Creating Instructions and Fragments Using TIMS

Tachyon provides many Instructions and Product Packs full of Instructions that can be executed out of the box from Tachyon. However, the value of Tachyon is its extendibility. Quite often, use cases will arise for different questions and actions that need to be performed on your client estate. This would require new instructions to be created. Tachyon provides a toolset to create your own instructions from scratch. These instructions can be created using either the native language used by the Tachyon client, or by deploying PS scripts. In this lab, we will create some instructions from scratch and use them in Tachyon. We will also use TIMS to create a fragment that we will import for use in Guaranteed State.

Configuring TIMS prerequisites

Tachyon Instruction Management Studio or TIMS is a utility that allows you to write your own instructions for consumption by Tachyon. In this exercise, we will configure TIMS prerequisites so we can begin writing our own instructions.

Enrolling a code signing certificate on the Tachyon server

Tachyon requires a code signing certificate to sign instructions with. This ensures that any instructions written for execution via Tachyon are signed, and no rogue instructions are introduced to the environment. The Code Signing certificate is also associated with the Tachyon license key to ensure that only those with the appropriate certificate are allowed to write instructions that can be used in Tachyon.

1. Open SkyTap Shared Drive shortcut on the desktop and navigate to 1E Tachyon - Course Content\Tachyon 5.0 Course Content\ download tims.v5.0.0.745.zip, setSCCMsite.ps1 and 1ETRN_Code_Signing_cert.pfx files to c:\temp Extract the contents of the ZIP file
2. From the start menu, type certificate, and click on Manage Computer Certificates
3. In the Certificates console, right-click on Trusted Publishers. Select All Tasks>Import
4. On the Welcome, ensure Local Machine is selected by default. Click Next
5. On the File to Import page, click Browse
6. Switch the file type to All Files (.)
7. Navigate to c:\temp and double-click 1ETRN_Code_Signing_cert.pfx. Click Next
8. On the Password page, input Passw0rd for the password and click Next
9. On the Certificate Store, ensure Trusted Publishers is populated. Click Next
10. On the final page, click Finish. Click OK
11. In the Certificates console, expand Trusted Publishers>Certificates and validate that the code signing cert issued to SCCM Admin is present
12. From a cmd prompt, run IISRESET to bounce IIS
13. Running IISRESET will ensure the web service recognizes the certificate we just added to the server

Validate the certificate

14. Double-Click the Code Signing certificate issued in the Trusted Publishers store
15. Click on the Details tab and scroll down to the Thumbprint value. Make note of the first 4 and last 4 characters of the thumbprint
16. Navigate to c:\programdata\1E\Licensing and right-click on the Tachyon.lic file and open with Notepad. Use Word Wrap to get better formatting of the file
17. Do a search for 1ETRN. Note the signersha value associated with the Instruction. Ensure it matches the thumbprint of our code signing certificate
When a license key is requested from 1E, you must specify what you want your instructions prefix to be and provide the thumbprint for the code signing certificate that will be used to create Instructions. This ensures that only those with the Code Signing certificate will be allowed to create Instructions that will be signed and allowed to be used in Tachyon. This also locks down what the Instruction can be named, in our case the prefix must be 1ETRN.
18. Close the license file, ensuring no changes were made
19. Close the certificates console

Enrolling the Code Signing certificate on a workstation

TIMS can be run on any machine in your environment. The instructions you develop will use the framework of the machine you are running TIMS on to validate the instruction. As such, we will run TIMS on one of the workstations. Wherever TIMS is run, the same Code Signing certificate must be enrolled in either the User or Computer store, generally in both.

