1E Platform client requirements

Information that will help you design and plan the implementation of 1E in your organization. This includes all the prerequisites and dependencies, which are necessary to install 1E Client with 1E Platform features enabled.

1E Platform client features are not required if the 1E Client is being installed only to support PXE Everywhere, Shopping, or WakeUp. 1E Platform client features are required if you are using any of the following:

  • Experience Analytics.

  • Endpoint Troubleshooting.

  • Endpoint Automation.

  • Patch Insights.

  • Content Distribution - if using Content Distribution features of the 1E Platform. Also requires Content Distribution client to be enabled.

  • AppClarity - if using 1E as an inventory data source.

  • Application Migration - if using 1E as an inventory data source.

Certificates are essential for establishing a secure connection between the 1E Client and the 1E Platform. They ensure that communication is encrypted and that both parties can verify each others identity, preventing unauthorized access and ensuring data integrity.

1E Platform provides these options:

  • 1E Client Certificate Auto Provisioning: If you have moved away from an enterprise PKI, you can use the platform Certificate Service which provides you with an alternative to using your own PKI infrastructure.

  • Public Key Infrastructure and client certificates: 1E features require a PKI and certificates on client devices and servers. Please see below for client requirements, and Certificate requirements for server requirements. You need to have a PKI in your environment with at least one Issuing CA.

Implementation overview

If a valid client certificate is unavailable, the 1E Client generates a Certificate Signing Request (CSR) containing all the relevant information identifying the device. This includes the machine FQDN, the GUID and several certificate extensions unique to the 1E Client. The CSR is signed using an RSA key pair and the associated private key is stored locally in the machine store.

The signed CSR is sent to the 1E Platform certificate provisioning service which validates the request, processes the CSR and sends back a BASE64 encoded certificate. The request is authenticated using an authorization header in form of a signed-JWT. A shared secret between the 1E Platform and the 1E Client called the Provisioning Key is employed for JWT signing. The returned certificate is associated with the locally stored private key and pushed to the machine certificate store. This certificate is then used for the mutual TLS handshake to establish a secure communication channel between the 1E Client and the platform.

For details about configuring the 1E Client Auto-Provisioning for 1E Platform and the provisioning key, refer to Enhanced Settings.

How certificate management works

In addition to generating CSRs, the 1E Client is responsible for managing of all the certificates and private keys provisioned by it, including the following:

  • Check if the device already has a valid 1E provisioned client certificate in the certificate store. If not, the provisioning process starts. A certificate is marked as valid if it passes the following checks.

    • Certificate contains the custom 1E OID extensions.

    • Certificate has not expired.

    • Certificate will not have expired closer than a configurable threshold.

    • Certificate contains the Client Authentication EKU extension.

    • Certificate subject covers the machine FQDN.

    • Certificate has a usable private key.

  • Provision a new client certificate from the cloud service if required. This request is only generated if a client certificate has not been requested in the last 24 hours (this is the default), this setting is configurable.

  • Perform housekeeping activities every 1E Client start-up on the provisioned items, including:

    • Cleaning up expired certificates.

    • Cleaning up certificates without a usable private key.

    • Cleaning up orphaned (no associated private key) certificates.

    • Cleaning up orphaned private keys (no associated certificate).

    • Cleaning up certificates whose provisioning key hash OID (1.2.5.1.4.1.61249.4) value does not match the currently stored provisioning key’s hash.

  • Periodically check when running whether a new client certificate request is needed, if the one that is in use nears expiry. This happens, by default, every 8 hours on a background thread and can be controlled using the ClientCertificateProvisioning.AutoRenewalCheckHours configuration setting.

Platform configuration

For settings that control the behavior of the platform provisioning service refer to 1E Client settings. The certificate provisioning feature is enabled by default.

