Creating Instructions and Fragments Using TIMS

Tachyon provides many Instructions and Product Packs full of Instructions that can be executed out of the box from Tachyon. However, the value of Tachyon is its extendibility. Quite often, use cases will arise for different questions and actions that need to be performed on your client estate. This would require new instructions to be created. Tachyon provides a toolset to create your own instructions from scratch. These instructions can be created using either the native language used by the Tachyon client, or by deploying PS scripts. In this lab, we will create some instructions from scratch and use them in Tachyon. We will also use TIMS to create a fragment that we will import for use in Guaranteed State.

Configuring TIMS prerequisites

Tachyon Instruction Management Studio or TIMS is a utility that allows you to write your own instructions for consumption by Tachyon. In this exercise, we will configure TIMS prerequisites so we can begin writing our own instructions.

Enrolling a code signing certificate on the Tachyon server

Tachyon requires a code signing certificate to sign instructions with. This ensures that any instructions written for execution via Tachyon are signed, and no rogue instructions are introduced to the environment. The Code Signing certificate is also associated with the Tachyon license key to ensure that only those with the appropriate certificate are allowed to write instructions that can be used in Tachyon.

1ETRNAP



Open SkyTap Shared Drive shortcut on the desktop and navigate to 1E Tachyon - Course Content\Tachyon v5.2 - Course Content\ download tims.v5.2.5.523.zip, setSCCMsite.ps1 and 1ETRN_Code_Signing_cert.pfx files to c:\temp Extract the contents of the ZIP file


From the start menu, type certificate, and click on Manage Computer Certificates


In the Certificates console, right-click on Trusted Publishers. Select All Tasks>Import


On the Welcome, ensure Local Machine is selected by default. Click Next


On the File to Import page, click Browse


Switch the file type to All Files (.)


Navigate to c:\temp and double-click 1ETRN_Code_Signing_cert.pfx. Click Next


On the Password page, input Passw0rd for the password and click Next


On the Certificate Store, ensure Trusted Publishers is populated. Click Next


On the final page, click Finish. Click OK


In the Certificates console, expand Trusted Publishers>Certificates and validate that the code signing cert issued to SCCM Admin is present


From a cmd prompt, run IISRESET to bounce IIS


Running IISRESET will ensure the web service recognizes the certificate we just added to the server


Validate the certificate


Double-Click the Code Signing certificate issued in the Trusted Publishers store


Click on the Details tab and scroll down to the Thumbprint value. Make note of the first 4 and last 4 characters of the thumbprint


Navigate to c:\programdata\1E\Licensing and right-click on the Tachyon.lic file and open with Notepad. Use Word Wrap to get better formatting of the file


Do a search for 1ETRN. Note the signersha value associated with the Instruction. Ensure it matches the thumbprint of our code signing certificate


When a license key is requested from 1E, you must specify what you want your instructions prefix to be and provide the thumbprint for the code signing certificate that will be used to create Instructions. This ensures that only those with the Code Signing certificate will be allowed to create Instructions that will be signed and allowed to be used in Tachyon. This also locks down what the Instruction can be named, in our case the prefix must be 1ETRN.


Close the license file, ensuring no changes were made


Close the certificates console


Enrolling the Code Signing certificate on a workstation

TIMS can be run on any machine in your environment. The instructions you develop will use the framework of the machine you are running TIMS on to validate the instruction. As such, we will run TIMS on one of the workstations. Wherever TIMS is run, the same Code Signing certificate must be enrolled in either the User or Computer store, generally in both.

1ETRNW71



Logged in as 1etrn\Tachyon_Admin1, navigate to \\1etrnap\temp and copy the tims.v5.2.5.523 folder and setSCCMsite.ps1, 1ETRN_Code_Signing_cert.pfx to c:\tools


From the start menu, type in mmc into the search box and launch mmc.exe


Click File and select Add/Remove Snap-in


From the snap-in wizard, select Certificates and click Add


Select My user account and click Finish. Click OK


If we are running TIMS under system context, the certificate must also reside under the Computer store. In our exercises, we will be running TIMS only in user context


Expand Certificates (Current User) and right click on Personal


Click All Tasks > Import


On the Welcome page, click Next


On the File to Import page, click Browse


Switch the file type to All Files (.)