20. Logged in as 1etrn\Tachyon_Admin1, navigate to \\1etrnap\temp and copy the tims.v5.0.0.745 folder and setSCCMsite.ps1, 1ETRN_Code_Signing_cert.pfx to c:\tools
21. From the start menu, type in mmc into the search box and launch mmc.exe
22. Click File and select Add/Remove Snap-in
23. From the snap-in wizard, select Certificates and click Add
24. Select My user account and click Finish. Click OK
25. If we are running TIMS under system context, the certificate must also reside under the Computer store. In our exercises, we will be running TIMS only in user context
26. Expand Certificates (Current User) and right click on Personal
27. Click All Tasks > Import
28. On the Welcome page, click Next
29. On the File to Import page, click Browse
30. Switch the file type to All Files (.)
31. Navigate to c:\tools and double-click 1ETRN_Code_Signing_cert.pfx. Click Next
32. On the Password page, input Passw0rd for the password and click Next
33. On the Certificate Store click Next
34. On the final page, click Finish. Click OK
35. Double-click the Code Signing certificate in the personal store and validate the thumbprint in the details tab. Validate it is the same as the one on the server and in the license file

Installing TIMS

In this exercise, we will install TIMS on a workstation, and use that workstation to write instructions.

36. Navigate to c:\tools\tims.v5.0.0.745 and double-click TIMS-x86.msi
All of our workstations are 32-bit in the labs so we will use the x86 version of TIMS. If you were creating instructions on a 64-bit client, you would use the x64 version on an x64 machine.
37. On the Welcome page, click Next
38. On the License Agreement page, select I accept the terms of this license agreement and click Next
39. On the Destination Folder page, click Next
40. On the Ready to Install the Program page, click Install
41. Once installed, click Finish

Navigating TIMS

Now that we have prereqs in place and TIMS installed, we can begin working with TIMS. In this exercise, we will learn some basics about TIMS and begin exploring the native language, SCALE (Simple Cross-platform Agent Language for Extensibility), in the form of Modules and Methods used to write instructions.

42. Log in as 1ETRN\Tachyon_Admin1 if not already logged in
43. From the desktop, launch Tachyon Instruction Management Studio
44. Instructions can be written under the user context or the System context. If we wanted to write instructions under the Local System context, we can launch TIMS using PSEXEC to run under the system context. For our labs, we will only use TIMS in the user context
45. Review the different buttons in the top pane
46. Click on Code Signing and select Select signing certificate
47. TIMS will default to Code Signing certificates. We only have one enrolled, so it will default to that certificate
48. Click on the Click here to view certificate properties link
49. Note that the general tab of the certificate shows You have a private key that corresponds to this certificate
50. If you do not have a private key associated with the certificate, Instructions written using the certificate will not work in Tachyon
51. Click OK to close the certificate properties. Click OK to select the certificate
52. Click on Code Signing and check Always sign
53. This setting ensures that any instruction you attempt to save will be signed using the certificate we just selected
54. In the top query window, type in the following text

SELECT "hello"

55. Note the query window begins to autofill the text you are typing. This is due to IntelliSense being integrated with TIMS. IntelliSense features are powered by a language service. A language service provides intelligent code completions based on language semantics and an analysis of your source code. If a language service knows possible completions, the IntelliSense suggestions will pop up as you type. If you continue typing characters, the list of members (variables, methods, etc.) is filtered to include only members containing your typed characters. Pressing Tab or Enter will insert the selected member
56. Click the Run button up top
57. Note that an error box pops up and a syntax error is displayed in the results pane. This is because each line of code must be ended with a semicolon
58. Click OK on the error box
59. At the very bottom, switch from Results to Log tab
60. Note the various rows of errors. Specifically, a row displaying the following: Completely unterminated SELECT at line 1, column 9
61. Return to the Results tab. Add a semicolon to the end of the instruction and click Run again
62. Note there are no errors on the Log pane
63. Switch to Results pane
64. Note that the results show a column named hello with single quotes, and a value of hello
65. Modify the syntax of the query to the following and click Run

SELECT "hello" AS greeting;

66. Note the column name is now set to greeting. Change to Results pane at the bottom instead of log
67. Change the query to the following and rerun

SELECT "hello" greeting;

68. Note that you get the same result as before. The 'AS' is not necessary. If you are familiar with SQL language, you will get the hang of TIMS scripting very quickly
69. Input the following below the existing line and click Run

SELECT "goodbye" greeting;

