Difference between revisions of "FOG Client"
|  (→Security Design) | |||
| (160 intermediate revisions by 5 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | This article applies to the new FOG Client, version 0.10+ | |
| − | + | == The Different Installers == | |
| − | + | The different installers are located in your FOG server's web interface. The link is always at the very bottom of every page, even if you're not logged into the fog server. | |
| − | + | [[File:Fog client link.png]] | |
| − | + | [[File:New FOGClient download link.png]] | |
| − | <pre>UPDATE hosts SET hostPubKey="", hostSecToken="", hostSecTime="0000-00-00 00:00:00";</pre> | + | '''FOGService.msi''' - Windows only, and is ideal for network deployment. | 
| + | |||
| + | '''SmartInstaller.exe''' - This is the new default installer. It will work on all platforms. | ||
| + | |||
| + | '''Debugger.exe''' - This is not listed in the web interface but is available from github [https://github.com/FOGProject/fog-client/releases here]. Only use this when the above two are not working. This build has more detailed logs that you can use for troubleshooting or a bug report. | ||
| + | |||
| + | == Installing - Windows == | ||
| + | |||
| + | '''Prerequisites''' | ||
| + | * .NET Framework version 4.0+ (Note: .NET 4 client profile will NOT work) | ||
| + | You can download the framework from here:  | ||
| + | |||
| + | [https://www.microsoft.com/en-us/download/details.aspx?id=40779 Microsoft .NET Framework 4.5.1 (Offline Installer) for Windows Vista SP2, Windows 7 SP1, Windows 8, Windows Server 2008 SP2 Windows Server 2008 R2 SP1 and Windows Server 2012] | ||
| + | |||
| + | Windows 10 comes with a version of .Net that will work. | ||
| + | |||
| + | '''Installation''' | ||
| + | * May use SmartInstaller or msi. Simply download either one of them and run. | ||
| + | * Reboot to complete installation. | ||
| + | |||
| + | '''Windows Limitations''' | ||
| + | * CUPS printers are not yet supported | ||
| + | |||
| + | == Installing - Linux == | ||
| + | |||
| + | '''Prerequisites''' | ||
| + | * Mono (latest stable build) | ||
| + | * xprintidle - This dependency is optional. If not installed AutoLogOut will not run. xprintidle basically just returns the idle time of an x window, therefore on a system without a GUI it is not needed and should not be installed. It should be available in standard package managers.  E.G. apt-get, yum, or dnf | ||
| + | |||
| + | === Installing Mono === | ||
| + | |||
| + | Many distributions come with an out of date version of mono in their package manager. Therefore, do not attempt to install via your package manager without the below modifications or take a look at the instructions found on their website: https://www.mono-project.com/download/stable/#download-lin-centos | ||
| + | |||
| + | '''Debian:''' | ||
| + | <pre> | ||
| + | sudo apt install apt-transport-https dirmngr gnupg ca-certificates | ||
| + | sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF | ||
| + | echo "deb https://download.mono-project.com/repo/debian stable-buster main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list | ||
| + | sudo apt update | ||
| + | sudo apt install mono-complete | ||
| + | </pre> | ||
| + | |||
| + | '''Ubuntu pre 22.04:''' | ||
| + | <pre> | ||
| + | sudo apt install gnupg ca-certificates | ||
| + | sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF | ||
| + | echo "deb https://download.mono-project.com/repo/ubuntu stable-bionic main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list | ||
| + | sudo apt update | ||
| + | sudo apt install mono-complete | ||
| + | </pre> | ||
| + | |||
| + | '''Ubuntu 22.04 and later:''' | ||
| + | <pre> | ||
| + | sudo apt update | ||
| + | sudo apt install nuget | ||
| + | sudo apt install mono-complete | ||
| + | sudo apt install apt-transport-https | ||
| + | </pre> | ||
| + | |||
| + | '''CentOS''' | ||
| + | <pre> | ||
| + | rpmkeys --import "http://pool.sks-keyservers.net/pks/lookup?op=get&search=0x3fa7e0328081bff6a14da29aa6a19b38d3d831ef" | ||
| + | su -c 'curl https://download.mono-project.com/repo/centos8-stable.repo | tee /etc/yum.repos.d/mono-centos8-stable.repo' | ||
| + | yum install mono-complete | ||
| + | </pre> | ||
| + | |||
| + | '''openSUSE and SLES''' | ||
| + | |||
| + | You can install mono using SUSE One-Click files: [http://download.mono-project.com/repo/mono-complete.ymp http://download.mono-project.com/repo/mono-complete.ymp] | ||
| + | |||
| + | '''others''' | ||
| + | |||
| + | The FOG Client can be installed on any platform that can run the latest stable build of mono. To install: | ||
| + | |||
| + | * Check your package manager for <font color="red">mono-complete</font>. After installing it run <font color="red">mono --version</font>. Ensure the version is at least 4.2._ . If it not, remove the package. | ||
| + | * If your package manager had an old version of mono, see [http://www.mono-project.com/docs/compiling-mono/linux/ here] for how to compile mono | ||
| + | |||
| + | If your system either has systemd or initd the client will be automatically configured to run on startup. If your system does not have either, you will need to configure your system to run the manual start command below on startup. | ||
| + | |||
| + | To manually start and stop the service: | ||
| + | |||
| + | <pre> | ||
| + | sudo /opt/fog-service/control.sh start | ||
| + | </pre> | ||
| + | <pre> | ||
| + | sudo /opt/fog-service/control.sh stop | ||
