Secureframe Agent: Employee Installation Device Guide

Supported Operating Systems

Secureframe Agent is a read-only agent designed to help your organization be secure by reporting on key device settings that are required for Compliance frameworks.

The data being sent to Secureframe is the minimum information required to determine if a device is compliant.

These are the current operating system versions we support:

OS: Supported version(s)

  • MacOS: 12.x or higher (Monterey, Ventura, Sonoma, Sequoia)
  • Windows: 10, 11
  • Linux: CentOS 7.1+, Ubuntu 16.04+


Installing the Secureframe Agent on Your Device

If you have received an Onboarding email from Secureframe, it is likely that your employer has partnered with us to streamline their compliance objectives.

For employees, the set of tasks may include taking Security Awareness Training, Policy Reviews, Background Checks (if applicable) and finally installing Device Management.

For the purpose of this article, let's focus on how to properly download and install Device Management, also known as the Secureframe Agent.

 

Downloading your Agent package

  • Log into Secureframe and visit the Employee Onboarding page
  • From the left side bar, click Device Management from the list
  • Choose the operating system from the selection and click "Download Agent".
    (Note: The file will look different depending on your Operating System. The below example is how both the downloaded package and install guide appear on MacOS devices.)

Installing your Agent package

  • Windows: Double click your downloaded package and click "Yes"
  • MacOS: Double click your downloaded package and click "Install"
  • Linux:
    Open a terminal, go to the folder with your downloaded package, and run the following command according to your Operating System
    • Ubuntu (.deb):
      "sudo dpkg -i secureframe-agent.deb"
    • CentOS (.rpm):
      "sudo rpm -i secureframe-agent.rpm"

Once you have downloaded the Agent, you will need to click on the "If you have downloaded the agent or your operating system is not listed, click here to pass the onboarding installation step" link in the Employee Onboarding section.

Installation Notes:

  • Multiple Devices - Each device downloads a unique installation package which lets Secureframe link users and devices. Please DO NOT download and install the same installation package on multiple devices. Doing so may cause conflicts in reported device statuses and/or disappearing devices.
  • Windows Defender warnings - If using Windows Defender, you may encounter an unknown publisher error because the app is unrecognized. At this time, our Secureframe Agent packages are signed for users joined after Feb 8th 2025. Please consult with your admin if this is a problem and note that manual evidence can always be uploaded if you choose not to install the Agent.

Checking for Hard Drive Encryption

Once the Secureframe Agent is downloaded on your computer, it will help your Secureframe admins ensure that a few important compliance checks, like Hard Drive Encryption, are set properly.

Here are step-by-step instructions for setting up hard drive encryption on a device.

Windows:

To enable device encryption, please complete the following instructions from Microsoft:

  1. Select Start > Settings > Privacy & security  > Device encryption.
  2. If Device encryption is turned off, turn it On.

If Device encryption doesn't appear in that menu, it isn't available for your device.

Device encryption via BitLocker requires Windows Pro edition or higher. This is a Microsoft licensing limitation.

Mac:

In order to pass this check, FileVault must be enabled.

To enable FileVault (instructions from here):

  1. On your Mac, choose Apple menu  > System Settings, click Privacy & Security in the sidebar, then click FileVault on the right. (You may need to scroll down the right-side list.)
     
  2. Click Turn On. You might be asked to enter your password.
     
  3. Choose how to unlock your disk and reset your login password if you forget it:
    1. iCloud account: Click “Allow my iCloud account to unlock my disk” if you already use iCloud. Click “Set up my iCloud account to reset my password” if you don’t already use iCloud.
    2. Recovery key: Click “Create a recovery key and do not use my iCloud account.” Write down the recovery key and keep it in a safe place.
  4. Click Continue.

Linux:

This checks for the following configurations for the hard drive:

  • The drive mounted as root needs to be encrypted. The encryption process will vary based on the flavor of Linux being used.
  • ZFS encryption is not currently supported because of a limitation in osquery.
  • *If your Linux device is not 'checking in' after restarting, please refer to this article.

Checking for Antivirus

Once the Secureframe Agent is downloaded on your computer, it will help your Secureframe admins ensure that a few important compliance checks, like Antivirus software, are set properly.

Here are step-by-step instructions for enabling antivirus on a device. 

Windows:

Confirm that your antivirus solution is running: 

  • If you are using Windows Security or Windows Defender as your antivirus, check that Real-time protection is enabled.
  • If you are using a different antivirus solution, please check that it is enabled and running by opening the Services menu and confirming that your antivirus is "Running".
     
  • If you have confirmed that your antivirus is running but is still not passing the check, please contact support with the specific name of your antivirus solution and the devices that are not passing.
     
  • Currently we check for specific verified antivirus programs. If you do not see your antivirus solution in this list and believe that it should be included, please contact support with the name of your antivirus solution.
    List of antivirus programs:
    • Antivirus de Microsoft Defender
    • Antivírus do Microsoft Defender
    • Antivirus Microsoft Defender
    • Avast Antivirus
    • AVG Antivirus
    • Bitdefender Antivirus
    • Bitdefender Endpoint Security Tools Antimalware
    • CrowdStrike Falcon Sensor
    • ESET Security
    • McAfee LiveSafe
    • McAfee VirusScan
    • Microsoft Defender Antivirus
    • Microsoft Defender Antivírus
    • Norton 360
    • Norton Security
    • Sentinel Agent
    • Sophos Intercept X
    • Symantec Endpoint Protection
    • Trend Micro Security Agent
    • Windows Defender
    • Windows Defender Antivirus

Mac:

Confirm that Gatekeeper is enabled. This is usually turned on by default (more information here).

 

Linux:

The Secureframe Agent does not currently pull Native Anti-Virus information because Linux does not have a native antivirus solution.

  • *If your Linux device is not 'checking in' after restarting, please refer to this article.

Checking for Password Policy

Once the Secureframe Agent is downloaded on your computer, it will help your Secureframe admins ensure that a few important compliance checks, like a proper Password Policy, are set properly.

Here are step-by-step instructions to enable password policy requirements for a device.

Windows:

  • The following requirements must be enforced to pass this check:
    • Minimum password length: 8 characters
    • Password must meet complexity requirements: Enabled
       
  • "gpedit.msc" or "secpol.msc" must be installed in order to set a password policy 
    • These come installed on Windows 10/11 Pro
    • If you are on Windows 10/11 Home, this is how to download and install "gpedit.msc":
      • Download this Batch script
      • Right-click it and select "Run as Administrator"
      • Wait up to 10 minutes for the script to download and install "gpedit.msc"
      • Follow the instructions for "Group Policy method"
  • The requirements can be set via Group Policy or Local Security Policy.
    • Group Policy method:
      • Open the Run program and enter "gpedit.msc"
      • Go to "Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy"
        • Set "Minimum password length" to 8
        • Set "Password must meet complexity requirements" to "Enabled"
    • Local Security Policy method:
      • Open the Run program and enter "secpol.msc"
      • Go to Security Settings -> Account Policies -> Password Policy
        • Set "Minimum password length" to 8
        • Set "Password must meet complexity requirements" to "Enabled"
           
  • If not all your Windows devices come with these programs or it would be too time-consuming to edit these settings on each device, we recommend instead using an MDM to enforce these settings.
     

Mac:

You will need to create a device profile with requireAlphanumeric set to true and minLength >= 8.

Linux:

The Password Policy check will not pass until you have both updated the password requirements and changed your password to comply with these requirements. These instructions were taken in part from this article.

The Password Policy check requires:

  • Minimum password length of at least eight characters.
  • The classes of characters are digits, uppercase letters, lowercase letters, and special characters.
  • Minimum class of at least three for each password, meaning that multiple classes must be represented in the password.
  1. Install the augeas-lenses library and PAM module by running the following commands in your terminal:
       sudo apt install augeas-lenses
       sudo apt install libpam-pwquality
     • Some Linux distributions may already have these libraries installed. See here for more technical information about the PAM module.
  2. Open the /etc/pam.d/common-password file.
  3. Find the line that includes pam_pwquality.so.
  4. Add minlen=8 minclass=3 to the end of that line. An example would look something like this:
       password requisite pam_pwquality.so retry=3 minlen=8 minclass=3
  • *If your Linux device is not 'checking in' after restarting, please refer to this article.
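
A way to confirm the edit to /etc/pam.d/common-password locally, as an added example (not Secureframe's code, and not how the Agent itself evaluates the check): the script reads the first active pam_pwquality.so line and compares minlen and minclass with the thresholds listed above. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: local self-check of the pam_pwquality line (not the Secureframe Agent's logic).

# Print the value of option $2 (e.g. minlen) from the first active
# (non-commented) pam_pwquality.so line in file $1; prints nothing if unset.
pwquality_opt() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        /pam_pwquality\.so/ {
            for (i = 1; i <= NF; i++)
                if (split($i, kv, "=") == 2 && kv[1] == key) { print kv[2]; exit }
            exit
        }' "$1"
}

# Return 0 if option $2 in file $1 is an integer >= $3, otherwise explain and return 1.
require_min() {
    val=$(pwquality_opt "$1" "$2")
    case "$val" in
        ''|*[!0-9]*) echo "FAIL: $2 is not set on an active pam_pwquality.so line"; return 1 ;;
    esac
    if [ "$val" -lt "$3" ]; then
        echo "FAIL: $2=$val, need >= $3"; return 1
    fi
    echo "ok: $2=$val"
}

# Check both requirements from the steps above; report every failure, not just the first.
check_password_policy() {
    rc=0
    require_min "$1" minlen 8 || rc=1
    require_min "$1" minclass 3 || rc=1
    return "$rc"
}

# Constructed sample files (not taken from a real system).
demo_dir=$(mktemp -d)
printf '%s\n' 'password requisite pam_pwquality.so retry=3 minlen=8 minclass=3' > "$demo_dir/good"
printf '%s\n' 'password requisite pam_pwquality.so retry=3' > "$demo_dir/default"
printf '%s\n' '# password requisite pam_pwquality.so minlen=8 minclass=3' \
              'password requisite pam_pwquality.so retry=3 minlen=6 minclass=3' > "$demo_dir/weak"

for f in good default weak; do
    echo "== $f"; check_password_policy "$demo_dir/$f" || true
done
# On a real device: check_password_policy /etc/pam.d/common-password
```

The "weak" sample shows why commented-out lines are skipped: the commented line carries passing values, but only the active line with minlen=6 takes effect.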
     

Checking for Screen Lock / Session Timeout

Once the Secureframe Agent is downloaded on your computer, it will help your Secureframe admins ensure that a few important compliance checks, like Screen Lock or Session Timeout, are set properly.

Here are step-by-step instructions to enable screen lock / session timeout for a device.

Windows:

There are two methods to enable Windows screen lock.

Method 1 (via Control Panel):

  • Open Control Panel > Screen Saver, or hit the Windows key and search for Screen Saver.
     
  • This should open a window similar to this screenshot:
     
  • Set the Wait value to 15 minutes or fewer.
     
  • Check the box next to On resume, display logon screen
     
  • Click Apply to save the new settings.
     

 

Method 2 (via registry entries):

  • The Secureframe Agent checks for the following registry settings to be enabled:
    • HKEY_USERS\%\Control Panel\Desktop\ScreenSaveActive
      • The value should be 1
      • Forces the screensaver to run after screen lock
    • HKEY_USERS\%\Control Panel\Desktop\ScreenSaverIsSecure
      • The value should be 1
      • This ensures that a password is required to login after screen lock
    • HKEY_USERS\%\Control Panel\Desktop\ScreenSaveTimeOut
      • The value should be <= 900
      • This is how many seconds of inactivity before screen lock (900 seconds = 15 minutes)
         
    • "%" represents your Security identifier or SID. It will look something like "S-#-#-#...-####" where # are numbers.
  • There are multiple ways to set these registry keys. The following instructions use the Registry Editor:
    • Click the Windows menu and type in Registry Editor, right click and Run as administrator
       
    • On the left side, click on HKEY_USERS > % > Control Panel > Desktop
      • Remember that "%" is your SID
         
    • Right click on the Desktop name and select New > DWORD (32-bit) Value
      • Type the registry key name e.g. ScreenSaverIsSecure and hit enter
      • Double click this new key to open a window and enter the desired value
         
    • Repeat for all registry keys that are not present or set to a passing value.

       
  • After configuring the keys, you can start a Sync for the Secureframe Agent. The newly configured device should now pass the check:
    • On the Asset Inventory page, the screen lock check for the device is updated when the device has checked in with the correct configuration AND the Secureframe Agent integration has been synced.

Mac:

You will need to create a device profile with askForPassword set to true and loginWindowIdleTime <= 900.

Linux:

The Secureframe Agent does not pull Screen Lock information because the data differs depending on the flavor of Linux being used.

Firewall

Here are step-by-step instructions for enabling the Firewall on user endpoints (Mac, PC and Linux) so that the Secureframe Agent check passes.
 

Windows:

Check settings in the Windows Security Center to enable the firewall.

Mac:

Ensure that Firewall is enabled (instructions here).

Linux:

This check looks to see whether the Debian Uncomplicated Firewall (UFW) is installed and configured. More information on Uncomplicated Firewall (UFW).

  • * If your Linux device is not 'checking in' after restarting, please refer to this article.

Uninstall Secureframe Agent From Your Device

Devices will automatically de-register 30 days after being uninstalled. Deleting the device from Asset Inventory before 30 days will result in the device re-populating. If you cannot wait for the automatic expiration, please contact support.

Windows

Use the "Add or remove programs" dialog to remove "Fleet osquery". It might also be named "Orbit Osquery" for older versions of the agent.

Mac

Open the Terminal app and run the cleanup script below. Please run it as two separate commands (e.g., run the first two lines together at once, then the last two lines together):

sudo launchctl stop com.fleetdm.orbit
sudo launchctl unload /Library/LaunchDaemons/com.fleetdm.orbit.plist

sudo pkill fleet-desktop || true
sudo rm -rf /Library/LaunchDaemons/com.fleetdm.orbit.plist /var/lib/orbit /usr/local/bin/orbit /var/log/orbit /opt/orbit/

Linux

Uninstall the package with the corresponding package manager:

  • Ubuntu
      sudo apt remove fleet-osquery -y
  • CentOS
      sudo rpm -e fleet-osquery
