While we recommend using the Movere Console to deliver Movere Bots to targeted Windows endpoints, Movere supports individual manual placement (direct copy to) and bulk placement (copy to multiple endpoints via management tools such as Microsoft System Center Configuration Manager). Preparing the Movere Bots for deployment outside of the Movere Console requires several manual steps, which are detailed below.
Configuring the Movere Bots to run without using the Movere Console to deploy them:
- The Movere Console must already be installed on at least one Windows device to gain access to the Movere Bots,
- A Magic Word needs to have been set and at least one set of credentials (Windows, SQL, Linux, etc.) provided via the Manage Credentials tab,
- The Movere Console must NOT be running, and the Movere Service must NOT be installed as a Windows Service. If it has been installed, the service titled Movere.Service can be stopped and deleted from an admin command prompt using the commands:
- C:\> sc stop Movere.Service
- C:\> sc delete Movere.Service
Failure to stop and remove an existing Movere Service will cause all Bots deployed, either individually or via a bulk deployment platform, to fail.
NOTE: The Movere Service can also be removed by uninstalling then reinstalling the Movere Console.
If you are planning to run both Inventory and ARC scans, the ARC scan must be configured first. To configure the ARC scan, follow these steps:
- Open the Movere Console and enter your Magic Word.
- On the main tab, select the Windows Devices and Windows ARC check-boxes:
- On the ‘ARC’ tab, set the desired ARC scan duration and frequency:
- Close the Movere Console.
You can manually confirm that the ARC module has been enabled by reviewing the Bot2/Bot4 config files in the Bot2/Bot4 folders located in the directory the Movere Console is installed in.
Config file location (NOTE: There are two, Bot2 and Bot4):
Value in the Bot2 and Bot4 config files to review to confirm the ARC module has been enabled:
If the ArcEnabled flag is set to “true”, then the ARC module has been enabled. If it is set to “false”, it can be manually set to “true”, but we recommend against manually editing the config files: the ARC interval and duration will also need to be set manually, and any errors made will cause the scan to fail. By using the Movere Console to enable the ARC module, all values will be set correctly.
The ARC interval and duration can be confirmed by reviewing the Arc2/Arc4 config files in the Arc2/Arc4 folders, also located in the directory where the Console is installed.
Config file location (NOTE: There are two, Arc2 and Arc4):
Value in the Arc2 and Arc4 config files to review to confirm the ARC interval and duration:
NOTE: If you intend to collect ARC data from SQL, then you will need to manually set the “CollectSql” value above to “true” (refer to row 12 in the screenshot above).
The fully qualified name and IP address(es) of the device the Movere Console is running/listening on should also be reviewed. The ServiceHostUrl value in the Arc2 and Arc4 config files contains these values (refer below):
If the ServiceHostUrl value has not been changed from the default (https://localhost), then no scans have been run from this Movere Console installation. You can set the ServiceHostUrl manually or by running a local scan (e.g. localhost). After this scan has been completed, verify that the ServiceHostUrl value has been updated with the correct values.
Running the Movere Bots without using the Movere Console to deploy them:
Open the Movere.Service.exe.config file using a text editor (e.g. Notepad). This file resides within the folder where the Console is installed:
Set the “MaximumDevices” value to a number higher than the number of devices you intend to scan. The default is 1,000, but this can be set to any number required:
This setting acts as a limiter on the number of security tokens the Movere Console will release and must be higher than the number of devices you plan to scan. No further security tokens will be released from that Movere Console installation once this number has been reached. If this does occur, then stop the current scan, increase this value, then start a new scan.
If the default value is altered, then the Movere.Service.exe.config file must be saved. If the text editor prohibits the file from being saved to the same location, save it to an alternative location (e.g. Desktop), then manually move it back into the folder housing the Movere Console. You will be asked to replace the existing file, which confirms that you are placing it in the correct location.
In the same configuration file, set a unique PassPhrase. In the screenshot below we’re using ‘Movere.1’, but you will set this to a PassPhrase of your choosing:
In addition to the Movere Service config, the PassPhrase must also be manually added to the Bot2 and Bot4 config files:
The PassPhrase is the key item required to deploy and start Movere Bots when distributing them outside of the Movere Console. The Bots use this value to securely establish the initial connection to the Movere Console. If this value is missing or the PassPhrase provided to the Bots does not match the one provided to the Movere Console, then the scan(s) will fail.
Once the PassPhrase has been set, create a folder (e.g. “Local”) that will house the binaries to be delivered to each targeted Windows endpoint using a delivery vehicle other than the Movere Console. Copy the following files into this folder:
- The exe file in the FrameworkVerifier folder located in the directory where the Console is installed,
- The Arc2/Arc4 folders after reviewing and confirming the ARC interval/duration and ServiceHostUrl values are both set and accurate,
- The Bot2/Bot4 folders after adding the PassPhrase to the Bot2/Bot4 config files and confirming that the ArcEnabled value is set to “true”; and
- The txt file (optional). If the Token.txt file is included in the local package, then each targeted endpoint will attempt to upload its payload to Movere directly (bypassing the Movere Console) via port 443 outbound on each device being scanned. If this port is unavailable, then the Bots will send their payload(s) to the Movere Console for upload. If you only want the targeted endpoints sending their payload(s) back to the Movere Console, then do not include the Token.txt file in the local package.
The local package to be delivered to each targeted endpoint should look like this:
Once the local package has been created, install and start the Movere service on the Console device.
Important: Installing the Movere service must be done only after adding the PassPhrase to the Movere.Service.exe.config file. The easiest way to install and start the Movere service (once the PassPhrase is in place) is to run a local scan (e.g. localhost):
After this scan has completed, the Movere service will automatically install and start:
Once the Movere service has been installed and started, copy or distribute the local package created above to the target endpoint(s) and start the FrameworkVerifier.exe file using the following command:
In the above example consolehost.domain.com is the fully qualified name of the device the Movere Console service is running/listening on.
The FrameworkVerifier will start the appropriate Bot (Bot2 or Bot4), which in turn will contact the Movere Console device listening on port 443 using the PassPhrase specified in the Bot's config file. If the PassPhrases match, a Token2.txt file will appear within the local folder deployed to the targeted endpoint(s). Once this occurs, the scan will begin. The encrypted payload will then be sent back to the Movere Console for upload to Movere.
If the Token.txt file is included in the local package, then the endpoint will attempt to upload its payload directly to Movere in the cloud from the target endpoint(s) via port 443. If the targeted endpoint(s) cannot reach the Internet, then they will send their payload(s) to the Movere Console for upload. If all communications with Movere are to occur via the Movere Console, do not include the Token.txt file in the local package.
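The checks described above (matching PassPhrase in the service and Bot2/Bot4 configs, ArcEnabled, a non-default ServiceHostUrl, MaximumDevices, and whether Token.txt is in the package) can be run as one pre-flight script before the local package is distributed. This is an added example, not a Movere tool. It assumes the settings are stored as .NET appSettings entries (`<add key="..." value="..."/>`) and that each Bot/Arc folder holds one `*.config` file; the parameter and function names are hypothetical.

```powershell
# Added example: pre-flight check of a Movere local package before distribution.
# ASSUMPTIONS (not from the Movere documentation): settings are .NET appSettings
# entries (<add key="..." value="..."/>) and each Bot/Arc folder in the package
# holds one *.config file. Adjust Get-Setting if your files are laid out differently.
param(
    [Parameter(Mandatory)] [string] $ConsoleDir,  # folder where the Movere Console is installed
    [Parameter(Mandatory)] [string] $PackageDir,  # the local package folder (e.g. "Local")
    [int] $DeviceCount = 0                        # number of endpoints you plan to scan
)

function Get-Setting([string] $File, [string] $Key) {
    $node = ([xml](Get-Content -LiteralPath $File -Raw)).SelectSingleNode("//add[@key='$Key']")
    if ($null -ne $node) { $node.GetAttribute('value') }
}
function Get-FolderConfig([string] $Folder) {
    Get-ChildItem -LiteralPath (Join-Path $PackageDir $Folder) -Filter *.config -ErrorAction SilentlyContinue |
        Select-Object -First 1 -ExpandProperty FullName
}

$findings  = @()
$svcConfig = Join-Path $ConsoleDir 'Movere.Service.exe.config'
if (-not (Test-Path -LiteralPath $svcConfig)) { throw "Service config not found: $svcConfig" }
$svcPass   = Get-Setting $svcConfig 'PassPhrase'
$maxDev    = [int](Get-Setting $svcConfig 'MaximumDevices')

if ([string]::IsNullOrWhiteSpace($svcPass)) { $findings += 'Service config: PassPhrase is not set' }
if ($svcPass -ceq 'Movere.1') { $findings += 'Service config: PassPhrase is the documentation sample value' }
if ($maxDev -le $DeviceCount) { $findings += "Service config: MaximumDevices ($maxDev) must exceed $DeviceCount" }

foreach ($bot in 'Bot2', 'Bot4') {
    $cfg = Get-FolderConfig $bot
    if (-not $cfg) { $findings += "[$bot] no config file in package"; continue }
    # Case-sensitive comparison: treat any difference as a mismatch.
    if ((Get-Setting $cfg 'PassPhrase') -cne $svcPass) { $findings += "[$bot] PassPhrase does not match the service config" }
    if ((Get-Setting $cfg 'ArcEnabled') -ne 'true')    { $findings += "[$bot] ArcEnabled is not true" }
}
foreach ($arc in 'Arc2', 'Arc4') {
    $cfg = Get-FolderConfig $arc
    if (-not $cfg) { $findings += "[$arc] no config file in package"; continue }
    $url = Get-Setting $cfg 'ServiceHostUrl'
    if (-not $url -or $url -like 'https://localhost*') { $findings += "[$arc] ServiceHostUrl is unset or still the default" }
}

if (Test-Path -LiteralPath (Join-Path $PackageDir 'Token.txt')) {
    Write-Warning 'Token.txt is in the package: endpoints will try direct upload on outbound 443 first.'
}
$findings | ForEach-Object { Write-Warning $_ }
if ($findings) { exit 1 } else { Write-Output 'Package checks passed.' }
```

Because the PassPhrase sits in plain text in every copy of the Bot2/Bot4 config files, the script reports only whether it matches and never prints the value.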