Contents
Supported platforms
Windows client
Category | Product | Notes |
---|---|---|
Operating System |
| The zip for 1E Client for Windows is available for download from the 1E Support Portal. Professional and Enterprise editions of Windows 10 are supported. All versions are provided with 32-bit & 64-installers, and can be installed on physical and virtual computers. This list is automatically updated to show only those OS versions in mainstream support by Microsoft, and therefore supported by 1E, and by 1E Client 8.0. Please refer to Constraints of Legacy OSregarding end of mainstream support. For Microsoft product lifecycle details, please refer to https://support.microsoft.com/en-us/lifecycle/search. Please refer to https://1eportal.force.com/s/support-for-msft-rapid-release-cycle for details of which Current Branch versions are supported by 1E products, and known issues regarding specific versions. For installation guidance on Windows, please refer to Deploying 1E Client on Windows. The following 1E Client features and modules are supported on Windows OS:
|
Runtime libraries
|
| .NET Framework is required only for the following features of 1E Client:
This list is automatically updated to show only those .NET Framework versions in mainstream support by Microsoft, and therefore supported by 1E, and by 1E Client 8.0. For Microsoft product lifecycle details, please refer to https://support.microsoft.com/en-us/lifecycle/search. |
Other Windows Software |
| 1E Client installer includes the redistributable package for Visual C++ 2013. 1E Client provides Tachyon client features. It also includes the Nomad client module which replaces the legacy Nomad Branch client. Tachyon client features can optionally use Nomad to download content (feature enabled by default) if the Nomad client module in 1E Client is enabled (module disabled by default) or Nomad Branch 7.0 or later is running. PowerShell is not a prerequisite for installation of the 1E Client. PowerShell is used by some Tachyon instructions (that have PowerShell commands embedded or scripts that are downloaded) and some of these require PowerShell 3.0 or later. For more details please refer to Design Considerations: Downloading Tachyon client content and Nomad integration. For useful information about PowerShell versions please refer to PowerShell on Windows OS. |
Microsoft Endpoint Configuration Manager Client |
| The following client features work with these versions of Configuration Manager on Windows computers:
Configuration Manager is not a prerequisite for installation of the 1E Client, and except for above features, the 1E Client, its features and modules, have no dependency on Configuration Manager. Tachyon, Nomad, WakeUp, and Application Migration have Configuration Manager Console extensions which are available separately. This list is automatically updated to show only those Configuration Manager versions in mainstream support by Microsoft, and therefore supported by 1E, and by 1E Client 8.0. For Microsoft product lifecycle details, please refer to https://support.microsoft.com/en-us/lifecycle/search. Please refer to https://1eportal.force.com/s/support-for-msft-rapid-release-cycle for details of which Current Branch versions are supported by 1E products, and known issues regarding specific versions. (Microsoft Endpoint Manager Configuration Manager is also known as Configuration Manager, ConfigMgr, Config Man, CM and SCCM among other names. Version names include 2012 and Current Branch or CB.) |
macOS clients
Category | Product | Notes |
---|---|---|
Operating System
|
| Other versions of these non-Windows OS should work but have not been tested by 1E. 1E Client package for macOS is included in the non-Windows zip available for download from the 1E Support Portal. 1E Client supports only Tachyon features on non-Windows devices.
