UpSight Client Installation Guide

Deploy the UpSight client within your organization.

Written by Makenzie Schwartz
Updated over 3 months ago

Introduction to UpSight Terminology

Organization

An organization in UpSight represents a collection of devices, policies, and users. Each instance of the UpSight client is associated with a single organization. Upon connecting to an organization, the UpSight client retrieves policies specific to that organization to ensure proper device protection.

Device

A device refers to any virtual or physical machine running a supported version of the Windows operating system.

Supported platforms

  • Windows 10 x64

  • Windows 11 x64

  • Windows 11 Arm64

All devices connected to your organization can be viewed in the UpSight web console.

User

A user is an individual associated with an UpSight organization. Users are assigned either an Admin or Read-Only role. Admin users can perform tasks within the UpSight web console, including downloading and installing the UpSight client.

UpSight Client

The UpSight client is software that runs on a device to protect it from potential malicious threats. Each client is tied to a single organization.


Installation Methods

UpSight offers two methods for installing the UpSight client. Choose the method that best fits your organization's needs:

Basic Install

The Basic Install is ideal for smaller organizations where users have access to the UpSight web console. This method offers a straightforward, user-friendly approach to getting UpSight installed and running quickly.

Requirements:

  • The user performing the installation must have an active account in the organization.

  • During installation, the user will be prompted to log in to the UpSight web console if they are not already logged in.

  • The UpSight Client installer will automatically use information from the web console to register the device with the organization.

Steps for Basic Installation:

  1. Access the Install Tab:

    • Open the Devices view in the UpSight web console.

    • Select the Install tab.

  2. Select Your Platform:

    • Choose the appropriate platform (e.g., Windows x64, Windows Arm64, etc.) for the device on which you are installing the client.

  3. Download the Installer:

    • Click the provided link to download the installer file (upsight.exe).

  4. Run the Installer:

    • Locate the downloaded file and double-click upsight.exe to launch the installer.

  5. Log In to the Web Console:

    • A web browser will open, prompting the user to log in to the UpSight web console.

    • If the user is already logged in, this step will be skipped.

  6. Complete the Installation:

    • Once logged in, the installation will proceed automatically.

    • After installation, the device will appear in the Devices view of the UpSight web console.

    • You may need to refresh the page to view the newly added device.

Note: If the user has not been added to an existing organization, the option to create a new one will be presented.

Manual Install or Bulk Deployment

This method is ideal for enterprise environments, allowing the installation of the UpSight client across multiple devices using a script. The Manual Install leverages a PowerShell script provided by UpSight, which downloads and installs the client with the necessary registration information.

Steps:

  1. Access the Install Panel:

    • Navigate to the Devices view in the UpSight web console.

    • Select the Install tab.

  2. Generate PowerShell Commands:

    • In the Manual Install or Bulk Deployment panel, UpSight will generate sample PowerShell commands tailored to your organization's settings.

  3. Prepare the PowerShell Script:

    • Option 1: Create a PowerShell script by combining the generated commands.

    • Option 2: Copy and paste each command individually into an Elevated (Administrative) PowerShell prompt.

  4. Execute the PowerShell Commands:

    • Run the commands with administrative privileges to download and install the UpSight client.

  5. Verify Installation:

    • After execution, the device will automatically register with your organization and appear in the Devices view within the UpSight web console. You may need to refresh the page to see the newly added device.

Explanation of PowerShell Commands:

There are three main commands required to install the UpSight client:

Download the UpSight Installer:

Invoke-WebRequest -Uri https://content.upsightsecurity.net/clientcontent/upsight.exe -OutFile .\upsight.exe

Description: This command uses Invoke-WebRequest to connect to the UpSight content delivery site and download the latest version of the UpSight client installer.

Validate the Installer's Signature:

if ((Get-AuthenticodeSignature -FilePath .\upsight.exe).Status -ne "Valid") {
    throw "Installer Authenticode Signature was not valid"
}

Description: After downloading the installer, this command uses Get-AuthenticodeSignature to ensure that the downloaded file has a valid digital signature. A correctly signed upsight.exe binary will be signed with an EV Code Signing Certificate issued to UpSight Security Inc by Sectigo. If the signature is invalid, the script will throw an error.

Install the UpSight Client:

.\upsight.exe install --code ABCDEFGHIJ

Description: This command runs the UpSight client installer, passing the unique registration code (i.e., replacing ABCDEFGHIJ) for your organization. This registration code associates the device with your organization in UpSight.

Additional Notes:

  • Administrative Privileges: Ensure that the PowerShell session has administrative privileges when running the script.

  • PowerShell Execution Policy: If PowerShell has not been configured with a less restrictive Execution Policy, you will need to temporarily bypass the Execution Policy. Run your script in the following manner:
    powershell.exe -ExecutionPolicy Bypass -File "path_to_your_script.ps1"

  • Registration Code: Replace ABCDEFGHIJ with your actual organization’s registration code provided in the UpSight web console.

    • Anyone with the registration code can register a device with your organization, so be careful not to indiscriminately share the registration code.

    • If you are concerned that the registration code has become compromised, you can regenerate the registration code. If this is done, devices already registered to your organization will not be affected, but you will need to use the new code in your scripts.

  • Enterprise Deployment Tools: If your organization uses an enterprise deployment tool (e.g., Microsoft Intune), you can incorporate each of the steps into a PowerShell script which can run in your deployment workflow to automate the installation across multiple devices.

  • Error Handling: The signature validation step is crucial for security. If the installer’s signature is not valid, the script will terminate, preventing the installation of potentially tampered software.

By following these steps, you can efficiently deploy the UpSight client across multiple devices within your organization, ensuring consistent protection and policy enforcement.
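
The three commands above combined into a single deployment script, as an added example that is not UpSight's own script. It assumes the installer signals failure with a non-zero exit code, and it adds a signer-name check whose match strings are taken from the certificate description in this guide; the parameter name RegistrationCode is chosen here.

```powershell
#Requires -RunAsAdministrator
# Added example: combines the three documented commands into one script.
param(
    # Registration code from the UpSight web console, supplied at run time
    # so it is not stored in the script file itself.
    [Parameter(Mandatory = $true)]
    [string]$RegistrationCode
)

$ErrorActionPreference = 'Stop'   # any failed step aborts the script

# Download location given in this guide.
$uri = 'https://content.upsightsecurity.net/clientcontent/upsight.exe'

# Download into a fresh directory so a pre-existing upsight.exe is never run.
$workDir = Join-Path $env:TEMP ([guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $workDir | Out-Null
$installer = Join-Path $workDir 'upsight.exe'

try {
    Invoke-WebRequest -Uri $uri -OutFile $installer -UseBasicParsing

    # Documented check: the Authenticode signature must validate.
    $sig = Get-AuthenticodeSignature -FilePath $installer
    if ($sig.Status -ne 'Valid') {
        throw "Installer Authenticode Signature was not valid (status: $($sig.Status))"
    }

    # Extra check (assumption): 'Valid' holds for any trusted publisher, so also
    # compare the signer and issuer names with those stated in this guide.
    $cert = $sig.SignerCertificate
    if ($cert.Subject -notlike '*UpSight Security Inc*' -or $cert.Issuer -notlike '*Sectigo*') {
        throw "Unexpected signer '$($cert.Subject)' issued by '$($cert.Issuer)'"
    }

    # Run the installer and wait for it to finish.
    $proc = Start-Process -FilePath $installer -Wait -PassThru `
        -ArgumentList 'install', '--code', $RegistrationCode
    # Assumption: a non-zero exit code means the install failed.
    if ($proc.ExitCode -ne 0) {
        throw "upsight.exe exited with code $($proc.ExitCode)"
    }
}
finally {
    # Remove the downloaded installer whether or not the install succeeded.
    Remove-Item -Path $workDir -Recurse -Force -ErrorAction SilentlyContinue
}
```

Because every failure path throws, a deployment tool that runs the script sees a failed run rather than a silent partial install.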

Advanced configuration

Proxy configuration

If your organization routes traffic from client devices through a proxy server, you may need to configure the proxy server to allow traffic from the UpSight client to the UpSight servers in the cloud. The UpSight client uses the gRPC framework, which sends and receives messages over HTTP/2 secured with TLS 1.3 on port 443. The UpSight client internally ‘pins’ the trusted root certificates used in the TLS handshake to the specific certificate issuers used by the UpSight Security cloud service and does not use the locally configured certificate store. As a result, a proxy that intercepts TLS and presents its own certificate will not be trusted by the client, even if that certificate is trusted by the device.

Your proxy server will need to be configured to bypass inspection of the traffic from the UpSight client to the UpSight servers. The UpSight Client will communicate with the UpSight servers using the following URLs:

Once the proxy is configured to bypass inspection of these domains, you will be able to see your devices show up in the UpSight web console.

