Exercise Overview:

Creating Instructions and Fragments Using TIMS

Tachyon provides many Instructions and Product Packs full of Instructions that can be executed out of the box from Tachyon. However, the value of Tachyon is its extendibility. Quite often, use cases will arise for different questions and actions that need to be performed on your client estate. This would require new instructions to be created. Tachyon provides a toolset to create your own instructions from scratch. These instructions can be created using either the native language used by the Tachyon client, or by deploying PS scripts. In this lab, we will create some instructions from scratch and use them in Tachyon. We will also use TIMS to create a fragment that we will import for use in Guaranteed State.

Configuring TIMS prerequisites

Tachyon Instruction Management Studio or TIMS is a utility that allows you to write your own instructions for consumption by Tachyon. In this exercise, we will configure TIMS prerequisites so we can begin writing our own instructions.

Enrolling a code signing certificate on the Tachyon server

Tachyon requires a code signing certificate to sign instructions with. This ensures that any instructions written for execution via Tachyon are signed, and no rogue instructions are introduced to the environment. The Code Signing certificate is also associated with the Tachyon license key to ensure that only those with the appropriate certificate are allowed to write instructions that can be used in Tachyon.

1ETRNAP
  1. Open SkyTap Shared Drive shortcut on the desktop and navigate to 1E Tachyon - Course Content\Tachyon 5.1 Course Content\ download tims.v5.1.0.922.zip, setSCCMsite.ps1 and 1ETRN_Code_Signing_cert.pfx files to c:\temp Extract the contents of the ZIP file
  2. From the start menu, type certificate, and click on Manage Computer Certificates
  3. In the Certificates console, right-click on Trusted Publishers. Select All Tasks>Import
  4. On the Welcome, ensure Local Machine is selected by default. Click Next
  5. On the File to Import page, click Browse
  6. Switch the file type to All Files (.)
  7. Navigate to c:\temp and double-click 1ETRN_Code_Signing_cert.pfx. Click Next
  8. On the Password page, input Passw0rd for the password and click Next
  9. On the Certificate Store, ensure Trusted Publishers is populated. Click Next
  10. On the final page, click Finish. Click OK
  11. In the Certificates console, expand Trusted Publishers>Certificates and validate that the code signing cert issued to SCCM Admin is present
  12. From a cmd prompt, run IISRESET to bounce IIS
  13. Running IISRESET will ensure the web service recognizes the certificate we just added to the server

Validate the certificate

  1. Double-Click the Code Signing certificate issued in the Trusted Publishers store
  2. Click on the Details tab and scroll down to the Thumbprint value. Make note of the first 4 and last 4 characters of the thumbprint
  3. Navigate to c:\programdata\1E\Licensing and right-click on the Tachyon.lic file and open with Notepad. Use Word Wrap to get better formatting of the file
  4. Do a search for 1ETRN. Note the signersha value associated with the Instruction. Ensure it matches the thumbprint of our code signing certificate
  5. When a license key is requested from 1E, you must specify what you want your instructions prefix to be and provide the thumbprint for the code signing certificate that will be used to create Instructions. This ensures that only those with the Code Signing certificate will be allowed to create Instructions that will be signed and allowed to be used in Tachyon. This also locks down what the Instruction can be named, in our case the prefix must be 1ETRN.
  6. Close the license file, ensuring no changes were made
  7. Close the certificates console

Enrolling the Code Signing certificate on a workstation

TIMS can be run on any machine in your environment. The instructions you develop will use the framework of the machine you are running TIMS on to validate the instruction. As such, we will run TIMS on one of the workstations. Wherever TIMS is run, the same Code Signing certificate must be enrolled in either the User or Computer store, generally in both.

1ETRNW71
  1. Logged in as 1etrn\Tachyon_Admin1, navigate to \\1etrnap\temp and copy the tims.v5.1.0.922 folder and setSCCMsite.ps1, 1ETRN_Code_Signing_cert.pfx to c:\tools
  2. From the start menu, type in mmc into the search box and launch mmc.exe
  3. Click File and select Add/Remove Snap-in
  4. From the snap-in wizard, select Certificates and click Add
  5. Select My user account and click Finish. Click OK
  6. If we are running TIMS under system context, the certificate must also reside under the Computer store. In our exercises, we will be running TIMS only in user context
  7. Expand Certificates (Current User) and right click on Personal
  8. Click All Tasks > Import
  9. On the Welcome page, click Next
  10. On the File to Import page, click Browse
  11. Switch the file type to All Files (.)
  12. Navigate to c:\tools and double-click 1ETRN_Code_Signing_cert.pfx. Click Next
  13. On the Password page, input Passw0rd for the password and click Next
  14. On the Certificate Store click Next
  15. On the final page, click Finish. Click OK
  16. Double-click the Code Signing certificate in the personal store and validate the thumbprint in the details tab. Validate it is the same as the one on the server and in the license file