1E Client for macOS is written for Intel and supported on Apple devices using Intel processors. It is also supported on Apple devices using the M1 chip, provided you have installed Rosetta 2, which is included with Big Sur. 1E Client is a daemon (not an app), therefore, during installation or running it will not prompt for Rosetta 2, which does not get installed on-demand. You only need to install Rosetta 2 once, using one of the following commands, but repeating the command will safely reinstall it. The second version of the command requires root permission. Attempting to install on an Intel device will issue a harmless "unrecognized option" usage message. /usr/sbin/softwareupdate --install-rosetta /usr/sbin/softwareupdate --install-rosetta --agree-to-license |
Other Software |
| Bash and perl are required for installation of 1E Client on all non-Windows OS. Tachyon instructions support the use of Bash scripts on all supported non-Windows OS. To see if an Instruction requires a Bash script, look in its Instruction Definition XML file for Bash script resources defined under the <Resources> tag. Bash is the preferred choice when developing custom instructions for non-Windows OS. There are slight differences between OS implementations of Bash, particularly on the Mac. Therefore, 1E recommends testing custom Bash scripts on each supported OS. Rosetta 2 must be installed before installing 1E Client for macOS on an Apple device using a non-Intel processor such as M1 chip. Please see note above about installing Rosetta 2. |
Linux clients
Category | Product | Notes |
---|---|---|
Operating System
|
| Other versions of these non-Windows OS should work but have not been tested by 1E. 1E Client packages for other Linux distributions can be requested, including Raspbian for Raspberry Pi. The 1E Client for Linux supports the following architectures:
1E Client packages for Linux are included in the non-Windows zip available for download from the 1E Support Portal. 1E Client supports only Tachyon features on non-Windows devices. For installation guidance on the following OS, please refer to Deploying 1E Client on non-Windows: Red Hat Enterprise Linux installation. |
Other Software |
| Bash and perl are required for installation of 1E Client on all non-Windows OS. Tachyon instructions support the use of Bash scripts on all supported non-Windows OS. To see if an Instruction requires a Bash script, look in its Instruction Definition XML file for Bash script resources defined under the <Resources> tag. Bash is the preferred choice when developing custom instructions for non-Windows OS. There are slight differences between OS implementations of Bash, particularly on the Mac. Therefore, 1E recommends testing custom Bash scripts on each supported OS. |
Solaris clients
Category | Product | Notes |
---|---|---|
Operating System
|
| 1E Client 8.0 is not available for Solaris, please use 1E Client 5.2 instead. The 1E Client 5.2 for Solaris supports for the following architectures:
1E Client 5.2 package for Solaris is included in the non-Windows zip available for download from the 1E Support Portal. 1E Client supports only Tachyon features on non-Windows devices. For Solaris, the following specific libraries are required, but are usually installed by default:
For installation guidance, please refer to 1E Client 5.2 - Deploying 1E Client on Solaris. |
Other Software |
| Bash and perl are required for installation of 1E Client on all non-Windows OS. Tachyon instructions support the use of Bash scripts on all supported non-Windows OS. To see if an Instruction requires a Bash script, look in its Instruction Definition XML file for Bash script resources defined under the <Resources> tag. Bash is the preferred choice when developing custom instructions for non-Windows OS. There are slight differences between OS implementations of Bash, particularly on the Mac. Therefore, 1E recommends testing custom Bash scripts on each supported OS. |
Feature dependencies
Products and Features with dependencies on the 1E Client.
Supported versions of 1E companion products with features that depend on 1E Client 8.0.
Products and features that depend on 1E Client | Supported versions of companion products | |
---|---|---|
Tachyon | Tachyon requires the 1E Client (with Tachyon client features enabled) to be installed on all client computers. This replaces the legacy Tachyon Agent. Tachyon client features:
# not supported on non-Windows, ## partially supported on non-Windows Tachyon clients can optionally use the Nomad client module of 1E Client to more efficiently download content. |
|
Nomad | Nomad requires the 1E Client (with Nomad client module enabled) to be installed on all client computers, and on Distribution Points if Configuration Manager is used. |
|
Nomad | Nomad Download Pause is an optional feature of Nomad. It requires the 1E Client (with Nomad client module enabled) to be installed on all client computers, and a Tachyon server infrastructure. |
|
PXE Everywhere | PXE Everywhere requires the 1E Client (with PXE Everywhere Agent client module enabled) to be installed on all client computers. |
|
Shopping | Shopping requires the 1E Client (with Shopping client module enabled) to be installed on all client computers. This replaces the legacy Shopping Agent. |
|
Shopping | Windows Servicing Assistant (WSA) is an optional feature of Shopping that supports OS Deployment. Please refer to Shopping 6.1 - Preparation: Windows Servicing Assistant (WSA) for WSA features in different versions of 1E Client. |
|
WakeUp | WakeUp requires the 1E Client (with WakeUp client module enabled) to be installed on all client computers, and WakeUp Servers. This replaces the WakeUp component of the 1E Agent. |
|
Supported versions of 1E companion products that 1E Client 8.0 features depend on.
