folder. 
10. In Windows, you will find Skyhigh Client. Open Skyhigh Client and check if you have a Policy Name and Policy Revision value. If these are blank, then repeat step 8(d) to do another agent communication to pull the policy.
11. In macOS, click Skyhigh Client icon at the top right corner to find the details.
12. Review Skyhigh Client to confirm that the policy has been updated. You should see the policy along with the Always Redirecting status, and you can see the Active Proxy field, which will show where proxy requests are being sent.

Configure Skyhigh Client Policy  

1. Log in to ePO Cloud. Click the menu on the top-left and go to Policy Catalog.
2. In the Product drop-down, select Skyhigh Client Proxy.
3. A default policy called Skyhigh Default is created by default. This is a read-only policy. Click New Policy to create a new Skyhigh Client policy.
4. In the Policy Catalog, go to the respective policy, under Actions, click Edit.
5. Under Skyhigh Client Settings, in the Proxy Servers page, you can assign the Proxy Server by entering the IP or Hostname of the proxy and the Proxy Port. Click Add.
6. Under Client Configuration, in Traffic Redirection Settings, enable the required options using the radio button.
7. Go to System Tree, under System Name, select your system.
8. Click the Policies tab. In Product, select Skyhigh Client.
9. In Actions, select Edit the Assignment.
10. In Inherit from, select Break inheritance and assign the policy and settings below.
11. Select the created policy in Assigned Policy.
12. Click Save.
     

▼ Skyhigh Client Deployment using ePO On-Prem

Authenticate the Secure Web Gateway (On-Prem)

It is recommended to enable authentication for SCP in SWG (on-prem).

1. Log in to SWG and click Policy at the top of the interface.
2. In the policy pane on the left, click Add > Rule Set from Library.
3. Go to Authentication > Authentication With Skyhigh Client Proxy.
4. Click Auto-Solve Conflict. Click Solve by referring to existing objects. Click OK.
5. Click on Show details and then click the Authenticate: Skyhigh Client  link on that rule.
6. Enter your customer ID number in the Customer ID field, and then click the Change... button to enter the shared passphrase.
7. Click OK to save the settings object, and then Save Changes on the top-right.

Deploy Trellix Agent   

1. In ePO, click on System Tree at the top of the page, and then click the New Systems button at the top of the System Tree.
2. In the How to add systems section at the top, select the radio button labeled Create and download agent installation package.  Then, click OK in the bottom-right corner of the page.
3. When ePO is done generating the package, click the Agent Package link to download the installation package, and then click Close.
4. Copy the FramePkg.exe (for Windows) and agentPackages.zip (for MacOS, it will have install.sh within the package) file to the endpoint you intend to manage, and then execute it.
5. Go back to the ePO system tree, select the root of the tree ("My Organization"), and then select This Group and All Subgroups in the Preset drop-down.  This will let you see all managed endpoints in the entire system tree.  You should see the hostname of your endpoint in the list.  If it does not appear, then wait for the agent to check in and refresh the page.

Check In the SC Package into the ePO main repo  

• You can install Skyhigh Client using the cloud security portal or through downloads or policy downloads.
• You can check the SC package into the ePO main repository in two ways:

1. Go to Main Menu (three lines) > Main Repository > Check In Package.  In Check In Package, choose the required build in the File path. Click Ok, and then Next.

• Package Info: contains build details such as Name, Version, Minor Version, Type, and Language of the build you're checkin
• Choose the branch however you want to post it as Current, Previous, or an Evaluation branch
  • Current: Current build is what we want to post to all the clients
  • Previous: Earlier version of current build
  • Evaluation: Any build that needed to be tested or the older version of build
• Options: Enable the Options to move the existing package to the Previous branch using 

2. You can follow these steps to check in the SC package:
   1. Navigate to Software > Catalog Utilities & Connectors > Packages.
   2. Select the required package in Actions > Check in at another branch to check in.
   3. Select the required client package branch.
   4. Click Check In.

Deploy Skyhigh Client

1. In ePO on Prem, go to the Menu > Software > Product Deployment.
2. Click New Deployment at the top of the page.
3. Name the deployment Deploy SC, and select the latest SC Version (Skyhigh Client 5.0.0.x) in the Package drop-down. 
4. Set the Action to Install.
5. Set the Start Time drop-down to Run Immediately. 
6. Click Save.
7. Click System Tree at the top of the ePO interface, select your endpoint, and then click Wake Up Agents. This will cause ePO to attempt to connect to the client.  To follow the status of the wake-up call, go to Menu > Automation > Server Task Log.   
   If the task fails to complete successfully, then you can manually update it with the following steps:
   1. Open a command prompt on the client machine.
   2. Change directory to C:\Program Files\SCP\Agent.
   3. Run the command cmdagent /s.  This should open the Skyhigh Agent Status Monitor window.
   4. Click the top four buttons to kick off an agent synchronization. (Collect and Send Props, Send Events, Check New Policies, and Enforce Policies).
8. Once the task is completed, confirm on the endpoint by navigating to the Start menu and looking for a Skyhigh Client folder. 
9. In Windows, you will find Skyhigh Client. Open Skyhigh Client and check if you have a Policy Name and Policy Revision value. If these are blank, then repeat step 7(d) to do another agent communication to pull the policy.
10. In macOS, click Skyhigh Client icon at the top right corner to find the details.
11. Review Skyhigh Client to confirm that the policy has been updated. You should see the policy along with the Always Redirecting status, and you can see the Active Proxy field, which will show where proxy requests are being sent.