Navigate to c:\tools and double-click 1ETRN_Code_Signing_cert.pfx. Click Next


On the Password page, input Passw0rd for the password and click Next


On the Certificate Store click Next


On the final page, click Finish. Click OK


Double-click the Code Signing certificate in the personal store and validate the thumbprint in the details tab. Validate it is the same as the one on the server and in the license file


Installing TIMS

In this exercise, we will install TIMS on a workstation, and use that workstation to write instructions.

1ETRNW71



Navigate to c:\tools\tims.v5.2.5.523 and double-click TIMS-x86.msi


All of our workstations are 32-bit in the labs so we will use the x86 version of TIMS. If you were creating instructions on a 64-bit client, you would use the x64 version on an x64 machine.


On the Welcome page, click Next


On the License Agreement page, select I accept the terms of this license agreement and click Next


On the Destination Folder page, click Next


On the Ready to Install the Program page, click Install


Once installed, click Finish


Navigating TIMS

Now that we have prereqs in place and TIMS installed, we can begin working with TIMS. In this exercise, we will learn some basics about TIMS and begin exploring the native language, SCALE (Simple Cross-platform Agent Language for Extensibility), in the form of Modules and Methods used to write instructions.

1ETRNW71



Log in as 1ETRN\Tachyon_Admin1 if not already logged in


From the desktop, launch Tachyon Instruction Management Studio


Instructions can be written under the user context or the System context. If we wanted to write instructions under the Local System context, we can launch TIMS using PSEXEC to run under the system context. For our labs, we will only use TIMS in the user context


Review the different buttons in the top pane


Click on Code Signing and select Select signing certificate


TIMS will default to Code Signing certificates. We only have one enrolled, so it will default to that certificate


Click on the Click here to view certificate properties link


Note that the general tab of the certificate shows You have a private key that corresponds to this certificate


If you do not have a private key associated with the certificate, Instructions written using the certificate will not work in Tachyon


Click OK to close the certificate properties. Click OK to select the certificate


Click on Code Signing and check Always sign


This setting ensures that any instruction you attempt to save will be signed using the certificate we just selected


In the top query window, type in the following text


SELECT "hello"


Note the query window begins to autofill the text you are typing. This is due to IntelliSense being integrated with TIMS. IntelliSense features are powered by a language service. A language service provides intelligent code completions based on language semantics and an analysis of your source code. If a language service knows possible completions, the IntelliSense suggestions will pop up as you type. If you continue typing characters, the list of members (variables, methods, etc.) is filtered to include only members containing your typed characters. Pressing Tab or Enter will insert the selected member


Click the Run button up top


Note that an error box pops up and a syntax error is displayed in the results pane. This is because each line of code must be ended with a semicolon


Click OK on the error box


At the very bottom, switch from Results to Log tab


Note the various rows of errors. Specifically, a row displaying the following: Completely unterminated SELECT at line 1, column 9


Return to the Results tab. Add a semicolon to the end of the instruction and click Run again


Note there are no errors on the Log pane


Switch to Results pane


Note that the results show a column named hello with single quotes, and a value of hello


Modify the syntax of the query to the following and click Run


SELECT "hello" AS greeting;


Note the column name is now set to greeting. Change to Results pane at the bottom instead of log


Change the query to the following and rerun


SELECT "hello" greeting;


Note that you get the same result as before. The 'AS' is not necessary. If you are familiar with SQL language, you will get the hang of TIMS scripting very quickly


Input the following below the existing line and click Run


SELECT "goodbye" greeting;


Note only the second line displays an output. Unlike SQL, both rows will not display an output, only the last. Switch the rows around to see only 'hello' will show. This is very important to remember when you begin to write complex instructions


Clear the existing code from TIMS. Input the following query into the window. Type it out exactly as shown below, do not rely on IntelliSense to autofill it


Network.getconnections();


