Contents

Common client requirements

Summary

Prerequisites and dependencies that are common to all client features and modules of the 1E Client.

This section is part of the design phase of implementation.

Review Design Considerations first if you need to design and plan the deployment of 1E Client and the 1E solutions it supports in your organization.

1E Client contains client features and modules for Tachyon, Nomad, Shopping/WSA and WakeUp clients. You can optionally enable and configure clients during and after installation.

Installation account for Windows

The 1E Client installer installs a service as local system, therefore the installation account for Windows clients must be capable of being elevated in order to run the installer. The simplest way of achieving this is for the account to have full local administrator rights (as a member of the localgroup administrators, either directly or indirectly).

Installation account for non-Windows

To install the 1E Client on a non-Windows client the installation account must have privileges to run the sudo command.

1E Client supports only Tachyon client features on non-Windows devices. 

On this page:



Supported platforms

Windows client

CategoryProductNotes
Operating System

  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows 10 CB 22H2
  • Windows 11 CB 22H2
  • Windows 10 CB 21H2
  • Windows 11 CB 21H2

The zip for 1E Client for Windows is available for download from the 1E Support Portal.

Professional and Enterprise editions of Windows 10 are supported.

All versions are provided with 32-bit & 64-installers, and can be installed on physical and virtual computers.

This list is automatically updated to show only those OS versions in mainstream support by Microsoft, and therefore supported by 1E, and by 1E Client 8.0.

Please refer to Constraints of Legacy OSregarding end of mainstream support.

For Microsoft product lifecycle details, please refer to https://support.microsoft.com/en-us/lifecycle/search.

Please refer to https://1eportal.force.com/s/support-for-msft-rapid-release-cycle for details of which Current Branch versions are supported by 1E products, and known issues regarding specific versions.

For installation guidance on Windows, please refer to Deploying 1E Client on Windows.

The following 1E Client features and modules are supported on Windows OS:

  • Tachyon client
  • Nomad client
  • PXE Everywhere Agent
  • Shopping client
  • Shopping WSA (workstation OS only, not server OS)
  • WakeUp client

Runtime libraries

  • .NET Framework 4.8
  • .NET Framework 4.7.2
  • .NET Framework 4.7.1
  • .NET Framework 4.7
  • .NET Framework 4.6.2
  • .NET Framework 4.6.1
  • .NET Framework 4.6

.NET Framework is required only for the following features of 1E Client:

  • The 1E Client UI (User Interaction) component of the Interaction module, which supports the notification and survey features
  • Windows Servicing Assistant (WSA) feature of the Shopping client module, which supports OS deployment, upgrades and migrations

This list is automatically updated to show only those .NET Framework versions in mainstream support by Microsoft, and therefore supported by 1E, and by 1E Client 8.0.

For Microsoft product lifecycle details, please refer to https://support.microsoft.com/en-us/lifecycle/search.

Other Windows Software

  • Visual C++ 2013 Redistributable
  • Nomad 7.0 (or later)
  • PowerShell 3.0 (or later)

1E Client installer includes the redistributable package for Visual C++ 2013.

1E Client provides Tachyon client features. It also includes the Nomad client module which replaces the legacy Nomad Branch client. Tachyon client features can optionally use Nomad to download content (feature enabled by default) if the Nomad client module in 1E Client is enabled (module disabled by default) or Nomad Branch 7.0 or later is running.

PowerShell is not a prerequisite for installation of the 1E Client. PowerShell is used by some Tachyon instructions (that have PowerShell commands embedded or scripts that are downloaded) and some of these require PowerShell 3.0 or later. 

For more details please refer to Design Considerations: Downloading Tachyon client content and Nomad integration.

For useful information about PowerShell versions please refer to PowerShell on Windows OS.

