Action1 5 Documentation 5 Action1 Deployer (Recommended)

Action1 Deployer (Recommended)

Action1 Deployer (replaced Endpoint Discovery) enables you to automatically detect networked endpoints, deploy Action1 agents and keep them up-to-date. Action1 Deployer is a management service that runs inside your network and discovers workstations and servers that reside in an Active Directory domain or an organizational unit (OU). On top of that, you can manually add computers from a workgroup to the Action1 Deployer configuration. Follow the instructions below to set up it in your environment.

Action1 Agent Deployment

Step 1. Installing the Action1 Deployer service

  1. Go to the Agent Deployment page in the Configuration section and select + Configure.
  2. On the Install Deployer step, download the installation package or copy a link. The installer name is unique and indicates your organization. The Action1 Deployer supports both 32- and 64-bit systems.
  3. Choose the right server to install the Action1 Deployer service. Since this service is responsible for managing agents running on your remote endpoints, it’s crucial for this server to be enabled 24/7. 
  4. Right-click the Deployer installer and run it as administrator.
  5. Provide administrative credentials. They will be used to automatically deploy Action1 agents on your endpoints.
Installing Action1 Deployer

Required Permissions

We suggest you don’t use a default Administrator account but create a dedicated domain account for Action1 Deployer service.

    • The account must have read-only access to the Active Directory domain.
    • The account must be granted Logon as a service right (on the local computer). The installer will attempt to grant this right to the specified account.
    • The account must be a member of the local Administrators group on the server where Action1 Deployer service resides. You can add a dedicated domain account to local Administrators groups manually.
    • The account must be a member of the local Administrators group on all of your managed endpoints. You can add a dedicated domain account to local Administrators groups manually, with a script, or via Group Policy. Note that the account itself does not require any domain administrative rights to Active Directory, only local permissions are needed.
    • In case you plan on discovering endpoints that reside in a workgroup, make sure all workgroup computers leverage the same local user with the same password. The Deployer must be set up under these credentials in order to access workgroup computers.

How to create a dedicated domain account for Action1 Deployer?

  1. On a domain controller, start Active Directory Users and Computers and navigate to your domain / Users.
  2. Create a new user for the Action1 Deployer service, e.g.,  “Action1Deployer”.

How to add the Action1 Deployer service account to the local Administrators manually?

Consider adding a service account to the local Administrators group manually if for some reason you don’t want to leverage a Group Policy or when you install the Deployer service for testing purposes. Perform the steps below on the server where you’re going to install the Action1 Deployer service and on the endpoints it should manage.

 

  1. Navigate to the Local Users and Groups / Groups.
  2. Locate the Administrators group and select Add to group.
  3. Enter the service account name (e.g, domain\Action1Deployer). Make sure to use a domain account.

How to add the Action1 Deployer service account to local Administrators via Group Policy?

Leverage Group Policy if you have multiple endpoints in your infrastructure and want to automate the agent delivery process.

 

  1. On a domain controller, start Active Directory Users and Computers and navigate to your domain.
  2. Create a domain global security group, e.g.,  “Action1LocalAdmins” and make Action1Deployer a member of this group.
  3. Start the Group Policy Management Console (GPMC).
  4. Locate an effective domain policy (most likely Default Domain Policy) or create a new Group Policy object that applies to the entire domain or just the needed OUs with your managed endpoints.
  5. Right-click a policy and select Edit.
  6. Navigate to Computer Configuration / Policies / Windows Settings / Security Settings / Restricted Group.
  7. Right-click an empty space and select Add Group. Specify the name of the group dedicated to Action1 Deployer (Action1LocalAdmins). 
  8. Configure settings. In the Members of this group section, click Add and select the account you’ve created (Action1Deployer). In the This group is a member of section, click Add and select Administrators.
  9. To apply these changes, run `gpupdate /force` in the command prompt.

Why does Action1 Deployer need these permissions?

Membership in local Administrators is required to copy executables to the \\machinename\admin$\Action1 folder and configure a Windows service called Action1 Update on all managed endpoints. This service in turn will install and update Action1 agents.

The Action1 Deployer WILL NOT send these credentials to Action1 Cloud or anywhere else outside of the Deployer installation. The only location where they will be stored is the local Service Control Manager (SCM) database maintained by the Windows operating system in the encrypted format and stored by the Windows operating system as an LSA secret and never leave your environment.

What is an LSA secret? A Local Security Authority (LSA) secret is a piece of data that is accessible only to SYSTEM account processes running on the local computer. Some of these secrets are credentials that must persist after reboot, and they are stored in encrypted form on the hard disk drive. Credentials stored as LSA secrets include account passwords for Windows services (including Action1 Deployer service) that are configured on the computer. This is the only place where your Active Directory password will be stored.

Step 2. Checking Status

  1. After the Action1 Deployer installs itself into %ProgramFiles%\Action1\Connector or %ProgramFiles(x86)%\Action1\Connector depending on the type of the system, the Action1 Deployer will securely connect to Action1 Cloud using embedded information about your organization that includes an authentication certificate for mutual authentication and a private encryption key, specific to your organization.
  2. On the Check Status step, verify that Action1 Deployer has been successfully installed and connected to Action1 Cloud.
Checking Action1 Deployer connection status

Step 3. Configuring the Deployment Scope

Proceed to the Deployment Scope step to finish the configuration process and start using Action1.

  • All computers in Active Directory domains or OUs—specify one or several domains or organizational units, separated by commas (e.g., widgets.local, organization.com/Servers). You’ll have an option to exclude domain controllers or all the machines running Windows Server OS.
  • Computers in the list—connect to Action1 specific computers. Note that you can discover endpoints that reside in a workgroup too. Provide computer names, separated by commas.
  • Additionally, exclude computers from the list that shouldn’t be connected to Action1 Cloud.

How it works? Once you specify the scope of deployment (such as an Active Directory domain or list of computers), the Action1 Deployer service will automatically reach out to each managed computer, copy the Action1 agent executable into \\computername\admin$\Action1 folder (which maps to %WinDir%\Action1 locally), and then create and start the Action1 Agent service. Bypassing the Action1 Deployer, the Action1 agents will connect to Action1 Cloud and discovered devices will appear in the Endpoints list.

Configuring Action1 Deployer scope

If you manage multiple organizations, you should install the Action1 Deployer for each organization and configure settings individually. 

Endpoints dashboard

NOTE: To disconnect an endpoint from Action1 Cloud, on the Endpoints page select an option to uninstall the Action1 agent and then add this endpoint to the excluded list on the Agent Deployment page. Otherwise, the Action1 Deployer will try reinstalling the agent you’ve removed.