EM on cloned devices

Can anyone advise on the best way to set up EM for use on devices that are deployed from an image? As a test I cloned a device that was already enrolled. I renamed the PC that I started up from the cloned image, and the device name changed in the C1 dashboard to the new PC name, but the original device could no longer be found.

I uninstalled and reinstalled EM on the original device, thinking that would make it show up as a separate instance in the C1 dashboard, but instead the new device was renamed and the entry for the new device was gone.

Are there some files left over after an uninstall that are causing the devices to enroll with Comodo with the same token that would have to be manually removed?

Thanks all!

Hello @at211
We strongly recommend reviewing the following wiki guide for deploying the EM client in a cloned environment.

Thank you! Didn’t even know that guide existed.

Reviewing that guide, the use case is different from mine so I have some additional questions. In the guide, the assumption is that the clones are VMs that are spun up as needed and erased when no longer needed, so the instructions explain how to set them up to automatically enroll and unenroll at startup/shutdown.

In my use case, we have standardized hardware used in many locations, so we use cloning (Windows Deployment Server/Clonezilla) to quickly get the hardware up and running. Would I be right in thinking that as the machine is not a disposable VM as in the guide, that they just need to be set up to automatically enroll themselves (and not to ever un-enroll)? If so, what would be the correct way to go about doing that? Enrolling on every logon seems like it would be a bad idea.

hi @at211
There is no one correct way to implement the concepts outlined in the linked wiki in my first reply (depends on the ‘cloning method’). The main takeaway there is the use of ‘enrollment_config.ini’ as mentioned in Step 5. Here is another way to do it.

  • Download enrollment_config.ini from URL: https ://mdmsupport.comodo.com/enroll/resolve/token/TOKEN_ID
    where TOKEN_ID is the alphanumeric string in the filename of the EM agent installer
    ex., em_x1y2z3a4_installer.msi (msi package name is ‘em’, TOKEN_ID is ‘x1y2z3a4’)
    so the URL will be: https ://mdmsupport.comodo.com/enroll/resolve/token/x1y2z3a4

  • Save it in the installation folder of the EM client.

  • The device will be enrolled after the next ‘ITSMService’ restart (either manually restart the service or restart the device).

Thanks Rick - I tried that suggestion and it seems to work perfectly. One less thing to do when building new hardware!

By the way, @at211, one thing I failed to mention in my previous posts is the expiration of the Token ID. All enrollment Token IDs generated has a 90-day expiration. This means you will need to update your image(s) every 90 days (or before that) with a new Token ID to avoid manual entry of the enrollment data (server, port, Token ID).

Thanks for the additional info.

If I were to adapt the method from the original wiki guide you posted and use a user token from my own account (one of which shows 720 days remaining), would that work for longer term use without having to update the image?

As long as the Token ID you utilize is a valid one, @at211, it will do.

Thanks again @Rick_C . You guys (and gals) rock.