Installing TIMS

In this exercise, we will install TIMS on a workstation, and use that workstation to write instructions.

1ETRNW71
  1. Navigate to c:\tools\tims.v5.1.0.922 and double-click TIMS-x86.msi
  2. All of our workstations are 32-bit in the labs so we will use the x86 version of TIMS. If you were creating instructions on a 64-bit client, you would use the x64 version on an x64 machine.
  3. On the Welcome page, click Next
  4. On the License Agreement page, select I accept the terms of this license agreement and click Next
  5. On the Destination Folder page, click Next
  6. On the Ready to Install the Program page, click Install
  7. Once installed, click Finish

Navigating TIMS

Now that we have prereqs in place and TIMS installed, we can begin working with TIMS. In this exercise, we will learn some basics about TIMS and begin exploring the native language, SCALE (Simple Cross-platform Agent Language for Extensibility), in the form of Modules and Methods used to write instructions.

1ETRNW71
  1. Log in as 1ETRN\Tachyon_Admin1 if not already logged in
  2. From the desktop, launch Tachyon Instruction Management Studio
  3. Instructions can be written under the user context or the System context. If we wanted to write instructions under the Local System context, we can launch TIMS using PSEXEC to run under the system context. For our labs, we will only use TIMS in the user context
  4. Review the different buttons in the top pane
  5. Click on Code Signing and select Select signing certificate
  6. TIMS will default to Code Signing certificates. We only have one enrolled, so it will default to that certificate
  7. Click on the Click here to view certificate properties link
  8. Note that the general tab of the certificate shows You have a private key that corresponds to this certificate
  9. If you do not have a private key associated with the certificate, Instructions written using the certificate will not work in Tachyon
  10. Click OK to close the certificate properties. Click OK to select the certificate
  11. Click on Code Signing and check Always sign
  12. This setting ensures that any instruction you attempt to save will be signed using the certificate we just selected
  13. In the top query window, type in the following text
  14. SELECT "hello"
  15. Note the query window begins to autofill the text you are typing. This is due to IntelliSense being integrated with TIMS. IntelliSense features are powered by a language service. A language service provides intelligent code completions based on language semantics and an analysis of your source code. If a language service knows possible completions, the IntelliSense suggestions will pop up as you type. If you continue typing characters, the list of members (variables, methods, etc.) is filtered to include only members containing your typed characters. Pressing Tab or Enter will insert the selected member
  16. Click the Run button up top
  17. Note that an error box pops up and a syntax error is displayed in the results pane. This is because each line of code must be ended with a semicolon
  18. Click OK on the error box
  19. At the very bottom, switch from Results to Log tab
  20. Note the various rows of errors. Specifically, a row displaying the following: Completely unterminated SELECT at line 1, column 9
  21. Return to the Results tab. Add a semicolon to the end of the instruction and click Run again
  22. Note there are no errors on the Log pane
  23. Switch to Results pane
  24. Note that the results show a column named hello with single quotes, and a value of hello
  25. Modify the syntax of the query to the following and click Run
  26. SELECT "hello" AS greeting;
  27. Note the column name is now set to greeting. Change to Results pane at the bottom instead of log
  28. Change the query to the following and rerun
  29. SELECT "hello" greeting;
  30. Note that you get the same result as before. The 'AS' is not necessary. If you are familiar with SQL language, you will get the hang of TIMS scripting very quickly
  31. Input the following below the existing line and click Run
  32. SELECT "goodbye" greeting;
  33. Note only the second line displays an output. Unlike SQL, both rows will not display an output, only the last. Switch the rows around to see only 'hello' will show. This is very important to remember when you begin to write complex instructions
  34. Clear the existing code from TIMS. Input the following query into the window. Type it out exactly as shown below, do not rely on IntelliSense to autofill it
  35. Network.getconnections();
  36. Note the error returned. Unsupported method 'getconnections'
  37. Change the syntax to the following
  38. Network.GetConnections();
  39. Note the results that are returned. The scripting language is case sensitive, so you must input very exact syntax. IntelliSense will ensure that these syntax errors are autocorrected
  40. Clear the query window and run the following queries, one line at a time, and review the results
  41. Software.GetInstallations(); 
    Device.GetSummary(); 
    FileSystem.GetFilesInFolder(Folder: "c:\\program files\\1E\\client"); 
    OperatingSystem.GetServiceInfo(); 
    OperatingSystem.GetInstalledUpdates();
    These queries give you a general sense of how the Methods and corresponding Modules operate. You can review all the Methods and Modules and use them in different ways to get data back. Subsequently, you can do more than just query machines, you can also act on machines. We will cover that later as we begin to write a complex Instruction using different Methods and Modules as well as functions.

