This topic describes key computer configuration decisions you must make before installing Carbon Black App Control agents on endpoints.

  • CLI Management configuration options allow you to designate a user or group, or a password usable by anyone, to perform certain agent management activities in conjunction with VMware Carbon Black Support. Especially if you have systems that will be permanently offline, it is best to choose one of these options before creating policies and distributing agent installation packages. See "Advanced Configuration Options" in the VMware Carbon Black App Control User Guide for more details.
  • Rules file and agent installer packages must be uploaded to the server from the VMware Carbon Black User Exchange. Beginning with Carbon Black App Control Server v8.1.4, rules and agent installers have been separated from the server installation to allow for greater flexibility in updates.
    • For a new Carbon Black App Control server, you must upload the rules file and agent package installers to the server before agents can be downloaded to endpoints.
    • For a server upgraded from a previous version, your previous rules and agent installers remain in place, but there might be new rule and agent updates.
  • Policies determine the groups of security settings available to endpoints — every agent belongs to a policy. See "Creating and Configuring Policies" in the VMware Carbon Black App Control User Guide if you have not yet created policies.
  • Script Rules are best created and enabled before you deploy agents. This ensures that all files matching those rules are in the inventory and can be approved or banned if you choose. Script rules created or enabled after an agent is deployed require that endpoints be rescanned before the files they identify are inventoried. See "Script Rules" in the VMware Carbon Black App Control User Guide for more details.
  • Review the expired certificate validation setting, especially if you will be running endpoints offline. If you intend to allow file approval by certificates that have expired, make this choice before you download and install the agents on permanently offline endpoints — otherwise, they cannot use expired certificates. See "Approval with Expired Certificates" in the VMware Carbon Black App Control User Guide for more details.
  • Initial Policy assignment to an endpoint can be determined by Active Directory data, as described in "Assigning Policy by Active Directory Mapping" in the VMware Carbon Black App Control User Guide — or by the agent installer, as described in Downloading Agent Installers. Although you can change this decision later, determining how you want policies assigned before installing agents is recommended.
  • Preparing a reference endpoint for a “snapshot” of files can give you a baseline for the files in your environment if you plan to closely monitor changes in your file inventory. Ideally, this is a clean computer onto which you install only the applications that you would like to run on some or all of your systems. After the endpoint is prepared, you can install the agent and, after initialization is complete, use the Snapshot process as described in "Monitoring Change: Baseline Drift Reports" in the VMware Carbon Black App Control User Guide.