Note the error returned. Unsupported method 'getconnections'


Change the syntax to the following


Network.GetConnections();


Note the results that are returned. The scripting language is case sensitive, so you must input very exact syntax. IntelliSense will ensure that these syntax errors are autocorrected


Clear the query window and run the following queries, one line at a time, and review the results


Software.GetInstallations(); 
Device.GetSummary(); 
FileSystem.GetFilesInFolder(Folder: "c:\\program files\\1E\\client"); 
OperatingSystem.GetServiceInfo(); 
OperatingSystem.GetInstalledUpdates();


These queries give you a general sense of how the Methods and corresponding Modules operate. You can review all the Methods and Modules and use them in different ways to get data back. Subsequently, you can do more than just query machines, you can also act on machines. We will cover that later as we begin to write a complex Instruction using different Methods and Modules as well as functions.


Creating a basic Instruction

1ETRNW71



Clear the TIMS query window and run the following


Network.GetConnections();


Click on the Schema button on the top ribbon. On the popup, click Yes


In the Schema editor, click the different boxes. Here you can define the different parameters of the schema


The GetConnections method has a predefined schema. We can define that value in the schema itself manually. The render as property allows for 3 rendering schemas currently, perforated, IPAddress, or currency. This allows for the results to be shown rendered as one of these data types


Click on ProcessName and using the  button, move it to the top


Click OK to save the schema


Click on Workflow. Note the different options available for Instruction Workflow in the dropdown. Click Cancel


The workflow is defined as a global setting, but we can override that by explicitly defining a workflow per instruction. Certain Instructions might be low risk, and thus not require approval or 2FA.


Click Task groups


Tasks allow us to add instructions to specific task groups so they can be executed directly from the Tasks workspace in the Tachyon explorer console.


Click Cancel to exit out of Task Groups


Click on the Aggregation button on the ribbon


Here, we can group by a specific value that is returned, as well as aggregate based on the available operations.


Click Cancel


Click Validate in the top ribbon. Note the errors displayed. Click Close


A readable payload must be defined, and a description for the Instruction provided so it can be searched against in the Tachyon explorer console. A payload is essentially what the Instruction will present to the operator via the explorer console. A task group is not required; hence it is only a warning.


In the Instruction Definition panel at the top right, note the different properties


In the Description field, input Active Network Connections and click Enter


You can click on the ellipses in the field to open up a dialog box as well.


For the Name field, change the value from the default to 1ETRN-ActiveNetworkConnections


For the ReadablePayload field, click on the ellipses at the right and input Active Network Connections. Click OK


Review the other properties in the Instruction Definition pane. These are all configurable parameters, but if left alone they will default to the values of the installation


Click Validate in the top ribbon. Note only a task groups warning is shown. Click Close


From the menu bar, click File>Save As. Click OK on the validation page


Save the Instruction under c:\tools as 1ETRN-ActiveNetworkConnections.xml


Note in the top pane a message is displayed stating that the instruction definition was signed by XXX. This is because we chose to Always Sign earlier.


Leave TIMS open with the instruction still defined in the top pane


Validating the Instruction


In windows explorer, navigate to c:\tools. Note an XML file named 1ETRN-ActiveNetworkConnections has been created here


Right-click the file and open with Internet Explorer


Note the format and content of the instruction file


If you have taken the Tachyon v5.2 - Install and Configure course we reviewed the instruction XML files in Ex 4 - Tachyon v5.2 - Install and Configure - Upload Instruction Sets and Create Management Groups and this format should look familiar. If not please read step 121 onwards


Uploading the instruction in Tachyon

In this task, we will add the newly created Instruction to Tachyon and ask the question to our clients.


Navigate to https://tachyon.1etrn.local/tachyon in Google Chrome


Launch the Settings Application


Navigate to Instructions - Instruction sets


Create an Instruction Set named 1ETRN


From the top pane, click Upload. Browse to c:\tools and select 1ETRN-ActiveNetworkConnections.xml


Click Open. Ensure the Instruction is uploaded successfully and there are no errors


Select the Instruction in the middle pane, and click on the Move button in the right pane


From the dropdown, select 1ETRN and click Move


Click on the 1ETRN Instruction Set in the left pane to validate the instruction has been moved there


We are now ready to execute this Instruction on our client machines. All instructions must reside within an Instruction Set before they can be executed via the Explorer Application.