Creating a basic Instruction

1ETRNW71
  1. Clear the TIMS query window and run the following
  2. Network.GetConnections();
  3. Click on the Schema button on the top ribbon. On the popup, click Yes
  4. In the Schema editor, click the different boxes. Here you can define the different parameters of the schema
  5. The GetConnections method has a predefined schema. We can define that value in the schema itself manually. The render as property allows for 3 rendering schemas currently, perforated, IPAddress, or currency. This allows for the results to be shown rendered as one of these data types
  6. Click on ProcessName and using the button, move it to the top
  7. Click OK to save the schema
  8. Click on Workflow. Note the different options available for Instruction Workflow in the dropdown. Click Cancel
  9. The workflow is defined as a global setting, but we can override that by explicitly defining a workflow per instruction. Certain Instructions might be low risk, and thus not require approval or 2FA.
  10. Click Task groups
  11. Tasks allow us to add instructions to specific task groups so they can be executed directly from the Tasks workspace in the Tachyon explorer console.
  12. Click Cancel to exit out of Task Groups
  13. Click on the Aggregation button on the ribbon
  14. Here, we can group by a specific value that is returned, as well as aggregate based on the available operations.
  15. Click Cancel
  16. Click Validate in the top ribbon. Note the errors displayed. Click Close
  17. A readable payload must be defined, and a description for the Instruction provided so it can be searched against in the Tachyon explorer console. A payload is essentially what the Instruction will present to the operator via the explorer console. A task group is not required; hence it is only a warning.
  18. In the Instruction Definition panel at the top right, note the different properties
  19. In the Description field, input Active Network Connections and click Enter
  20. You can click on the ellipses in the field to open up a dialog box as well.
  21. For the Name field, change the value from the default to 1ETRN-ActiveNetworkConnections
  22. For the ReadablePayload field, click on the ellipses at the right and input Active Network Connections. Click OK
  23. Review the other properties in the Instruction Definition pane. These are all configurable parameters, but if left alone they will default to the values of the installation
  24. Click Validate in the top ribbon. Note only a task groups warning is shown. Click Close
  25. From the menu bar, click File>Save As. Click OK on the validation page
  26. Save the Instruction under c:\tools as 1ETRN-ActiveNetworkConnections.xml
  27. Note in the top pane a message is displayed stating that the instruction definition was signed by XXX. This is because we chose to Always Sign earlier.
  28. Leave TIMS open with the instruction still defined in the top pane

Validating the Instruction

  1. In windows explorer, navigate to c:\tools. Note an XML file named 1ETRN-ActiveNetworkConnections has been created here
  2. Right-click the file and open with Internet Explorer
  3. Note the format and content of the instruction file
  4. If you have taken the Tachyon v5.1 - Install and Configure course we reviewed the instruction XML files in Ex 4 - Tachyon v5.1 - Install and Configure - Upload Instruction Sets and Create Management Groups and this format should look familiar. If not please read step 121 onwards

Uploading the instruction in Tachyon

In this task, we will add the newly created Instruction to Tachyon and ask the question to our clients.

