Cette section aborde l’utilisation globale de WAPT.

Toutes les fonctionnalités de WAPT pour les Administrateurs, les Utilisateurs et les Gestionnaires de Déploiement sont expliquées en détail.

Deploying WAPT agent

Windows

Two methods are available to deploy the waptagent.exe.

The first method is manual and the procedure must be applied on each machine.

The second one is automated and relies on a GPO.

Note

The waptagent.exe installer is available at https://srvwapt.mydomain.lan/wapt/waptagent.exe.

If you do not sign the waptagent.exe installer with a commercial Code Signing certificate or a Code Signing certificate issued by the Certificate Authority of your Organization after having generated it, web browsers will show a warning message when downloading the installer. To remove the warning message, you must sign the .exe with a Code Signing certificate that can be verified by a CA bundle stored in the machine’s certificate store.

Indication

When to deploy the WAPT agent manually?

Manual deployment method is efficient in these cases:

  • testing WAPT;

  • using WAPT in an organization with a small number of computers, etc;

Manually

Attention

This operation requires Local Administrator rights on the local computer.

Download the WAPT agent from you’r WAPT server then launch the installer.

Download the WAPT agent to be deployed on computers

Download the WAPT agent to be deployed on computers

  • choose the language and click on Next to go to next step;

    Choose the installation language

    Choose the installation language

  • accept the license terms and click on Next to go to next step;

    Accepting the EULA

    Accepting the EULA

  • choose the installation directory and click on Next to go to next step;

    Select the installation folder for the WAPT agent

    Select the installation folder for the WAPT agent

  • choose the additional parameters and click on Next to go to next step;

    Indication

    leave Force-reinstall VC++ enabled checked. If the option box is ticked it is because its installation is necessary.

    Choose the installer's options

    Choose the installer’s options

  • choose the WAPT repository and the WAPT Server and click on Next to go to next step;

    Choose the WAPT repository and server

    Choose the WAPT repository and server

  • install the WAPT agent by clicking on Install;

    Summary of installation options

    Summary of installation options

  • wait for the installation of the WAPT agent to finish, then click on Finish to exit;

    Installation in progress

    Installation in progress

The installation of the WAPT agent is finished. With cmd.exe, launch a register to register the machine with the WAPT Server and an update to display the list of available WAPT packages.

End of WAPT agent installation

End of WAPT agent installation

Note

  • tick Register this host on WAPT Server to register the computer on the WAPT inventory server;

  • tick Update package list from repository to update the list of available packages;

To manage your Organization’s WAPT clients, visit the documentation on using the WAPT console.

Automatically

Important

Technical pre-requisites

Advanced network and system administration knowledge is required to achieve this procedure. A properly configured network will ensure its success.

Indication

When to deploy the WAPT agent automatically? The following method is useful in these cases:

  • a large organization with many computers;

  • a Samba Active Directory or Microsoft Active Directory for which you have enough administration privileges;

  • the security and the traceability of actions are important to you or to your Organization;

With waptagent

waptagent.exe is an InnoSetup installer, it can be executed with these silent switches:

waptagent.exe /VERYSILENT
  • Additional arguments available for waptdeploy

Description of available options for deploying the WAPT agent silently

Options

Description

/dnsdomain = mydomain.lan

Domain in wapt-get.ini filled in during installation.

/wapt_server = https://srvwapt.mydomain.lan

URL of the WAPT server in wapt-get.ini filled in during installation

/repo_url = https://repo1.mydomain.lan/wapt

URL of the WAPT repository in wapt-get.ini filled in during installation.

/StartPackages = basic-group

Group of WAPT packages to install by default.

/verify_cert= = 1 or relative path ssl\server\srvwapt.mydomain.lan.crt

Value of verify_cert entered during installation

/CopyServersTrustedCA = path to a bundle to copy to ssl\server.