Microsoft Endpoint Configuration Manager Client

  • SCCM CB 2207
  • SCCM CB 2203
  • SCCM CB 2111
  • SCCM CB 2107

The following client features work with these versions of Configuration Manager on Windows computers:

  • Tachyon client - instructions used by Tachyon Configuration Manager Console extensions

  • Nomad client - all Nomad features

  • PXE Everywhere Agent - N/A
  • Shopping client - N/A

  • WakeUp client - 1E WakeUp Policy Refresh and REFRESHONSUBNETCHANGE

Configuration Manager is not a prerequisite for installation of the 1E Client, and except for above features, the 1E Client, its features and modules, have no dependency on Configuration Manager.

Tachyon, Nomad, WakeUp, and Application Migration have Configuration Manager Console extensions which are available separately.

This list is automatically updated to show only those Configuration Manager versions in mainstream support by Microsoft, and therefore supported by 1E, and by 1E Client 8.0.

For Microsoft product lifecycle details, please refer to https://support.microsoft.com/en-us/lifecycle/search.

Please refer to https://1eportal.force.com/s/support-for-msft-rapid-release-cycle for details of which Current Branch versions are supported by 1E products, and known issues regarding specific versions.

(Microsoft Endpoint Manager Configuration Manager is also known as Configuration Manager, ConfigMgr, Config Man, CM and SCCM among other names. Version names include 2012 and Current Branch or CB.)

macOS clients

CategoryProductNotes
Operating System

  • macOS Big Sur 11.0
  • macOS Catalina 10.15
  • macOS Mojave 10.14

Other versions of these non-Windows OS should work but have not been tested by 1E.

1E Client package for macOS is included in the non-Windows zip available for download from the 1E Support Portal.

1E Client supports only Tachyon features on non-Windows devices. 

1E Client for macOS is written for Intel and supported on Apple devices using Intel processors. It is also supported on Apple devices using the M1 chip, provided you have installed Rosetta 2, which is included with Big Sur. 1E Client is a daemon (not an app), therefore, during installation or running it will not prompt for Rosetta 2, which does not get installed on-demand.

You only need to install Rosetta 2 once, using one of the following commands, but repeating the command will safely reinstall it. The second version of the command requires root permission. Attempting to install on an Intel device will issue a harmless "unrecognized option" usage message.

/usr/sbin/softwareupdate --install-rosetta
/usr/sbin/softwareupdate --install-rosetta --agree-to-license

For installation guidance, please refer to Deploying 1E Client on non-Windows: Mac installation.

Other Software

  • Bash
  • Perl
  • Rosetta 2 (on non-Intel)

Bash and perl are required for installation of 1E Client on all non-Windows OS.

Tachyon instructions support the use of Bash scripts on all supported non-Windows OS.

To see if an Instruction requires a Bash script, look in its Instruction Definition XML file for Bash script resources defined under the <Resources> tag. Bash is the preferred choice when developing custom instructions for non-Windows OS.

There are slight differences between OS implementations of Bash, particularly on the Mac. Therefore, 1E recommends testing custom Bash scripts on each supported OS.

Rosetta 2 must be installed before installing 1E Client for macOS on an Apple device using a non-Intel processor such as M1 chip. Please see note above about installing Rosetta 2.

Linux clients

CategoryProductNotes
Operating System

  • CentOS 8.1
  • Debian 10.4
  • Fedora 34
  • openSUSE Leap 15.2
  • Red Hat Enterprise Linux 7.9
  • Red Hat Enterprise Linux 8.3
  • SUSE Linux Enterprise 15.2
  • Ubuntu 18.04

Other versions of these non-Windows OS should work but have not been tested by 1E.

1E Client packages for other Linux distributions can be requested, including Raspbian for Raspberry Pi.

The 1E Client for Linux supports the following architectures:

  • Linux variations on Intel 64-bit platforms

1E Client packages for Linux are included in the non-Windows zip available for download from the 1E Support Portal.

1E Client supports only Tachyon features on non-Windows devices. 

For installation guidance on the following OS, please refer to Deploying 1E Client on non-Windows: Red Hat Enterprise Linux installation.

Other Software

  • Bash
  • Perl

Bash and perl are required for installation of 1E Client on all non-Windows OS.