  1. Navigate to https://tachyon.1etrn.local/tachyon in Google Chrome
  2. Launch the Settings Application
  3. Navigate to Instructions - Instruction sets
  4. Create an Instruction Set named 1ETRN
  5. From the top pane, click Upload. Browse to c:\tools and select 1ETRN-ActiveNetworkConnections.xml
  6. Click Open. Ensure the Instruction is uploaded successfully and there are no errors
  7. Select the Instruction in the middle pane, and click on the Move button in the right pane
  8. From the dropdown, select 1ETRN and click Move
  9. Click on the 1ETRN Instruction Set in the left pane to validate the instruction has been moved there
  10. We are now ready to execute this Instruction on our client machines. All instructions must reside within an Instruction Set before they can be executed via the Explorer Application.

Running the newly created Instruction

  1. Navigate to the Home page of Explorer Application
  2. From the top right, click the All Instructions button
  3. Note a 1ETRN Instruction set is now present. Expand the Instruction Set
  4. Click on the instruction and click Ask this question
  5. The data returned will display ProcessName as the first column after the PC name, as we changed the schema to move it to the top. If we left the schema default, the results would show in the same order they are shown in TIMS.
  6. Scroll down to see the results returned from the different machines
  7. Click the Back to Top link at the bottom right
  8. Click on the Filter Results button to expand the filter options
  9. In the Device Name box, input 1ETRNW73 for the local machine. Click Search
  10. Review the results for the local machine
  11. Return to TIMS. With the Network.GetConnections(); query still defined, click the Run button
  12. Note the connections. They should match what Tachyon returns via the Instruction

Creating a Product Pack with multiple Instructions

Now that we have navigated around the TIMS utility, we will create a Product Pack that will contain multiple instructions. In a production environment, you often will have multiple instructions that logically bind together. You can add those instructions individually to Tachyon, or you can bundle them up and add them together. In this exercise, we will create two instructions, a question and an action, and add them to Tachyon to validate their functionality.

Create a Question Instruction

In this task, we will create a query that identifies what the ConfigMgr assigned Site code is for our clients.

1ERTNW71
  1. In TIMS, go to File and select New to clear the existing instruction definition
  2. In the query window, type in the following query
  3. NativeServices.RunWmiQuery(Namespace:"root\\ccm", Query:"SELECT name from sms_authority");
    Ensure that the query is case sensitive as far as the Tachyon Modules and Methods go. The namespace and the WMI values can be case insensitive.
    Root\CCM is the ConfigMgr client WMI namespace, and SMS_Authority is the space under which the installed site value is saved, as the value name.
  4. Click the Run button
  5. Note the value that returns. This is the site code for the CM site in our lab environment
  6. In the Instruction Definition pane on the top right, input the following for Description and ReadablePayload
  7. What is the SCCM Site code?
  8. Name the Instruction 1ETRN-Check SCCM Site
  9. Click the Schema button in the top ribbon and validate the suggested schema. Click OK
  10. From the menu, click File>Save as. Click OK on the Validation page
  11. Save the instruction as 1ETRN-CheckSCCMSite.XML under c:\tools

Creating an Action Instruction using a script

In this task, we will create an action Instruction that changes the CM site code on the Tachyon clients. We will accomplish this via the use of a PowerShell script. In Tachyon, we have the ability to use the native language Modules and Methods, or a PS script.

1ETRNW71
  1. Browse to c:\tools\ and right click the setSCCMsite.ps1 file
  2. Edit with Notepad and review the syntax of the file
  3. The file is using a ConfigMgr client module to set the assigned site of a ConfigMgr client to whatever parameter is being passed to the script.
  4. In TIMS, from the ribbon along the top, select Import resource
  5. Browse to c:\tools\ and select the setSCCMsite.ps1 file
  6. In the Instruction Resource popup, review the settings and click OK
  7. Click Add parameter from the top ribbon and input SCCMSite into the name
  8. In the Max Length box, input 3. Click OK
  9. In the Middle pane, click the down arrow for the Resources next to the file name setSCCMsite and select Insert snippet to download
  10. This step will add syntax to the instruction for where to download the file, including the hash of the file. The script will be embedded in the instruction XML, so download instructions must reside within the instruction.
  11. On the line beneath the file download syntax, paste in the following
  12. Scripting.Run( Language: "PowerShell", ExecutionPolicy : "Override", Script : @resource1, InterpretAsJson : False , "%SCCMSite%");
    This syntax is referencing the script which we have imported into this Instruction, along with the parameter SCCMSite which we have defined. That parameter is what will get passed to the script from what is inputted by the administrator in the Explorer Application console.
  13. In the Instruction Definition pane on the top right, input something into Description
  14. Name the Instruction 1ETRN-Set SCCM Site Code
  15. Change the InstructionType to Action via the dropdown menu
  16. In the ReadablePayload field, input the following: Change the SCCM Site code to %SCCMSite%
  17. From the ribbon click on Schema
  18. In the Edit Schema page, Select the Name in the Column Name Column and click the red x button to delete the row
  19. Click the green+button. In the Column Name input ExitCode and change Data Type to int32
  20. Click the green+button again and in the Column Name input NewSCCMSite and leave the Data Type as String. Click OK
  21. Click the Run button from the top ribbon. Validate the results
  22. There are two columns outputted from the Instruction, an ExitCode and NewSCCMSite column. The schema definition will define the actual output the Explorer Application will display.
  23. From the menu, click File>Save as. Click OK on the Validation page
  24. Save the instruction as 1ETRN-SETSCCMSite.XML under c:\tools