Certificate bundle for https connections (to be defined by verify_cert)

/CopypackagesTrustedCA = path to a certificate bundle to copy into ssl

Certificate bundle for verifying package signatures

Indication

The iss file for the InnoSetup installer is available here: C:\Program Files (x86)\wapt\waptsetup\waptsetup.iss.

You may choose to adapt it to your specific needs. Once modified, you’ll just have to recreate a waptagent.

To learn more about the options available with InnoSetup, visit this documentation.

With waptdeploy

waptdeploy is a small binary that:

  • checks the version of the WAPT agent;

  • downloads via https the waptagent.exe installer;

  • launches the silent installer with arguments (checked options defined during the compilation of the WAPT agent);

/VERYSILENT /MERGETASKS= ""useWaptServer""
  • updates the WAPT Server with the WAPT agent status (WAPT version, package status);

    Note

    waptdeploy must be started as Local Administrator, that is why we advise you to use a GPO.

Description of available options for waptdeploy

Options

Description

--force = https://srvwapt.mydomain.lan

Location of repository where to get waptagent.exe

--hash =

Check that downloaded waptagent.exe setup sha256 hash match this parameter.

--minversion = 1.2.3

Install waptagent.exe if installed version is less than that

--tasks =

if given, pass this arguments to the /TASKS options of the waptagent installer. Default = installService,installredist2008,autoUpgradePolicy

--repo_url = http://wapt/wapt

URL of the WAPT repository in wapt-get.ini filled in during installation.

--setupargs =

Add this to the command line of waptagent.exe.

--wait =

Wait running and pending tasks to complete if waptservice is running before install.

--waptsetupurl = http://wapt/wapt/waptagent.exe

Explicit location where to download setup executable. Can be a local path (default=<repo_url>/waptagent.exe

With a GPO

Download waptdeploy.exe from you’r WAPT server.

Download the waptdeploy

Download the waptdeploy

Creating the GPO
  • create a new group strategy called install_wapt on the Active Directory server (Microsoft or Samba-AD);

  • add a new strategy: Computer configuration ‣ Strategies ‣ Windows configuration ‣ Scripts ‣ Startup ‣ Add;

    Creating a group strategy to deploy the WAPT agent

    Creating a group strategy to deploy the WAPT agent

  • click on Browse to select the waptdeploy.exe script;

    Finding the waptdeploy.exe file on your computer

    Finding the waptdeploy.exe file on your computer

  • copy waptdeploy.exe in the destination folder;

    Selecting the waptdeploy.exe script

    Selecting the waptdeploy.exe script

  • click on Open to import the waptdeploy.exe script;

    Selecting the waptdeploy.exe script

    Selecting the waptdeploy.exe script

  • click on Open to confirm the importation of the waptdeploy binary;

Passing arguments

Indication

Starting with version 1.3.7, it is necessary to provide the checksum of the waptagent.exe as an argument to the waptdeploy GPO.

This will prevent the remote machine from executing an erroneous/ corrupted waptagent binary.

--hash="checksum du WaptAgent" --minversion=1.5.1.23 --wait=15

Note

Parameters and waptagent.exe checksum to use for the waptdeploy GPO are available on the WAPT Server by visiting https://srvwapt.mydomain.lan.

Web console of the WAPT Server

Web console of the WAPT Server

  • copy the required parameters;

    add the *waptdeploy* script to the startup GPO

    add the waptdeploy script to the startup GPO

  • click on OK to go on to the next step;

    WAPTdeploy GPO to be deployed on next startup

    WAPTdeploy GPO to be deployed on next startup

  • click on OK to go on to the next step;

  • apply resulting GPO strategy to the Organization’s Computers OU;

Additional arguments available for waptdeploy
Description of available options for waptdeploy

Options

Description

--force = https://srvwapt.mydomain.lan

Location of repository where to get waptagent.exe

--hash =

Check that downloaded waptagent.exe setup sha256 hash match this parameter.