Products and features that 1E Client depends on | Supported versions of companion products | |
---|---|---|
Tachyon | Tachyon real-time and other features require a full Tachyon infrastructure including a Tachyon Server and a Tachyon license. |
|
Nomad | Tachyon clients can optionally use Nomad (1E Client with Nomad client features enabled) to provide more efficient downloading of content. |
|
Firewall ports
1E does not provide a combined diagram showing all components and features. Please refer to the communications reference page for each product:
- Tachyon communication ports — A diagram and a table with a list of all the Tachyon communication ports.
- Nomad communication ports — Diagrams and tables with lists of all the Nomad communication ports.
- PXE Everywhere communication ports — A list of communication ports used by PXE Everywhere. Useful, if needed, for network and device firewalls.
- Shopping communication ports — A diagram and a table with a list of all the Shopping communication ports.
- NightWatchman Enterprise communication ports — Tables with lists of all the NightWatchman Enterprise components and their communication ports.
Anti-Virus and Malware
The following should be excluded from scans to prevent file locking and resource deletion.
- 1E log files. See Log files.
The 1E Client temporary directory. We recommend modifying the TemporaryDirectory 1E Client configuration setting to %programdata%\1E\Client\Temp and excluding that directory. See 1E Client settings.
TemporaryDirectory must be specified as an absolute path. The directory is not automatically created by 1E Client. It must be created before being set otherwise 1E Client will use its default.
Digital signing certificates
On Windows computers, the installation MSIs, executables and DLLs of the 1E software are digitally signed by 1E using the 1E Limited SHA1 and SHA256 signature certificates.
These signing certificates are issued by the Symantec Class 3 SHA256 Code Signing CA, which in turn is issued by the root CA VeriSign Class 3 Public Primary Certification Authority - G5.
The SHA1 and SHA256 signature certificates are each countersigned with the same Timestamp signature certificate Starfield Timestamp Authority - G2, itself issued by Starfield Secure Certificate Authority - G2, in turn issued by the root CA Starfield Root Certificate Authority – G2.
The root CA certificates (for signing and countersigning) must exist in the Third-Party Root Certification Authorities store (which is replicated in the Trusted Root Certification Authorities store). These root CA certificates are normally automatically provided by Microsoft's Update Root Certificates feature, however for legacy OS computers in a lab environment that are not connected to the Internet, see Constraints of Legacy OS.
Constraints of Legacy OS
In this documentation, the following are referred to as legacy OS. Below are described some known issues for these OS.
1E does not provide support for 1E products on the following OS unless the OS is explicitly listed as being supported for a specific 1E product or product feature. This is because Microsoft has ended mainstream support for these OS or they are not significantly used by business organizations.
|
|
For Microsoft product lifecycle details, please refer to https://support.microsoft.com/en-us/lifecycle/search.
PowerShell limitations
PowerShell version 3.0 (required by some Tachyon instructions) is not supported on Windows XP, Vista and Server 2003. However, PowerShell 2.0 is supported on the following OS versions:
- Windows XP SP3
- Vista SP1 & SP2
- Windows Server 2003 R2 & SP2
Certificate limitations - SHA2
Like most software vendors, 1E software requires the OS to support SHA2. If your organization has a PKI configured to use SHA2 256 or higher encryption, then your legacy OS may have already been updated to support it.