Creating and Uploading the Product Pack

Now that we have two instructions, a question and an action, we are ready to upload them to Tachyon as a Product Pack.

1ETRNW71
  1. Browse to c:\tools and multiselect the 1ETRN-CheckSCCMSIte.XML and 1ETRN-SETSCCMSIte.XML files
  2. Right click on the selected files and select Send to> Compressed (zipped) folder
  3. Name the zip file 1ETRN-SCCMSite.zip
  4. In the browser, if the Settings Application is not already running, navigate to https:\\tachyon.1etrn.local\tachyon and choose Switch app or Settings
  5. Navigate to Instructions - Instruction sets
  6. Click the Upload button at the top right and browse out to c:\tools
  7. Select the 1ETRN-SCCMSite.zip file and click Open
  8. Validate that the file was uploaded without errors
  9. Click on the Unassigned Instruction Set and click the two instructions uploaded via the Product Pack named What is the SCCM Site code? and Change the SCCM Site code to <SCCMSite> and move them to the 1ETRN Instruction Set

Validating the Instructions

Now that we've created Instructions and added them to Tachyon, we are ready to validate that the instructions execute exactly what we defined within them and output the appropriate information when run.

1ETRNW71
  1. Navigate to the home page of the Explorer Application
  2. In the I want to know box, type in What is the SCCM Site code
  3. Click Ask this question
  4. Wait for all clients to respond. Note the Results return in the form of Device Name and Name for the SCCM Site code, and the value is in the form of SMS:xxx
  5. The Site code for the SCCM site in our lab environment is PS1. Keep note of this as we change the site code.
  6. Once all results are in, click on the Actions tab
  7. Type in Change the SCCM Site code
  8. Input AAA into the site code parameter box and click Perform this action
  9. Execute the 2FA and Approval process to process the action
  10. Note the results. There will be 3 columns, Device Name, ExitCode and NewSCCMSite
  11. The ExitCode and NewSCCMSite are columns we defined in the schema when creating the Instruction, the Device Name is always returned as part of the results.
  12. To confirm the Site Code has changed you can re run the What is the SCCM Site code question

Creating a Fragment for Guaranteed State

Now that we have learned how to create an instruction and a product pack using TIMS. We will now use TIMS to create a simple test fragment for use in Guaranteed State. The fragments that we create and import into Tachyon contain the items that we can use in our rules to evaluate device state and remediate. Fragments must have a specific schema defined. They must have at least 1 column Passed (case sensitive) and can have an optional column named Data to display some data from the device. In this scenario, we need to determine if certain files are present on our devices. Many times, a malware outbreak can be identified by looking for specific files. First, we will create a fragment that will check to see if a file is on the device. We will add a parameter that will allow our rule to supply the name of the file to search for, so that our Rule will test for any files that our Admin chooses. We will then modify the schema of our fragment so that it contains what is required for Guaranteed State to use the fragment. Once we have the fragment written we will import it into Guaranteed State and create a policy that will check our devices and view our results.