--minversion = 1.2.3

Install waptagent.exe if installed version is less than that

--tasks =

if given, pass this arguments to the /TASKS options of the waptagent installer. Default = installService,installredist2008,autoUpgradePolicy

--repo_url = http://wapt/wapt

URL of the WAPT repository in wapt-get.ini filled in during installation.

--setupargs =

Add this to the command line of waptagent.exe.

--wait =

Wait running and pending tasks to complete if waptservice is running before install.

--waptsetupurl = http://wapt/wapt/waptagent.exe

Explicit location where to download setup executable. Can be a local path (default=<repo_url>/waptagent.exe

--hash="43254648348435423486"--minversion=1.8.1 --waptsetupurl=http://srvwapt.mydomain.lan/wapt/waptagent.exe --wait=10

With a scheduled task

For waptdeploy to work best, you may execute the GPO upon computer shutdown;

You may also choose to launch waptdeploy using a scheduled task that has been set by GPO.

Indication

This method is particularly effective for deploying WAPT on workstations when the network is neither available on starting up or shutting down.

The method consists of using a GPO to copy waptdeploy.exe and waptagent.exe:

  • source: \mydomain.lan\netlogon\waptagent.exe

  • destination: C:\windows\temp\waptagent.exe

    WAPT agent installation progress

    WAPT agent installation progress

  • copy waptdeploy.exe and waptagent.exe in the netlogon share of your Active Directory Server;

  • then create a GPO to set up a scheduled task:

Task Create in *deploywapt* Properties window

Task Create in deploywapt Properties window

General tab in *deploywapt* Properties window

General tab in deploywapt Properties window

  • use S-1-5-18 as a user account;

  • check Run with highest privileges;

Trigger tab in *deploywapt* Properties window

Trigger tab in deploywapt Properties window

  • check Daily, select today’s date and Repeat Task every 1 hour;

Actions tab

Arguments:

--hash="43254648348435423486" --minversion=1.5.1.23 --waptsetupurl=C:\windows\temp\waptagent.exe --wait=10

Attention

The hash and min_version arguments will change in reality compared to the documentation as WAPT continues to improve.

Conditions tab in *deploywapt* Properties window

Conditions tab in deploywapt Properties window

Settings tab in *deploywapt* Properties window

Settings tab in deploywapt Properties window

  • check Run task as soon as possible after a scheduled start is missed;

To verify that your GPO is working, you can run the gpupdate /force command and verify that the schedule task is present on your computer.

Linux

Nouveau dans la version 1.8.

Starting with WAPT 1.8, a Linux agent is available for Debian, Ubuntu and RedHat / Centos.

Note

  • the following procedure installs a WAPT agent using Tranquil IT’s repositories for Debian/CentOS;

  • if you wish to install it manually, you can look for your corresponding version;

  • copy the link of the binary that you need, download and install it with dpkg / rpm;

Debian

Discovery

Important

Follow this procedure for getting the right packages for the WAPT Discovery Edition. For WAPT Enterprise Edition please refer to the next block.

Note

Not Available as of 2021-06-04.

WAPT Discovery will be release later. For the free version, refer to wapt-1.8 documentation https://www.wapt.fr/en/doc-1.8/

Enterprise

Important

Follow this procedure for getting the right packages for the WAPT Enterprise Edition. For WAPT Discovery Edition please refer to the previous block.

To access WAPT Enterprise resources, you must use the username and password provided by our sales department.

Replace user and password in the deb parameter to access WAPT Enterprise repository.

apt update && apt upgrade -y
apt install apt-transport-https lsb-release gnupg
wget -O - https://wapt.tranquil.it/debian/tiswapt-pub.gpg  | apt-key add -
echo "deb https://user:password@srvwapt-pro.tranquil.it/entreprise/debian/wapt-2.0/ $(lsb_release -c -s) main" > /etc/apt/sources.list.d/wapt.list
  • install WAPT agent using apt-get:

apt update
apt install tis-waptagent
Creating the agent configuration file
Copying the package-signing certificate
Copying the SSL/TLS certificate

Ubuntu

The most secure and reliable way to install the latest WAPT agent on Linux Ubuntu is using Tranquil IT’s public repository.