Running the newly created Instruction


Navigate to the Home page of Explorer Application


From the top right, click the All Instructions button


Note a 1ETRN Instruction set is now present. Expand the Instruction Set


Click on the instruction and click Ask this question


The data returned will display ProcessName as the first column after the PC name, as we changed the schema to move it to the top. If we left the schema default, the results would show in the same order they are shown in TIMS.


Scroll down to see the results returned from the different machines


Click the Back to Top link at the bottom right


Click on the Filter Results button to expand the filter options


In the Device Name box, input 1ETRNW73 for the local machine. Click Search


Review the results for the local machine


Return to TIMS. With the Network.GetConnections(); query still defined, click the Run button


Note the connections. They should match what Tachyon returns via the Instruction


Creating a Product Pack with multiple Instructions

Now that we have navigated around the TIMS utility, we will create a Product Pack that will contain multiple instructions. In a production environment, you often will have multiple instructions that logically bind together. You can add those instructions individually to Tachyon, or you can bundle them up and add them together. In this exercise, we will create two instructions, a question and an action, and add them to Tachyon to validate their functionality.

Create a Question Instruction

In this task, we will create a query that identifies what the ConfigMgr assigned Site code is for our clients.

1ERTNW71



In TIMS, go to File and select New to clear the existing instruction definition


In the query window, type in the following query


NativeServices.RunWmiQuery(Namespace:"root\\ccm", Query:"SELECT name from sms_authority");


Ensure that the query is case sensitive as far as the Tachyon Modules and Methods go. The namespace and the WMI values can be case insensitive.


Root\CCM is the ConfigMgr client WMI namespace, and SMS_Authority is the space under which the installed site value is saved, as the value name.


Click the Run button


Note the value that returns. This is the site code for the CM site in our lab environment


In the Instruction Definition pane on the top right, input the following for Description and ReadablePayload


What is the SCCM Site code?


Name the Instruction 1ETRN-Check SCCM Site


Click the Schema button in the top ribbon and validate the suggested schema. Click OK


From the menu, click File>Save as. Click OK on the Validation page


Save the instruction as 1ETRN-CheckSCCMSite.XML under c:\tools


Creating an Action Instruction using a script

In this task, we will create an action Instruction that changes the CM site code on the Tachyon clients. We will accomplish this via the use of a PowerShell script. In Tachyon, we have the ability to use the native language Modules and Methods, or a PS script.

1ETRNW71



Browse to c:\tools\ and right click the setSCCMsite.ps1 file


Edit with Notepad and review the syntax of the file


The file is using a ConfigMgr client module to set the assigned site of a ConfigMgr client to whatever parameter is being passed to the script.


In TIMS, from the ribbon along the top, select Import resource


Browse to c:\tools\ and select the setSCCMsite.ps1 file


In the Instruction Resource popup, review the settings and click OK


Click Add parameter from the top ribbon and input SCCMSite into the name


In the Max Length box, input 3. Click OK


In the Middle pane, click the down arrow for the Resources next to the file name setSCCMsite and select Insert snippet to download


This step will add syntax to the instruction for where to download the file, including the hash of the file. The script will be embedded in the instruction XML, so download instructions must reside within the instruction.


On the line beneath the file download syntax, paste in the following


Scripting.Run( Language: "PowerShell", ExecutionPolicy : "Override", Script : @resource1, InterpretAsJson : False , "%SCCMSite%");


This syntax is referencing the script which we have imported into this Instruction, along with the parameter SCCMSite which we have defined. That parameter is what will get passed to the script from what is inputted by the administrator in the Explorer Application console.