Creating the Fragment

1ETRNW72
  1. Logged into 1ETRNW72 as 1ETRN\Manager1
  2. Navigate to \\1etrnap\temp and copy the tims.v5.1.0.922 folder and the 1ETRN_Code_Signing_cert.pfx to c:\tools
  3. Install TIMS and the code signing certificate on this device using the settings detailed earlier
  4. Launch TIMS
  5. Open File Explorer and create a text file called MyFile.txt
  6. We will use this for testing our fragment as we create it.
  7. In the code block pane type in
  8. @a = FileSystem.FindFileByName(FileName:"myfile.txt", Fast:true);
  9. Click Run
  10. This SCALE command searches the drive for the existence of myfile.txt and dumps the location into a variable called a. Remember that @a is a different variable than @A in SCALE.
  11. In the code block pane type in the following on line 2
  12. IF (@a)
    This starts our If statement to do something based on our results for our first line that we dumped into our A temp table. This line basically says if @a contains data (so is true) do the next line that we will create now. We could also do the opposite and use IF NOT (@a) which in this case would be true if our variable did not contain any values. Without the NOT our If statement is true if our variable has value.
  13. On line 3 type in the following:
  14. SELECT 0 as Passed, "MyFile.txt exists" as Data;
  15. On line 4 type in ELSE
  16. On line 5 type in
  17. SELECT 1 as Passed, "MyFile.txt does not exist" as Data;
  18. On line 6 type in ENDIF;
  19. Click Run
  20. In our results pane we see a table with 1 row and 2 columns that contain the Data and Passed, which we defined in the code. Guaranteed State only needs the Passed value to be a 0 for failed (Non Compliant) or a 1 for passed (Compliant). The Data column is optional but allows us to expose some information in our View Details screen. We will add our specific file name using our parameter which we will create after we test our code block.

Your code block should look like this (you may not have indented)

  1. Open File Explorer and navigate to the location of your MyFile.txt – rename it to myfile.old
  2. Open TIMS and Click Run
  3. You should now see MyFile.txt does not exist in our Data column. Passed should contain 1
  4. Now we will add a parameter that will allow us to substitute any file name for our "myfile.txt". This will make our fragment more versatile.
  5. Click on Add Parameter in the ribbon
  6. In the Instruction Parameter box Name field type in FileName. Notice that the pattern field is populated for us
  7. In the Hint Text Field type in Unauthorized File Name
  8. In the Control Section – Type field. Click the drop-down to see the available options
  9. We are using Free Text which requires our Administrator to type in something without any help. We could also use a Value Picker and then create a list of Values that will populate the drop-down. Using a Value Picker makes it easier and quicker for the Administrator, if you know the values that should be selected for this parameter. We could also use Custom Properties and Values that we have added into Tachyon (remember how we set up Coverage Tags). We want our Admin to be able to use this one for any file so we will leave it as Free Text.
  10. Click OK to close the box

Your parameter should look like this

  1. In our code block pane change our "myfile.txt" to "%FileName%"
  2. Adding the parameter will prompt for the value – if this was a regular instruction it would be filled in at the time of the Asking of the Question – since this is a fragment the value will be supplied by the Rule that we create in Guaranteed State.
  3. In lines 3 and 5 change the myfile.txt to %FileName%
  4. The quotation marks should be around the entire data that we are passing – i.e. "%FileName% exists"
  5. Click Run. In the Parameters box type in MyFile.txt in the FileName field. Click Ok
  6. Notice that our results did not change – now we will test our fragment.
  7. Click Run again and this time enter Notepad.exe in the popup. Notice the results
  8. Click Run again this time enter your name .yourname – we know this file will not exist
  9. Now we need to format our fragment for use by Guaranteed State.
  10. Click the Schema button in the ribbon. Choose Yes to create the schema
  11. Clicking yes here will allow TIMS to create the schema based on what your instruction is bringing back for the responses. You can modify if you need to on the next screen.
  12. Look at our Schema – see that we are passing 2 columns
  13. You should note that a fragment can only have 1 row returned
  14. In the Data row leave Data Type as String, Change the Length to 1024
  15. The columns are case sensitive and must be exactly Passed and Data (although Data is optional). Maximum allowed length is 1024 characters but less can be configured depending on your data.