70. Note only the second line displays an output. Unlike SQL, both rows will not display an output, only the last. Switch the rows around to see only 'hello' will show. This is very important to remember when you begin to write complex instructions
71. Clear the existing code from TIMS. Input the following query into the window. Type it out exactly as shown below, do not rely on IntelliSense to autofill it

Network.getconnections();

72. Note the error returned. Unsupported method 'getconnections'
73. Change the syntax to the following

Network.GetConnections();

74. Note the results that are returned. The scripting language is case sensitive, so you must input very exact syntax. IntelliSense will ensure that these syntax errors are autocorrected
75. Clear the query window and run the following queries, one line at a time, and review the results

Software.GetInstallations(); 
Device.GetSummary(); 
FileSystem.GetFilesInFolder(Folder: "c:\\program files\\1E\\client"); 
OperatingSystem.GetServiceInfo(); 
OperatingSystem.GetInstalledUpdates();

These queries give you a general sense of how the Methods and corresponding Modules operate. You can review all the Methods and Modules and use them in different ways to get data back. Subsequently, you can do more than just query machines, you can also act on machines. We will cover that later as we begin to write a complex Instruction using different Methods and Modules as well as functions.

Creating a basic Instruction

76. Clear the TIMS query window and run the following

Network.GetConnections();

77. Click on the Schema button on the top ribbon. On the popup, click Yes
78. In the Schema editor, click the different boxes. Here you can define the different parameters of the schema
79. The GetConnections method has a predefined schema. We can define that value in the schema itself manually. The render as property allows for 3 rendering schemas currently, perforated, IPAddress, or currency. This allows for the results to be shown rendered as one of these data types
80. Click on ProcessName and using the button, move it to the top
81. Click OK to save the schema
82. Click on Workflow. Note the different options available for Instruction Workflow in the dropdown. Click Cancel
The workflow is defined as a global setting, but we can override that by explicitly defining a workflow per instruction. Certain Instructions might be low risk, and thus not require approval or 2FA.
83. Click Task groups
Tasks allow us to add instructions to specific task groups so they can be executed directly from the Tasks workspace in the Tachyon explorer console.
84. Click Cancel to exit out of Task Groups
85. Click on the Aggregation button on the ribbon
Here, we can group by a specific value that is returned, as well as aggregate based on the available operations.
86. Click Cancel
87. Click Validate in the top ribbon. Note the errors displayed. Click Close
A readable payload must be defined, and a description for the Instruction provided so it can be searched against in the Tachyon explorer console. A payload is essentially what the Instruction will present to the operator via the explorer console. A task group is not required; hence it is only a warning.
88. In the Instruction Definition panel at the top right, note the different properties
89. In the Description field, input Active Network Connections and click Enter
You can click on the ellipses in the field to open up a dialog box as well.
90. For the Name field, change the value from the default to 1ETRN-ActiveNetworkConnections
91. For the ReadablePayload field, click on the ellipses at the right and input Active Network Connections. Click OK
92. Review the other properties in the Instruction Definition pane. These are all configurable parameters, but if left alone they will default to the values of the installation
93. Click Validate in the top ribbon. Note only a task groups warning is shown. Click Close
94. From the menu bar, click File>Save As. Click OK on the validation page
95. Save the Instruction under c:\tools as 1ETRN-ActiveNetworkConnections.xml
Note in the top pane a message is displayed stating that the instruction definition was signed by XXX. This is because we chose to Always Sign earlier.
96. Leave TIMS open with the instruction still defined in the top pane

Validating the Instruction

97. In windows explorer, navigate to c:\tools. Note an XML file named 1ETRN-ActiveNetworkConnections has been created here
98. Right-click the file and open with Internet Explorer
99. Note the format and content of the instruction file
We have reviewed instruction XML files earlier, this format should look familiar.

Uploading the instruction in Tachyon

In this task, we will add the newly created Instruction to Tachyon and ask the question to our clients.

