JumpCloud Deployment Guide
This document outlines the standard operating procedure for silently deploying the TensorGuard Forensic Collector to a batch of Windows endpoints (e.g., 50, 1000, or more devices) managed via the JumpCloud Directory Platform.
To maintain cryptographic integrity and strict chain-of-custody over forensic artifacts, TensorGuard requires a unique, single-use Enrollment Key for every device. To deploy across multiple devices without creating dozens of separate JumpCloud commands, this guide uses a dynamic host-mapping script. During execution, the script automatically matches the endpoint’s local hostname to its assigned TensorGuard key.
Prerequisites
- JumpCloud Administrative Access: Role-Based Access Control (RBAC) privileges to create Commands and assign them to Device Groups.
- TensorGuard Console Access: User or Administrative access to the target ‘Case’ within the TensorGuard Chronicle.
- Target Hostnames: You must know the exact Windows Hostnames (e.g., LAPTOP-P2E4KU7P, LAPTOP-SJENKINS) of the devices you intend to enroll.
- Firewall Configuration: Outbound internet access to reach both https://files.tensorguard.com over 443/tcp and the primary cloud or on-premises configuration endpoint over 443/tcp and 443/udp. These are outbound ports and protocols; no inbound firewall rules are necessary for stateful firewalls.
Phase 1: Provision the Enrollment Tokens
First, we must generate the required number of single-use keys within the TensorGuard platform.
- Log in to the TensorGuard Chronicle web console and navigate to your target Case (e.g., Main > ACME Corporation > Human Resources).
- Under the Devices view, locate the Enrolled Devices table and click the (+) New Enrollment button.
- Copy the generated Enrollment Key.
- Repeat this process for every device you intend to deploy to (e.g., 10 times for a 10-device cohort).
- Paste these keys into a secure text document or spreadsheet, mapping each one directly to a specific target Windows hostname.
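Before the mapping from the last step is pasted into the deployment script, it can be checked on the administrator's workstation. The following is an added example, not part of TensorGuard's or JumpCloud's tooling: it assumes the spreadsheet is exported as CSV with `Hostname` and `Token` columns, and `Test-EnrollmentMap`, the sample rows and the `SAMPLE-KEY-…` values are constructed for illustration.

```powershell
# Constructed sample of the Phase 1 spreadsheet exported as CSV.
# Hostnames and keys are made up; the real key format may differ.
$Csv = @'
Hostname,Token
LAPTOP-SJENKINS,SAMPLE-KEY-0001
DESKTOP-FIN01,SAMPLE-KEY-0002
desktop-fin01,SAMPLE-KEY-0003
DESKTOP-HR02,SAMPLE-KEY-0002
HR-RECEPTION-LAPTOP-01,SAMPLE-KEY-0004
DESKTOP-OPS03,<INSERT_TOKEN_5_HERE>
'@

function Test-EnrollmentMap {
    param([Parameter(Mandatory)][object[]]$Rows)
    $problems   = New-Object 'System.Collections.Generic.List[string]'
    $seenHosts  = @{}   # case-insensitive keys, the same as the $TokenMap lookup
    $seenTokens = New-Object 'System.Collections.Generic.Dictionary[string,string]'
    foreach ($row in $Rows) {
        $h = "$($row.Hostname)".Trim()
        $t = "$($row.Token)".Trim()
        if (-not $h -or -not $t) { $problems.Add("Row with empty hostname or token: '$h'"); continue }
        # $env:COMPUTERNAME holds the NetBIOS name, which is at most 15 characters.
        if ($h.Length -gt 15) { $problems.Add("'$h' exceeds 15 characters and cannot match COMPUTERNAME") }
        if ($t -like '<INSERT_TOKEN*') { $problems.Add("'$h' still has a placeholder instead of a key") }
        if ($seenHosts.ContainsKey($h)) { $problems.Add("Hostname '$h' is listed more than once") }
        else { $seenHosts[$h] = $true }
        # Keys are single-use, so no key may be shared between two hosts.
        if ($seenTokens.ContainsKey($t)) { $problems.Add("'$h' reuses the key assigned to '$($seenTokens[$t])'") }
        else { $seenTokens[$t] = $h }
    }
    return $problems
}

$rows = @($Csv | ConvertFrom-Csv)
$problems = @(Test-EnrollmentMap -Rows $rows)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    # Emit the block to paste into the deployment script.
    '$TokenMap = @{'
    $rows | ForEach-Object { '    "{0}" = "{1}"' -f $_.Hostname.Trim().ToUpper(), $_.Token.Trim() }
    '}'
}
```

With the constructed rows above, the check reports four problems (a repeated hostname, a reused key, a name longer than 15 characters, and an unfilled placeholder) and prints no `$TokenMap` block until they are resolved.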
Phase 2: Formulate the JumpCloud Command Payload
We will use a unified PowerShell script that contains your hostname-to-token mapping. When JumpCloud pushes this script to the Device Group, each endpoint will check its own hostname against the map, grab its unique token, and silently install the agent.
- Log in to the JumpCloud Admin Portal.
- Navigate to Device Management > Commands and click (+) Add Command.
- Configure the details:
  - Name: Deploy TensorGuard Collector - [Target Cohort Name]
  - Type: Windows
  - Run As: Windows System (Critical for accessing system-level forensic artifacts without UAC prompts).
  - Timeout: 600 seconds.
- Paste the following PowerShell script into the editor.
  - ACTION REQUIRED: You must update the $TokenMap block on Line 8 with your specific Hostnames and their corresponding TensorGuard Enrollment Keys gathered in Phase 1.
```powershell
# ==============================================================================
# TensorGuard Forensic Collector - Multi-Device Deployment via JumpCloud
# ==============================================================================

# 1. Configuration Parameters & Token Mapping
# ACTION REQUIRED: Map your specific Windows Hostnames to their unique TensorGuard tokens.
# Add or remove lines as needed to match your batch size.
$TokenMap = @{
    "LAPTOP-PHE4KU7P" = "<INSERT_TOKEN_1_HERE>"
    "LAPTOP-SJENKINS" = "<INSERT_TOKEN_2_HERE>"
    "DESKTOP-FIN01"   = "<INSERT_TOKEN_3_HERE>"
    "DESKTOP-HR02"    = "<INSERT_TOKEN_4_HERE>"
    # Continue adding mappings up to your total cohort size...
}

$CurrentHostname = $env:COMPUTERNAME
$DownloadUrl = "https://files.tensorguard.com/collector/TensorGuardForensicCollector.exe"
$StagingDirectory = "$env:TEMP\TensorGuard"
$ExecutablePath = Join-Path -Path $StagingDirectory -ChildPath "TensorGuardForensicCollector.exe"

# 2. Hostname Validation
Write-Output "[$(Get-Date -Format 'u')] System Hostname identified as: $CurrentHostname"

if (-not $TokenMap.ContainsKey($CurrentHostname)) {
    Write-Warning "Execution Aborted: Hostname '$CurrentHostname' is not mapped to a TensorGuard token in this deployment batch."
    exit 0 # Exiting cleanly ensures JumpCloud doesn't throw a false error for untargeted machines in a broader group
}

$EnrollmentToken = $TokenMap[$CurrentHostname]
Write-Output "[$(Get-Date -Format 'u')] Unique deployment token successfully matched for $CurrentHostname."

# 3. Environmental Pre-requisites
$ErrorActionPreference = "Stop"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

if (-not (Test-Path -Path $StagingDirectory)) {
    New-Item -ItemType Directory -Path $StagingDirectory -Force | Out-Null
}

# 4. Payload Acquisition
Write-Output "[$(Get-Date -Format 'u')] Initiating download of the TensorGuard Forensic Collector from CDN..."
try {
    Invoke-WebRequest -Uri $DownloadUrl -OutFile $ExecutablePath -UseBasicParsing
    Write-Output "[$(Get-Date -Format 'u')] Payload successfully staged."
} catch {
    Write-Error "Fatal Error: Payload acquisition failed. $_"
    exit 1
}

# 5. Installation & Service Registration
Write-Output "[$(Get-Date -Format 'u')] Executing installer and binding to TensorGuard Chronicle..."
try {
    $InstallArgs = @("install", "--token", $EnrollmentToken)
    $Process = Start-Process -FilePath $ExecutablePath -ArgumentList $InstallArgs -Wait -NoNewWindow -PassThru

    if ($Process.ExitCode -eq 0) {
        Write-Output "[$(Get-Date -Format 'u')] SUCCESS: TensorGuard Forensic Collector installed and persistent service registered."
    } else {
        Write-Error "Fatal Error: The installer process terminated with unexpected exit code: $($Process.ExitCode)"
        exit 1
    }
} catch {
    Write-Error "Fatal Error: Failed to execute the installation payload. $_"
    exit 1
} finally {
    # 6. Cryptographic & File System Hygiene
    if (Test-Path -Path $ExecutablePath) {
        Remove-Item -Path $ExecutablePath -Force -ErrorAction SilentlyContinue
        Write-Output "[$(Get-Date -Format 'u')] Cleanup complete: Temporary staging binary purged."
    }
}
```
Phase 3: Target the Device Group and Execute
Because the script self-validates the hostname, it is safe to deploy to an entire JumpCloud Device Group. Devices not explicitly listed in the script’s mapping table will simply bypass the installation and exit cleanly.
- Within the JumpCloud Command configuration interface, navigate to the Device Groups tab.
- Select the specific group you wish to target (e.g., “HR Laptops” or “POV Workstations”).
- Click Save.
- Locate your newly saved command in the Commands list and click Run Now.
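The Phase 2 script runs the downloaded installer as Windows System without checking what was staged. As an added example (not part of TensorGuard's script), the check below could sit between steps 4 and 5 of that script. `Test-StagedInstaller`, the expected hash and the publisher name are placeholders and assumptions: the page does not publish a hash or state that the installer is Authenticode-signed, so the signature check is optional.

```powershell
function Test-StagedInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,  # assumption: obtained from TensorGuard out of band
        [string]$ExpectedPublisher                      # optional; assumes the installer is Authenticode-signed
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return "File not found: $Path" }

    # Pin the exact bytes that were staged.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim()) { return "SHA-256 mismatch, got $actual" }

    if ($ExpectedPublisher) {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if ($sig.Status -ne 'Valid') { return "Authenticode status is $($sig.Status)" }
        $subject = $sig.SignerCertificate.Subject
        if ($subject -notlike "*CN=$ExpectedPublisher*") { return "Unexpected signer: $subject" }
    }
    return $null   # no problem found
}

# Same staging path as the deployment script; hash and publisher are placeholders.
$ExecutablePath = Join-Path "$env:TEMP\TensorGuard" "TensorGuardForensicCollector.exe"
$Problem = Test-StagedInstaller -Path $ExecutablePath `
    -ExpectedSha256 '<EXPECTED_SHA256_HERE>' -ExpectedPublisher '<EXPECTED_PUBLISHER_HERE>'
if ($Problem) {
    # Never leave a rejected binary in the staging directory.
    Remove-Item -LiteralPath $ExecutablePath -Force -ErrorAction SilentlyContinue
    Write-Output "[$(Get-Date -Format 'u')] Installer rejected: $Problem"
    exit 1
}
Write-Output "[$(Get-Date -Format 'u')] Installer hash and signature verified."
```

Because the download URL is not versioned, a pinned hash has to be refreshed whenever a new collector build is published.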
Phase 4: Validation and Next Steps
- Verify in JumpCloud: Check the Results tab of the command. You will see detailed logs for the devices that successfully mapped their hostname and installed the agent, alongside safe “Execution Aborted” messages for any devices in the group that were not explicitly mapped.
- Verify in TensorGuard: Return to the TensorGuard Chronicle. In your Case view, under Enrolled Devices, you will now see your entire batch of hostnames populate with a green Online status indicator.
Removal & Cleanup
Whether you are off-boarding a decommissioned endpoint or concluding a fixed-scope Compromise Assessment, the TensorGuard agent can be seamlessly removed. Because the uninstallation process does not rely on cryptographic tokens, a single command can be safely broadcast to your entire JumpCloud fleet.
This script is designed to be idempotent. It will check for the presence of the local TensorGuard binary before executing; if the agent is not installed, it will exit cleanly with a success status, preventing false-positive error alerts across your JumpCloud dashboard.
- In the JumpCloud Admin Portal, navigate to Device Management > Commands and click (+) Add Command.
- Configure the details:
  - Name: Remove TensorGuard Collector
  - Type: Windows
  - Run As: Windows System (Required to successfully deregister the system service).
  - Timeout: 120 seconds.
- Paste the following PowerShell script into the editor:
```powershell
# ==============================================================================
# TensorGuard Forensic Collector - Fleet Uninstallation via JumpCloud
# ==============================================================================

$ExecutablePath = "C:\Program Files\TensorGuard\TensorGuardForensicCollector.exe"

Write-Output "[$(Get-Date -Format 'u')] Initiating TensorGuard uninstallation check..."

# 1. Idempotency Check
if (-not (Test-Path -Path $ExecutablePath)) {
    Write-Output "[$(Get-Date -Format 'u')] SUCCESS: TensorGuard Forensic Collector is not present at $ExecutablePath. The system is already clean."
    exit 0
}

# 2. Execution of Uninstallation Routine
Write-Output "[$(Get-Date -Format 'u')] Local binary found. Executing uninstallation..."
try {
    # Start-Process waits for the uninstaller to finish and captures the exit code
    $Process = Start-Process -FilePath $ExecutablePath -ArgumentList "uninstall" -Wait -NoNewWindow -PassThru

    if ($Process.ExitCode -eq 0) {
        Write-Output "[$(Get-Date -Format 'u')] SUCCESS: TensorGuard Forensic Collector has been successfully uninstalled and the service deregistered."
    } else {
        Write-Error "Fatal Error: Uninstallation failed with an unexpected exit code: $($Process.ExitCode)"
        exit 1
    }
} catch {
    Write-Error "Fatal Error: Failed to execute the uninstallation payload. $_"
    exit 1
}
```
- Within the Command configuration, target the desired Device Groups or specific Devices.
- Click Save and then Run Now.
- Validation: Review the JumpCloud Command Results to verify all targeted endpoints report a successful cleanup. You can cross-reference this in the TensorGuard Console; the devices will no longer report as Online and can be subsequently archived.