Background
EvoInstall.ps1 is a PowerShell script for installing and managing the Evo Credential Provider or the Evo LDAPS Agent. With the script, a user can:
- Install the latest version of the credential provider or agent
- Update the credential provider or agent to their latest version
- Remove the credential provider or agent
- Check the current installed version
Where to get the script:
https://download.evosecurity.com/release/installers/evoinstall-latest.zip
Installation
| Mandatory Arguments | Description |
|---|---|
| -Json | A configuration file for installation parameters. See the following sections for details. |
| -Product | Either "credpro" or "ldapagent", to install the credential provider or the LDAPS Agent respectively. |

| Common Optional Arguments | Description |
|---|---|
| -Interactive | Causes the Windows installer dialogs to appear. If the script is run from a non-elevated shell, this flag must be set; otherwise the script fails. |
| -Log | Causes the installer to write a log file at %TEMP%\EvoSecureLogin_install.log or %TEMP%\EvoLDAPSAgent_install.log. |
When installing the credential provider or LDAPS agent, the script downloads the most recent MSI package in zip format from the website, verifies the checksum, unzips the file, runs the installer from the MSI file, and then deletes the MSI file.
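The download, verify, unzip, install and cleanup sequence described above, written as an added PowerShell example (this is not the vendor's EvoInstall.ps1 code). It fails closed: if the SHA-256 of the downloaded zip does not match the expected value, nothing is extracted or executed. The package URL, the expected checksum and the log path are placeholders (assumptions, not values from this page); substitute the values the vendor publishes.

```powershell
$ErrorActionPreference = 'Stop'

function Install-VerifiedMsiPackage {
    param(
        [Parameter(Mandatory)] [string] $ZipUrl,          # placeholder: vendor package URL
        [Parameter(Mandatory)] [string] $ExpectedSha256,  # placeholder: checksum published by the vendor
        [string] $LogPath                                 # optional msiexec log file
    )

    # Private working directory so partial downloads never collide with other runs
    $work = Join-Path $env:TEMP ('evo-install-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $work | Out-Null
    $zip = Join-Path $work 'package.zip'

    try {
        # 1. Download the zip package
        Invoke-WebRequest -Uri $ZipUrl -OutFile $zip -UseBasicParsing

        # 2. Verify the checksum BEFORE anything is extracted or executed
        $actual = (Get-FileHash -Path $zip -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
            throw "Checksum mismatch for $ZipUrl (expected $ExpectedSha256, got $actual); refusing to install."
        }

        # 3. Unzip and locate the MSI inside the archive
        Expand-Archive -Path $zip -DestinationPath $work -Force
        $msi = Get-ChildItem -Path $work -Filter '*.msi' -Recurse | Select-Object -First 1
        if (-not $msi) { throw "No MSI found inside $zip" }

        # 4. Run the installer silently; optionally keep a verbose msiexec log
        $msiArgs = @('/i', "`"$($msi.FullName)`"", '/qn')
        if ($LogPath) { $msiArgs += @('/l*v', "`"$LogPath`"") }
        $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
        # 0 = success, 3010 = success but a reboot is required
        if ($proc.ExitCode -notin @(0, 3010)) {
            throw "msiexec failed with exit code $($proc.ExitCode)"
        }
        return $proc.ExitCode
    }
    finally {
        # 5. Remove the downloaded package and extracted files regardless of outcome
        Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Usage (placeholder values):
# Install-VerifiedMsiPackage -ZipUrl 'https://example.invalid/EvoSecureLoginSetup.zip' `
#     -ExpectedSha256 '<SHA256 published by the vendor>' `
#     -LogPath (Join-Path $env:TEMP 'EvoSecureLogin_install.log')
```

Run it from an elevated shell; msiexec with /qn does not prompt for elevation, so a non-elevated run simply fails with a non-zero exit code, which the function surfaces as an error.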
Credential Provider
The latest version of the Evo Credential Provider can be installed with a single invocation of the script:

```powershell
EvoInstall.ps1 -json "c:\path\to\config.json" -product credpro
```

The most important argument is the JSON configuration file, which has the form:
```json
{
  "EnvironmentUrl": "https://acmecorp.evosecurity.com",
  "EvoDirectory": "acmecorp",
  "CredentialMode": "SecureAndElevatedLogin",
  "FailSafeUser": "wileyc",
  "AccessToken": "Your access token",
  "ApiKey": "abc123ECPSECRET",
  "MFATimeOut": 0,
  "OnlyEvoLoginCredential": true
}
```
| Parameter | Description |
|---|---|
| EnvironmentUrl | URL registered for the MSP under which they manage all their clients. It starts with "https://" and ends with ".evosecurity.com" (no trailing slash). |
| EvoDirectory | The Evo directory for an MSP client. This can be an on-premise LDAP client, an Evo Cloud directory, or an Azure AD directory. |
| CredentialMode | One of SecureAndElevatedLogin, SecureLogin, or ElevatedLogin. Most clients use SecureAndElevatedLogin, which allows both Secure Logins (regular MFA login) and Elevated Logins (MFA to an elevated session). SecureLogin permits only regular MFA logins, and ElevatedLogin only performs MFA to an elevated session. |
| FailSafeUser | The name of an account for which the system does not perform MFA logins but accepts a regular Windows login. |
| ApiKey | For elevated logins, this parameter is required to decrypt the credentials. |
| MFATimeOut | An integer between 0 and 1440 (minutes) during which a locked workstation can be unlocked with only the username and password, without requiring MFA. |
| OnlyEvoLoginCredential | A boolean, either true or false (no quotes). True limits the workstation to the Evo Credential Provider for logins. False allows logins through other credential providers. Usually you will want to set this to true to secure workstations. |
LDAPS Agent
The latest version of the LDAPS Agent can be installed with the following command:

```powershell
EvoInstall.ps1 -json "c:\path\to\config.json" -product ldapagent
```

Some parameters of the JSON config file are shared with the credential provider and others are specific to the agent. The file has the form:
```json
{
  "EnvironmentUrl": "https://acmecorp.evosecurity.com",
  "EvoDirectory": "acmecorp",
  "AccessToken": "ABC123",
  "ApiKey": "abc123LDAPSECRET",
  "SyncSecurityGroup": ""
}
```
| Parameter | Description |
|---|---|
| EnvironmentUrl | URL registered for the MSP under which they manage all their clients. It starts with "https://" and ends with ".evosecurity.com" (no trailing slash). |
| EvoDirectory | The Evo directory for an MSP client. This can be an on-premise LDAP client, an Evo Cloud directory, or an Azure AD directory. |
| AccessToken | The access token supplied by Evo. The token is valid for 24 hours; typically it rotates every 3 hours. |
| ApiKey | A key used for encoding credentials. THIS KEY IS DIFFERENT FROM THE ONE FOR THE CREDENTIAL PROVIDER. |
| SyncSecurityGroup | The AD security group from which LDAP users are synced. It can be empty or omitted altogether, in which case all AD users are synced. Very often customers create a dedicated AD group and add only the users they wish to sync to this group. |
Optional JSON Config File Parameter
In addition to the JSON parameters listed above for the credential provider and LDAPS agent, an optional parameter can be specified to use a specific MSI file instead of the latest one from the website.

```json
{
  ... other parameters
  "MSIPath": "\\\\companyshare\\packages\\evo\\EvoLDAPSAgentSetup.msi"
}
```

| Parameter | Description |
|---|---|
| MSIPath | Windows path to an MSI or ZIP file. It can have the form c:\path\to\some.msi or use a share like \\companyshare\path\to\some.msi. Remember that in JSON the \ character must be escaped as \\. |
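A pre-deployment check for the configuration file, added here as an example and not part of EvoInstall.ps1. It covers the credential provider table, the LDAPS agent table and the optional MSIPath parameter above: it parses the JSON, verifies the EnvironmentUrl shape, the allowed CredentialMode values, the MFATimeOut range, that OnlyEvoLoginCredential is a real JSON boolean rather than the string "true", and that MSIPath (when present) exists and points at an .msi or .zip. The function name and the regular expression for the URL are the example's own assumptions.

```powershell
$ErrorActionPreference = 'Stop'

function Test-EvoInstallConfig {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [ValidateSet('credpro', 'ldapagent')] [string] $Product
    )
    $problems = New-Object System.Collections.Generic.List[string]
    # ConvertFrom-Json throws on malformed JSON, e.g. an unescaped backslash in MSIPath
    $cfg = Get-Content -Path $Path -Raw | ConvertFrom-Json

    # Parameters common to both products must be present and non-empty
    foreach ($name in 'EnvironmentUrl', 'EvoDirectory', 'AccessToken', 'ApiKey') {
        if (-not $cfg.PSObject.Properties[$name] -or [string]::IsNullOrWhiteSpace($cfg.$name)) {
            $problems.Add("$name is missing or empty")
        }
    }
    # https://, an evosecurity.com host, no trailing slash
    $url = [string]$cfg.EnvironmentUrl
    if ($url -and $url -notmatch '^https://[A-Za-z0-9.-]+\.evosecurity\.com$') {
        $problems.Add("EnvironmentUrl must start with https://, end with .evosecurity.com and have no trailing slash: '$url'")
    }

    if ($Product -eq 'credpro') {
        if ($cfg.CredentialMode -notin @('SecureAndElevatedLogin', 'SecureLogin', 'ElevatedLogin')) {
            $problems.Add('CredentialMode must be SecureAndElevatedLogin, SecureLogin or ElevatedLogin')
        }
        if ([string]::IsNullOrWhiteSpace($cfg.FailSafeUser)) { $problems.Add('FailSafeUser is missing') }

        # MFATimeOut: unquoted integer minutes in 0..1440 (a quoted "30" parses as a string)
        $t = $cfg.MFATimeOut
        if ($t -isnot [int] -and $t -isnot [long]) { $problems.Add('MFATimeOut must be an unquoted integer') }
        elseif ($t -lt 0 -or $t -gt 1440)          { $problems.Add('MFATimeOut must be between 0 and 1440') }

        # OnlyEvoLoginCredential: JSON boolean, not the string "true"
        if ($cfg.OnlyEvoLoginCredential -isnot [bool]) {
            $problems.Add('OnlyEvoLoginCredential must be the JSON boolean true or false (no quotes)')
        }
        elseif (-not $cfg.OnlyEvoLoginCredential) {
            Write-Warning 'OnlyEvoLoginCredential is false: other credential providers remain usable on this workstation'
        }
    }
    else {
        # SyncSecurityGroup is optional; empty or absent means every AD user is synced
        if ([string]::IsNullOrEmpty($cfg.SyncSecurityGroup)) {
            Write-Warning 'SyncSecurityGroup is empty or absent: all AD users will be synced'
        }
    }

    # Optional MSIPath: must be an .msi or .zip that is reachable from this host
    if ($cfg.PSObject.Properties['MSIPath']) {
        $p = [string]$cfg.MSIPath
        if ($p -notmatch '\.(msi|zip)$')            { $problems.Add("MSIPath must point to an .msi or .zip file: '$p'") }
        elseif (-not (Test-Path -LiteralPath $p))   { $problems.Add("MSIPath does not exist or is not reachable: '$p'") }
    }
    return $problems
}

# Usage: an empty list means the file passed every check
# $issues = Test-EvoInstallConfig -Path 'c:\path\to\config.json' -Product credpro
# if ($issues.Count) { $issues | ForEach-Object { Write-Error $_ } }
```

Generating the file from PowerShell sidesteps the backslash-escaping pitfall entirely: build a hashtable with a plain Windows path such as `\\companyshare\packages\evo\EvoLDAPSAgentSetup.msi` and pipe it through ConvertTo-Json, which emits the doubled backslashes for you.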
Upgrading
The script can upgrade the credential provider or the LDAPS agent to the most current version. The user only has to provide the -upgrade option on the command line.

To upgrade the credential provider, use the following command:

```powershell
EvoInstall.ps1 -upgrade -product credpro
```

To upgrade the LDAPS agent, use the following command:

```powershell
EvoInstall.ps1 -upgrade -product ldapagent
```

See the installation section for the optional arguments -Interactive and -Log.
Removing
The script can remove an installation of the credential provider or LDAPS agent.

To remove the credential provider, use the following command:

```powershell
EvoInstall.ps1 -remove -product credpro
```

To remove the LDAPS agent, use the following command:

```powershell
EvoInstall.ps1 -remove -product ldapagent
```

See the installation section for the optional arguments -Interactive and -Log. Note that with the -Log option the log file is named *_remove.log instead of *_install.log.
Check the Currently Installed Version
The script can report the currently installed version of the credential provider or LDAPS agent.

To report the current version of the credential provider, use the following command:

```powershell
EvoInstall.ps1 -check -product credpro
```

To report the current version of the LDAPS agent, use the following command:

```powershell
EvoInstall.ps1 -check -product ldapagent
```
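An independent cross-check of what -check reports, added here as an example and not part of EvoInstall.ps1: it reads the product entries that Windows Installer registered under the Uninstall keys, which is useful after an upgrade or removal and for fleet-wide version inventory. The assumption (a placeholder, not from this page) is that the products' DisplayName values start with "Evo"; adjust the pattern to the names shown in Programs and Features.

```powershell
function Get-EvoInstalledProduct {
    param([string] $DisplayNamePattern = 'Evo*')   # assumed pattern, adjust as needed

    # Both native and 32-bit (WOW6432Node) views, so an MSI of either bitness is found
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $DisplayNamePattern } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate,
            @{ Name = 'ProductCode'; Expression = { $_.PSChildName } }
}

# List what Windows Installer has registered; compare DisplayVersion with the -check output.
# An empty result after -remove confirms the uninstall completed.
Get-EvoInstalledProduct | Format-Table -AutoSize
```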