100. Navigate to https://tachyon.1etrn.local/tachyon in Google Chrome
101. Launch the Settings Application
102. Navigate to Instructions - Instruction sets
103. Create an Instruction Set named 1ETRN
104. From the top pane, click Upload. Browse to c:\tools and select 1ETRN-ActiveNetworkConnections.xml
105. Click Open. Ensure the Instruction is uploaded successfully and there are no errors
106. Select the Instruction in the middle pane, and click on the Move button in the right pane
107. From the dropdown, select 1ETRN and click Move
108. Click on the 1ETRN Instruction Set in the left pane to validate the instruction has been moved there
We are now ready to execute this Instruction on our client machines. All instructions must reside within an Instruction Set before they can be executed via the Explorer Application.

Running the newly created Instruction

109. Navigate to the Home page of Explorer Application
110. From the top right, click the All Instructions button
111. Note a 1ETRN Instruction set is now present. Expand the Instruction Set
112. Click on the instruction and click Ask this question
The data returned will display ProcessName as the first column after the PC name, as we changed the schema to move it to the top. If we left the schema default, the results would show in the same order they are shown in TIMS.
113. Scroll down to see the results returned from the different machines
114. Click the Back to Top link at the bottom right
115. Click on the Filter Results button to expand the filter options
116. In the Device Name box, input 1ETRNW73 for the local machine. Click Search
117. Review the results for the local machine
118. Return to TIMS. With the Network.GetConnections(); query still defined, click the Run button
119. Note the connections. They should match what Tachyon returns via the Instruction

Creating a Product Pack with multiple Instructions

Now that we have navigated around the TIMS utility, we will create a Product Pack that will contain multiple instructions. In a production environment, you often will have multiple instructions that logically bind together. You can add those instructions individually to Tachyon, or you can bundle them up and add them together. In this exercise, we will create two instructions, a question and an action, and add them to Tachyon to validate their functionality.

Create a Question Instruction

In this task, we will create a query that identifies what the ConfigMgr assigned Site code is for our clients.

120. In TIMS, go to File and select New to clear the existing instruction definition
121. In the query window, type in the following query

NativeServices.RunWmiQuery(Namespace:"root\\ccm", Query:"SELECT name from sms_authority");

Ensure that the query is case sensitive as far as the Tachyon Modules and Methods go. The namespace and the WMI values can be case insensitive.
Root\CCM is the ConfigMgr client WMI namespace, and SMS_Authority is the space under which the installed site value is saved, as the value name.
122. Click the Run button
123. Note the value that returns. This is the site code for the CM site in our lab environment
124. In the Instruction Definition pane on the top right, input the following for Description and ReadablePayload

What is the SCCM Site code?

125. Name the Instruction 1ETRN-Check SCCM Site
126. Click the Schema button in the top ribbon and validate the suggested schema. Click OK
127. From the menu, click File>Save as. Click OK on the Validation page
128. Save the instruction as 1ETRN-CheckSCCMSite.XML under c:\tools

Creating an Action Instruction using a script

In this task, we will create an action Instruction that changes the CM site code on the Tachyon clients. We will accomplish this via the use of a PowerShell script. In Tachyon, we have the ability to use the native language Modules and Methods, or a PS script.

129. Browse to c:\tools\ and right click the setSCCMsite.ps1 file
130. Edit with Notepad and review the syntax of the file
The file is using a ConfigMgr client module to set the assigned site of a ConfigMgr client to whatever parameter is being passed to the script.
131. In TIMS, from the ribbon along the top, select Import resource
132. Browse to c:\tools\ and select the setSCCMsite.ps1 file
133. In the Instruction Resource popup, review the settings and click OK
134. Click Add parameter from the top ribbon and input SCCMSite into the name
135. In the Max Length box, input 3. Click OK
136. In the Middle pane, click the down arrow for the Resources next to the file name setSCCMsite and select Insert snippet to download
This step will add syntax to the instruction for where to download the file, including the hash of the file. The script will be embedded in the instruction XML, so download instructions must reside within the instruction.
137. On the line beneath the file download syntax, paste in the following

Scripting.Run( Language: "PowerShell", ExecutionPolicy : "Override", Script : @resource1, InterpretAsJson : False , "%SCCMSite%");