In the Instruction Definition pane on the top right, input something into Description


Name the Instruction 1ETRN-Set SCCM Site Code


Change the InstructionType to Action via the dropdown menu


In the ReadablePayload field, input the following: Change the SCCM Site code to %SCCMSite%


From the ribbon click on Schema


In the Edit Schema page, Select the Name in the Column Name Column and click the red x button to delete the row


Click the green+button. In the Column Name input ExitCode and change Data Type to int32


Click the green+button again and in the Column Name input NewSCCMSite and leave the Data Type as String. Click OK


Click the Run button from the top ribbon. Validate the results


There are two columns outputted from the Instruction, an ExitCode and NewSCCMSite column. The schema definition will define the actual output the Explorer Application will display.


From the menu, click File>Save as. Click OK on the Validation page


Save the instruction as 1ETRN-SETSCCMSite.XML under c:\tools


Creating and Uploading the Product Pack

Now that we have two instructions, a question and an action, we are ready to upload them to Tachyon as a Product Pack.

1ETRNW71



Browse to c:\tools and multiselect the 1ETRN-CheckSCCMSIte.XML and 1ETRN-SETSCCMSIte.XML files


Right click on the selected files and select Send to> Compressed (zipped) folder


Name the zip file 1ETRN-SCCMSite.zip


In the browser, if the Settings Application is not already running, navigate to https:\\tachyon.1etrn.local\tachyon and choose Switch app or Settings


Navigate to Instructions - Instruction sets


Click the Upload button at the top right and browse out to c:\tools


Select the 1ETRN-SCCMSite.zip file and click Open


Validate that the file was uploaded without errors


Click on the Unassigned Instruction Set and click the two instructions uploaded via the Product Pack named What is the SCCM Site code? and Change the SCCM Site code to <SCCMSite> and move them to the 1ETRN Instruction Set


Validating the Instructions

Now that we've created Instructions and added them to Tachyon, we are ready to validate that the instructions execute exactly what we defined within them and output the appropriate information when run.

1ETRNW71



Navigate to the home page of the Explorer Application


In the I want to know box, type in What is the SCCM Site code


Click Ask this question


Wait for all clients to respond. Note the Results return in the form of Device Name and Name for the SCCM Site code, and the value is in the form of SMS:xxx


The Site code for the SCCM site in our lab environment is PS1. Keep note of this as we change the site code.


Once all results are in, click on the Actions tab


Type in Change the SCCM Site code


Input AAA into the site code parameter box and click Perform this action


Execute the 2FA and Approval process to process the action


Note the results. There will be 3 columns, Device Name, ExitCode and NewSCCMSite


The ExitCode and NewSCCMSite are columns we defined in the schema when creating the Instruction, the Device Name is always returned as part of the results.


To confirm the Site Code has changed you can re run the What is the SCCM Site code question


Creating a Fragment for Guaranteed State

Now that we have learned how to create an instruction and a product pack using TIMS. We will now use TIMS to create a simple test fragment for use in Guaranteed State. The fragments that we create and import into Tachyon contain the items that we can use in our rules to evaluate device state and remediate. Fragments must have a specific schema defined. They must have at least 1 column Passed (case sensitive) and can have an optional column named Data to display some data from the device. In this scenario, we need to determine if certain files are present on our devices. Many times, a malware outbreak can be identified by looking for specific files. First, we will create a fragment that will check to see if a file is on the device. We will add a parameter that will allow our rule to supply the name of the file to search for, so that our Rule will test for any files that our Admin chooses. We will then modify the schema of our fragment so that it contains what is required for Guaranteed State to use the fragment. Once we have the fragment written we will import it into Guaranteed State and create a policy that will check our devices and view our results.

Creating the Fragment

1ETRNW72



Logged into 1ETRNW72 as 1ETRN\Manager1


Navigate to \\1etrnap\temp and copy the tims.v5.2.5.523 folder and the 1ETRN_Code_Signing_cert.pfx to c:\tools


Install TIMS and the code signing certificate on this device using the settings detailed earlier


Launch TIMS


Open File Explorer and create a text file called MyFile.txt


We will use this for testing our fragment as we create it.


