Summary

Prerequisites and dependencies that are common to all client features and modules of the 1E Client.

This section is part of the design phase of implementation.

Review Design Considerations first if you need to design and plan the deployment of 1E Client and the 1E solutions it supports in your organization.

1E Client contains client features and modules for Tachyon, Nomad, Shopping/WSA and WakeUp clients. You can optionally enable and configure clients during and after installation.

Installation account for Windows

The 1E Client installer installs a service that runs as Local System, so the installation account for Windows clients must be capable of being elevated in order to run the installer. The simplest way of achieving this is for the account to have full local administrator rights (as a member of the local Administrators group, either directly or indirectly).

Installation account for non-Windows

To install the 1E Client on a non-Windows client the installation account must have privileges to run the sudo command.

1E Client supports only Tachyon client features on non-Windows devices. 


Supported platforms

Category | Product | Notes

Windows OS
  • Windows Server 2019
  • Windows Server 2016
  • Windows 10 CB 21H1
  • Windows 10 CB 20H2
  • Windows 10 CB 2004
  • Windows 10 CB 1909
  • Windows 10 CB 1903
  • Windows 10 CB 1809
  • Windows 10 CB 1803
  • Windows 10 CB 1709
  • Windows 8.1

Professional and Enterprise editions of Windows 10 are supported.

The 1E Client for Windows zip is available for download from the 1E Support Portal.

All versions are provided with 32-bit and 64-bit installers, and can be installed on physical and virtual computers.

This list is automatically updated to show only those OS versions in mainstream support by Microsoft, and therefore supported by 1E, and by 1E Client 5.0. However the following OS continue to be supported as exceptions to help customers during their migration to the latest OS:

  • Windows Server 2012 R2
  • Windows 7 SP1

Please refer to Constraints of Legacy OS regarding end of mainstream support.

For Microsoft product lifecycle details, please refer to https://support.microsoft.com/en-us/lifecycle/search.

Please refer to https://1eportal.force.com/s/support-for-msft-rapid-release-cycle for details of which Current Branch versions are supported by 1E products, and known issues regarding specific versions.

For installation guidance on Windows, please refer to Deploying 1E Client on Windows.

The following 1E Client features and modules are supported on Windows OS:

  • Tachyon client
  • Shopping client
  • Shopping WSA (workstation OS only, not server OS)
  • WakeUp client
  • Nomad client

Runtime libraries

  • .NET Framework 4.8
  • .NET Framework 4.7.2
  • .NET Framework 4.7.1
  • .NET Framework 4.7
  • .NET Framework 4.6.2
  • .NET Framework 4.6.1
  • .NET Framework 4.6


One of these versions of .NET Framework is required, but only by the WSA executable in the Shopping module. It is not required by any other 1E Client features or modules.

This list is automatically updated to show only those .NET Framework versions in mainstream support by Microsoft, and therefore supported by 1E, and by 1E Client 5.0.

For Microsoft product lifecycle details, please refer to https://support.microsoft.com/en-us/lifecycle/search.

Other Windows Software

  • Visual C++ 2013 Redistributable
  • PowerShell 3.0 (or later)
  • Nomad 6.3.100 (or later)

1E Client installer includes the redistributable package for Visual C++ 2013.

PowerShell is not a prerequisite for installation of the 1E Client. PowerShell is used by some Tachyon instructions (that have PowerShell commands embedded or scripts that are downloaded) and some of these require PowerShell 3.0 or later.

1E Client provides Tachyon client features. It also includes the Nomad client module which replaces the legacy Nomad Branch client. Tachyon client features can optionally use Nomad to download content (feature enabled by default) if the Nomad client module in 1E Client is enabled (module disabled by default) or Nomad Branch 6.3.100 or later is running.

For more details please refer to Design Considerations: Downloading Tachyon client content and Nomad integration. 

Non-Windows OS

macOS

  • macOS Catalina 10.15
  • macOS Mojave 10.14
  • macOS High Sierra 10.13

Linux

  • CentOS 7
  • Red Hat Enterprise Linux 7.1
  • SUSE Linux Enterprise (SLES) 12
  • Ubuntu 14.04

Solaris

  • Solaris 11.3

1E Client supports only Tachyon features on non-Windows devices.

Other versions of these non-Windows OS should work but have not been tested by 1E.

The 1E Client for non-Windows zip is available for download from the 1E Support Portal, and includes 1E Client packages for the following architectures:

  • Linux variations on Intel 64-bit platforms
  • Solaris on Intel 64-bit and SPARC platforms

Also included in the download are 1E Client packages for the following legacy Linux distributions:

  • Fedora 21
  • openSUSE Leap 42.1

1E Client packages for other Linux distributions can be requested, including Raspbian for Raspberry Pi, and Debian.

For Solaris, the following specific libraries are required, but are usually installed by default:

  • libcurl
  • zlib

For installation guidance on the following OS, please refer to:

For installation guidance on other non-Windows OS, please contact 1E.

Mobile OS

Android

  • Android Pie 9.0
  • Android Oreo 8.1
  • Android Oreo 8.0

1E Client supports only Tachyon features on non-Windows devices.

Other versions of these mobile OS should work but have not been tested by 1E.

The 1E Client for Android zip is available for download from the 1E Support Portal, and includes 1E Client packages for the following architectures:

  • Android ARM


Other Non-Windows Software

  • Bash
  • Perl

Bash and Perl are required for installation of 1E Client on all non-Windows OS, with the exception of the 1E Client for Android which is available from the Google Play Store.

Tachyon instructions support the use of Bash scripts on all supported non-Windows OS.

To see if an Instruction requires a Bash script, look in its Instruction Definition XML file for Bash script resources defined under the <Resources> tag. Bash is the preferred choice when developing custom instructions for non-Windows OS.

There are slight differences between OS implementations of Bash, particularly on the Mac. Therefore 1E recommends testing custom Bash scripts on each supported OS.

Microsoft System Center Configuration Manager Client

  • SCCM CB 2103
  • SCCM CB 2010
  • SCCM CB 2006
  • SCCM CB 2002
  • SCCM CB 1910
  • SCCM CB 1906
  • SCCM CB 1902
  • SCCM CB 1810
  • SCCM CB 1806

The following client features work with these versions of Configuration Manager on Windows computers:

  • Nomad client - all Nomad features
  • Shopping client - N/A
  • Tachyon client - instructions used by Tachyon Configuration Manager Console extensions
  • WakeUp client - 1E WakeUp Policy Refresh and REFRESHONSUBNETCHANGE

Configuration Manager is not a prerequisite for installation of the 1E Client, and except for the above features, the 1E Client and its features and modules have no dependency on Configuration Manager.

Tachyon, Nomad, WakeUp and Application Migration have Configuration Manager Console extensions which are available separately.

This list is automatically updated to show only those Configuration Manager versions in mainstream support by Microsoft, and therefore supported by 1E, and by 1E Client 5.0.

For Microsoft product lifecycle details, please refer to https://support.microsoft.com/en-us/lifecycle/search.

Please refer to https://1eportal.force.com/s/support-for-msft-rapid-release-cycle for details of which Current Branch versions are supported by 1E products, and known issues regarding specific versions.

(Microsoft System Center Configuration Manager is also known as MECM, Configuration Manager, ConfigMgr, Config Man, CM, SCCM, and MEMCM, among other names. Version names include 2012 and Current Branch or CB.)

Feature dependencies

Products and Features with dependencies on the 1E Client.

Supported versions of 1E companion products with features that depend on 1E Client 5.0.

Products and features that depend on 1E Client | Supported versions of companion products

Tachyon

Tachyon requires the 1E Client (with Tachyon client features enabled) to be installed on all client computers. This replaces the legacy Tachyon Agent.

Tachyon client features:

  • Real-time response to instructions, which supports the retrieval of information using questions, and running actions
  • Device tags (freeform and coverage), Criticality and Location
  • Inventory, including process usage, to support:
    • the Tachyon Activity Record feature
    • the Inventory and other consumer applications (new in 4.2)
  • Policy feature to support the Guaranteed State application
  • Performance metric features to support the Experience application (new in 4.2)
  • Modules to support:
    • the Patch Success application
    • content distribution
    • command and script execution
    • device criticality
    • manipulation of registry, WMI, files and processes
    • security
    • software uninstallation.

Tachyon clients can optionally use the Nomad client module of 1E Client to more efficiently download content.

  • Tachyon 5.0
  • Tachyon 4.1

Shopping

Shopping requires the 1E Client (with Shopping client module enabled) to be installed on all client computers. This replaces the legacy Shopping Agent.

  • Shopping 6.0
  • Shopping 5.6
  • Shopping 5.5.200
  • Shopping 5.5.100
  • Shopping 5.5

Shopping

Windows Servicing Assistant (WSA) is an optional feature of Shopping that supports OS Deployment.

Please refer to Shopping 6.0 - Preparation: Windows Servicing Assistant (WSA) for WSA features in different versions of Tachyon Agent and 1E Client.

  • Nomad 7.0.100
  • Nomad 7.0
  • Nomad 6.3.201
  • Shopping 6.0
  • Shopping 5.6
  • Shopping 5.5.200
  • Shopping 5.5.100
  • Shopping 5.5

WakeUp

WakeUp requires the 1E Client (with WakeUp client module enabled) to be installed on all client computers, and WakeUp Servers. This replaces the WakeUp component of the 1E Agent.

  • WakeUp 7.3
  • WakeUp 7.2.500

Nomad

Nomad requires the 1E Client (with Nomad client module enabled) to be installed on all client computers, and on Distribution Points if Configuration Manager is used.

  • Nomad 7.0.100
  • Nomad 7.0

Nomad

Nomad Download Pause is an optional feature of Nomad. It requires the 1E Client (with Nomad client module enabled) to be installed on all client computers, and a Tachyon server infrastructure.

  • Tachyon 5.0
  • Tachyon 4.1
  • Tachyon 4.0
  • Tachyon 3.3
  • Nomad 7.0.100
  • Nomad 7.0
  • Nomad 6.3.201
  • Nomad 6.3.100

Supported versions of 1E companion products that 1E Client 5.0 features depend on.

Products and features that 1E Client depends on | Supported versions of companion products

Tachyon

Tachyon real-time and other features require a full Tachyon infrastructure including a Tachyon Server and a Tachyon license.

  • Tachyon 5.0
  • Tachyon 4.1

Nomad

Tachyon clients can optionally use Nomad (1E Client with Nomad client features enabled) to provide more efficient downloading of content. Alternatively use Nomad Branch 6.3 client if installed.

  • 1E Client 5.0 (with Nomad client module enabled)
  • Nomad 6.3 (legacy client)

Firewall ports

1E does not provide a combined diagram showing all components and features. Please refer to the communications reference page for each product:

Anti-Virus and Malware

1E log files should be excluded from scans in order to prevent potential file locking.

See Log files.

Digital signing certificates

On Windows computers, the installation MSIs, executables and DLLs of the 1E software are digitally signed by 1E using the 1E Limited SHA1 and SHA256 signature certificates.

These signing certificates are issued by the Symantec Class 3 SHA256 Code Signing CA, which in turn is issued by the root CA VeriSign Class 3 Public Primary Certification Authority - G5.

The SHA1 and SHA256 signature certificates are each countersigned with the same Timestamp signature certificate Starfield Timestamp Authority - G2, itself issued by Starfield Secure Certificate Authority - G2, in turn issued by the root CA Starfield Root Certificate Authority - G2.

The root CA certificates (for signing and countersigning) must exist in the Third-Party Root Certification Authorities store (which is replicated in the Trusted Root Certification Authorities store). These root CA certificates are normally automatically provided by Microsoft's Update Root Certificates feature, however for legacy OS computers in a lab environment that are not connected to the Internet, see Constraints of Legacy OS.

Constraints of Legacy OS

In this documentation, the following are referred to as legacy OS. Below are described some known issues for these OS.

1E does not provide support for 1E products on the following OS unless the OS is explicitly listed as being supported for a specific 1E product or product feature. This is because Microsoft has ended mainstream support for these OS or they are not significantly used by business organizations.

  • Windows XP *
  • Windows Vista
  • Windows 7
  • Windows 8.0
  • Windows 8.1
  • Windows Server 2003 *
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2

* 1E Client 8.1 and later will not install on Windows XP and Windows Server 2003. Please contact 1E if you intend to continue using any of the other legacy OS. If you experience an issue, then please try replicating the issue on a supported OS.

For Microsoft product lifecycle details, please refer to https://support.microsoft.com/en-us/lifecycle/search.

Microsoft legacy browsers

Support has been withdrawn for Internet Explorer 11 and legacy Microsoft Edge (non-Chromium version). 1E has taken this decision for new releases that are expected to remain in support by 1E beyond March 2021 when Microsoft Edge goes end of life and August 2021 when Internet Explorer 11 goes end of life. We recommend you use Google Chrome, Firefox or Microsoft Edge Chromium browser.

Certificate limitations - SHA2

Like most software vendors, 1E software requires the OS to support SHA2. If your organization has a PKI configured to use SHA2 (SHA-256 or higher) hashing, then your legacy OS may have already been updated to support it.

Windows XP and Server 2003 require an update as described in KB968730. Microsoft no longer provides this hotfix as a download. You must contact Microsoft Support if you need it.

Windows 7 and Server 2008 R2 require an update as described in KB3033929. This update is not available for Vista and Server 2008.

Windows 8, 8.1, Server 2012, Server 2012 R2 and later OS already support SHA2.

Certificate limitations - encrypted certificate requests

Windows XP and Server 2003 are unable to encrypt certificate requests, whereas later OS are able to support higher, more secure RPC authentication levels. If you are using a Microsoft CA and expect these clients to request (enrol) certificates, then the CA must have its IF_ENFORCEENCRYPTICERTREQUEST flag disabled. It is disabled by default on Windows 2003 and 2008 CA, but is enabled by default on Windows 2012 CA.

To determine which InterfaceFlags are set, execute the following command on the CA server:

	certutil -getreg CA\InterfaceFlags

If the following is specified then it means the flag is enabled.

	IF_ENFORCEENCRYPTICERTREQUEST -- 200 (512)

To disable the encrypt certificate requests flag, execute the following commands on the CA server:

	certutil -setreg CA\InterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST
	sc stop certsvc
	sc start certsvc

Certificate limitations - expired root certificates

Ensure that your Root CA Certificates are up-to-date on clients and servers. The Automatic Root Certificates Update feature is enabled by default, but its configuration may have been changed or restricted by the Group Policy setting Turn off Automatic Root Certificates Update.

If this GPO is enabled, then you will see DisableRootAutoUpdate = 1 (dword) in HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot.

Certificate limitations - signing certificates missing

On Windows computers, the installation MSI files, and binary executable and DLL files of 1E software are digitally signed. The 1E code signing certificate uses a timestamping certificate as its countersignature. 1E occasionally changes its code signing certificate, and uses it for new releases and patches for older versions, as shown in the table(s) below. 

Root Certificate Authorities are implicitly trusted to validate certificates, and their certificates must be correctly installed to do this. Your computers should already have the necessary root CA certificates installed, however this may have been prevented by your organization's security policies, by an inability to connect to the Internet, or because the computers run a legacy OS. In general this is not an issue because by default Windows allows software to be installed and run without validation, although you may see a warning or experience a delay. However, you must have relevant CA certificates installed if you are using 1E Client (which self-validates its own files), or your organization has applied more secure policies (for example UAC, AppLocker or SmartScreen).

Typical reasons for issues with signing certificates are:

  • If your organization has disabled Automatic Root Certificates Update then you must ensure the relevant root CA certificates are correctly installed on each computer
  • If computers do not have access to the Internet then you must ensure the relevant root and issuing CA certificates are correctly installed on each computer, as listed in the table(s) below.

The signature algorithm of the 1E code signing certificate is SHA256RSA. In most cases, the file digest algorithm of an Authenticode signature is SHA256, and the countersignature is an RFC 3161 compliant timestamp. The exception is on legacy OS (Windows XP, Vista, Server 2003 and Server 2008) which require the file digest algorithm of an Authenticode signature to be SHA1, and a legacy countersignature.

The table below applies to software and hotfixes released in 2020.

2020 | Signing certificate | Timestamping certificates
Certificate | 1E Limited | TIMESTAMP-SHA256-2019-10-15 and DigiCert Timestamp Responder
Issuing CA | DigiCert EV Code Signing CA (SHA2), Thumbprint: 60ee3fc53d4bdfd1697ae5beae1cab1c0f3ad4e3 | DigiCert SHA2 Assured ID Timestamping CA, Thumbprint: 3ba63a6e4841355772debef9cdcf4d5af353a297, and DigiCert Assured ID CA-1, Thumbprint: 19a09b5a36f4dd99727df783c17a51231a56c117
Root CA | DigiCert High Assurance EV Root CA, Thumbprint: 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25 | DigiCert Assured ID Root CA, Thumbprint: 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43

The table below applies to software and hotfixes released in 2019.

2019 | Signing certificate | Timestamping certificates
Certificate | 1E Limited | Symantec SHA256 TimeStamping Signer - G3
Issuing CA | Symantec Class 3 SHA256 Code Signing CA, Thumbprint: 007790f6561dad89b0bcd85585762495e358f8a5 | Symantec SHA256 TimeStamping CA, Thumbprint: 6fc9edb5e00ab64151c1cdfcac74ad2c7b7e3be4
Root CA | VeriSign Class 3 Public Primary Certification Authority - G5, Thumbprint: 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5 | VeriSign Universal Root Certification Authority, Thumbprint: 3679ca35668772304d30a5fb873b0fa77bb70d54

This is described in Requirements: Digital Signing Certificates. To verify if you are affected by this issue see Client issues: 1E Digital Signing Certificates.
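
The checks described above under "expired root certificates" and "signing certificates missing", as an added PowerShell example (not 1E code): it reports whether Automatic Root Certificates Update is turned off by policy and whether each CA certificate from the 2020 and 2019 tables is installed. The thumbprints are copied from this page; the choice of stores (Root and AuthRoot for root CAs, the Intermediate store for issuing CAs) and the optional `-SignedFile` parameter are assumptions of the example.

```powershell
# Added example, not 1E code. Thumbprints are copied from the 2020 and 2019
# tables on this page. Assumption: root CAs are searched in the Root and
# AuthRoot stores, issuing CAs in the Intermediate (CA) store.
param(
    # Optional: a signed 1E file to validate (no default; the path is site-specific).
    [string]$SignedFile
)

$expected = @(
    @{ Year = 2020; Role = 'Root';    Name = 'DigiCert High Assurance EV Root CA';       Thumbprint = '5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25' }
    @{ Year = 2020; Role = 'Root';    Name = 'DigiCert Assured ID Root CA';              Thumbprint = '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43' }
    @{ Year = 2020; Role = 'Issuing'; Name = 'DigiCert EV Code Signing CA (SHA2)';       Thumbprint = '60ee3fc53d4bdfd1697ae5beae1cab1c0f3ad4e3' }
    @{ Year = 2020; Role = 'Issuing'; Name = 'DigiCert SHA2 Assured ID Timestamping CA'; Thumbprint = '3ba63a6e4841355772debef9cdcf4d5af353a297' }
    @{ Year = 2020; Role = 'Issuing'; Name = 'DigiCert Assured ID CA-1';                 Thumbprint = '19a09b5a36f4dd99727df783c17a51231a56c117' }
    @{ Year = 2019; Role = 'Root';    Name = 'VeriSign Class 3 Public Primary Certification Authority - G5'; Thumbprint = '4eb6d578499b1ccf5f581ead56be3d9b6744a5e5' }
    @{ Year = 2019; Role = 'Root';    Name = 'VeriSign Universal Root Certification Authority';              Thumbprint = '3679ca35668772304d30a5fb873b0fa77bb70d54' }
    @{ Year = 2019; Role = 'Issuing'; Name = 'Symantec Class 3 SHA256 Code Signing CA';  Thumbprint = '007790f6561dad89b0bcd85585762495e358f8a5' }
    @{ Year = 2019; Role = 'Issuing'; Name = 'Symantec SHA256 TimeStamping CA';          Thumbprint = '6fc9edb5e00ab64151c1cdfcac74ad2c7b7e3be4' }
)
$stores = @{
    Root    = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot')
    Issuing = @('Cert:\LocalMachine\CA')
}

# 1. Is Automatic Root Certificates Update turned off by Group Policy?
$policyKey = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy = Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($policy.DisableRootAutoUpdate -eq 1) {
    Write-Warning 'DisableRootAutoUpdate = 1: root CA certificates must be installed manually.'
}

# 2. Look up each CA certificate by thumbprint and report presence and expiry date.
$report = foreach ($e in $expected) {
    $cert = Get-ChildItem -Path $stores[$e.Role] |
        Where-Object { $_.Thumbprint -eq $e.Thumbprint } |
        Select-Object -First 1
    [pscustomobject]@{
        Year      = $e.Year
        Role      = $e.Role
        Name      = $e.Name
        Installed = [bool]$cert
        NotAfter  = if ($cert) { $cert.NotAfter }
    }
}
$report | Format-Table -AutoSize

# 3. Optionally validate the signature and countersignature of a signed file.
if ($SignedFile) {
    Get-AuthenticodeSignature -FilePath $SignedFile |
        Format-List Status, StatusMessage, SignerCertificate, TimeStamperCertificate
}
```

Rows with Installed = False identify the certificates to distribute to that computer; which year's rows matter depends on the release date of the 1E software installed.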