| + | </pre> | ||
| + | |||
| + | === Installing fog-client SmartInstaller === | ||
| + | |||
| + | * Download SmartInstaller.exe from your FOG server and run the installer with mono. | ||
| + | ** <font color="red">sudo mono SmartInstaller.exe</font> | ||
| + | * The client will install to /opt/fog-service , and fog.log will be located at /opt/fog-service/fog.log | ||
| + | |||
| + | The service is automatically configured to run on startup. To manually start and stop the service: | ||
| + | |||
| + | <pre> | ||
| + | sudo systemctl start FOGService | ||
| + | </pre> | ||
| + | <pre> | ||
| + | sudo systemctl stop FOGService | ||
| + | </pre> | ||
| + | |||
| + | To uninstall: | ||
| + | |||
| + | <pre> | ||
| + | sudo systemctl stop FOGService | ||
| + | sudo mono SmartInstaller.exe uninstall | ||
| + | </pre> | ||
| + | |||
| + | === Linux Limitations === | ||
| + | * The FOG Tray is currently incompatible on linux systems. Regardless of what you set during installation, it will not run. | ||
| + | * The following modules / features are not yet supported | ||
| + | ** Active Directory joining | ||
| + | ** PrinterManager | ||
| + | |||
| + | == Installing - OSX == | ||
| + | |||
| + | '''Prerequisites''' | ||
| + | * Mono (latest stable build) | ||
| + | |||
| + | '''Installing Mono''' | ||
| + | * If you are running El Capitan, navigate to [http://www.mono-project.com/download/#download-mac http://www.mono-project.com/download/#download-mac] and download <font color=”red”>Mono Universal Installer</font>  | ||
| + | * Otherwise, navigate to [http://www.mono-project.com/download/#download-mac http://www.mono-project.com/download/#download-mac] and download <font color=”red”>Mono 32-bit</font>  | ||
| + | |||
| + | '''Installation''' | ||
| + | * Download SmartInstaller.exe from your FOG server and run the installer with mono. | ||
| + | ** <font color="red">sudo mono SmartInstaller.exe</font> | ||
| + | * The client will install to /opt/fog-service , and fog.log will be located at /opt/fog-service/fog.log | ||
| + | * Reboot the system to complete the installation. | ||
| + | |||
| + | The service is automatically configured to run on startup. To manually start and stop the service: | ||
| + | |||
| + | <pre> | ||
| + | sudo launchctl load -w /Library/LaunchDaemons/org.freeghost.daemon.plist | ||
| + | </pre> | ||
| + | <pre> | ||
| + | sudo launchctl unload -w /Library/LaunchDaemons/org.freeghost.daemon.plist | ||
| + | </pre> | ||
| + | |||
| + | To uninstall: | ||
| + | |||
| + | <pre> | ||
| + | sudo launchctl unload -w /Library/LaunchDaemons/org.freeghost.daemon.plist | ||
| + | sudo mono SmartInstaller.exe uninstall | ||
| + | </pre> | ||
| + | |||
| + | '''OSX Limitations''' | ||
| + | * The follow modules / features are not yet supported | ||
| + | ** PrinterManager | ||
| + | |||
| + | '''Logging''' | ||
| + | |||
| + | You can find the client log file in /opt/fog-service/fog.log | ||
| + | |||
| + | == Additional Details == | ||
| + | |||
| + | === Features overview === | ||
| + | |||
| + | |||
| + | The purpose of the FOG Client is multi-fold. | ||
| + | |||
| + | The client allows the host to automatically: | ||
| + | * Auto logout -- Enables auto logout of users if inactive for specified period of time.  5 minute's is the minimum time as all others are way too soon, sometimes people may just be on a phone, or had to step out for a bathroom break. | ||
| + | |||
| + | * Client Updater -- (Only on legacy clients) Allows the client to update it's modules if you had to customize things, or found a more recent build was needed for your environment. | ||
| + | |||
| + | * Directory Cleaner -- (Only on legacy clients -- Only worked with Windows XP) Enables the client to remove directories on the host automatically.  It lost operation after Windows XP due to UAC controls and better security mechanisms especially needed.  Removed completely from the New client. | ||
| + | |||
| + | * Display Manager --  Enables the client to adjust the resolution of the system on a per system basis, or global basis. | ||
| + | |||
| + | * Power Management -- Allows you to specify a shutdown, WOL, or restart on a per-host basis. Format for the scheduling is CRON, and can be done on an individual host or through groups. There is no limit to the number of scheduled power tasks. | ||
| + | |||
| + | * Host Registration -- Registers additional mac addresses to a pre-existing host if registered.  The New client will also register the host under a pending status if the host is not already registered. | ||
| + | |||
| + | * Hostname Changer -- Changes the hostname and joins the domain automatically. | ||
| + | |||
| + | * Printer Manager -- Manages Printers for the host.  Legacy client only added printer or added/removed printers.  The No management for both new and legacy simply does nothing.  Will remove all printers under Add/Remove type and only add back the printers as needed (Only Assigned Printers).  Under Add Only (now FOG Managed Printers) only manages printers that are listed under the printer's GUI and those that are assigned to that host.  In legacy client, it only added printers and never removed.  Under the new client, it will ONLY manage printers assigned meaning if you remove a printer from a host, the new client will remove that printer. | ||
| + | |||
| + | * Snapins -- Allows you to install programs or run scripts on the host similar to GPO or PDQDeploy. | ||
| + | |||