Provisioning Key Setup

The provisioning key is a shared secret between the 1E Platform provisioning service and the 1E Client used to generate a signed JWT using the HS256 algorithm. To use the 1E Platform provisioning service a valid key must be stored in the client's persistent storage as follows:

During install

  • Windows: Pass the plain text provisioning key copied from the platform to MSIEXEC.

    Copy 
      msiexec /i 1E.Client-x64.msi SWITCH=<SWITCH_URL> BACKGROUNDCHANNELURL=<BGC_URL> PROVISIONINGKEY=<VALID_PROVISIONING_KEY> /qn /l*vx 1EClient-install.log

  • macOS: Pass the plain text provisioning key copied from the platform to the install.sh script bundled in the published .dmg file. This will store the provisioning key directly in persistent storage

    Copy 
    sudo sh install.sh SWITCH=<SWITCH_URL> BACKGROUNDCHANNELURL=<BGC_URL> PROVISIONINGKEY=<VALID_PROVISIONING_KEY>

Post install

You can set the provisioning key as a post installation step, this is important when you revoke a key.

  • Windows: Using an administrative console.

    Copy 
    cd "C:\Program Files\1E\Client" 
    .\1E.Client.exe -ProvisioningKey=<VALID_PROVISIONING_KEY>

  • macOS:

    Copy 
    cd "Applications/1E Client.app/Contents/MacOS"
    sudo ./1E\ Client -ProvisioningKey=<VALID_PROVISIONING_KEY>

    To set the provisioning key post-install, refer to -provisioningkey=value.

1E features require a PKI and certificates on client devices and servers. Please see below for client requirements, and Certificate requirements for server requirements. You need to have a PKI in your environment with at least one Issuing CA.

1E requires each Issuing CA has:

  • A Certificate Revocation List (CRL) Distribution Point (CDP) that uses HTTP/S.

  • This HTTP/S CDP information is included in certificates issued to 1E Server and client devices.

If you have an existing PKI and have just added a new CDP to support HTTP/S then you will need to re-issue certificates to your servers and devices.

  • 1E deliberately does not work with self-signed certificates for security reasons. Therefore, 1E client or Server cannot be installed on the same server as a Root CA, because its certificate is self-signed.

  • 1E uses TLSv1.2. If your PKI is using SHA512, then please ensure that your environment has relevant updates applied, as described in https://support.microsoft.com/en-us/help/2973337.

  • If you want 1E to manage legacy OS that Microsoft no longer supports, there may be issues with encrypted certificates described in Common client requirements.

Client Certificates

If you have configured 1E Server to require client certificates, each device requires a certificate with the following properties, so the 1E Platform client can be authenticated by the 1E Switch. Refer to Certificate requirements.

  • All 1E Client certificate requests get routed to a special .client.platformURL, for example acme.client.uk.cloud.1e.com.

  • The 1E Client has a setting which skips the local trust chain check during the client certificate selection process. Previously, client certificates needed to be trusted locally to be viable for presentation to the Switch. The default setting is true.

    SkipLocalTrustCheckForClientCertificates

  • The 1E Client requires that the client certificate it presents to the platform has both the Signature and Encryption request handling options. These options are the defaults if provisioning using a Computer Certificate template from a Microsoft Windows Certificate Authority. If you are using a custom template, or an alternative certificate authority, you should confirm that both these options are enabled.

Client certificate properties:

  • Issued by a trusted Certificate Authority (CA):

    • The certificate for the Root CA in the Certification Path must exist in the Trusted Root CA store of the client.

    • If the issuing CA is not the Root CA then the certificate for the issuing CA and any intermediate CA in the Certification Path must exist in the Intermediate CA store of the client.

    • If either of these CA certificates is different from those used by the 1E Web Server, they will need to be exported and imported on the 1E Web Server.

    • Most organizations have automated distribution of these CA certificates to clients and servers, using Group Policy for example.

  • Enhanced Key Usage - has at least Client Authentication.

  • Key Usage - has at least Digital Signature and Key encipherment.

  • Private key - for workgroup and non-Windows devices, the private key must be exportable.