Your Schema should look like this

  1. Click ok to close the Schema window
  2. In the Instruction Definition pane Comments field type in Checks to see if the unauthorized file is on the drive
  3. In the Description field type in Does this machine have an unauthorized file?
  4. Change Instruction Type to Check
  5. Guaranteed State Fragments can only have one of three Instruction Types Check, Fix or Precondition
  6. Change the name to 1E-GuaranteedState-Check-CheckSpecificFile
  7. In the lab our naming convention has to be of the format: 1E-GuaranteedState-Check-*,  1E-GuaranteedState-Fix-* or 1E-GuaranteedState-Precondition-* this is how the pattern is set in the license file, along with the thumbprint of the code signing certificate, not meeting the naming or the code signing makes the fragment unlicensed and not useable.
  8. In the Readable Payload field type in Check for %FileName%
  9. The readable payload is what will show in the Guaranteed State application selection list so name them something that will allow you to determine which one you will need to select. Since we have a Parameter defined in our instruction or fragment we need to reference it in our readable payload.
  10. Click File – Save As – click Ok on the Validation window. Navigate to c:\tools and save it there as 1E-GuaranteedState-Check-CheckSpecificFile.xml
  11. Click Save

Viewing the Contents of an Integrated Product Pack

Before we make our own Integrated Product Pack to import into Guaranteed State, we will look at the format and contents of one of the default Integrated Product Packs


1ETRNW72
  1. Still logged into 1ETRNW72 as 1ETRN\Manager1
  2. Navigate to \\1ETRNAP\temp and copy the TachyonPlatform.v5.1.0.663\ProductPacks to c:\tools
  3. Navigate to c:\tools\TachyonPlatform.v5.1.0.663\ProductPacks\Integrated and copy NomadClientHealth.zip to the root of c:\tools
  4. Right click on c:\tools\NomadClientHealth.zip and select extract all
  5. Navigate to c:\tools\NomadClientHealth and look at the contents of the folder
  6. The fragments folder contains a check folder, a fix folder, and a precondition folder. Open each one of these and look at the .xml files in each one
  7. Notice the naming convention of each of the .xml files each type of object to be imported into Guaranteed State should have a specific naming convention related to the specific object type.
  8. Open each of the folders and look at the contents
  9. Note the InstructionSets folder. Any fragments that refer to an embedded resource must have the instruction embedded in the Product Pack. The embedded resource must be available in the Tachyon Background Channel in order to be downloadable. Uploading a fragment does not populate the background channel the way that uploading an instruction set does. We include them in the Product Pack and the Deployment Tool creates the instruction set. Once this is done, both the fragment and the instruction will be able to retrieve the resource.

Creating the Product Pack

In order to import our Fragment into Tachyon we need to create a Product Pack. The product pack contains the objects needed for use by Tachyon and a manifest file. We will then import our Product Pack into Guaranteed State.

1ETRNW72
  1. Still Logged into 1ETRNW72 as 1ETRN\Manager1
  2. From Start – Run navigate to \\1etrnap\temp\AdditionalProductPacks\ and copy the Product_Pack_Templates folder to c:\tools
  3. Open the folder to view the contents
  4. Note the folders for Fragments, InstructionSets, Policies, Rules and TriggerTemplates this is where you place all those objects prior to import. In this exercise we are only going to import a Fragment that will be used as a check. We will then go into Guaranteed State and create our Rule, Policies, and Trigger (reusing ones we have imported previously). Notice we have a custom icon file. We are using the Folder.ico so it appears to be another folder. The Extending Tachyon v4 Course will cover creating the .xml to auto create the Rules, Policies and Trigger templates.
  5. Navigate to C:\Tools\Product_Pack_Templates\Unauthorized File Product Pack\
  6. Right click on the Manifest.xml and select Edit to open in Notepad
  7. In the Name section replace Name of Product Pack with Unauthorized File
  8. In the Description section replace Description of Product Pack with Checks for specified file
  9. Notice we have already specified folder.ico in the Icon section
  10. Save the file and close Notepad
  11. In File Explorer Navigate back to c:\tools and copy 1E-GuaranteedState-Check-CheckSpecificFile.xml to c:\tools\Product_Pack_Templates\Unauthorized File Product Pack\Fragments\Check (you will need to create the folder structure)
  12. Multi-Select all the files and folders in c:\tools\Product_Pack_Templates\Unauthorized File Product Pack folder and Right click then choose Send To – Compressed (zipped) Folder
  13. Click Ok on the warning. (if one is seen) The empty folders are not needed for the .zip they were there to show the structure
  14. Make sure that your folders are all in the root of the zip file. If the tool does not see the subfolders in the root it will fail to upload.
  15. Rename the zip file to Unauthorized File Product Pack.zip

Importing into Guaranteed State

Now that we have created our Product Pack, we will import that into Guaranteed State using the Product Pack Deployment Tool