| + | * Task Reboot -- This will just check if the client is in a tasking (other than a snapin tasking).  If it is in a tasking, and the module is enabled, the host will be told to reboot.  There is a third portion though in that if the user is logged in, and enforce is not enabled nothing will happen. | ||
| + | |||
| + | * User Cleanup -- (Legacy clients only and again only on Windows XP).  Works similar to Directory Cleanup but the entries you make are "safe" user profiles.  If the user is not under this listing, it will be deleted.  Will not work with the new client, and even legacy clients will not work on anything beyond Windows XP due to UAC and Interactive Service utilities. | ||
| + | |||
| + | * User Tracker -- Just tracks who logs in/out of a client. | ||
| + | |||
| + | === Polling Behavior === | ||
| + | |||
| + | The new FOG Client found in FOG 1.3.0 and the Legacy FOG Client both rely on polling to get instructions. This means the FOG Client will regularly check with the specified FOG Server for settings and tasks. The New FOG Client's polling frequency can be adjusted in the FOG Web interface, by going to <font color="red">FOG Configuration -> FOG Settings -> FOG Client -> FOG_CLIENT_CHECKIN_TIME</font>. The minimum value is 30 seconds, anything specified lower than this will result in the FOG Client using 30 second polling intervals. | ||
| + | |||
| + | The checkin-time is not rigid. There is an automatic and random staggering that is added to the checkin time. This prevents a large number of FOG Clients checking in at once in the event that all computers are started at the same time via WOL tasks. | ||
| + | |||
| + | The frequency of the checkin-time determines how quickly the FOG Client will receive instructions from the FOG Server. If an image deployment is scheduled for a computer that is turned on, with a checkin-time of 60 seconds, means the FOG Client may begin initiating the task anywhere from 0 to 60 seconds + the random staggering time that is added. This same concept would apply to immediate power management tasks, snapin tasks, capture tasks, and so on. Scheduled tasks are not affected by this behavior, and if the target system is on when the scheduled task is to be ran, this will happen on time. | ||
| + | |||
| + | === Security Design === | ||
| + | |||
| + | Communications between the FOG Client (0.9.9+) and the FOG Server (1.3.0+) are secured using public key infrastructure. | ||
| + | |||
| + | A Certificate Authority and private key is generated on the FOG server during first installation in this location: | ||
| + | |||
| + | <pre>/opt/fog/snapins/ssl</pre> | ||
| + | |||
| + | The public certificate is generally located here: | ||
| + | <pre>/var/www/html/fog/management/other/ssl</pre> | ||
| + | |||
| + | The client installs your servers’ certificate and the FOG Project certificate. | ||
| + | |||
| + | The “FOG Project” CA (made by the FOG Project) serves two purposes: | ||
| + | |||
| + | *SYSTEM level services need to be digitally signed otherwise windows will throw security errors. This can also be used to ensure no tampering was done with the client files | ||
| + | |||
| + | *That certificate is used to “verify” upgrades. Lets say we release a patch for the client, the client will download the MSI from your server and check if it was signed by us. If the MSI was somehow tampered, the digital signature would no longer be valid. | ||
| + | |||
| + | Using HTTP over HTTPS has no security benefit to the client. Why? Because all traffic is already encrypted. Here’s a very basic overview of how the new client communicates | ||
| + | |||
| + | *Each client has a security token. This is used to prove to the server that the client is the actual host and not an impersonator. This token gets cycled constantly. When the client first makes contact, it encrypts its token and a proposed AES 256 key using RSA 4096 using your server’s public key. This public key is verified against the pinned server CA certificate by checking the x509 chain and fingerprints. | ||
| + | |||
| + | *If the server accepts the security token and the new AES key, all traffic from that point on is AES 256 encrypted using that securely transmitted key. | ||
| + | |||
| + | The whole point of our security model is to allow for secure communication over insecure medians. | ||
| + | Even then, the client installation has an HTTPS option, but it serves no real security benefit. | ||
| + | |||
| + | References:  | ||
| + | |||
| + | [https://forums.fogproject.org/topic/6325/invalid-security-token-without-any-security-tokens-being-set-also-ca-ssl-security-concerns/6 CA SSL security concerns] | ||
| + | |||
| + | [https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning Certificate and Public Key Pinning] | ||
| + | |||
| + | [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Certificate_and_Public_Key_Pinning Transport_Layer_Protection_Cheat_Sheet] | ||
| + | |||
| + | ==== Reset encryption data ==== | ||
| + | |||
| + | This pertains to the new fog client available in FOG 1.3.0 and above, and does not apply to the legacy fog client that was available in 1.2.0 and below. | ||
| + | |||
| + | The "Reset encryption data" button can be found in an individual host's "General" area. You may also find this button in Groups "General" area. The “Reset encryption data” is mainly doing one thing: Clearing the security token for a host or group of hosts. | ||
| + | |||