Windows XP and Server 2003 require an update as described in KB968730. Microsoft no longer provides this hotfix as a download. You must contact Microsoft Support if you need it.
Windows 7 and Server 2008 R2 require an update as described in KB3033929. This update is not available for Vista and Server 2008.
Windows 8, 8.1, Server 2012, Server 2012 R2 and later OS already support SHA2.
Certificate limitations - encrypted certificate requests
Windows XP and Server 2003 are unable to encrypt certificate requests, whereas later OS are able to support higher more secure RPC authentication levels. If you are using a Microsoft CA and expect these clients to request (enrol) certificates then the CA must have its IF_ENFORCEENCRYPTICERTREQUEST flag disabled. It is disabled by default on Windows 2003 and 2008 CA, but is enabled by default on Windows 2012 CA.
To determine which InterfaceFlags are set, execute the following command on the CA server:
certutil -getreg CA\InterfaceFlags
If the following is specified then it means the flag is enabled.
IF_ENFORCEENCRYPTICERTREQUEST -- 200 (512)
To disable the encrypt certificate requests flag, execute the following commands on the CA server:
certutil -setreg CA\InterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST
sc stop certsvc
sc start certsvc
Certificate limitations - signing certificates missing
On Windows computers, the installation MSI files, and binary executable and DLL files of 1E software are digitally signed. The 1E code signing certificate uses a timestamping certificate as its countersignature. 1E occasionally changes its code signing certificate, and uses it for new releases and patches for older versions, as shown in the table(s) below.
Root Certificate Authorities are implicitly trusted to validate certificates, and their certificates must be correctly installed to do this. Your computers should already have the necessary root CA certificates installed, however this may have been prevented by your organization's security policies, or inability to connect to the Internet, or they are legacy OS. In general this is not an issue because by default Windows allows software to be installed and run without validation, although you may see a warning or experience a delay. However, you must have relevant CA certificates installed if you are using 1E Client (which self-validates its own files), or your organization has applied more secure polices (for example UAC, AppLocker or SmartScreen).
Typical reasons for issues with signing certificate are:
- If your organization has disabled Automatic Root Certificates Update then you must ensure the relevant root CA certificates are correctly installed on each computer
- If computers do not have access to the Internet then you must ensure the relevant root and issuing CA certificates are correctly installed on each computer, numbered in the table(s) below.
The signature algorithm of the 1E code signing certificate is SHA256RSA. In most cases, the file digest algorithm of an authenticode signature is SHA256, and the countersignature is a RFC3161 compliant timestamp. The exception is on legacy OS (Windows XP, Vista, Server 2003 and Server 2008) which require the file digest algorithm of an authenticode signature to be SHA1, and a legacy countersignature.
The table below applies to software and hotfixes released in 2020.
2020 | Signing certificate | Timestamping certificates |
---|---|---|
Certificate | 1E Limited | TIMESTAMP-SHA256-2019-10-15 and DigiCert Timestamp Responder |
Issuing CA | DigiCert EV Code Signing CA (SHA2) Thumbprint: 60ee3fc53d4bdfd1697ae5beae1cab1c0f3ad4e3 | DigiCert SHA2 Assured ID Timestamping CA Thumbprint: 3ba63a6e4841355772debef9cdcf4d5af353a297 and DigiCert Assured ID CA-1 Thumbprint: 19a09b5a36f4dd99727df783c17a51231a56c117 |
Root CA | DigiCert High Assurance EV Root CA Thumbprint: 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25 | DigiCert Assured ID Root CA Thumbprint: 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43 |
Certificate limitations - expired root certificates
Ensure that your Root CA Certificates are up-to-date on clients and servers. The Automatic Root Certificates Update feature is enabled by default, but its configuration may have been changed or restricted by Group Policy Turn off Automatic Root Certificates Update.
If this GPO is enabled, then you will see DisableRootAutoUpdate = 1 (dword)
in HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot.