Movere requires installation of a Movere Console (“Console”) before scanning can begin. The Movere Installer (“Installer”) can be downloaded by logging into your Movere tenant and then clicking on the Console icon, which looks like a command prompt, in the top right-hand corner:
This will download a ~2MB executable titled ‘Movere.Installer.exe’. While the Installer can be downloaded by any user with a valid Movere login (customer or partner), the Console itself can only be installed by a customer tenant user with the ‘Write’ claim within the Movere tenant that the Console is downloaded from:
Once downloaded, copy the Installer to the Windows device(s) you want to run the Console from. There is no limit on the number of Consoles that can be installed.
We recommend creating a dedicated service account for Movere to use AND using that account to log into the Windows device(s) the Console will be installed on, as the permissions required to open the Console will be set automatically as part of the installation process.
To begin the installation, right click on the installer and select ‘Run as administrator’:
On the ‘Notice and Acceptance’ popup you will find links to the terms and conditions governing the use of Movere. Once these items have been reviewed and approved, check the ‘I Accept’ checkbox to proceed. The ‘OK’ button will remain greyed out until the ‘I Accept’ box has been checked:
Once the ‘Notice and Acceptance’ terms are accepted, the Installer wizard will appear. On the ‘Welcome’ tab, click ‘Next’:
NOTE: If the Installer wizard generates an error when clicking ‘Next’ or hangs without progressing to the ‘Log On’ tab, refer to the Troubleshooting section below.
On the ‘Log On’ tab, enter your username and password to authenticate with the Movere cloud. Each Console is customer specific, i.e. one customer cannot use a different customer’s Console, because the installation installs a set of certificates that are pinned to the Console device and unique to that customer. REMINDER: Only customer tenant users with the ‘Write’ scope can successfully authenticate. If your username and password are valid and TCP port 443 outbound is available, then you will see a ‘Logon Successful’ message after clicking on the Authenticate button:
The installation path defaults to the Documents folder in the user’s profile, but this location can be configured as required, e.g. c:\Movere\Console. The user permissions required to run the Console will be set automatically on the selected destination directory:
IMPORTANT: We recommend installing Movere to the default location C:\Users\user\Documents to ensure the user account installing Movere has full rights and access to the Movere folder. Installing to a different drive or folder can result in restricted access for the user account, which can impact the capture and uploading of payloads.
Once installation is complete, Movere will confirm that the certificate created during the installation process has been successfully installed:
The certificate Movere creates during the installation process includes both the fully qualified domain name of the Windows device the Movere Console is installed on, as well as ALL active IP addresses detected on the device. The IP address(es) detected will be listed in the Subject Alternative Name field. There is no longer a need to disable IP addresses before or after installing the Movere Console. The Movere bots will be able to communicate across all of them, i.e. the user will no longer be required to tell the Console which one to use:
NOTE: The IP address(es) MUST be IPv4; Movere does not currently support IPv6 addresses as Subject Alternative Names.
During the installation, Movere will attempt to connect to the Internet over port 443 outbound via a TLS 1.2 connection. For installation to be successful, port 443 must be open and available on the device. If port 443 is blocked, restricted, or in use by another application, installation will fail. Similarly, if TLS 1.2 is not supported on the device, installation will fail.
To test connectivity prior to installation, open a browser and navigate to https://geo.movere.io/ip. If successful, the browser should display the IP address of the machine:
If an IP address does not appear, or a connection error occurs, then check that port 443 is open and available on the device and that TLS 1.2 is supported. The Microsoft PSPING tool can be used to confirm that port 443 is open. Refer to step 6 below for further details on using PSPING.
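The two failure causes named above (port 443 blocked, TLS 1.2 unavailable) can be told apart with a short script. This is an added example, not part of the Movere tooling; the function name is hypothetical, and the two hosts are the ones mentioned on this page, so substitute the API host for your tenant's region.

```powershell
# Added example: separates "port 443 unreachable" from "TLS 1.2 handshake failed".
function Test-MovereEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{ Host = $HostName; TcpOpen = $false; Tls12 = $false; Detail = '' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Step 1: plain TCP connect, the same thing psping measures.
        $task = $client.ConnectAsync($HostName, $Port)
        if (-not $task.Wait($TimeoutMs)) { throw "TCP connect timed out after $TimeoutMs ms" }
        $result.TcpOpen = $true

        # Step 2: offer TLS 1.2 only. The server certificate is still validated;
        # revocation checking is off so a blocked CRL endpoint does not mask the result.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            $result.Tls12  = ($ssl.SslProtocol -eq [System.Security.Authentication.SslProtocols]::Tls12)
            $result.Detail = "Negotiated $($ssl.SslProtocol)"
        }
        finally { $ssl.Dispose() }
    }
    catch {
        # TcpOpen = True with Tls12 = False points at TLS support or TLS inspection,
        # not at a closed port.
        $result.Detail = $_.Exception.GetBaseException().Message
    }
    finally { $client.Close() }
    [pscustomobject]$result
}

# Hosts taken from this page; replace the second with your region's URL.
'geo.movere.io', 'we-toolapi.movere.io' |
    ForEach-Object { Test-MovereEndpoint -HostName $_ } |
    Format-Table -AutoSize
```

The socket connects directly and ignores any system proxy, so the result can differ from the browser test when a proxy is in use.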
Please also ensure all relevant Movere URLs are whitelisted. When connecting to the cloud, the Installer attempts to resolve the Movere URLs specific to the region housing the customer’s tenant. The full list of Movere URLs per region can be found here, and the region housing the customer tenant can be identified from the Stats tab:
If the Installer successfully connects to the cloud but fails to authenticate, please check that the credentials used are for a customer tenant user with the ‘Write’ scope.
IMPORTANT: Microsoft users as well as users registered to a partner tenant cannot be granted a ‘Write’ scope and thus cannot use their credentials to authenticate during installation or to upload payloads to Movere.
If the Installer wizard generates an error when clicking ‘Next’ or hangs without progressing to the ‘Log On’ tab, it is possible that a network setting or firewall is preventing installation. To test this, follow these steps:
- Open a browser and navigate to https://geo.movere.io/ip.
- Check for any proxy or firewall settings that would block connection to Movere’s URLs or that would restrict traffic to and from the internet over port 443.
- Check for an antivirus or security software that would block or restrict installation or port 443.
- Check port 443 inbound rules on the device to ensure Movere is correctly whitelisted.
- Check for any Group Policies that could prevent installation by the user or on the device.
- Use the Microsoft PSPING utility to test connectivity on port 443 to the Movere Console URL specific to the region housing the tenant, e.g. psping we-toolapi.movere.io:443. This test will confirm if the device the Console is being installed on can communicate with Movere.
- Attempt installation on a secondary device, such as a workstation, on the same network as the original device. If successful, this indicates there is a device setting or policy specific to the original device that is blocking installation of Movere.
- Attempt installation on a secondary device, such as a workstation, on a different network from the original device. If successful, this indicates there is a network setting, firewall, or policy specific to the original network that is blocking installation of Movere.
If the Console can be installed on a secondary device (such as a workstation), it is possible to copy the Console to the original device while retaining all functionality by following these steps:
- Install the Console on the secondary device.
- Copy the ‘Movere’ folder from the secondary device to the same folder structure on the original device, i.e. C:\Users\<profilename>\Documents\Movere.
- Change the profilename value so that on the original device the path C:\Users\<profilename>\Documents\Movere contains a folder named ‘Console’.
- Run the following command from an admin command prompt against the ‘Movere’ folder to manually create the certificate with the required SAN entries on the original device:
Movere.Service -makecert -addsan:[NetworkInterface]
Where the NetworkInterface value is the Fully Qualified Domain Name or IP Address of the original device. This will create the certificates required for communication.
- Create a shortcut to the Movere Console executable on the original device by browsing to the Movere Console folder and right clicking the Console.WPF executable.
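After creating the certificate manually, it is worth confirming that its Subject Alternative Name field covers the device's FQDN and every active IPv4 address, as described for a normal installation. The following is an added example, not Movere's own tooling; the function name is hypothetical, and because this page does not state where the Console stores its certificate, the caller supplies the certificate object.

```powershell
# Added example: compares a certificate's SAN entries with this device's FQDN and IPv4 addresses.
function Test-ConsoleCertSan {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Expected SAN entries: the device FQDN plus every active (non-loopback) IPv4 address.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $ipv4 = @(Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.AddressState -eq 'Preferred' -and $_.IPAddress -ne '127.0.0.1' } |
        Select-Object -ExpandProperty IPAddress)

    # OID 2.5.29.17 identifies the Subject Alternative Name extension.
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $tokens = @()
    if ($sanExt) {
        # Format() labels ("DNS Name", "IP Address") are localized, so split them
        # away and compare on the values only.
        $tokens = $sanExt.Format($false) -split '[\s,=]+'
    }

    # One row per expected name; InSan = False marks an address the bots cannot use.
    foreach ($name in @($fqdn) + $ipv4) {
        [pscustomobject]@{
            Expected = $name
            InSan    = ($tokens -contains $name)
        }
    }
}

# Usage with a certificate exported to a file (the path is a placeholder):
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\to\exported.cer'
# Test-ConsoleCertSan -Certificate $cert | Format-Table -AutoSize
```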