| + | Each host has a security token used by the client. This token is private; only the client knows it and is protected. It is used to prove the identity of the host, ensuring no one ‘fakes’ being a certain host. So when you 'Reset Encryption Data", you are essentially telling the server that the first host to say that they are the host in question gets ‘locked’ in (pinned is the technical term). | ||
| + | |||
| + | In order to have encrypted traffic, the handshake must occur. During the handshake the server proves its identity to the client, and the client proves its identity to the server (using the security token). If the handshake fails (due to a bad security token), encryption cannot occur. | ||
| + | |||
| + | The most common scenario where the security tokens for a client will be incorrect is if you manually uninstall a client, and then install it. | ||
| + | |||
| + | If your Web interface is functional, you may place all computers into a group, and use the group to reset encryption on all hosts by simply clicking the "Reset encryption" button on the group's basic page. If you're web interface isn't working correctly and you need to manually reset the encryption for all hosts, you may follow the below steps. | ||
| + | |||
| + | <pre> | ||
| + | mysql | ||
| + | use fog | ||
| + | UPDATE hosts SET hostPubKey="", hostSecToken="", hostSecTime="0000-00-00 00:00:00"; | ||
| + | </pre> | ||
| + | |||
| + | === Maintain Control Of Hosts When Building New Server === | ||
| + | |||
| + | Related Article: [[Migrate FOG]] | ||
| + | |||
| + | This section only applies if your hosts have the new FOG client installed. The new FOG Client has been available in FOG since FOG 1.3.0. | ||
| + | |||
| + | Because of the security model of FOG 1.3.0 and the new client, without the proper CA and ssl certificates present on a new fog server, any currently deployed hosts with the new fog client installed will ignore the new server and not accept commands from it. This is by design. | ||
| + | |||
| + | In order to maintain control of existing hosts with existing new fog client deployments, you must copy this directory from the old server to the new server: | ||
| + | |||
| + | * <font color="red">/opt/fog/snapins/ssl</font> | ||
| + | |||
| + | Copy the directory to a temporary location first. I would suggest <font color="red">/root</font> | ||
| + | |||
| + | <pre>cp -R /opt/fog/snapins/ssl /root</pre> | ||
| + | |||
| + | Then you can use scp to copy the directory (or some other method) to your new fog server. Run the below command from the '''old''' server, Where x.x.x.x is the new fog server's address: | ||
| + | |||
| + | <pre>scp -rp /opt/fog/snapins/ssl root@x.x.x.x:/root</pre> | ||
| + | |||
| + | Or, the reverse. Run the below command from the '''new''' server, where x.x.x.x is the old fog server's address. | ||
| + | |||
| + | <pre>scp -rp root@x.x.x.x:/opt/fog/snapins/ssl /root</pre> | ||
| + | |||
| + | Next, install fog. After the installation is complete, delete the ssl folder the installer made, and place your old ssl (from /root that you copied) in there. The ownership should be fogproject:apache on Red-Hat variants, should be fogproject:www-data on Debian variants. <font color="red">IMPORTANT:</font> Then '''re-run the installer.''' Instructions for the folder manipulation are below, assuming you followed the above instructions. On the '''new''' server: | ||
| + | |||
| + | <pre> | ||
| + | rm -rf /opt/fog/snapins/ssl | ||
| + | cp -R /root/ssl /opt/fog/snapins/ssl | ||
| + | chown -R fogproject:apache /opt/fog/snapins/ssl  #or fogproject:www-data for ubuntu and debian | ||
| + | </pre> | ||
| + | |||
| + | If you do not care about maintaining control of existing hosts with existing new fog client deployments (because there is only 1 or 2), you can recreate your CA with the -C argument during installation:  | ||
| + | |||
| + | <pre>./installfog.sh -C</pre> | ||
| + | |||
| + | <font color="red">Note:</font> Recreating the CA (<font color="red">--recreate-CA</font> or <font color="red"> -C</font>) is '''very strongly advised against''' if you have many clients deployed already, because it resets the identity of the FOG Server. This causes all fog clients to distrust the server, and will require total reinstallation of all fog clients in an environment. However, you may recreate the keys (<font color="red">--recreate-keys</font>) safely and be able to still control the fog clients. | ||
| + | |||
| + | === FOG Client 0.10.0+ Installation Options === | ||
| + | |||
| + | ==== Smart Installer ==== | ||
| + | |||
| + | SmartInstaller Switches | ||
| + | |||
| + | All switches with <font color="red">--{OPTION}</font> can also be used as <font color="red">/{OPTION}</font> | ||
| + | |||
| + | * <font color="red">--server=</font> Specify the server address. Default is fogserver | ||
| + | * <font color="red">--webroot=</font> Specify the webroot. Default is /fog | ||
| + | * <font color="red">-h</font> or <font color="red">-https</font> Use https for server communication | ||
| + | * <font color="red">-r</font> or <font color="red">-rootlog</font> Put fog.log in the root of the filesystem | ||
| + | * <font color="red">-s</font> or <font color="red">--start</font> Automatically start the service after installation. Linux only | ||
| + | * <font color="red">-t</font> or <font color="red">--tray</font> Enabled the FOG Tray and notifications - Windows and OSX only. | ||
| + | * <font color="red">-u</font> or <font color="red">--uninstall</font> Uninstall the client | ||
| + | * <font color="red">--upgrade</font> Upgrade the client | ||
| + | * <font color="red">-l=</font> or <font color="red">--log=</font> Specify where to put the SmartInstaller log | ||
| + | |||
| + | Reference: [https://news.fogproject.org/fog-client-v0-11-0-released-2/ https://news.fogproject.org/fog-client-v0-11-0-released-2/] | ||
| + | |||
| + | ==== MSI Switches ==== | ||
| + | |||
| + | <font color="red">msiexec /i FOGService.msi /quiet USETRAY="0" HTTPS="0" WEBADDRESS="192.168.1.X" WEBROOT="/fog" ROOTLOG="0"</font> | ||
| + | |||
| + | Firstly, all options are optional. Here’s what they all do: | ||
| + | |||
| + | * <font color="red">USETRAY=</font> defaults to <font color="red">"1"</font>, if <font color="red">"0"</font> the tray will be hidden | ||
| + | |||
| + | * <font color="red">HTTPS=</font> defaults to <font color="red">"0"</font>, if <font color="red">"1"</font> the client will use HTTPS (not recommended) | ||
| + | |||
| + | * <font color="red">WEBADDRESS=</font> defaults to <font color="red">"fogserver"</font>, this is the ip/dns name of your server | ||
| + | |||
| + | * <font color="red">WEBROOT=</font> defaults to <font color="red">"/fog"</font> | ||
| + | |||
| + | * <font color="red">ROOTLOG=</font> defaults to <font color="red">"0"</font>, if <font color="red">"1"</font> the fog.log will be at C:\fog.log, otherwise %PROGRAMFILES%\FOG\fog.log | ||
| + | |||
| + | Reference: [https://forums.fogproject.org/topic/6222/msi-silent-install-without-tray-icon/2 https://forums.fogproject.org/topic/6222/msi-silent-install-without-tray-icon/2] | ||
| + | |||
| + | === FOG Client with Sysprep === | ||
| + | |||
| + | If you plan to use Sysprep before image capture and are also planning to use the FOG Client, You '''must''' disable the <font color="red">FOGService</font> service from running at boot before you Sysprep to take your image, and then re-enable it within your <font color="red">SetupComplete.cmd</font> file so that it is re-enabled '''after''' the image deployment is complete. | ||
| + | |||
| + | Failing to do so will break the Sysprep post-deployment process with an error message that says "Windows Setup could not configure Windows to run on this computer’s hardware.” | ||
| + | |||
| + | * Disable FOGService: <font color="red">Windows Control Pannel -> View by Small Icons -> Administrative Tools -> Services -> Right click FOGService -> Properties -> Startup Type -> Disabled</font> | ||
| + | |||
| + | * Re-enable FOGService post-imaging: | ||
| + | |||
| + | Create the below file. | ||
| + | |||
| + | <font color="red">C:\Windows\Setup\scripts\SetupComplete.cmd</font> | ||
| + | |||
| + | Place these lines within the file, and then save. | ||
| + | |||
| + | <pre>sc config FOGService start= delayed-auto | ||
| + | shutdown -t 0 -r</pre> | ||
| + | |||
| + | As the filename indicates, the script is called by windows after an image is deployed and post-sysprep operations are complete. It will re-enable the FOGService and then reboot the computer gracefully. After the computer reboots, the FOGService will start automatically and rename the computer if necessary, reboot if necessary, join the domain and reboot if necessary, and then perform any associated snapins. | ||
| + | |||
| + | <font color="red">Note:</font> SetupComplete.cmd will not automatically run on OEM versions of windows, but will automatically run on Non-OEM versions of Windows. If you're using an OEM copy, you can use firstlogoncommands in unattend.xml to call SetupComplete.cmd | ||
| + | |||
| + | |||
| + | An example of the firstlogincommands might be: | ||
| + | <pre><component name=“Microsoft-Windows-Shell-Setup” processorArchitecture=“amd64” publicKeyToken=“31bf3856ad364e35” language=“neutral” versionScope=“nonSxS” xmlns:wcm=“http://schemas.microsoft.com/WMIConfig/2002/State” xmlns:xsi=“http://www.w3.org/2001/XMLSchema-instance”> | ||
| + | <FirstLogonCommands> | ||
| + | <SynchronousCommand wcm:action=“add”> | ||
| + | <Description>SetupComplete</Description> | ||
| + | <Order>1</Order> | ||
| + | <CommandLine>C:\Windows\Setup\Scripts\SetupComplete.cmd</CommandLine> | ||
| + | <RequiresUserInput>false</RequiresUserInput> | ||
| + | </SynchronousCommand> | ||
| + | </FirstLogonCommands></pre> | ||
| + | |||
| + | === More Information === | ||
| + | |||
| + | More information about the fog client can be found here: [https://github.com/FOGProject/fog-client https://github.com/FOGProject/fog-client] | ||
Latest revision as of 23:26, 6 February 2025
This article applies to the new FOG Client, version 0.10+
Contents
The Different Installers
The different installers are located in your FOG server's web interface. The link is always at the very bottom of every page, even if you're not logged into the fog server.
FOGService.msi - Windows only, and is ideal for network deployment.
SmartInstaller.exe - This is the new default installer. It will work on all platforms.
Debugger.exe - This is not listed in the web interface but is available from github here. Only use this when the above two are not working. This build has more detailed logs that you can use for troubleshooting or a bug report.
Installing - Windows
Prerequisites
- .NET Framework version 4.0+ (Note: .NET 4 client profile will NOT work)
You can download the framework from here:
Windows 10 comes with a version of .Net that will work.
Installation
- May use SmartInstaller or msi. Simply download either one of them and run.
- Reboot to complete installation.
