
Hey everyone,

I would like to create a PPPC config file to allow McAfee to install without macOS blocking its system extension. Following this link: https://kc.mcafee.com/corporate/index?page=content&id=KB91109
it tells me the PPPC profile key needs to be "SystemPolicyAllFiles". Using PPPC Utility, has anyone successfully accomplished what I'm trying to do?

Essentially I want to push Endpoint Security and it not prompt the user to allow the extension.

Thanks,
Mike

Thank you for the quick response. I think I'm going to clone the profile and scope one to 10.14 and one to 10.15 with system extension AND kext since most software on my 10.15 still uses kexts for now. I'll have to test it like you said. Thank you for the heads up, I have all my 10.14 clients with sys extensions payload configured!!!! @sdagley


How would you go about upgrading a Mojave to Big Sur with McAfee already installed and the Mac NOT being enrolled in Jamf?

For example: I have a Mojave with McAfee 10.6.8 already installed and kernel extensions manually approved. I want to enroll the Mac into Jamf in order to automatically approve everything needed for Big Sur and McAfee 10.7.5 but I'm not sure about the order of the workflow.

If the Mac is upgraded to Big Sur, without enrolling it first, I'm bound to get prompts from PPPC on first restart since this feature is not implemented in Mojave but is in Big Sur so the configuration profiles are not in place.

If I enroll Mojave into Jamf before upgrading to Big Sur I can scope the PPPC profiles to Big Sur but I am still bound to get the prompts for PPPC right after I have upgraded because the configuration profile won't be applied until the Jamf agent sends the next inventory back and Jamf Pro discovers that this Mac is now on Big Sur and hence assigns the PPPC configuration profile.

If I upgrade to Big Sur first and then enroll I'm bound to get prompts to configure PPPC as well right after the upgrade as McAfee is already installed and the user hasn't had a chance to enroll the Mac into Jamf yet...

Maybe there is no pretty way to do this. Or maybe it will work if I scope the configuration profile to Mojave as well so, even though it doesn't need it itself, it would have it at the time of being upgraded. It just doesn't seem like the proper way of scoping or applying configuration profiles.


@kgam How are you running your upgrade process? If you use macOSUpgrade it will trigger a recon at startup (via a LaunchDaemon) so Jamf Pro will get the notification of the new OS as quickly as possible.


@sdagley The plan was to just use the regular update process where the end user initiates the update from Software Update. As we are yet to go live with Jamf in the organization the plan is to enroll our Macs as part of the Big Sur upgrade. But not sure if the enrollment should happen before or after the upgrade. My main concern is to get as clean an upgrade as possible without too many prompts for the end-user to have to deal with. And as you recommended in an earlier post I'm trying not to scope configuration profiles to macOS versions that don't have the targeted features implemented.

But it seems near impossible to get everything done in the right order so everything is scoped and allowed before services like McAfee and AnyConnect launch after the upgrade. And maybe it's not possible without e.g. macOSUpgrade (thanks for that link!). I've always just preferred to keep workflows as simple as possible and use native procedures if available - especially when just starting out.

I've also thought of removing McAfee before the upgrade, then upgrading to Big Sur, scoping all that's needed and then installing the latest McAfee. Perhaps compiling this into an "Upgrade to Big Sur" script and making it available in Self Service. I guess this should keep the upgrade process pretty clean from prompts.


@kgam Your thought is basically what we did for the High Sierra -> Mojave upgrade. I modified macOSUpgrade with a "Last Call" option that would trigger a Jamf Pro policy immediately before calling startosinstall and used that to remove the version of McAfee installed. When the Mac checked in post-install the lack of an installed McAfee Agent triggered re-installation.


@sdagley I'm actually very glad to hear that. The thought of having to remove McAfee before the upgrade seemed "inelegant" but everything else appears to be a catch-22 situation.

In your experience: is a clean upgrade without user-prompts, using only standard Jamf Pro workflows and user-initiated upgrade through Software Update not possible? Without uninstalling McAfee first, that is.

If not I'll stop chasing this and look into either uninstalling McAfee before the upgrade or using macOSUpgrade - or a combination of both.


@kgam You could build something that runs the update process on your own, but my motto is if someone has already written most of what you need don't re-invent the wheel, and that's where macOSUpgrade comes in.

For removing McAfee you can try this script: https://gist.github.com/sdagley/77096ebd45f7479c4ba0da83d9722f08


Hey All,

Curious if anyone else is trying to do this. We're installing ENMS and then immediately uninstalling the Firewall and Web Filter. So we JUST have Threat Protection. This worked great in 10.6.8 for macOS 10.14 and 10.15, no issue. But with ENMS 10.7.5, no matter what we do we can't get the Firewall uninstall process to not prompt for admin username and pass, seemingly because of this note in McAfee's docs:

When uninstalling ENSM Firewall: When uninstalling ENSM Firewall, the user is prompted to enter the administrator credentials to uninstall the system extension. This statement applies to both ENSM Firewall standalone and ePO managed. Also, it does not matter whether the system is MDM-managed. If the user does not provide credentials or provides incorrect credentials, the ENSM Firewall uninstallation does not continue. To uninstall ENSM Firewall successfully, the user must try the uninstallation again and provide the correct credentials. Apple designed the uninstallation of system extensions this way. User intervention can't be avoided even on MDM-managed systems.

https://kc.mcafee.com/corporate/index?page=content&id=KB93600

Anyone have some way to accomplish this, or do we just give the firewall a whirl? Way back when, the ENMS firewall would break all kinds of stuff... including Jamf!


@rstasel This is a current limitation of System Extensions, not something McAfee is intentionally doing. If the full ENSM installer doesn't support a choices.xml file to choose which modules will be installed you can just package and install the components you need rather than installing everything and then ripping stuff out. I haven't updated it for 10.7.5 yet, but the postinstall script I wrote for my packaged deployment of ENS 10.7.1 should get you started: https://gist.github.com/sdagley/76e167fe32a60265dda8d761d2bc75b4


Hi @sdagley

Thanks. I guess I’m confused where you get the components. I’m just grabbing 10.7.5 off the McAfee site rather than out of our ePO.

But this is super interesting. Would mean we could skip installing managed agent over the top of unmanaged (after ENMS install).

Do you have some documentation somewhere on this? Will admit, not a mcafee expert. And our ePO admin isn’t very familiar with the Mac side.

You also say kext-less. Which I assume is how 10.7.5 is by default, or is it something different? Last documentation I saw said kextless only applied to unmanaged.

Thank you!


@rstasel I have tested McAfee ENSM 10.7.5 and it does support the choices.xml so I'll definitely recommend trying this out.

You basically create an XML file specifying which modules you would like to install (e.g. only Threat Prevention) and then call the install package from McAfee's site with the XML file as a parameter similar to this:

installer -applyChoiceChangesXML mcafeeChoices.xml -pkg McAfee.pkg -target /

All this can be put inside your postinstall script.

More information can be found here:
https://sneakypockets.wordpress.com/2017/07/26/using-installer-choices-xml-to-modify-anyconnect-and-mcafee-deployments/


@rstasel Sorry, the script is basically all the documentation for itself. It is fully home grown except for the removal code (which is based on a post in the #mcafeee channel on the MacAdmins Slack) and is the result of my packaging all of the individual McAfee ENS installers into a single .pkg for the past couple of years to simplify deployment. The individual module .pkg files were extracted from what the ePO spits out.

I believe you are correct that 10.7.5 is fully kextless on Catalina and Big Sur since it will use a System Extension on those OSes. For ENS 10.7.1 and earlier (or at least going back to 10.6.something) it was an option, except for the firewall module. If you're installing on a Mojave system the kextless flag is still needed since a System Extension support didn't arrive until Catalina.


Some helpful links for new people coming into the thread:

McAfee Support YouTube Channel Mac Videos
How to install ENS Threat Prevention 10.6 in kext-less mode on macOS
How to deploy ENSM to a Mac running High Sierra with ePO

Supported platforms for Endpoint Security for Mac
McAfee compatibility with Privacy Policy Preference Control
End-user experience when installing Endpoint Security for Mac on macOS High Sierra 10.13 and later
Kernel extensions are not loaded without user consent
Switch between modes of operation after installation
McAfee Endpoint Security 10.7.5 - Installation Guide - macOS


@sdagley Perfect. So just ripping apart the McAfee installer, cool!

So drop the installers we want into /tmp, then postinstall. Seems logical.

The choices file is also appealing, but I can't say I've done it before. Anyone know if TalkingMoose's Choices Packager still works?


@rstasel I keep a macOS VM around for @talkingmoose's Choices-Packager and have never tried it on something newer than Mojave.


@sdagley So I'm looking at the postinstall script more, and ripping apart "McAfee-Endpoint-Security-for-Mac-10.7.5-RTW-standalone-266.pkg" (or 10.7.1) just with pkgutil --expand, and I get stuff like "AntiMalware.pkg", "cma_raw.pkg", "FMP.pkg". I know cma_raw.pkg is the agent, and some of the other stuff makes sense, but none of it matches what you've got in your script which includes version numbers, etc.

So how are you getting those pkgs? I must be missing something... I also don't see a way to grab them directly from my ePO, but that may be permission based. I can grab the agent, but that's about it.

Thanks!


Correction... just looked at McAfee site again, and found the individual installers.

I'm dumb...


Testing out 10.7.5, Threat Prevention is disabled upon installation (this is something I have not found a fix for even in past ENS installs, I was hoping this new version would be different) however, this time when turning on TP manually, I'm met with this error:

I have a whole whitelist for PPPC in Jamf, here are the three that this popup refers to:

Any thoughts?


@mikedesmarais Looks like you haven't granted SystemPolicyAllFiles to /usr/local/McAfee/AntiMalware/VShieldScanManager.app

See https://kc.mcafee.com/corporate/index?page=content&id=KB91109 for the current PPPC requirements
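The grant the reply above refers to can be expressed as a PPPC (TCC) configuration profile payload. The following shell script is an added example, not code from this thread, from McAfee or from Jamf: it generates a .mobileconfig that allows SystemPolicyAllFiles (Full Disk Access) for an app identified by its on-disk path, as the KB article describes for /usr/local/McAfee/AntiMalware/VShieldScanManager.app. The code requirement is supplied by the caller (on a Mac, `codesign -dr -` prints the app's designated requirement); the PayloadIdentifier prefix `com.example.pppc.allfiles`, the fallback UUIDs and the PLACEHOLDER requirement used in the comments are constructed values, not McAfee's.

```shell
#!/bin/sh
# Added example (not from this thread, McAfee or Jamf): build a PPPC profile
# that grants SystemPolicyAllFiles to an app identified by path.
# Assumptions: caller supplies the code requirement; com.example.pppc.allfiles
# and the fallback UUIDs are constructed placeholders.

# designated_requirement <app-path>
#   Prints the app's designated code requirement (macOS only; returns 2 elsewhere).
designated_requirement() {
    command -v codesign >/dev/null 2>&1 || return 2
    codesign -dr - "$1" 2>&1 | sed -n 's/^designated => //p'
}

# make_pppc_allfiles_profile <app-path> <code-requirement> [display-name]
#   Prints a .mobileconfig allowing SystemPolicyAllFiles for the app.
make_pppc_allfiles_profile() {
    app="$1"; name="${3:-PPPC - Full Disk Access}"
    # Escape XML-significant characters in the requirement string.
    req=$(printf '%s' "$2" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
    ident="com.example.pppc.allfiles"   # constructed placeholder identifier
    uuid1=$(uuidgen 2>/dev/null || echo 11111111-1111-4111-8111-111111111111)
    uuid2=$(uuidgen 2>/dev/null || echo 22222222-2222-4222-8222-222222222222)
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
      <key>PayloadIdentifier</key><string>${ident}.tcc</string>
      <key>PayloadUUID</key><string>${uuid2}</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>Services</key>
      <dict>
        <key>SystemPolicyAllFiles</key>
        <array>
          <dict>
            <key>Identifier</key><string>${app}</string>
            <key>IdentifierType</key><string>path</string>
            <key>CodeRequirement</key><string>${req}</string>
            <key>Allowed</key><true/>
            <key>Comment</key><string>Full Disk Access granted by MDM</string>
          </dict>
        </array>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key><string>${name}</string>
  <key>PayloadIdentifier</key><string>${ident}</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>${uuid1}</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
EOF
}

# grants_allfiles <profile-file> <app-path>
#   Checks that a generated profile names the app under SystemPolicyAllFiles.
grants_allfiles() {
    grep -q '<key>SystemPolicyAllFiles</key>' "$1" && grep -q "<string>$2</string>" "$1"
}

# Usage on a Mac (constructed output path):
#   app=/usr/local/McAfee/AntiMalware/VShieldScanManager.app
#   make_pppc_allfiles_profile "$app" "$(designated_requirement "$app")" > fda.mobileconfig
```

Using a path identifier with the designated requirement pins the grant to that binary's signing identity, so a later McAfee release signed by the same team keeps the grant while an unrelated binary dropped at the same path does not. Upload the result to Jamf Pro as a custom profile, or compare it against what PPPC Utility produces for the same app.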


@sdagley I did, my screenshot is bad I meant to include that! I'm trying to get it going with McAfee's PPPC profile from their site now, maybe I'll have better luck there.


@rstasel It's just a matter of digging until you find the files needed :-) I'm glad you found them as I don't know their exact origin. I just get occasional drops from our McAfee team with the message "New ENS bits from ePO..."


@sdagley I ended up using the McAfee profile instead of manually entering them in Jamf and it worked like a charm. I followed the choicesXML method to forego installing Firewall and that also worked. Thanks everyone!


@mikedesmarais How did you end up wrapping the choicesxml file with installer?

I'm still torn on using choicesxml or packaging up using @sdagley's postinstall.

And yeah, I used the mcafee profiles. Had to sign the one since prior to 10.26 you couldn't do web extension profiles.

The piece that makes me want to do the post-install method is being able to include a managed agent rather than having to install ENMS, then uninstall the agent (since you can't install the same version of the agent over the top of itself, it'll fail), then reinstall the managed version of the agent.


@rstasel I used Composer, dropped the McAfee 10.7.5 installer and the choices.xml file in tmp, and added a post install script within Composer "installer -applyChoiceChangesXML path to xml file -pkg path to McAfee package -target /"
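The choices.xml approach described earlier in the thread (create an XML file naming the modules to install, then run `installer -applyChoiceChangesXML`) and the Composer postinstall just above both hinge on the same plist. The script below is an added example, not code from this thread or from McAfee: it generates a choiceChanges plist that deselects the listed choices and wraps the installer call so it can sit in a postinstall script. The choice identifiers in the comments are constructed placeholders; the real ones for a given package are printed by `installer -showChoiceChangesXML -pkg <pkg> -target /`.

```shell
#!/bin/sh
# Added example (not from this thread or McAfee): build an installer
# choiceChanges plist and apply it with the macOS installer CLI.
# The choice identifiers used in comments/tests are CONSTRUCTED placeholders;
# discover the real ones with:
#   installer -showChoiceChangesXML -pkg McAfee.pkg -target /

# make_choices_xml <setting> <choiceIdentifier>...
#   Prints a choiceChanges plist setting "selected" to <setting> (0 or 1)
#   for every listed choiceIdentifier, e.g. 0 to skip Firewall and Web Control.
make_choices_xml() {
    setting="$1"; shift
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
    printf '%s\n' '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
    printf '%s\n' '<plist version="1.0">' '<array>'
    for id in "$@"; do
        printf '  <dict>\n'
        printf '    <key>attributeSetting</key>\n    <integer>%s</integer>\n' "$setting"
        printf '    <key>choiceAttribute</key>\n    <string>selected</string>\n'
        printf '    <key>choiceIdentifier</key>\n    <string>%s</string>\n' "$id"
        printf '  </dict>\n'
    done
    printf '%s\n' '</array>' '</plist>'
}

# count_deselected <choices-file>
#   Number of choices the plist turns off; useful as a sanity check before install.
count_deselected() {
    grep -c '<integer>0</integer>' "$1"
}

# install_with_choices <pkg> <choices.xml>
#   Applies the choice changes and installs. Returns 1 if either file is
#   missing and 2 when no installer CLI exists (i.e. not on macOS), so the
#   function is safe to exercise on any POSIX host.
install_with_choices() {
    pkg="$1"; choices="$2"
    [ -f "$pkg" ] && [ -f "$choices" ] || return 1
    command -v installer >/dev/null 2>&1 || return 2
    installer -applyChoiceChangesXML "$choices" -pkg "$pkg" -target /
}

# Postinstall usage (constructed paths and placeholder identifiers):
#   make_choices_xml 0 PLACEHOLDER_FIREWALL PLACEHOLDER_WEBCONTROL > /tmp/mcafeeChoices.xml
#   install_with_choices /tmp/McAfee.pkg /tmp/mcafeeChoices.xml
```

Deselecting a module at install time sidesteps the admin-credential prompt that removing a system extension afterwards triggers, which is the problem reported earlier in this thread with uninstalling the Firewall after the fact.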


@mikedesmarais I have the same question as @rstasel, when you're using the McAfee installer how do you get the agent for your ePO instance installed?