Tachyon instructions support the use of Bash scripts on all supported non-Windows OS.

To see if an Instruction requires a Bash script, look in its Instruction Definition XML file for Bash script resources defined under the <Resources> tag. Bash is the preferred choice when developing custom instructions for non-Windows OS.

There are slight differences between OS implementations of Bash, particularly on the Mac. Therefore, 1E recommends testing custom Bash scripts on each supported OS.

Solaris clients

CategoryProductNotes
Operating System

  • Please use 1E Client 5.2

1E Client 8.0 is not available for Solaris, please use 1E Client 5.2 instead. 

The 1E Client 5.2 for Solaris supports for the following architectures:

  • Solaris on Intel 64-bit and SPARC platforms

1E Client 5.2 package for Solaris is included in the non-Windows zip available for download from the 1E Support Portal.

1E Client supports only Tachyon features on non-Windows devices.

For Solaris, the following specific libraries are required, but are usually installed by default:

  • libcurl
  • zlib

For installation guidance, please refer to 1E Client 5.2 - Deploying 1E Client on Solaris.

Other Software

  • Bash
  • Perl

Bash and perl are required for installation of 1E Client on all non-Windows OS.

Tachyon instructions support the use of Bash scripts on all supported non-Windows OS.

To see if an Instruction requires a Bash script, look in its Instruction Definition XML file for Bash script resources defined under the <Resources> tag. Bash is the preferred choice when developing custom instructions for non-Windows OS.

There are slight differences between OS implementations of Bash, particularly on the Mac. Therefore, 1E recommends testing custom Bash scripts on each supported OS.

Feature dependencies

Products and Features with dependencies on the 1E Client.

Supported versions of 1E companion products with features that depend on 1E Client 8.0.

Products and features that depend on 1E ClientSupported versions of companion products
Tachyon

Tachyon requires the 1E Client (with Tachyon client features enabled) to be installed on all client computers. This replaces the legacy Tachyon Agent.

Tachyon client features:

  • Real-time response to instructions, which supports the retrieval of information using questions, and running actions
  • Tags (freeform and device/coverage)
  • Criticality and Location
  • 1E Client UI to support the Real-Time Control Center, Announcements, Surveys, and Sentiment features of the Experience application #
  • Inventory, including process usage, to support:
    • the Tachyon Activity Record feature
    • the Inventory and other consumer applications
  • Performance metrics features to support the Experience application #
  • Policy feature to support consumer applications: Guaranteed State ##, Experience #, and Nomad #
  • Modules to support:
    • the Patch Success application #
    • command and script execution
    • content distribution
    • device criticality
    • manipulation of files and processes
    • manipulation of registry and WMI #
    • security #
    • software uninstallation
    • user sessions, including Primary User

# not supported on non-Windows, ## partially supported on non-Windows

Tachyon clients can optionally use the Nomad client module of 1E Client to more efficiently download content.

  • Tachyon Platform 8.0
  • Tachyon Platform 5.2
  • Tachyon Platform 5.1
NomadNomad requires the 1E Client (with Nomad client module enabled) to be installed on all client computers, and on Distribution Points if Configuration Manager is used.
  • Nomad 8.0
  • Nomad 7.1
NomadNomad Download Pause is an optional feature of Nomad. It requires the 1E Client (with Nomad client module enabled) to be installed on all client computers, and a Tachyon server infrastructure.
  • Tachyon Platform 8.0
  • Tachyon Platform 5.2
  • Tachyon Platform 5.1
  • Nomad 8.0
  • Nomad 7.1
PXE EverywherePXE Everywhere requires the 1E Client (with PXE Everywhere Agent client module enabled) to be installed on all client computers.
  • PXE Everywhere 8.0
  • PXE Everywhere 4.0
ShoppingShopping requires the 1E Client (with Shopping client module enabled) to be installed on all client computers. This replaces the legacy Shopping Agent.
  • Shopping 6.1
  • Shopping 6.0
Shopping

Windows Servicing Assistant (WSA) is an optional feature of Shopping that supports OS Deployment.

