Installing the Detection and Response agent

There is a single, unified installer for Endpoint Detection and Response, Managed Detection and Response, and Endpoint Protection. When the installer is downloaded from a Site in the Management Console, it automatically deploys only the agents and components required for the Endpoint Protection and Detection and Response products enabled for that Site.

Note: If you already have Endpoint Protection enabled and installed, no additional steps or downloads are required to install a Detection and Response product once it is enabled in the Management Console. The existing agent will automatically install the newly enabled product the next time it checks in to the console.

To install products with the unified installer:

  1. In the Management Console, go to the Sites List and choose a Site where you want to install the agent.

  2. Go to the Endpoint Protection tab. Ensure the appropriate Detection and Response product is enabled. For more information, see Enabling Detection and Response.

  3. Follow the on-screen instructions to download the installer and run it on your devices.

Once installation is complete, no additional steps are required.

Note: A system extension is installed with Mac Agent version 9.6.4 or later. This system extension is required for securely isolating a device from the network. See Isolating and unisolating a device. If you silently install the Mac Agent using mobile device management (MDM), see this knowledge base article for configuration file requirements that prevent content filter and system extension dialog boxes from appearing to your customers. If you silently uninstall the Mac Agent, the system extension remains on the device.

Note: To use Detection and Response products on an M-Series Mac device, you must have Rosetta installed.

With Endpoint Protection enabled, you can disable Detection and Response for devices within a Site by assigning a custom Endpoint Protection policy to those devices with the "Install EDR / MDR Agent" setting disabled. For devices with existing EDR or MDR installations, setting this policy to Off will remove all EDR and MDR components from the device.

Disable the "Install EDR / MDR Agent" setting:

  1. In the navigation pane, go to Manage > Policies.

  2. From the Endpoint Protection tab, select the Policy associated with devices that you do not want to install the EDR or MDR agent on.

    Note: By default, System Policies (excluding the Unmanaged Policy) will have Install EDR / MDR Agent set to On and cannot be edited.

  3. Scroll down to Policy Settings. In the EDR / MDR section, select Off beside Install EDR / MDR Agent.

  4. In the Policy Usage section, identify which systems will be affected.

  5. Click Save.