This syntax is referencing the script which we have imported into this Instruction, along with the parameter SCCMSite which we have defined. That parameter is what will get passed to the script from what is inputted by the administrator in the Explorer Application console.
138. In the Instruction Definition pane on the top right, input something into Description
139. Name the Instruction 1ETRN-Set SCCM Site Code
140. Change the InstructionType to Action via the dropdown menu
141. In the ReadablePayload field, input the following: Change the SCCM Site code to %SCCMSite%
142. From the ribbon click on Schema
143. In the Edit Schema page, click the green+button. In the Column Name input ExitCode and change Data Type to int32
144. Click the green+button again and in the Column Name input NewSCCMSite and leave the Data Type as String. Click OK
145. Click the Run button from the top ribbon. Validate the results
There are two columns outputted from the Instruction, an ExitCode and NewSCCMSite column. The schema definition will define the actual output the Explorer Application will display.
146. From the menu, click File>Save as. Click OK on the Validation page
147. Save the instruction as 1ETRN-SETSCCMSite.XML under c:\tools

Creating and Uploading the Product Pack

Now that we have two instructions, a question and an action, we are ready to upload them to Tachyon as a Product Pack.

148. Browse to c:\tools and multiselect the 1ETRN-CheckSCCMSIte.XML and 1ETRN-SETSCCMSIte.XML files
149. Right click on the selected files and select Send to> Compressed (zipped) folder
150. Name the zip file 1ETRN-SCCMSite.zip
151. In the browser, if the Settings Application is not already running, navigate to https:\\tachyon.1etrn.local\tachyon and choose Switch app or Settings
152. Navigate to Instructions - Instruction sets
153. Click the Upload button at the top right and browse out to c:\tools
154. Select the 1ETRN-SCCMSite.zip file and click Open
155. Validate that the file was uploaded without errors
156. Click on the Unassigned Instruction Set and click the two instructions uploaded via the Product Pack named What is the SCCM Site code? and Change the SCCM Site code to <SCCMSite> and move them to the 1ETRN Instruction Set

Validating the Instructions

Now that we've created Instructions and added them to Tachyon, we are ready to validate that the instructions execute exactly what we defined within them and output the appropriate information when run.

157. Navigate to the home page of the Explorer Application
158. In the I want to know box, type in What is the SCCM Site code
159. Click Ask this question
160. Wait for all clients to respond. Note the Results return in the form of Device Name and Name for the SCCM Site code, and the value is in the form of SMS:xxx
The Site code for the SCCM site in our lab environment is PS1. Keep note of this as we change the site code.
161. Once all results are in, click on the Actions tab
162. Type in Change the SCCM Site code
163. Input AAA into the site code parameter box and click Perform this action
164. Execute the 2FA and Approval process to process the action
165. Note the results. There will be 3 columns, Device Name, ExitCode and NewSCCMSite
The ExitCode and NewSCCMSite are columns we defined in the schema when creating the Instruction, the Device Name is always returned as part of the results.

Creating a Fragment for Guaranteed State

Now that we have learned how to create an instruction and a product pack using TIMS. We will now use TIMS to create a simple test fragment for use in Guaranteed State. The fragments that we create and import into Tachyon contain the items that we can use in our rules to evaluate device state and remediate. Fragments must have a specific schema defined. They must have at least 1 column Passed (case sensitive) and can have an optional column named Data to display some data from the device. In this scenario, we need to determine if certain files are present on our devices. Many times, a malware outbreak can be identified by looking for specific files. First, we will create a fragment that will check to see if a file is on the device. We will add a parameter that will allow our rule to supply the name of the file to search for, so that our Rule will test for any files that our Admin chooses. We will then modify the schema of our fragment so that it contains what is required for Guaranteed State to use the fragment. Once we have the fragment written we will import it into Guaranteed State and create a policy that will check our devices and view our results.