  • Revocation information is included - references at least one CRL Distribution point that uses HTTP.

    • Has a Subject Name of type Common Name (CN=<computername>) or Subject Alternative Name (DNS Name=<computername>) where <computername> depends on the type of device:

    • On domain-joined Windows PCs this must be the computername FQDN of the computer, for example W701.ACME.LOCAL

    • On workgroup Windows PCs and non-Windows devices, this must be the computername of the computer - as returned by the hostname command, for example on Windows PC this could be W701, and on a Mac this could be MAC01.local.

    1E clients and Switches use OpenSSL and its validation process to verify certificates.

Certificate storage requirements by OS type:

  • Windows devices - the certificate is stored in the Windows Local Computer personal certificates store.

  • Non-Windows devices - except for the Mac - the client does not use proprietary certificate stores. Instead, the client requires the certificate to exist as a .pfx file in the client installation folder structure, refer to Client certificates in Deploying 1E Client on Linux.

  • MacOS - you have a choice of storing the client certificate in the macOS Key Store or using the .pfx file approach required by other non-Windows devices, refer to Certificate files in Deploying 1E Client on macOS.

Considerations when requesting your certificate:

  • The certificate can be used only on the server it was intended, that has the correct computername FQDN and DNS Alias FQDN.

  • It is not possible to use the Create Certificate Request method in IIS Manager Server Certificates, because it does not support all the above requirements.

  • If you have a Microsoft CA, and a suitable Web Server template has been issued and enabled in the Directory Enrollment Policy, then it is possible to Request New Certificate in the Certificates (Local Computer) mmc snap-in and use the Certificate Enrollment wizard.

  • Many organizations have their own process for submitting a Certificate Signing Request (CSR). Please ensure all the above requirements are specified. Security administrators sometimes have difficulty providing a certificate with one or more Subject Alternative Names (SAN), and it helps to explain these are type DNS.

Anonymous Client Certificates

  • Are available on all supported platforms (Windows, macOS and Linux) when ClientCertificateSelection is set to anonymous

  • Provide greater flexibility to you when you deploy client authentication certificates, because you can instruct the 1E Client to select any valid and locally-trusted client certificate, ignoring FQDN matches.

To enable this feature, set the ClientCertificateSelection configuration setting to anonymous. The trusted anonymous certificates are marked as viable, but client certificates which pass FQDN checks are still prioritised while attempting a Switch connection.

The ClientCertificateSelection configuration setting can also be set when you install the 1E Client on supported platforms.

If the 1E Client presents an anonymous client certificate, this will be visible in the 1E Portal device pillar as shown.

1E Platform client integration with Content Distribution allows clients to make use of Content Distribution features for more efficient downloading of content from different HTTP sources, including the 1E Background Channel. Using this feature needs the following settings enabled, you can do this during the 1E Client installation:

  • Content Distribution client module - enabled (off by default).

  • 1E integration with Content Distribution - enabled (on by default).

With the 1E integration setting enabled, the client will automatically detect if the Content Distribution client module is enabled and use it to download content from HTTP sources when requested. 1E use of Content Distribution works irrespective of whether Content Distribution is integrated with Microsoft Configuration Manager, or using 1E ActiveEfficiency or Content Distribution features. The Content Distribution client is included in 1E Client 24.5 and later requires 1E Platform with Content Distribution features enabled. Content Distribution is the replacement for ActiveEfficiency.

Configuration Manager is not a prerequisite for 1E integration with Nomad, but you will need to consider the following:

Configuration Manager client present

You do not need to make any configuration changes to Content Distribution for it to integrate with 1E, other than enable the Content Distribution client module in the 1E Client, or have a legacy version of the Content Distribution client installed.

Please refer to 1E Content Distribution features documentation for guidance on designing and deploying Content Distribution.