Please refer to Shopping 6.1 - Preparation: Windows Servicing Assistant (WSA) for WSA features in different versions of 1E Client.

  • Nomad 8.0
  • Nomad 7.1
  • Shopping 6.1
  • Shopping 6.0
WakeUpWakeUp requires the 1E Client (with WakeUp client module enabled) to be installed on all client computers, and WakeUp Servers. This replaces the WakeUp component of the 1E Agent.
  • WakeUp 7.3

Supported versions of 1E companion products that 1E Client 8.0 features depend on.

Products and features that 1E Client depends onSupported versions of companion products
TachyonTachyon real-time and other features require a full Tachyon infrastructure including a Tachyon Server and a Tachyon license.
  • Tachyon Platform 8.0
  • Tachyon Platform 5.2
  • Tachyon Platform 5.1
Nomad

Tachyon clients can optionally use Nomad (1E Client with Nomad client features enabled) to provide more efficient downloading of content.

  • 1E Client 8.0 (with Nomad client module enabled)
  • 1E Client 5.2 (with Nomad client module enabled)
  • 1E Client 5.1 (with Nomad client module enabled)

Firewall ports

1E does not provide a combined diagram showing all components and features. Please refer to the communications reference page for each product:

Anti-Virus and Malware

The following should be excluded from scans to prevent file locking and resource deletion.

  • 1E log files. See Log files.

  • The 1E Client temporary directory. We recommend modifying the TemporaryDirectory 1E Client configuration setting to %programdata%\1E\Client\Temp and excluding that directory. See 1E Client settings

    TemporaryDirectory must be specified as an absolute path. The directory is not automatically created by 1E Client. It must be created before being set otherwise 1E Client will use its default.

Digital signing certificates

On Windows computers, the installation MSIs, executables and DLLs of the 1E software are digitally signed by 1E using the 1E Limited SHA1 and SHA256 signature certificates.

These signing certificates are issued by the Symantec Class 3 SHA256 Code Signing CA, which in turn is issued by the root CA VeriSign Class 3 Public Primary Certification Authority - G5.

The SHA1 and SHA256 signature certificates are each countersigned with the same Timestamp signature certificate Starfield Timestamp Authority - G2, itself issued by Starfield Secure Certificate Authority - G2, in turn issued by the root CA  Starfield Root Certificate Authority – G2.

The root CA certificates (for signing and countersigning) must exist in the Third-Party Root Certification Authorities store (which is replicated in the Trusted Root Certification Authorities store). These root CA certificates are normally automatically provided by Microsoft's Update Root Certificates feature, however for legacy OS computers in a lab environment that are not connected to the Internet, see Constraints of Legacy OS.

Constraints of Legacy OS

In this documentation, the following are referred to as legacy OS. Below are described some known issues for these OS.

1E does not provide support for 1E products on the following OS unless the OS is explicitly listed as being supported for a specific 1E product or product feature. This is because Microsoft has ended mainstream support for these OS or they are not significantly used by business organizations.

  • Windows XP *
  • Windows Vista
  • Windows 7
  • Windows 8.0
  • Windows 8.1
  • Windows Server 2003 *
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
1E Client 8.1 and later will not install on Windows XP and Windows Server 2003. Please contact 1E if you intend to continue using any of the other legacy OS. If you experience an issue, then please try replicating the issue on a supported OS.

For Microsoft product lifecycle details, please refer to https://support.microsoft.com/en-us/lifecycle/search.

PowerShell limitations

PowerShell version 3.0 (required by some Tachyon instructions) is not supported on Windows XP, Vista and Server 2003. However, PowerShell 2.0 is supported on the following OS versions:

  • Windows XP SP3
  • Vista SP1 & SP2
  • Windows Server 2003 R2 & SP2

Certificate limitations - SHA2

Like most software vendors, 1E software requires the OS to support SHA2. If your organization has a PKI configured to use SHA2 256 or higher encryption, then your legacy OS may have already been updated to support it.