  • add Tranquil IT’s repository in apt repository lists:

Discovery

Important

Follow this procedure for getting the right packages for the WAPT Discovery Edition. For WAPT Enterprise Edition please refer to the next block.

Note

Not Available as of 2021-06-04.

WAPT Discovery will be release later. For the free version, refer to wapt-1.8 documentation https://www.wapt.fr/en/doc-1.8/

Enterprise

Important

Follow this procedure for getting the right packages for the WAPT Enterprise Edition. For WAPT Discovery Edition please refer to the previous block.

To access WAPT Enterprise resources, you must use the username and password provided by our sales department.

Replace user and password in the deb parameter to access WAPT Enterprise repository.

apt update && apt upgrade -y
apt install apt-transport-https lsb-release gnupg
wget -O - https://wapt.tranquil.it/debian/tiswapt-pub.gpg  | apt-key add -
echo "deb https://user:password@srvwapt-pro.tranquil.it/entreprise/ubuntu/wapt-2.0/ $(lsb_release -c -s) main" > /etc/apt/sources.list.d/wapt.list
  • install WAPT agent using apt-get:

apt update
apt install tis-waptagent
Creating the agent configuration file
Copying the package-signing certificate
Copying the SSL/TLS certificate

CentOS

Discovery

Enterprise

The most secure and reliable way to install the latest WAPT agent on Linux CentOS is using Tranquil IT’s public repository.

  • add Tranquil IT’s repository in yum repository lists:

Important

Follow this procedure for getting the right packages for the WAPT Enterprise Edition. For WAPT Discovery Edition please refer to the next block.

To access WAPT Enterprise resources, you must use the username and password provided by our sales department.

Replace user and password in the baseurl parameter to access WAPT Enterprise repository.

cat > /etc/yum.repos.d/wapt.repo <<EOF
[wapt]
name=WAPT Server Repo
baseurl=https://user:password@srvwapt-pro.tranquil.it/entreprise/centos7/wapt-1.8/
enabled=1
gpgcheck=1
EOF

Important

Follow this procedure for getting the right packages for the WAPT Discovery Edition. For WAPT Enterprise Edition please refer to the previous block.

cat > /etc/yum.repos.d/wapt.repo <<EOF
[wapt]
name=WAPT Server Repo
baseurl=https://wapt.tranquil.it/centos7/wapt-1.8/
enabled=1
gpgcheck=1
EOF
  • install WAPT agent using yum:

    wget -q -O /tmp/tranquil_it.gpg "https://wapt.tranquil.it/centos7/RPM-GPG-KEY-TISWAPT-7"; rpm --import /tmp/tranquil_it.gpg
    yum install tis-waptagent
    

Creating the agent configuration file

The requisites for your WAPT agent to work are:

  • wapt-get.ini config file in /opt/wapt/;

  • a public certificate of the package-signing authority in /opt/wapt/ssl/;

You need to create and configure the wapt-get.ini file in /opt/wapt (Configuring the WAPT agent).

An example of what it should look like is present further down on this page. You may use it after changing the parameters to suit your needs.

vim /opt/wapt/wapt-get.ini
[global]
repo_url=https://srvwapt.mydomain.lan/wapt
wapt_server=https://srvwapt.mydomain.lan/
use_hostpackages=1
use_kerberos=0
verify_cert=0

Copying the package-signing certificate

You need to copy manually, or by script, the public certificate of your package signing certificate authority.

The certificate should be located on your Windows machine in C:\Program Files (x86)\wapt\ssl\.