Creating the Fragment

166. Logged into 1ETRNW72 as 1ETRN\Manager1
167. Navigate to \\1etrnap\temp and copy the tims.v5.0.0.745 folder and the 1ETRN_Code_Signing_cert.pfx to c:\tools
168. Install TIMS and the code signing certificate on this device using the settings detailed earlier
169. Launch TIMS
170. Open File Explorer and create a text file called MyFile.txt
We will use this for testing our fragment as we create it.
171. In the code block pane type in

@a = FileSystem.FindFileByName(FileName:"myfile.txt", Fast:true);

172. Click Run
This SCALE command searches the drive for the existence of myfile.txt and dumps the location into a variable called a. Remember that @a is a different variable than @A in SCALE.
173. In the code block pane type in the following on the line 2

IF (@a)

This starts our If statement to do something based on our results for our first line that we dumped into our A temp table. This line basically says if @a contains data (so is true) do the next line that we will create now. We could also do the opposite and use IF NOT (@a) which in this case would be true if our variable did not contain any values. Without the NOT our If statement is true if our variable has value.
174. On line 3 type in the following:

SELECT 0 as Passed, "MyFile.txt exists" as Data;

175. On line 4 type in ELSE
176. On line 5 type in

SELECT 1 as Passed, "MyFile.txt does not exist" as Data;

177. On line 6 type in ENDIF;
178. Click Run
In our results pane we see a table with 1 row and 2 columns that contain the details about our file. Full path name, hash and size. Guaranteed State only needs the Passed value to be a 0 for failed (Non Compliant) or a 1 for passed (Compliant). The Data column is optional but allows us to expose some information in our View Details screen. We will add our specific file name using our parameter which we will create after we test our code block.

179. Open File Explorer and navigate to the location of your MyFile.txt – rename it to myfile.old
180. Open TIMS and Click Run
181. You should now see MyFile.txt does not exist in our Data column. Passed should contain 1
Now we will add a parameter that will allow us to substitute any file name for our "myfile.txt". This will make our fragment more versatile.
182. Click on Add Parameter in the ribbon
183. In the Instruction Parameter box Name field type in FileName. Notice that the pattern field is populated for us
184. In the Hint Text Field type in Unauthorized File Name
185. In the Control Section – Type field. Click the drop-down to see the available options
We are using Free Text which requires our Administrator to type in something without any help. We could also use a Value Picker and then create a list of Values that will populate the drop-down. Using a Value Picker makes it easier and quicker for the Administrator, if you know the values that should be selected for this parameter. We could also use Custom Properties and Values that we have added into Tachyon (remember how we set up Coverage Tags). We want our Admin to be able to use this one for any file so we will leave it as Free Text.
186. Click OK to close the box

187. In our code block pane change our "myfile.txt" to "%FileName%"
Adding the parameter will prompt for the value – if this was a regular instruction it would be filled in at the time of the Asking of the Question – since this is a fragment the value will be supplied by the Rule that we create in Guaranteed State.
188. In lines 3 and 5 change the myfile.txt to %FileName%
The quotation marks should be around the entire data that we are passing – i.e. "%FileName% exists"
189. Click Run. In the Parameters box type in MyFile.txt in the FileName field. Click Ok
190. Notice that our results did not change – now we will test our fragment.
191. Click Run again and this time enter Notepad.exe in the popup. Notice the results
192. Click Run again this time enter your name .yourname – we know this file will not exist
Now we need to format our fragment for use by Guaranteed State.
193. Click the Schema button in the ribbon. Choose Yes to create the schema
Clicking yes here will allow TIMS to create the schema based on what your instruction is bringing back for the responses. You can modify if you need to on the next screen.
194. Look at our Schema – see that we are passing 2 columns
You should note that a fragment can only have 1 row returned
195. In the Data row leave Data Type as String, Change the Length to 1024
The columns are case sensitive and must be exactly Passed and Data (although Data is optional). Maximum allowed length is 1024 characters but less can be configured depending on your data.