Windows Limitations
- CUPS printers are not yet supported
Installing - Linux
Prerequisites
- Mono (latest stable build)
- xprintidle - This dependency is optional. If not installed AutoLogOut will not run. xprintidle basically just returns the idle time of an x window, therefore on a system without a GUI it is not needed and should not be installed. It should be available in standard package managers. E.G. apt-get, yum, or dnf
Installing Mono
Many distributions come with an out of date version of mono in their package manager. Therefore, do not attempt to install via your package manager without the below modifications or take a look at the instructions found on their website: https://www.mono-project.com/download/stable/#download-lin-centos
Debian:
sudo apt install apt-transport-https dirmngr gnupg ca-certificates sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF echo "deb https://download.mono-project.com/repo/debian stable-buster main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list sudo apt update sudo apt install mono-complete
Ubuntu pre 22.04:
sudo apt install gnupg ca-certificates sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF echo "deb https://download.mono-project.com/repo/ubuntu stable-bionic main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list sudo apt update sudo apt install mono-complete
Ubuntu 22.04 and later:
sudo apt update sudo apt install nuget sudo apt install mono-complete sudo apt install apt-transport-https
CentOS
rpmkeys --import "http://pool.sks-keyservers.net/pks/lookup?op=get&search=0x3fa7e0328081bff6a14da29aa6a19b38d3d831ef" su -c 'curl https://download.mono-project.com/repo/centos8-stable.repo | tee /etc/yum.repos.d/mono-centos8-stable.repo' yum install mono-complete
openSUSE and SLES
You can install mono using SUSE One-Click files: http://download.mono-project.com/repo/mono-complete.ymp
others
The FOG Client can be installed on any platform that can run the latest stable build of mono. To install:
- Check your package manager for mono-complete. After installing it run mono --version. Ensure the version is at least 4.2._ . If it not, remove the package.
- If your package manager had an old version of mono, see here for how to compile mono
If your system either has systemd or initd the client will be automatically configured to run on startup. If your system does not have either, you will need to configure your system to run the manual start command below on startup.
To manually start and stop the service:
sudo /opt/fog-service/control.sh start
sudo /opt/fog-service/control.sh stop
Installing fog-client SmartInstaller
-  Download SmartInstaller.exe from your FOG server and run the installer with mono.
- sudo mono SmartInstaller.exe
 
- The client will install to /opt/fog-service , and fog.log will be located at /opt/fog-service/fog.log
The service is automatically configured to run on startup. To manually start and stop the service:
sudo systemctl start FOGService
sudo systemctl stop FOGService
To uninstall:
sudo systemctl stop FOGService sudo mono SmartInstaller.exe uninstall
Linux Limitations
- The FOG Tray is currently incompatible on linux systems. Regardless of what you set during installation, it will not run.
-  The following modules / features are not yet supported
- Active Directory joining
- PrinterManager
 
Installing - OSX
Prerequisites
- Mono (latest stable build)
Installing Mono
- If you are running El Capitan, navigate to http://www.mono-project.com/download/#download-mac and download Mono Universal Installer
- Otherwise, navigate to http://www.mono-project.com/download/#download-mac and download Mono 32-bit
Installation
-  Download SmartInstaller.exe from your FOG server and run the installer with mono.
- sudo mono SmartInstaller.exe
 
- The client will install to /opt/fog-service , and fog.log will be located at /opt/fog-service/fog.log
- Reboot the system to complete the installation.
The service is automatically configured to run on startup. To manually start and stop the service:
sudo launchctl load -w /Library/LaunchDaemons/org.freeghost.daemon.plist
sudo launchctl unload -w /Library/LaunchDaemons/org.freeghost.daemon.plist
To uninstall:
sudo launchctl unload -w /Library/LaunchDaemons/org.freeghost.daemon.plist sudo mono SmartInstaller.exe uninstall
OSX Limitations
-  The follow modules / features are not yet supported
- PrinterManager
 
Logging
You can find the client log file in /opt/fog-service/fog.log
Additional Details
Features overview
The purpose of the FOG Client is multi-fold.
The client allows the host to automatically:
- Auto logout -- Enables auto logout of users if inactive for specified period of time. 5 minute's is the minimum time as all others are way too soon, sometimes people may just be on a phone, or had to step out for a bathroom break.
- Client Updater -- (Only on legacy clients) Allows the client to update it's modules if you had to customize things, or found a more recent build was needed for your environment.
- Directory Cleaner -- (Only on legacy clients -- Only worked with Windows XP) Enables the client to remove directories on the host automatically. It lost operation after Windows XP due to UAC controls and better security mechanisms especially needed. Removed completely from the New client.
- Display Manager -- Enables the client to adjust the resolution of the system on a per system basis, or global basis.
- Power Management -- Allows you to specify a shutdown, WOL, or restart on a per-host basis. Format for the scheduling is CRON, and can be done on an individual host or through groups. There is no limit to the number of scheduled power tasks.
- Host Registration -- Registers additional mac addresses to a pre-existing host if registered. The New client will also register the host under a pending status if the host is not already registered.
- Hostname Changer -- Changes the hostname and joins the domain automatically.
- Printer Manager -- Manages Printers for the host. Legacy client only added printer or added/removed printers. The No management for both new and legacy simply does nothing. Will remove all printers under Add/Remove type and only add back the printers as needed (Only Assigned Printers). Under Add Only (now FOG Managed Printers) only manages printers that are listed under the printer's GUI and those that are assigned to that host. In legacy client, it only added printers and never removed. Under the new client, it will ONLY manage printers assigned meaning if you remove a printer from a host, the new client will remove that printer.