1ETRNW72
  1. Still logged into 1ETRNW72 as 1ETRN\Manager1
  2. Copy Unauthorized File Product Pack.zip to c:\Tools\TachyonPlatform.v5.1.0.663\ProductPacks\Integrated
  3. Double Click c:\Tools\TachyonPlatform.v5.1.0.663\ProductPacks\Tachyon.ProductPackDeploymentTool.exe
  4. We could also run Tachyon.ProductPackDeploymentTool.exe from a command prompt and add -log TRACE to increase the logging level for troubleshooting. The Tachyon.ProductPackDeploymentTool.log gets created in the same folder as the executable.
  5. In the Server field change the URL to https://tachyon.1etrn.local/consumer
  6. Click Test Connection
  7. The results pane should show Connected to Tachyon version 5.1.0.663
  8. Uncheck Select all
  9. Select our Unauthorized File Product Pack and click Upload selected
  10. In this version of the Product Pack Deployment Tool re-uploading a Product Pack will only re-upload any Instruction Sets whose versions have changed. If the version is not higher it will be skipped. Naming conventions for Instruction Sets is important and you want to keep each with unique names. Fragments are not versioned so make sure they are correct prior to uploading since the re-upload is skipped and the Cleanup button deletes everything.

Creating the Rule

Now that we have our Product Pack imported, we will create our rule that will use that fragment

1ETRNW72
  1. Still logged into 1ETRNW72 as 1ETRN\Manager1
  2. Open Google Chrome and Launch the Guaranteed State application if it is not already open
  3. Navigate to Administration – Rules. Click New
  4. In the Name field type in Unauthorized File Check
  5. In the Description field type in Checks to see if a specific file is present
  6. Leave Precondition empty
  7. In the Triggers field start typing Periodic and select Periodic (minutes) and type in 5 in the Interval Minutes field
  8. In production you do not want to use the time interval trigger, as this processes the rules even if nothing has changed on the device. Instead, you want to use the specific trigger of that item state changing – the Tachyon client has built in intelligence so that we do not need to run things to ensure nothing has changed.
  9. Scroll to the Check section
  10. Start typing Check for in the Check field. Choose our Check for File Name fragment
  11. In the FileName field type in MyFile.txt Click Save
  12. The title of our fragment for the check field comes from our Readable Payload. If we have a Parameter hint configured (which we did) that will show in the <> to your Guaranteed State Admin. If you do not have a hint configured the letters of your variable will show without the %. In our example, it will appear as Check for <FileName>
  13. Open File Explorer and navigate to your MyFile.txt (before we renamed it) and name it back so that this machine will have the file we are looking for

Creating the Policy

Now that we have our Rule created, we need to create a policy that we will assign and deploy that will contain the rule we just created.

1ETRNW72
  1. Navigate to Administration – Policies
  2. Click New
  3. In the Name field type in Unauthorized File Check – MyFile.txt
  4. In the Description field type in Checks for MyFile.txt – if found device is non-compliant
  5. In the All Rules pane select Unauthorized File Check and move it to Assigned Rules
  6. Click Save

Assign and Deploy the Policy

1ETRNW72
  1. Still logged into 1ETRNW72 as 1ETRN\Manager1 with Google Chrome still open
  2. Select Unauthorized File Check – MyFile.txt Policy and click Assign
  3. Choose All Devices Management Group. Click Save
  4. Click Deploy. Click Ok

View the Results

  1. Navigate to Overview. Click Refresh
  2. Select Unauthorized File Check – MyFile.txt in the drop down. It may take a few moments until they all report in
  3. Click on the Green slice in the Device State tile
  4. Click on View History
  5. Navigate back to Overview
  6. Click on the Orange slice in the Device State tile
  7. Click View History on any of the devices

Lab Summary

In this lab, we learned how to create instructions using TIMS. We started with a simple example, using the native language to query for active network connections. Then we created a question Instruction to query for the SCCM Site code of the client machines. Lastly, we created an action Instruction which allowed us to change the site code of the SCCM client to a value inputted by the operator. In doing so, we used a script rather than native language to execute the action. We also created a simple fragment in TIMS to extend Guaranteed State. We created a Product Pack and imported this into Guaranteed State. We then manually created a rule using this fragment and a policy to assign and deploy to our devices to determine the state of our environment. If you want to learn more about how to use TIMS to create even more complex Instructions and Fragments take our Extending Tachyon course.