About LAN deployment
If one of the devices on the LAN has the Agent installed, the deployment to the remaining devices can be initiated from the Agent Browser and the Web Portal.
For information on deploying from the Agent Browser, refer to LAN deployment using the Agent Browser (Windows only).
The LAN deployment from the Web Portal works for both Windows and macOS. Deployment of a Windows Agent must be initiated from a device with a Windows Agent installed, and deployment of a macOS Agent must be initiated from a macOS device with a macOS Agent installed.
This method of deployment has prerequisites that weaken the overall security of the environment. It should only be used if Active Directory deployment is not an option.
IMPORTANT In the past, PsExec has been utilized by some viruses to remotely run malicious code. PsExec itself is not a virus, nor does it run malicious code on its own. Adding a registry key to enable access to the ADMIN$ share, making exceptions in any A/V product, and opening ports will by definition weaken the overall security of the environment. By using LAN Deploy you acknowledge that you are aware of this.
NOTE After you have deployed the Agent, reverse all changes you made to allow LAN deployment.
The device you want to use for deployment must meet the following criteria:
- It must be online, and selected as a Network Node with network scanning. Refer to Network discovery in the current UI and Network Discovery in the New UI.
- It must have completed a full audit in order to populate the discovered devices list. Refer to Audits.
- To deploy an Agent across a LAN, you need to have a username and password for the device or devices you're going to deploy to. We recommend that you cache these credentials in the Web Portal so that you do not have to enter them each time for each device. Refer to Cache logon credentials.
Further Windows requirements
|Enable remote access to the Admin$ share||Starting with Windows Vista, UAC has by default required elevated privileges to access the administrative shares. Details on this can be found here: Microsoft Support Article (951016).
You can enable this share either by accessing the Microsoft support article above and downloading the Fix It to make a Registry entry, or you can copy the following into an Administrative Command Prompt window:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
|File and printer sharing||File and printer sharing must be enabled on the devices you wish to deploy to. Ports 445 and 139 Inbound must be open.|
|Password||You cannot authenticate as a user with a blank password. For PsExec to work, the user account with the permissions required to run the install must have a password.|
|Antivirus||This process assumes that all antivirus programs, which can otherwise block PsExec, are configured to allow its use.|
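The NOTE above asks for every change made for LAN deployment to be reversed afterwards. The following PowerShell script is an added example, not part of the vendor documentation: it reports whether LocalAccountTokenFilterPolicy is still set to 1 and which enabled inbound firewall rules still allow TCP 445 or 139, and it removes the registry value when run with -Revert (a switch name chosen for this example).

```powershell
#Requires -RunAsAdministrator
# Added example: audit the Windows changes made for LAN deployment and,
# with -Revert, restore the default UAC remote restriction.
param([switch]$Revert)   # -Revert is a name chosen for this example

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'LocalAccountTokenFilterPolicy'

# 1 = remote connections by local administrator accounts receive an unfiltered token.
# Absent or 0 = Windows default, UAC remote filtering applies.
$value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$uacRelaxed = ($value -eq 1)

if ($uacRelaxed -and $Revert) {
    Remove-ItemProperty -Path $key -Name $name
    $uacRelaxed = $false
}

# Enabled inbound allow rules that name TCP 445 or 139 explicitly.
# These are reported only: file sharing may be needed for other reasons,
# so review them by hand. Rules that reach the ports through a range or
# "Any" are not matched by this check.
$smbRules = @(
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            $ports  = @($filter.LocalPort)
            $filter.Protocol -eq 'TCP' -and
                ($ports -contains '445' -or $ports -contains '139')
        }
)

[pscustomobject]@{
    Computer                = $env:COMPUTERNAME
    UacRemoteFilterDisabled = $uacRelaxed
    InboundSmbAllowRules    = @($smbRules | ForEach-Object { $_.DisplayName })
} | Format-List
```

Antivirus exceptions added for PsExec are product-specific and are not covered by this script.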
Further macOS requirements
|Remote Login||Needs to be ON. Navigate to Apple menu > System Preferences > Sharing, and set Remote Login to ON. You can also use the Terminal or SSH and run the following command as root: systemsetup -setremotelogin on. If root is not enabled, make sure you run the command in the following format: sudo systemsetup -setremotelogin on.|
|Firewall||Needs to be OFF. If Firewall is ON, then Remote Login needs to be allowed to connect. Navigate to Apple menu > System Preferences > Security or Security & Privacy > Firewall > set Firewall to OFF. If it is set to ON, then configure the Firewall Options to allow incoming connections.|
You can cache logon credentials (Agent Deployment Credentials) at the account or site level. When deploying from a site, any details entered at the site level will be used in addition to those specified at the account level, unless you turn this option off. For further information on how to cache logon credentials, refer to the Agent Deployment Credentials section in Account Settings and Site Settings in the current UI and Windows credentials and SSH credentials in the New UI.
IMPORTANT A Windows Agent can only be deployed from a Windows device with a Windows Agent installed, and the macOS Agent can only be deployed from a macOS device with a macOS Agent installed.
For information on the discovery and deployment steps, refer to Network discovery.