Configuration Manager client not present

You must ensure the following bits are enabled in the relevant Content Distribution installer properties and their corresponding registry values. These are enabled by default in the Content Distribution client module of the 1E Client, but if you modify the following properties for any other purposes, then you must ensure these bits are set:

  • CompatibilityFlags bit 1 - enable long hashes.

  • SpecialNetShare bit 13 - enable HTTP(S).

If you have any configuration baselines or other policies that control Content Distribution settings, then these will need to be reviewed. Review is especially important if you have upgraded from legacy Content Distribution Branch 6.x where these bits were disabled by default.

1E real-time instructions are written in the 1E native language DEXCode, which is very like SQL but with additional logic, functions, and methods. Scripts can be downloaded when an instruction runs or actual command text is embedded in the instruction. You will very probably want to use scripts in the instructions you download from 1E or instructions you write yourself. Therefore, you must ensure the appropriate scripting environment is present on Agent devices.

  • Windows 1E clients can use PowerShell scripts. Ensure your client devices have an appropriate version of PowerShell installed to support any custom scripts you may develop. Refer to PowerShell on Windows OS.

  • Non-Windows clients can use bash as their scripting medium. This should be present on all non-Windows client devices.

For more information about SCALE and writing your own instructions, please refer to:

PowerShell

PowerShell is used by some instructions (that have PowerShell commands embedded or scripts that are downloaded) and some of these require PowerShell 3.0 or later, although some scripts will support PowerShell 2.0. PowerShell scripts are supported only on Windows OS. If you are installing or upgrading PowerShell, it is best to install the latest version available. However, do not expect full forward or backward compatibility between PowerShell versions.

To determine the version of PowerShell on a computer, start PowerShell (command prompt or ISE) and enter one of the following commands: $PSVersionTable.PSVersion or $PSVersionTable for more detail.

The table below shows which versions of PowerShell are supported on each OS version and Service Pack, and if it is built-in or needs to be installed.

OS Version

PowerShell v5.0

PowerShell v5.1

Notes

Windows Server 2022

 

RTM (Notes 3,4)

Note 1

Windows 11

 

RTM (built-in)

 

Windows Server 2016, 2019, 2022

RTM (Note 9)

RTM (Notes 3,4)

Note 1

Windows 10

RTM (built-in)

Anniversary Update (built-in)

 

  1. PowerShell is not installed by default on these OS but is an optional feature that should be enabled using Server Manager.

  2. PowerShell 5.0 is part of WMF 5.0 without any other prerequisites. Refer to https://www.microsoft.com/en-us/download/details.aspx?id=50395.

  3. PowerShell 5.1 is part of WMF 5.1 with prerequisite of .NET Framework 4.6 or later. Refer to https://www.microsoft.com/en-us/download/details.aspx?id=54616.

  4. In these Server OS, PowerShell 5.1 is referred to as the Desktop Experience. You can use the PowerShell Core version if you prefer.

Please refer to https://support.microsoft.com/en-gb/help/17455/lifecycle-faq-net-framework for details of Microsoft support for .NET Framework.

  • Support for 4, 4.5, and 4.5.1 ended on January 12, 2016

  • Support for 4.5.2, 4.6 and 4.6.1 ended on April 26, 2022

Bash and Perl

  • Bash and Perl are required for the installation of all non-Windows 1E Client.

  • 1E instructions support the use of Bash scripts on all supported non-Windows OS.

  • To see if an Instruction requires a Bash script, look in its Instruction Definition XML file for the Scripting. Run method. Bash is the preferred choice when developing custom Instructions for non-Windows OS.

  • There are slight differences between OS implementations of Bash, particularly on the Mac. Therefore, 1E recommends testing custom Bash scripts on each supported OS.

  • In addition to but not included are various ports used to communicate with Microsoft services, including Certificate Services and Identity Provider (IdP).

  • If Content Distribution module is being used by 1E Client on Windows computers, it has additional port requirements of its own.

  • Additional outgoing ports may need to be opened on clients if instructions need to connect to non-platform content sources.