- Snapins -- Allows you to install programs or run scripts on the host similar to GPO or PDQDeploy.
- Task Reboot -- This will just check if the client is in a tasking (other than a snapin tasking). If it is in a tasking, and the module is enabled, the host will be told to reboot. There is a third portion though in that if the user is logged in, and enforce is not enabled nothing will happen.
- User Cleanup -- (Legacy clients only and again only on Windows XP). Works similar to Directory Cleanup but the entries you make are "safe" user profiles. If the user is not under this listing, it will be deleted. Will not work with the new client, and even legacy clients will not work on anything beyond Windows XP due to UAC and Interactive Service utilities.
- User Tracker -- Just tracks who logs in/out of a client.
Polling Behavior
The new FOG Client found in FOG 1.3.0 and the Legacy FOG Client both rely on polling to get instructions. This means the FOG Client will regularly check with the specified FOG Server for settings and tasks. The New FOG Client's polling frequency can be adjusted in the FOG Web interface, by going to FOG Configuration -> FOG Settings -> FOG Client -> FOG_CLIENT_CHECKIN_TIME. The minimum value is 30 seconds, anything specified lower than this will result in the FOG Client using 30 second polling intervals.
The checkin-time is not rigid. There is an automatic and random staggering that is added to the checkin time. This prevents a large number of FOG Clients checking in at once in the event that all computers are started at the same time via WOL tasks.
The frequency of the checkin-time determines how quickly the FOG Client will receive instructions from the FOG Server. If an image deployment is scheduled for a computer that is turned on, with a checkin-time of 60 seconds, means the FOG Client may begin initiating the task anywhere from 0 to 60 seconds + the random staggering time that is added. This same concept would apply to immediate power management tasks, snapin tasks, capture tasks, and so on. Scheduled tasks are not affected by this behavior, and if the target system is on when the scheduled task is to be ran, this will happen on time.
Security Design
Communications between the FOG Client (0.9.9+) and the FOG Server (1.3.0+) are secured using public key infrastructure.
A Certificate Authority and private key is generated on the FOG server during first installation in this location:
/opt/fog/snapins/ssl
The public certificate is generally located here:
/var/www/html/fog/management/other/ssl
The client installs your servers’ certificate and the FOG Project certificate.
The “FOG Project” CA (made by the FOG Project) serves two purposes:
- SYSTEM level services need to be digitally signed otherwise windows will throw security errors. This can also be used to ensure no tampering was done with the client files
- That certificate is used to “verify” upgrades. Lets say we release a patch for the client, the client will download the MSI from your server and check if it was signed by us. If the MSI was somehow tampered, the digital signature would no longer be valid.
Using HTTP over HTTPS has no security benefit to the client. Why? Because all traffic is already encrypted. Here’s a very basic overview of how the new client communicates
- Each client has a security token. This is used to prove to the server that the client is the actual host and not an impersonator. This token gets cycled constantly. When the client first makes contact, it encrypts its token and a proposed AES 256 key using RSA 4096 using your server’s public key. This public key is verified against the pinned server CA certificate by checking the x509 chain and fingerprints.
- If the server accepts the security token and the new AES key, all traffic from that point on is AES 256 encrypted using that securely transmitted key.
The whole point of our security model is to allow for secure communication over insecure medians. Even then, the client installation has an HTTPS option, but it serves no real security benefit.
References:
Certificate and Public Key Pinning
Transport_Layer_Protection_Cheat_Sheet
Reset encryption data
This pertains to the new fog client available in FOG 1.3.0 and above, and does not apply to the legacy fog client that was available in 1.2.0 and below.
The "Reset encryption data" button can be found in an individual host's "General" area. You may also find this button in Groups "General" area. The “Reset encryption data” is mainly doing one thing: Clearing the security token for a host or group of hosts.
Each host has a security token used by the client. This token is private; only the client knows it and is protected. It is used to prove the identity of the host, ensuring no one ‘fakes’ being a certain host. So when you 'Reset Encryption Data", you are essentially telling the server that the first host to say that they are the host in question gets ‘locked’ in (pinned is the technical term).
In order to have encrypted traffic, the handshake must occur. During the handshake the server proves its identity to the client, and the client proves its identity to the server (using the security token). If the handshake fails (due to a bad security token), encryption cannot occur.
The most common scenario where the security tokens for a client will be incorrect is if you manually uninstall a client, and then install it.
If your Web interface is functional, you may place all computers into a group, and use the group to reset encryption on all hosts by simply clicking the "Reset encryption" button on the group's basic page. If you're web interface isn't working correctly and you need to manually reset the encryption for all hosts, you may follow the below steps.
mysql use fog UPDATE hosts SET hostPubKey="", hostSecToken="", hostSecTime="0000-00-00 00:00:00";
Maintain Control Of Hosts When Building New Server
Related Article: Migrate FOG
This section only applies if your hosts have the new FOG client installed. The new FOG Client has been available in FOG since FOG 1.3.0.
Because of the security model of FOG 1.3.0 and the new client, without the proper CA and ssl certificates present on a new fog server, any currently deployed hosts with the new fog client installed will ignore the new server and not accept commands from it. This is by design.