Copy your certificate(s) in /opt/wapt/ssl using WinSCP or rsync if you are deploying on Linux or MacOS.

Copying the SSL/TLS certificate

If you already have configured your WAPT server to use correct Nginx SSL/TLS certificates, you must copy the certificate in your WAPT Linux agent.

The certificate should be located on your Windows machine in C:\Program Files (x86)\wapt\ssl\server\.

Copy your certificate(s) in /opt/wapt/ssl/server/ using WinSCP or rsync if you are deploying on Linux or MacOS.

Then, modify in your config file the path to your certificate.

vim /opt/wapt/wapt-get.ini

And give absolute path of your cert.

verify_cert=/opt/wapt/ssl/server/YOURCERT.crt

Attention

If you are not using SSL/TLS certificates with your WAPT Server, you must change it in /opt/wapt/wapt-get.ini the following lines to 0:

verify_cert=0

Registering

Attention

  • beware, by default, WAPT takes the system language by default for packages, you may have to define the language in wapt-get.ini with locales=.

  • restart the WAPT service:

    systemctl restart waptservice.service
    
  • finally, execute the following command to register your Linux host with the WAPT server:

    wapt-get register
    wapt-get update
    

Congratulations, your Linux Agent is now installed and configured and it will now appear in your WAPT Console with a pinguin icon!!

Unsupported features

  • installing updates on shutdown;

  • WAPT console is not currently available on linux;

  • any Windows specific feature;

Particularities with domain functionality

  • testing was carried out with sssd with an Active Directory domain and kerberos authentication;

  • to integrate a machine in the Active Directory domain, you can choose to follow this documentation

  • to force the update of Organizational Units on the host, you can apply a gpupdate from the WAPT console;

  • in order for Active Directory groups to function properly, you must verify that the id hostname$ command returns the list of groups the host is member of;

Attention

We have noticed that the kerberos LDAP query does not work if the reverse DNS record is not configured correctly for your domain controllers. These records must therefore be created if they do not exist.

MacOS

Discovery

Enterprise

Nouveau dans la version 1.8.

Attention

Currently, the agent has only been tested on High Sierra (version 10.13) and Mojave (10.14) while the latest MacOS version is Catalina (10.15). Catalina may have introduced changes that could prevent the agent from working.

Installing the WAPT Agent package from Tranquil IT’s public repository

  • download WAPT agent for Apple Mac OSX from Tranquil IT’s public repository

    sudo curl <PastedLink> tis-waptagent.pkg
    
  • install the downloaded package:

    sudo installer -pkg tis-waptagent.pkg -target /
    

Creating the agents configuration file

The requisites for your WAPT agent to work are:

  • wapt-get.ini config file in /opt/wapt/;

  • a public certificate of the package-signing authority in /opt/wapt/ssl/;

You need to create and configure the wapt-get.ini file in /opt/wapt (Configuring the WAPT agent).

An example of what it should look like is present further down on this page. You may use it after changing the parameters to suit your needs.

sudo vim /opt/wapt/wapt-get.ini
[global]
repo_url=https://srvwapt.mydomain.lan/wapt
wapt_server=https://srvwapt.mydomain.lan/
use_hostpackages=1
use_kerberos=0
verify_cert=0

Copying the package-signing certificate

You need to copy manually, or by script, the public certificate of your package signing certificate authority.

The certificate should be located on your Windows machine in C:\Program Files (x86)\wapt\ssl\.

Copy your certificate(s) in /opt/wapt/ssl using WinSCP or rsync.

Copying the SSL/TLS certificate

If you already have configured your WAPT server to use correct Nginx SSL/TLS certificates, you must copy the certificate in your WAPT Mac agent.

The certificate should be located on your Windows machine in C:\Program Files (x86)\wapt\ssl\server\.

Copy your certificate(s) in /opt/wapt/ssl/server/ using WinSCP or rsync.