In the code block pane type in


@a = FileSystem.FindFileByName(FileName:"myfile.txt", Fast:true);


Click Run


This SCALE command searches the drive for the existence of myfile.txt and dumps the location into a variable called a. Remember that @a is a different variable than @A in SCALE.


In the code block pane type in the following on line 2


IF (@a)


This starts our If statement to do something based on our results for our first line that we dumped into our A temp table. This line basically says if @a contains data (so is true) do the next line that we will create now. We could also do the opposite and use IF NOT (@a) which in this case would be true if our variable did not contain any values. Without the NOT our If statement is true if our variable has value.


On line 3 type in the following:


SELECT 0 as Passed, "MyFile.txt exists" as Data;


On line 4 type in ELSE


On line 5 type in


SELECT 1 as Passed, "MyFile.txt does not exist" as Data;


On line 6 type in ENDIF;


Click Run


In our results pane we see a table with 1 row and 2 columns that contain the Data and Passed, which we defined in the code. Guaranteed State only needs the Passed value to be a 0 for failed (Non Compliant) or a 1 for passed (Compliant). The Data column is optional but allows us to expose some information in our View Details screen. We will add our specific file name using our parameter which we will create after we test our code block.




Your code block should look like this (you may not have indented)




Open File Explorer and navigate to the location of your MyFile.txt – rename it to myfile.old


Open TIMS and Click Run


You should now see MyFile.txt does not exist in our Data column. Passed should contain 1


Now we will add a parameter that will allow us to substitute any file name for our "myfile.txt". This will make our fragment more versatile.


Click on Add Parameter in the ribbon


In the Instruction Parameter box Name field type in FileName. Notice that the pattern field is populated for us


In the Hint Text Field type in Unauthorized File Name


In the Control Section – Type field. Click the drop-down to see the available options


We are using Free Text which requires our Administrator to type in something without any help. We could also use a Value Picker and then create a list of Values that will populate the drop-down. Using a Value Picker makes it easier and quicker for the Administrator, if you know the values that should be selected for this parameter. We could also use Custom Properties and Values that we have added into Tachyon (remember how we set up Coverage Tags). We want our Admin to be able to use this one for any file so we will leave it as Free Text.


Click OK to close the box




Your parameter should look like this




In our code block pane change our "myfile.txt" to "%FileName%"


Adding the parameter will prompt for the value – if this was a regular instruction it would be filled in at the time of the Asking of the Question – since this is a fragment the value will be supplied by the Rule that we create in Guaranteed State.


In lines 3 and 5 change the myfile.txt to %FileName%


The quotation marks should be around the entire data that we are passing – i.e. "%FileName% exists"


Click Run. In the Parameters box type in MyFile.txt in the FileName field. Click Ok


Notice that our results did not change – now we will test our fragment.


Click Run again and this time enter Notepad.exe in the popup. Notice the results


Click Run again this time enter your name .yourname – we know this file will not exist


Now we need to format our fragment for use by Guaranteed State.


Click the Schema button in the ribbon. Choose Yes to create the schema


Clicking yes here will allow TIMS to create the schema based on what your instruction is bringing back for the responses. You can modify if you need to on the next screen.


Look at our Schema – see that we are passing 2 columns


You should note that a fragment can only have 1 row returned


In the Data row leave Data Type as String, Change the Length to 1024


The columns are case sensitive and must be exactly Passed and Data (although Data is optional). Maximum allowed length is 1024 characters but less can be configured depending on your data.




Your Schema should look like this




Click ok to close the Schema window


In the Instruction Definition pane Comments field type in Checks to see if the unauthorized file is on the drive


In the Description field type in Does this machine have an unauthorized file?


Change Instruction Type to Check


Guaranteed State Fragments can only have one of three Instruction Types Check, Fix or Precondition


Change the name to 1E-GuaranteedState-Check-CheckSpecificFile


In the lab our naming convention has to be of the format: 1E-GuaranteedState-Check-*,  1E-GuaranteedState-Fix-* or 1E-GuaranteedState-Precondition-* this is how the pattern is set in the license file, along with the thumbprint of the code signing certificate, not meeting the naming or the code signing makes the fragment unlicensed and not useable.


