Skip to main content

Hi folks,



I am pretty familiar with deploying ePO and the McAfee suite of apps (AntiMalware/VirusScan and DLP), as well as the KB article:



https://jamfnation.jamfsoftware.com/article.html?id=182



What I've done:



a) At imaging time, deploying the exported ePO 4.8 install.sh, the VSM970-RTW-1298.pkg, and DlpAgentInstaller.pkg into a temporary directory that persists across reboots
b) have a script in the imaging config, that runs at reboot (i.e. when the machine reboots to the black screen to run installers), which runs the install.sh (as described in the KB) above, then installs VSM and DLP via the installer command. script then deletes the temporary directory
c) The software does get installed HOWEVER the list of update servers, exclusions, and DLP policy are blank and never update. The machine shows up in ePO but as unmanaged.
d) If I don't run the script to install as part of imaging, but set up a policy to run it at recurring check-in, everything works fine.



This would seem to point to a network/connectivity issue at imaging time (mostly 15" rMBP's and 13" MBAir's with Thunderbolt-to-Ethernet adapters). I have an aaa_networkcheck script that also runs at reboot (before the installation) that does a networksetup -detectnewhardware. From my testing (pinging the machine) it does appear to be up on the network.



I'll add that, before we upgraded VSM and Dlp for Mavericks, and before we upgraded Casper Imaging to 9.63, this worked fine. This might be another one of the things that I'm seeing are broken with Casper Imaging 9.63, and we have reverted to 9.62 in our imaging configuration.



Just wondering if anyone else has seen anything like this. We did talk to McAfee who basically pointed the finger at "the imaging tool", since the exact same script/commands work fine if run post-imaging.

We do it a bit different. We create a package which installs everything into tmp and then executes the install.sh script and other installers using a postinstall script. McAfee is installed during the FirstRun phase of imaging. This seems to be the most consistent/effective way of doing so. I hope that helps!

That's what I am basically trying to do (install.sh and the 2 pkg files copied into a temporary location that can survive a restart, script that runs at first run to do the install) and, at least w/Casper Imaging 9.63 and the latest AntiMalware/DLP, it apparently doesn't register correctly with ePO.



Same install script invoked as a post-imaging policy works fine. Not sure if it is Imaging 9.63 or something in the new installers that is broken...

I'm still using DeployStudio Server, not Casper Imaging and doing the following post imaging.



I take the .sh script I get from my ePO Admin and put it in a .pkg with a postinstall script that does the following:



The .pkg runs the .sh script with the -i flag to install the McAfee Agent.
When that is done it runs /Library/McAfee/cma/bin/cmdagent -P to communicate with the ePO Server.



Part of the workflow on the ePO server pushes the latest McAfee Endpoint Protection GUI app to the client over the network which usually takes less than 10 minutes.



I have this .pkg as a Policy that gets runs once after the initial checkin to the JSS.

Yeah, the ePO server in question isn't configured to allow to push software to clients, so we have to use Casper to at least get the software on the client machines.

Our ePO server doesn't push the software either, and the stock EPM installer has some issues with installing at enrollment (for us, that's during the DeployStudio finalize script). I created an enrollment-time policy that installs the ePO agent (using a .pkg similar to @mistacabbage), and then a login policy that installs EPM and manages it (cmdagent -P).



We almost always log into a newly-imaged computer at least once before handing it to the user, so the software still gets installed in a timely manner. I would love to ditch the whole thing, though. :)

I also have those same issues when trying to install EPM as a package in a DeployStudio workflow. It would always fail and be some sort of corrupted install.

Reply


Terms & ConditionsCookie settings