Then, modify in your wapt-get.ini config file the path to your certificate.

sudo vim /opt/wapt/wapt-get.ini

And give absolute path of your cert.

verify_cert=/opt/wapt/ssl/server/YOURCERT.crt

Attention

If you are not using SSL/TLS certificates with your WAPT Server, you must set the following lines to 0 in /opt/wapt/wapt-get.ini:

verify_cert=0

Registering

Attention

Beware, by default, WAPT takes the system language by default for packages, you may have to define the language in wapt-get.ini with locales=.

  • restart the WAPT service:

    sudo launchctl unload /Library/LaunchDaemons/com.tranquilit.tis-waptagent.plist
    sudo launchctl load /Library/LaunchDaemons/com.tranquilit.tis-waptagent.plist
    
  • finally, execute the following command to register your MacOS host with the WAPT server:

  • you must logon as root to run:

    wapt-get register
    
  • then switch back to normal user for the following:

    sudo wapt-get update
    

Congratulations, your MacOS Agent is now installed and configured and it will now appear in your WAPT Console with an apple icon!

Unsupported features

  • installing updates on shutdown;

  • WAPT console is not currently available on linux;

  • any Windows specific feature;

Particularities with domain functionality

  • testing was carried out with sssd with an Active Directory domain and kerberos authentication;

  • to integrate a machine in the Active Directory domain, you can choose to follow this documentation

  • to force the update of Organizational Units on the host, you can apply a gpupdate from the WAPT console;

  • in order for Active Directory groups to function properly, you must verify that the id hostname$ command returns the list of groups the host is member of;

Attention

We have noticed that the kerberos LDAP query does not work if the reverse DNS record is not configured correctly for your domain controllers. These records must therefore be created if they do not exist.

Updating the WAPT agents

The test-waptupgrade package has also been uploaded on the repository.

The test-waptupgrade package contains the WAPT agent with arguments specified during the installation of WAPT on your Administrator’s computer.

New WAPT agent in the repository

New WAPT agent in the repository

Note

This package is a standard WAPT package designed to upgrade WAPT agents on client machines.

Upgrading the WAPT agents using the xxx-waptupgrade package is a two step process:

  • first the package copies the new waptagent.exe file on the client computer and creates a new scheduled task that will run waptagent.exe with predefined installation flags two minutes after the creation of the scheduled task. At that point the package itself is installed and the inventory on the server shows the package installation as OK, with correct version installed, but the inventory will still show the old version as the agent is not yet updated.

  • after two minutes the scheduled task starts and runs waptagent.exe. waptagent.exe shutdowns the local WAPT service, upgrades the local WAPT install, and then restarts the service. The scheduled task is then automatically removed and the WAPT agent sends back its inventory to the WAPT server. Now the inventory on the server will show the new version of the agent.

From an administrator point of view, looking at the console you will see the following steps:

  • xxx-waptupgrade package starts being installed;

  • xxx-waptupgrade is installed, the machine is up to date from a package list point of view, but the version in the inventory is still the old version of the WAPT agent;

  • after two minutes the computer connectivity status switches to disconnected as the WAPT agent is updated;

  • after around two minutes the client computer gets back up online in the console and updates its inventory and shows the new version;

  • the most common issue with the upgrading process is the local antivirus blocking the installation (WAPT is a software installer that keeps a websocket opened to a central management server, so this behavior may be flagged as suspicious by an antivirus, even though this method is the basis of end point management…). If you have an issue when deploying the upgrade, please check your antivirus console and whitelist the waptagent.exe. Another option is to re-sign the waptagent.exe binary if your organization has an internal code signing certificate;

  • the second most common issue is that for some reason another program is locking a DLL that ships with WAPT. This can happen with poorly designed software installers that pick up the local %PATH% variable first and then find WAPTs own openssl or python DLL;

  • the third most common issue is a defective Windows install that does not run scheduled tasks properly, and yes we have seen this!!