In the Readable Payload field type in Check for %FileName%


The readable payload is what will show in the Guaranteed State application selection list so name them something that will allow you to determine which one you will need to select. Since we have a Parameter defined in our instruction or fragment we need to reference it in our readable payload.


Click File – Save As – click Ok on the Validation window. Navigate to c:\tools and save it there as 1E-GuaranteedState-Check-CheckSpecificFile.xml


Click Save


Viewing the Contents of an Integrated Product Pack

Before we make our own Integrated Product Pack to import into Guaranteed State, we will look at the format and contents of one of the default Integrated Product Packs


1ETRNW72



Still logged into 1ETRNW72 as 1ETRN\Manager1


Navigate to \\1ETRNAP\temp and copy the TachyonPlatform.v5.2.5.165\ProductPacks to c:\tools


Navigate to c:\tools\TachyonPlatform.v5.2.5.165\ProductPacks\Integrated and copy NomadClientHealth.zip to the root of c:\tools


Right click on c:\tools\NomadClientHealth.zip and select extract all


Navigate to c:\tools\NomadClientHealth and look at the contents of the folder


The fragments folder contains a check folder, a fix folder, and a precondition folder. Open each one of these and look at the .xml files in each one


Notice the naming convention of each of the .xml files each type of object to be imported into Guaranteed State should have a specific naming convention related to the specific object type.


Open each of the folders and look at the contents


Note the InstructionSets folder. Any fragments that refer to an embedded resource must have the instruction embedded in the Product Pack. The embedded resource must be available in the Tachyon Background Channel in order to be downloadable. Uploading a fragment does not populate the background channel the way that uploading an instruction set does. We include them in the Product Pack and the Deployment Tool creates the instruction set. Once this is done, both the fragment and the instruction will be able to retrieve the resource.


Creating the Product Pack

In order to import our Fragment into Tachyon we need to create a Product Pack. The product pack contains the objects needed for use by Tachyon and a manifest file. We will then import our Product Pack into Guaranteed State.

1ETRNW72



Still Logged into 1ETRNW72 as 1ETRN\Manager1


From Start – Run navigate to \\1etrnap\temp\AdditionalProductPacks\ and copy the Product_Pack_Templates folder to c:\tools


Open the folder to view the contents


Note the folders for Fragments, InstructionSets, Policies, Rules and TriggerTemplates this is where you place all those objects prior to import. In this exercise we are only going to import a Fragment that will be used as a check. We will then go into Guaranteed State and create our Rule, Policies, and Trigger (reusing ones we have imported previously). Notice we have a custom icon file. We are using the Folder.ico so it appears to be another folder. The Extending Tachyon v4 Course will cover creating the .xml to auto create the Rules, Policies and Trigger templates.


Navigate to C:\Tools\Product_Pack_Templates\Unauthorized File Product Pack\


Right click on the Manifest.xml and select Edit to open in Notepad


In the Name section replace Name of Product Pack with Unauthorized File


In the Description section replace Description of Product Pack with Checks for specified file


Notice we have already specified folder.ico in the Icon section


Save the file and close Notepad


In File Explorer Navigate back to c:\tools and copy 1E-GuaranteedState-Check-CheckSpecificFile.xml to c:\tools\Product_Pack_Templates\Unauthorized File Product Pack\Fragments\Check (you will need to create the folder structure)


Multi-Select all the files and folders in c:\tools\Product_Pack_Templates\Unauthorized File Product Pack folder and Right click then choose Send To – Compressed (zipped) Folder


Click Ok on the warning. (if one is seen) The empty folders are not needed for the .zip they were there to show the structure


Make sure that your folders are all in the root of the zip file. If the tool does not see the subfolders in the root it will fail to upload.


Rename the zip file to Unauthorized File Product Pack.zip


Importing into Guaranteed State

Now that we have created our Product Pack, we will import that into Guaranteed State using the Product Pack Deployment Tool

1ETRNW72



Still logged into 1ETRNW72 as 1ETRN\Manager1


Copy Unauthorized File Product Pack.zip to c:\Tools\TachyonPlatform.v5.2.5.165\ProductPacks\Integrated


Double Click c:\Tools\TachyonPlatform.v5.2.5.165\ProductPacks\Tachyon.ProductPackDeploymentTool.exe


We could also run Tachyon.ProductPackDeploymentTool.exe from a command prompt and add -log TRACE to increase the logging level for troubleshooting. The Tachyon.ProductPackDeploymentTool.log gets created in the same folder as the executable.


In the Server field change the URL to https://tachyon.1etrn.local/consumer


Click Test Connection


The results pane should show Connected to Tachyon version 5.2.5.165


Uncheck Select all


Select our Unauthorized File Product Pack and click Upload selected


In this version of the Product Pack Deployment Tool re-uploading a Product Pack will only re-upload any Instruction Sets whose versions have changed. If the version is not higher it will be skipped. Naming conventions for Instruction Sets is important and you want to keep each with unique names. Fragments are not versioned so make sure they are correct prior to uploading since the re-upload is skipped and the Cleanup button deletes everything.


Creating the Rule

Now that we have our Product Pack imported, we will create our rule that will use that fragment

1ETRNW72



Still logged into 1ETRNW72 as 1ETRN\Manager1


Open Google Chrome and Launch the Guaranteed State application if it is not already open


Navigate to Administration – Rules. Click New


In the Name field type in Unauthorized File Check


In the Description field type in Checks to see if a specific file is present


Leave Precondition empty


In the Triggers field start typing Periodic and select Periodic (minutes) and type in 5 in the Interval Minutes field


In production you do not want to use the time interval trigger, as this processes the rules even if nothing has changed on the device. Instead, you want to use the specific trigger of that item state changing – the Tachyon client has built in intelligence so that we do not need to run things to ensure nothing has changed.


Scroll to the Check section


Start typing Check for in the Check field. Choose our Check for File Name fragment


In the FileName field type in MyFile.txt Click Save


The title of our fragment for the check field comes from our Readable Payload. If we have a Parameter hint configured (which we did) that will show in the <> to your Guaranteed State Admin. If you do not have a hint configured the letters of your variable will show without the %. In our example, it will appear as Check for <FileName>


Open File Explorer and navigate to your MyFile.txt (before we renamed it) and name it back so that this machine will have the file we are looking for


Creating the Policy

Now that we have our Rule created, we need to create a policy that we will assign and deploy that will contain the rule we just created.

1ETRNW72



Navigate to Administration – Policies


Click New


In the Name field type in Unauthorized File Check – MyFile.txt


In the Description field type in Checks for MyFile.txt – if found device is non-compliant


In the All Rules pane select Unauthorized File Check and move it to Assigned Rules


Click Save


Assign and Deploy the Policy

1ETRNW72



Still logged into 1ETRNW72 as 1ETRN\Manager1 with Google Chrome still open


Select Unauthorized File Check – MyFile.txt Policy and click Assign


Choose All Devices Management Group. Click Save


Click Deploy. Click Ok


View the Results


Navigate to Overview. Click Refresh


Select Unauthorized File Check – MyFile.txt in the drop down. It may take a few moments until they all report in


Click on the Green slice in the Device State tile


Click on View History


Navigate back to Overview


Click on the Orange slice in the Device State tile


Click View History on any of the devices


Lab Summary

In this lab, we learned how to create instructions using TIMS. We started with a simple example, using the native language to query for active network connections. Then we created a question Instruction to query for the SCCM Site code of the client machines. Lastly, we created an action Instruction which allowed us to change the site code of the SCCM client to a value inputted by the operator. In doing so, we used a script rather than native language to execute the action. We also created a simple fragment in TIMS to extend Guaranteed State. We created a Product Pack and imported this into Guaranteed State. We then manually created a rule using this fragment and a policy to assign and deploy to our devices to determine the state of our environment. If you want to learn more about how to use TIMS to create even more complex Instructions and Fragments take our Extending Tachyon course.