196. Click ok to close the Schema window
197. In the Instruction Definition pane Comments field type in Checks to see if the unauthorized file is on the drive
198. In the Description field type in Does this machine have an unauthorized file?
199. Leave Instruction Type as Question
200. Change the name to 1E-GuaranteedState-General-Check-SpecificFile
201. In the Readable Payload field type in Check for %FileName%
The readable payload is what will show in the Guaranteed State application selection list so name them something that will allow you to determine which one you will need to select. Since we have a Parameter defined in our instruction or fragment we need to reference it in our readable payload.
202. Click File – Save As – click Ok on the Validation window. Navigate to c:\tools and save it there as 1E-GuaranteedState-General-Check-SpecificFile.xml
203. Click Save

Viewing the Contents of an Integrated Product Pack

Before we make our own Integrated Product Pack to import into Guaranteed State, we will look at the format and contents of one of the default Integrated Product Packs

204. Still logged into 1ETRNW72 as 1ETRN\Manager1
205. Navigate to \\1ETRNAP\temp and copy the tachyonplatform.v5.0.0.592\ProductPacks to c:\tools
206. Navigate to c:\tools\tachyonplatform.v5.0.0.592\ProductPacks\Integrated and copy NomadClientHealth.zip to the root of c:\tools
207. Right click on c:\tools\NomadClientHealth.zip and select extract all
208. Navigate to c:\tools\NomadClientHealth and look at the contents of the folder
209. The fragments folder contains a check folder, a fix folder, and a precondition folder. Open each one of these and look at the .xml files in each one
Notice the naming convention of each of the .xml files each type of object to be imported into Guaranteed State should have a specific naming convention related to the specific object type.
210. Open each of the folders and look at the contents
Note the InstructionSets folder. Any fragments that refer to an embedded resource must have the instruction embedded in the Product Pack. The embedded resource must be available in the Tachyon Background Channel in order to be downloadable. Uploading a fragment does not populate the background channel the way that uploading an instruction set does. We include them in the Product Pack and the Deployment Tool creates the instruction set. Once this is done, both the fragment and the instruction will be able to retrieve the resource.

Creating the Product Pack

In order to import our Fragment into Tachyon we need to create a Product Pack. The product pack contains the objects needed for use by Tachyon and a manifest file. We will then import our Product Pack into Guaranteed State.

211. Still Logged into 1ETRNW72 as 1ETRN\Manager1
212. From Start – Run navigate to \\1etrnap\temp\AdditionalProductPacks\ and copy the Product_Pack_Templates folder to c:\tools
213. Open the folder to view the contents
Note the folders for Fragments, InstructionSets, Policies, Rules and TriggerTemplates this is where you place all those objects prior to import. In this exercise we are only going to import a Fragment that will be used as a check. We will then go into Guaranteed State and create our Rule, Policies, and Trigger (reusing ones we have imported previously). Notice we have a custom icon file. We are using the Folder.ico so it appears to be another folder. The Extending Tachyon v4 Course will cover creating the .xml to auto create the Rules, Policies and Trigger templates.
214. Navigate to C:\Tools\Product_Pack_Templates\Unauthorized File Product Pack\
215. Right click on the Manifest.xml and select Edit to open in Notepad
216. In the Name section replace Name of Product Pack with Unauthorized File
217. In the Description section replace Description of Product Pack with Checks for specified file
218. Notice we have already specified folder.ico in the Icon section
219. Save the file and close Notepad
220. In File Explorer Navigate back to c:\tools and copy 1E-GuaranteedState-General-Check-SpecificFile.xml to c:\tools\Product_Pack_Templates\Unauthorized File Product Pack\Fragments\Check (you will need to create the folder structure)
221. Multi-Select all the files and folders in c:\tools\Product_Pack_Templates\Unauthorized File Product Pack folder and Right click then choose Send To – Compressed (zipped) Folder
222. Click Ok on the warning. The empty folders are not needed for the .zip they were there to show the structure
Make sure that your folders are all in the root of the zip file. If the tool does not see the subfolders in the root it will fail to upload.
223. Rename the zip file to Unauthorized File Product Pack.zip

Importing into Guaranteed State

Now that we have created our Product Pack, we will import that into Guaranteed State using the Product Pack Deployment Tool