In order to maintain control of existing hosts with existing new fog client deployments, you must copy this directory from the old server to the new server:
- /opt/fog/snapins/ssl
Copy the directory to a temporary location first. I would suggest /root
cp -R /opt/fog/snapins/ssl /root
Then you can use scp to copy the directory (or some other method) to your new fog server. Run the below command from the old server, Where x.x.x.x is the new fog server's address:
scp -rp /opt/fog/snapins/ssl root@x.x.x.x:/root
Or, the reverse. Run the below command from the new server, where x.x.x.x is the old fog server's address.
scp -rp root@x.x.x.x:/opt/fog/snapins/ssl /root
Next, install fog. After the installation is complete, delete the ssl folder the installer made, and place your old ssl (from /root that you copied) in there. The ownership should be fogproject:apache on Red-Hat variants, should be fogproject:www-data on Debian variants. IMPORTANT: Then re-run the installer. Instructions for the folder manipulation are below, assuming you followed the above instructions. On the new server:
rm -rf /opt/fog/snapins/ssl cp -R /root/ssl /opt/fog/snapins/ssl chown -R fogproject:apache /opt/fog/snapins/ssl #or fogproject:www-data for ubuntu and debian
If you do not care about maintaining control of existing hosts with existing new fog client deployments (because there is only 1 or 2), you can recreate your CA with the -C argument during installation:
./installfog.sh -C
Note: Recreating the CA (--recreate-CA or -C) is very strongly advised against if you have many clients deployed already, because it resets the identity of the FOG Server. This causes all fog clients to distrust the server, and will require total reinstallation of all fog clients in an environment. However, you may recreate the keys (--recreate-keys) safely and be able to still control the fog clients.
FOG Client 0.10.0+ Installation Options
Smart Installer
SmartInstaller Switches
All switches with --{OPTION} can also be used as /{OPTION}
- --server= Specify the server address. Default is fogserver
- --webroot= Specify the webroot. Default is /fog
- -h or -https Use https for server communication
- -r or -rootlog Put fog.log in the root of the filesystem
- -s or --start Automatically start the service after installation. Linux only
- -t or --tray Enabled the FOG Tray and notifications - Windows and OSX only.
- -u or --uninstall Uninstall the client
- --upgrade Upgrade the client
- -l= or --log= Specify where to put the SmartInstaller log
Reference: https://news.fogproject.org/fog-client-v0-11-0-released-2/
MSI Switches
msiexec /i FOGService.msi /quiet USETRAY="0" HTTPS="0" WEBADDRESS="192.168.1.X" WEBROOT="/fog" ROOTLOG="0"
Firstly, all options are optional. Here’s what they all do:
- USETRAY= defaults to "1", if "0" the tray will be hidden
- HTTPS= defaults to "0", if "1" the client will use HTTPS (not recommended)
- WEBADDRESS= defaults to "fogserver", this is the ip/dns name of your server
- WEBROOT= defaults to "/fog"
- ROOTLOG= defaults to "0", if "1" the fog.log will be at C:\fog.log, otherwise %PROGRAMFILES%\FOG\fog.log
Reference: https://forums.fogproject.org/topic/6222/msi-silent-install-without-tray-icon/2
FOG Client with Sysprep
If you plan to use Sysprep before image capture and are also planning to use the FOG Client, You must disable the FOGService service from running at boot before you Sysprep to take your image, and then re-enable it within your SetupComplete.cmd file so that it is re-enabled after the image deployment is complete.
Failing to do so will break the Sysprep post-deployment process with an error message that says "Windows Setup could not configure Windows to run on this computer’s hardware.”
- Disable FOGService: Windows Control Pannel -> View by Small Icons -> Administrative Tools -> Services -> Right click FOGService -> Properties -> Startup Type -> Disabled
- Re-enable FOGService post-imaging:
Create the below file.
C:\Windows\Setup\scripts\SetupComplete.cmd
Place these lines within the file, and then save.
sc config FOGService start= delayed-auto shutdown -t 0 -r
As the filename indicates, the script is called by windows after an image is deployed and post-sysprep operations are complete. It will re-enable the FOGService and then reboot the computer gracefully. After the computer reboots, the FOGService will start automatically and rename the computer if necessary, reboot if necessary, join the domain and reboot if necessary, and then perform any associated snapins.
Note: SetupComplete.cmd will not automatically run on OEM versions of windows, but will automatically run on Non-OEM versions of Windows. If you're using an OEM copy, you can use firstlogoncommands in unattend.xml to call SetupComplete.cmd
An example of the firstlogincommands might be:
<component name=“Microsoft-Windows-Shell-Setup” processorArchitecture=“amd64” publicKeyToken=“31bf3856ad364e35” language=“neutral” versionScope=“nonSxS” xmlns:wcm=“http://schemas.microsoft.com/WMIConfig/2002/State” xmlns:xsi=“http://www.w3.org/2001/XMLSchema-instance”> <FirstLogonCommands> <SynchronousCommand wcm:action=“add”> <Description>SetupComplete</Description> <Order>1</Order> <CommandLine>C:\Windows\Setup\Scripts\SetupComplete.cmd</CommandLine> <RequiresUserInput>false</RequiresUserInput> </SynchronousCommand> </FirstLogonCommands>
More Information
More information about the fog client can be found here: https://github.com/FOGProject/fog-client


