This section of the documentation covers the daily use of WAPT.

All WAPT functionalities are explained in detail for the Administrators, the Users and the Package Deployers.

1. Managing the WAPT Agent

1.1. Deploying the WAPT Agent on Windows

Note

To install WAPT on a Windows client, the minimal requirements are:

  • 512Mo Ram;

  • 1 CPU;

  • 300Mo Drive space (without package cache).

Attention

If you install the WAPT Agent on Windows Server 2012r2, it needs these features need to be activated before installing the WAPT Agent:

Two methods are available to deploy the waptagent.exe.

  • The first method is manual and the procedure MUST be applied on each host.

  • The second one is automated and relies on a GPO.

The waptagent.exe installer is available at WAPT serveur web home page. The direct download link is for example: https://srvwapt.mydomain.lan/wapt/waptagent.exe.

Warning

If you do not sign the waptagent.exe installer with a commercial Code Signing certificate or a Code Signing certificate issued by the Certificate Authority of your Organization after having generated it, web browsers will show a warning message when downloading the installer.

To remove the warning message, you MUST sign the .exe with a Code Signing certificate that can be verified by a CA bundle stored in the host’s certificate store.

1.1.1. Manually

Manually installing the WAPT Agent requires Local Administrator rights on the computer.

Manual deployment method is efficient in these cases:

  • Testing WAPT.

  • Using WAPT in an organization with a small number of computers.

  • If you do not have a means of mass deployment.

Note

Since WAPT 2.5, a basic authentification if required to access to your WaptServer website.

The WAPT server authentication window

The WAPT server authentication window

The WAPT Server interface in a web browser

The WAPT Server interface in a web browser

  • Choose the language for the WAPT installer.

Choosing the language for deploying the WAPT installer
  • Click on OK to go on to the next step.

Accepting the WAPT license terms
  • Accept the licence terms and click on Next to go to next step.

  • Choose the installation directory for the WAPT Agent. By default, the directory is C:\Program Files (x86)\wapt.

Choosing the WAPT installation directory

Choosing the WAPT installation directory

  • Choose additional configuration tasks (leave the default if not sure).

Choosing the installer options for deploying the WAPT Agent

Choosing the installer options for deploying the WAPT Agent

Available options

Settings

Description

Default value

Install WAPT service

Adds the WAPT service on the computer.

Checked

Launch notification icon upon session opening

Launches the WAPT Agent in the System tray on startup.

Not checked

  • Choose the WAPT Agent configuration you wish to use.

Choosing the configuration for the WAPT Agent

Choosing the configuration for the WAPT Agent

The configurations are set on the WAPT Console. If there are no configuration you would deploy, you can set manually the WAPT Repository URL and the WAPT Server URL, but no certificate will be deployed.

  • Install the WAPT Agent by clicking on Install.

Dialog box showing the summary of the installation options
  • Wait for the installation of the WAPT Agent to finish, then click on Finish to exit.

Dialog box showing the WAPT installation in progress

The installation of the WAPT Agent is finished. The registration of the host with the WAPT Server is done automatically.

Installation Wizard has finished

To manage your Organization’s WAPT clients, visit the documentation on using the WAPT Console.

1.1.2. Automatically

Important

Technical pre-requisites

Advanced network and system administration knowledge is required to achieve this procedure. A properly configured network will ensure its success.

Hint

When to deploy the WAPT Agent automatically?

The following method is useful in these cases:

  • A large organization with many computers.

  • A Samba Active Directory or Microsoft Active Directory for which you have enough administration privileges.

  • The security and the traceability of actions are important to you or to your Organization.

1.1.2.1. With the WAPT Deployment utility

waptagent.exe is an InnoSetup installer, it can be executed with these silent argument:

waptagent.exe /VERYSILENT
  • Additional arguments are available for the WAPT Deployment utility.

Description of available options for deploying the WAPT Agent silently

Options

Description

/dnsdomain = mydomain.lan

Domain in wapt-get.ini filled in during installation.

/wapt_server = https://srvwapt.mydomain.lan

URL of the WAPT Server in wapt-get.ini filled in during installation.

/repo_url = https://repo1.mydomain.lan/wapt

URL of the WAPT repository in wapt-get.ini filled in during installation.

/StartPackages = basic-group

Group of WAPT packages to install by default.

:code:/verify_cert = ``True or relative path ssl\server\srvwapt.mydomain.lan.crt.

Value of verify_cert entered during installation.

/CopyServersTrustedCA = path to a bundle to copy to ssl\server

Certificate bundle for https connections (to be defined by verify_cert).

/CopypackagesTrustedCA = path to a certificate bundle to copy into ssl

Certificate bundle for verifying package signatures.

Hint

The .iss file for the InnoSetup installer is available in C:\Program Files (x86)\wapt\waptsetup\waptsetup.iss.

You may choose to adapt it to your specific needs. Once modified, you will just have to recreate a waptagent.

To learn more about the options available with InnoSetup, visit this documentation

The WAPT Deployment utility is a small binary that:

  • Checks the version of the WAPT Agent.

  • Downloads via https the waptagent.exe installer.

  • Launches the silent installer with arguments (checked options defined during the compilation of the WAPT Agent).

/VERYSILENT /MERGETASKS= ""useWaptServer""
  • Updates the WAPT Server with the WAPT Agent status (WAPT version, package status).

Warning

The WAPT Deployment utility MUST be started as Local Administrator, that is why a GPO is a good method to deploy the WAPT Agent.

Download waptdeploy.exe from your WAPT Server homepage, or on https://srvwapt.domain.lan/wapt/waptagent/waptdeploy.exe.

The WAPT Server interface in a web browser

The WAPT Server interface in a web browser

1.1.2.2. With a GPO

  • Create a new group strategy on the Active Directory server (Microsoft Active Directory or Samba-AD).

  • Add a new strategy with Computer configuration ‣ Policies ‣ Windows Settings ‣ Scripts ‣ Startup ‣ Properties ‣ Add.

Creating a group strategy to deploy the WAPT Agent

Creating a group strategy to deploy the WAPT Agent

  • Click on Browse to select the waptdeploy.exe.

Finding the WAPT Deployment utility file on your computer

Finding the WAPT Deployment utility file on your computer

  • Copy waptdeploy.exe in the destination folder.

Selecting the the WAPT Deployment utility script

Selecting the the WAPT Deployment utility script

  • Click on Open to import the waptdeploy.exe.

Selecting the the WAPT Deployment utility script

Selecting the the WAPT Deployment utility script

  • Click on Open to confirm the importation of the the WAPT Deployment utility binary.

Hint

It is necessary to provide the checksum of the waptagent.exe as an argument to the the WAPT Deployment utility GPO. This will prevent the remote host from executing an erroneous / corrupted waptagent binary.

--hash=checksum WaptAgent --minversion=2.5.2.14748 --wait=15 --waptsetupurl=http://srvwapt.mydomain.lan/api/v3/get_waptagent_exe/{{ip}}/waptagent.exe

Parameters and waptagent.exe checksum to use for the the WAPT Deployment utility GPO are available on the WAPT Server by visiting https://srvwapt.mydomain.lan. When waptdeploy.exe queries the WAPT Server to obtain the WAPT Agent URL, the download repository is chosen according to the rules defined for remote repositories. The benefit of this method is that you only need one GPO to deploy WAPT onto your entire fleet of computers!

Web console of the WAPT Server

Web console of the WAPT Server

  • Copy the required parameters into the GPO.

Adding the the WAPT Deployment utility script to the startup GPO

Adding the the WAPT Deployment utility script to the startup GPO

  • Click on OK to go on to the next step.

The WAPT Deployment utility GPO to be deployed on next startup

The WAPT Deployment utility GPO to be deployed on next startup

  • Click on OK to go on to the next step.

  • Apply resulting GPO strategy to the Organization’s Computers OU.

Note

We recommend adding waptdeploy.exe to the startup and shutdown scripts on the GPO.

Hint

More arguments are available for the WAPT Deployment utility

Description of available options for the WAPT Deployment utility

Options

Description

--force

Forces the installation of waptagent.exe even if alread installed.

--hash = <sha256hash>

Check that the downloaded waptagent.exe setup sha256 hash matches the hash.

--help

Displays the options

--minversion = <version>

Install waptagent.exe if installed version is less than minversion.

--tasks = autorunTray,installService,installredist2008,autoUpgradePolicy

If given, it passes the arguments to the /TASKS options of the waptagent installer (default installService, installredist2008, autoUpgradePolicy).

--repo_url = <repo_url>

Location of the repository to get waptagent.exe (default <repo_url>/wapt)

--setupargs = <setupargs>

Adds arguments to the command line of waptagent.exe. For logs –setupargs=”C:/windows/Temp/myfile.log”

--wait = <minutes>

Defines the delay for running and pending tasks to complete if waptservice is running before installing.

--waptsetupurl = <waptsetupurl>

Explicit location to download setup executable. It can be a local path (default <repo_url>/waptagent.exe).

1.1.2.3. With a scheduled task

You may also choose to launch the WAPT Deployment utility using a scheduled task that has been set by GPO.

Hint

This method is particularly effective for deploying WAPT on workstations when the network is neither available on starting up or shutting down.

The method consists of using a GPO to copy locally waptdeploy.exe and waptagent.exe and create a scheduled task for installing.

  • Copy waptdeploy.exe and waptagent.exe in the netlogon share of your Active Directory Server (\mydomain.lan\netlogon\waptagent.exe).

  • Create a new group strategy on the Active Directory server (Microsoft Active Directory or Samba-AD).

  • Add a new strategy with Computer configuration ‣ Preferences ‣ Windows Settings ‣ Files.

  • Create a new file and copy the WAPT Deployment utility.

Selecting a new file to include in the GPO
  • Set parameters.

Description of options for copy

Options

Value

Action dropdown menu list

Replace

Source file(s) field

\mydomain.lan\netlogon\waptdeploy.exe

Destination File field

C:\Temp\waptdeploy.exe

Suppress errors on individual file actions checkbox

not checked

Read-only checkbox

not checked

Hidden checkbox

not checked

Archive checkbox

checked

WAPT Agent installation progress

WAPT Agent installation progress

  • Create a new GPO and copy the waptagent.exe file.

Selecting a new file to include in the GPO
  • Set parameters.

Description of options for copy

Options

Value

Action dropdown menu list

Replace

Source file(s) field

\mydomain.lan\netlogon\waptagent.exe

Destination File field

C:\Temp\waptagent.exe

Suppress errors on individual file actions checkbox

not checked

Read-only checkbox

not checked

Hidden checkbox

not checked

Archive checkbox

checked

Preparing the WAPT update GPO

Preparing the WAPT update GPO

  • Then go to the Scheduled Task menu with Computer configuration ‣ Preferences ‣ Control Panel Settings ‣ Scheduled Tasks.

  • Create a new Scheduled Task with Right-click ‣ New ‣ Scheduled Task (At least Windows 7).

Create the scheduled task for the WAPT Deployment utility Properties window in RSAT

Create the scheduled task for the WAPT Deployment utility Properties window in RSAT

General tab in the Properties window in RSAT

General tab in the Properties window in RSAT

  • Set Action to Replace.

  • For When running the task, use the following user account paste S-1-5-18 (system account). You can visit for more information.

  • Check Run whether user is logged on or not.

  • Check Run with highest privileges, then go on to the Triggers tab.

Trigger tab in the Properties window in RSAT

Trigger tab in the Properties window in RSAT

  • Create a new trigger.

  • Check Daily, select today’s date.

  • Check Repeat Task every and select 1 hour and for a duration of select 1 day.

  • Check Stop task if it runs longer than and select 2 hours.

  • Check that Enabled is checked, and then go to the Actions tab.

Actions tab in the Properties window in RSAT

Actions tab in the Properties window in RSAT

  • Create a new action Start a program for waptdeploy.exe.

Actions tab in the Properties window in RSAT

Actions tab in the Properties window in RSAT

Description of options to copy

Options

Value

Action

Start a program

Program / script

C:\Temp\waptagent.exe

Add arguments (optional)

See the next point

Start in (optional)

empty

Hint

It is necessary to provide the checksum of the waptagent.exe as argument to the WAPT Deployment utility. This will prevent the remote host from executing an erroneous / corrupted waptagent binary.

--hash=checksum WaptAgent --minversion=2.5.0 --wait=15 --waptsetupurl=http://srvwapt.mydomain.lan/wapt/waptagent.exe

Parameters and the waptagent.exe checksum to use for the the WAPT Deployment utility GPO are available on the WAPT Server by visiting https://srvwapt.mydomain.lan.

Web console of the WAPT Server

Web console of the WAPT Server

  • Copy the required parameters and change waptsetupurl to C:\Temp\waptagent.exe.

    --hash=checksum WaptAgent --minversion=2.5 --wait=15 --waptsetupurl=C:\Temp\waptagent.exe
    
Description of available options for the WAPT Deployment utility

Options

Description

--force

Installs waptagent.exe even if not needed

--hash = <sha256hash>

Checks that the downloaded waptagent.exe setup sha256 hash matches the hash.

--help

Displays the options.

--minversion = 2.5.0

Installs waptagent.exe if installed version is less than minversion.

--tasks = autorunTray,installService,installredist2008,autoUpgradePolicy

If given, passes this arguments to the /TASKS options of the waptagent installer. Default = installService, installredist2008, autoUpgradePolicy

--repo_url = https://srvwapt.mydomain.lan/wapt

Defines the location of the repository to get the waptagent.exe.

--setupargs = <options>

Adds arguments to the command line of waptagent.exe.

--wait = <minutes>

Defines the maximum allowed time for running and pending tasks to complete if the WAPT service is running before installing.

--waptsetupurl = https://srvwapt.mydomain.lan/wapt/waptagent.exe

Defines an explicit location to download setup executable. This can be a local path (default=:file:<repo_url>/waptagent.exe).

  • Go on to the Settings tab.

    Settings tab in the Properties window in RSAT

    Settings tab in the Properties window in RSAT

  • In the Settings tab, only check Run task as soon as possible after a scheduled start is missed.

Hint

To verify that the GPO is working, you can run the gpupdate /force command and verify that the scheduled task is present on the computer by launching Task Scheduler as a Local Administrator.

1.2. Deploying the WAPT Agent on Linux and macOS

Note

To install WAPT on a Linux client, the minimal requirements are:

  • 512Mo Ram;

  • 1 CPU;

  • 300Mo Drive space (without package cache).

The procedure depends on your operating system:

Hint

The WAPT Agent for Debian has been tested on Debian 9, 10, 11 and 12.

The WAPT Agent for Ubuntu has only been tested on Ubuntu Bionic and Ubuntu Focal.

  • Update the underlying distribution and check that apt https transport is installed

sudo apt update && apt upgrade -y
sudo apt install apt-transport-https lsb-release gnupg -y
  • Retrieve the key .gpg, add it to the Tranquil IT repository and install the WAPT Agent.

sudo wget -qO- https://wapt.tranquil.it/$(lsb_release -is)/tiswapt-pub.gpg | tee /usr/share/keyrings/tiswapt-pub.gpg > /dev/null
sudo echo "deb [signed-by=/usr/share/keyrings/tiswapt-pub.gpg] https://wapt.tranquil.it/$(lsb_release -is)/wapt-2.5/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wapt.list

export DEBIAN_FRONTEND=noninteractive
sudo apt update
sudo apt install tis-waptagent -y
unset DEBIAN_FRONTEND

1.2.1. Installing the WAPT Agent configuration file

Before installing the WAPT Agent configuration file, you have to create a initial config for you agent in your WAPT Console.

Warning

The WAPT Agent configuration wizard is only available on WAPT Entreprise Edition. To configure Linux WAPT Agent, please refer to the manual WAPT Agent configuration method.

When done, copy the command with the Copy installation command.

Menu list showing the *Copy installation command*

Menu list showing the Copy installation command

Then use this copied command prompt on the Linux / macOS agent.

wapt-get reset-config-from-url https://srvwapt.mydomain.lan/wapt/conf.d/default_f0288df2131b8dce667b8c34b9999959bdc2d253b3934fcb3be2eabad8a50021.json f0288cf2131b9dce667b8c34b9999959bdc2d253b3934fcb3be2eabad8a50020

Finally, execute the following command to register the Linux / macOS host with the WAPT Server:

sudo wapt-get register

When you have modified the configuration of the WAPT Agent, you should restart the WAPT Agent using the following command:

sudo wapt-get restart-waptservice

1.2.1.1. Feature matrix

There are some features that are not currently available on Linux and macOS:

  • installing updates on shutdown (WAPT Exit);

  • any Windows specific feature.

1.2.1.2. Particularities with domain functionality

On Linux:

  • Testing was carried out with sssd with an Active Directory domain and kerberos authentication.

  • To integrate a host in the Active Directory domain, you can choose to follow this documentation.

  • In order for Active Directory groups to function properly, you MUST verify that the id hostname$ command returns the list of groups the host is a member of.

Attention

We have noticed that the kerberos LDAP query does not work if the reverse DNS record is not configured correctly for the domain controllers. These records MUST therefore be created if they do not exist.

1.3. Manual method to configure the WAPT Agent running on Linux / macOS

Attention

Please, see the new method to deploy configuration file instead if you are using WAPT Entreprise Edition.

1.3.1. Creating the WAPT Agent configuration file

Use the WAPT Server FQDN address for the repo_url and the wapt_server arguments.

sudo cat > /opt/wapt/wapt-get.ini <<EOF
[global]
repo_url = https://srvwapt.mydomain.lan/wapt
wapt_server = https://srvwapt.mydomain.lan
use_hostpackages = True
use_kerberos = False
verify_cert = False
EOF

1.3.2. Copying the package-signing certificate

You need to copy manually, or by script, the public certificate of your package signing Certificate Authority.

The certificate should be located on your Windows host in C:\Program Files (x86)\wapt\ssl\.

Copy your certificate(s) in /opt/wapt/ssl using WinSCP or rsync if you are deploying on Linux or macOS.

1.3.3. Copying the SSL/TLS certificate

If you already have configured your WAPT Server to use correct Nginx SSL/TLS certificates, you MUST copy the certificate in your WAPT Linux or macOS Agent.

The certificate should be located on your Windows host in C:\Program Files (x86)\wapt\ssl\server\.

  • Copy your certificate(s) in /opt/wapt/ssl/server/ using WinSCP or rsync if you are deploying on Linux or macOS.

  • Then, modify in the /opt/wapt/wapt-get.ini configuration file the path to your certificate.

  • And give the absolute path of your certificate.

verify_cert = /opt/wapt/ssl/server/YOURCERT.crt

Hint

Change the .crt file with your certificate name.

2. Updating the WAPT Agent

2.1. Updating on Windows

For each WAPT Server’s upgrade, you will have to upgrade the WAPT Agents.

To do so, you have to generate the WAPT Agent and deploy it.

After an update, when you launch WAPT Console, you must rebuild the new agent for your new version of WAPT.

Go to the url of your waptserver and download the WAPTSetup.

Or download https://srvwapt.domain.lan/wapt/waptagent/waptsetup.exe, the only way in CSPN mode.

Url of your waptserver

Url of your waptserver

Then, install the WAPTSetup of your workstation.

When is done, launch the console. You will see the new version of WAPT in the bottom of the authentification window.

Wapt console authentification

Wapt console authentification

After the console has been opened, you will see a window for create the new agent. Press Yes.

Wapt Agent version check

Wapt Agent version check

The next window must be carefully reviewed, as it defines the baseline configuration for all your WAPT agents on Windows. Ensure that the embedded certificates and desired parameters for your entire infrastructure are correctly configured before proceeding.

wapt console renew waptagent

wapt console renew waptagent

Note

It is recommended to start with a basic configuration for the agent and use configuration packages to define specific behaviors for different machines (distinguishing between workstation and server updates, etc.).

You have now updated your WAPT agent for Windows.

Ensure that the waptupgrade package is available on the machines or assigned to an Organizational Unit (OU) that includes them.

2.1.1. Manually

You can do that manually by following this documentation on installing the WAPT Agent.

2.1.2. Via waptupgrade

While you generate the WAPT Agent, package named waptupgrade is created.

This package is a standard WAPT package designed to upgrade the WAPT Agents on remote hosts.

Hint

For now, waptupgrade only works for Windows. Waptupgrade does not upgrade the WAPT Agent if the WAPT Server version and the WAPT Agent version are the same.

Upgrading the WAPT Agents using the waptupgrade package is a two step process:

  • First the package copies the waptsetup.exe file on the client computer and creates a scheduled task that will run waptsetup.exe with predefined installation flags two minutes after the creation of the scheduled task. At that point the package itself is installed and the inventory on the WAPT Server shows the package installation as OK, with the correct version installed, but the inventory will still show the old version as the WAPT Agent is not yet updated.

  • After two minutes, the scheduled task starts and runs waptsetup.exe with a predefined configuration created in the WAPT Console. This new method keeps the waptsetup.exe signed by Tranquil IT, but the WAPT Agent configuration will come from the WAPT Server. waptsetup.exe shutdowns the local WAPT service, upgrades WAPT locally, and then restarts the WAPT service. The scheduled task is then automatically removed and the WAPT Agent starts sending back its inventory to the WAPT Server. From then on, the inventory on the WAPT Server will show the new version of the WAPT Agent.

2.2. Updating on Linux and macOS

For each WAPT Server’s upgrade, you will have to upgrade the WAPT Agents.

To do so, you have to generate the WAPT Agent and deploy it.

After an update, when you launch WAPT Console, you must rebuild the new agent for your new version of WAPT.

Go to the url of your waptserver and download the WAPTSetup.

Url of your waptserver

Url of your waptserver

Then, install the WAPTSetup of your workstation.

When is done, launch the console. You will see the new version of WAPT in the bottom of the authentification window.

Wapt console authentification

Wapt console authentification

2.2.1. Manually on the workstation

You can install manually the Linux / macOS Agent by following this documentation on installing the WAPT Agent.

2.2.2. Automatically with the WAPT Console

Before proceeding, ensure that the WAPT Console has an active internet connection to perform this action.

You need to click on Tools, then Get and upload Agents installers to server.

In this window, you will see various OS types and architectures. Select the one that meets your requirements.

Update Linux and Mac Agent

Update Linux and Mac Agent

Finally click on Build upload waptupgrade

Ensure that the waptupgrade package is available on the machines or assigned to an Organizational Unit (OU) that includes them.