224. Still logged into 1ETRNW72 as 1ETRN\Manager1
225. Copy Unauthorized File Product Pack.zip to c:\Tools\tachyonplatform.v5.0.0.592\ProductPacks\Integrated
226. Double Click c:\Tools\tachyonplatform.v5.0.0.592\ProductPacks\Tachyon.ProductPackDeploymentTool.exe
We could also run Tachyon.ProductPackDeploymentTool.exe from a command prompt and add -log TRACE to increase the logging level for troubleshooting. The Tachyon.ProductPackDeploymentTool.log gets created in the same folder as the executable.
227. In the Server field change the URL to https://tachyon.1etrn.local/consumer
228. Click Test Connection
229. The results pane should show Connected to Tachyon version 5.0.0.592
230. Uncheck Select all
231. Select our Unauthorized File Product Pack and click Upload selected
In this version of the Product Pack Deployment Tool re-uploading a Product Pack will only re-upload any Instruction Sets whose versions have changed. If the version is not higher it will be skipped. Naming conventions for Instruction Sets is important and you want to keep each with unique names. Fragments are not versioned so make sure they are correct prior to uploading since the re-upload is skipped and the Cleanup button deletes everything.

Creating the Rule

Now that we have our Product Pack imported, we will create our rule that will use that fragment

232. Still logged into 1ETRNW72 as 1ETRN\Manager1
233. Open Google Chrome and Launch the Guaranteed State application if it is not already open
234. Navigate to Administration – Rules. Click New
235. In the Name field type in Unauthorized File Check
236. In the Description field type in Checks to see if a specific file is present
237. In the Type field select Check
238. In the Triggers box Choose Periodic (minutes) and type in 5 in the Interval Minutes field
In production you do not want to use the time interval trigger, as this processes the rules even if nothing has changed on the device. Instead, you want to use the specific trigger of that item state changing – the Tachyon client has built in intelligence so that we do not need to run things to ensure nothing has changed.
239. Leave Precondition empty
240. Click on Check. Choose our Check for <Unauthorized File Name>
241. In the FileName field type in Myfile.txt Click Save
The title of our fragment for the check field comes from our Readable Payload. If we have a Parameter hint configured (which we did) that will show in the <> to your Guaranteed State Admin. If you do not have a hint configured the letters of your variable will show without the %. In our example, it will appear as Check for <FileName>
242. Open File Explorer and navigate to your myfile.txt (before we renamed it) and name it back so that this machine will have the file we are looking for

Creating the Policy

Now that we have our Rule created, we need to create a policy that we will assign and deploy that will contain the rule we just created.

243. Navigate to Administration – Policies
244. Click New
245. In the Name field type in Unauthorized File Check – Myfile.txt
246. In the Description field type in Checks for MyFile.txt – if found device is non-compliant
247. In the All Rules pane select Unauthorized File Check and move it to Assigned Rules
248. Click Save

Assign and Deploy the Policy

249. Still logged into 1ETRNW72 as 1ETRN\Manager1 with Google Chrome still open
250. Select Unauthorized File Check – Myfile.txt Policy and click Assign
251. Choose All Devices Management Group. Click Save
252. Click Deploy. Click Ok

View the Results

253. Navigate to Overview. Click Refresh
254. Select Unauthorized File Check – Myfile.txt in the drop down. It may take a few moments until they all report in
255. Click on the Green slice in the Device State tile
256. Click on View History
257. Navigate back to Overview
258. Click on the Orange slice in the Device State tile
259. Click View History on any of the devices

Lab Summary

In this lab, we learned how to create instructions using TIMS. We started with a simple example, using the native language to query for active network connections. Then we created a question Instruction to query for the SCCM Site code of the client machines. Lastly, we created an action Instruction which allowed us to change the site code of the SCCM client to a value inputted by the operator. In doing so, we used a script rather than native language to execute the action. We also created a simple fragment in TIMS to extend Guaranteed State. We created a Product Pack and imported this into Guaranteed State. We then manually created a rule using this fragment and a policy to assign and deploy to our devices to determine the state of our environment. If you want to learn more about how to use TIMS to create even more complex Instructions and Fragments take our Extending Tachyon course.

Next Page
Ex 11 - TCN Opr v5.0 - Working with Experience