Windows XP and Server 2003 require an update as described in KB968730.  Microsoft no longer provides this hotfix as a download. You must contact Microsoft Support if you need it.

Windows 7 and Server 2008 R2 require an update as described in KB3033929. This update is not available for Vista and Server 2008.

Windows 8, 8.1, Server 2012, Server 2012 R2 and later OS already support SHA2.

Certificate limitations - encrypted certificate requests

Windows XP and Server 2003 are unable to encrypt certificate requests, whereas later OS are able to support higher more secure RPC authentication levels. If you are using a Microsoft CA and expect these clients to request (enrol) certificates then the CA must have its IF_ENFORCEENCRYPTICERTREQUEST flag disabled. It is disabled by default on Windows 2003 and 2008 CA, but is enabled by default on Windows 2012 CA.

To determine which InterfaceFlags are set, execute the following command on the CA server:

	certutil -getreg CA\InterfaceFlags

If the following is specified then it means the flag is enabled.

	IF_ENFORCEENCRYPTICERTREQUEST -- 200 (512)

To disable the encrypt certificate requests flag, execute the following commands on the CA server:

	certutil -setreg CA\InterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST
	sc stop certsvc
	sc start certsvc

Certificate limitations - signing certificates missing

On Windows computers, the installation MSI files, and binary executable and DLL files of 1E software are digitally signed. The 1E code signing certificate uses a timestamping certificate as its countersignature. 1E occasionally changes its code signing certificate, and uses it for new releases and patches for older versions, as shown in the table(s) below. 

Root Certificate Authorities are implicitly trusted to validate certificates, and their certificates must be correctly installed to do this. Your computers should already have the necessary root CA certificates installed, however this may have been prevented by your organization's security policies, or inability to connect to the Internet, or they are legacy OS. In general this is not an issue because by default Windows allows software to be installed and run without validation, although you may see a warning or experience a delay. However, you must have relevant CA certificates installed if you are using 1E Client (which self-validates its own files), or your organization has applied more secure polices (for example UAC, AppLocker or SmartScreen).

Typical reasons for issues with signing certificate are:

  • If your organization has disabled Automatic Root Certificates Update then you must ensure the relevant root CA certificates are correctly installed on each computer
  • If computers do not have access to the Internet then you must ensure the relevant root and issuing CA certificates are correctly installed on each computer, numbered in the table(s) below. 

The signature algorithm of the 1E code signing certificate is SHA256RSA. In most cases, the file digest algorithm of an authenticode signature is SHA256, and the countersignature is a RFC3161 compliant timestamp. The exception is on legacy OS (Windows XP, Vista, Server 2003 and Server 2008) which require the file digest algorithm of an authenticode signature to be SHA1, and a legacy countersignature. 

The table below applies to software and hotfixes released in 2020.

2020

Signing certificate

Timestamping certificates

Certificate

1E Limited

TIMESTAMP-SHA256-2019-10-15 and DigiCert Timestamp Responder

Issuing CA

DigiCert EV Code Signing CA (SHA2)

Thumbprint: 60ee3fc53d4bdfd1697ae5beae1cab1c0f3ad4e3

DigiCert SHA2 Assured ID Timestamping CA

Thumbprint: 3ba63a6e4841355772debef9cdcf4d5af353a297

and  DigiCert Assured ID CA-1

Thumbprint: 19a09b5a36f4dd99727df783c17a51231a56c117

Root CA

DigiCert High Assurance EV Root CA

Thumbprint: 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25

DigiCert Assured ID Root CA

Thumbprint: 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43

This is described in Common client requirements: Digital signing certificates. To verify if you affected by this issue see Client issues: 1E Digital Signing Certificates.

Certificate limitations - expired root certificates

Ensure that your Root CA Certificates are up-to-date on clients and servers. The Automatic Root Certificates Update feature is enabled by default, but its configuration may have been changed or restricted by Group Policy Turn off Automatic Root Certificates Update.

If this GPO is enabled, then you will see DisableRootAutoUpdate = 1 (dword) in HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot.