Hi @pueo,
Thanks for the suggestions. And you are right, the best test is to try it locally, which I've already done... I've got the .dmg copied locally and tried to go through the normal installation, but it failed at the end. So, I'm not sure if I'm doing something wrong or if this package received from FireEye has some problems with it.
Thanks,
CC
If the agent does not install just from double clicking the package on a local Mac, then you may have a damaged agent.
Actually, the .dmg has the package and JSON files, when I double-clicked it. I ran the pkg and got the Failed message right at the end.
Sounds like a damaged pkg file. Maybe try on one more machine. I drag both the json and the pkg file to the /private/tmp/FireEyeAgent folder (I created the FireEyeAgent folder). Then package it up with the post install script.
Yeah, I've tried that too initially... directly from the /private/tmp/FireEyeAgent folder... No dice either! 😞
Questions about the configuration profile. Kext whitelisting will fail on Apple Silicon. Should I have two configuration profiles, one with Kext for Intel and another without Kext for AS? Or just the one and just let the Kext fail?
@mlitton Kernel Extensions are a thing of the past now, so I guess you are running a macOS less than Catalina? Create two Profiles, one for System Extension and one for Kernel Extension and scope to the appropriate macOS. It does not hurt having both profiles on each machine but can add confusion.
Thanks @pueo for sharing your findings on this FireEye HX/xagt release and config screens (just love those vendors hiding important info behind their support portals).
Adding to your reply to @mlitton's question... agree w/ creating two profiles for Kext (Intel) and SysExt (ARM), but probably best to exclude each config profile's scope via smart groups for "Architecture type" is/not "arm" or is/not "x86_64"? Otherwise, you're potentially generating extra log chatter and performance overhead for failed installs.
Hello @cc_rider
I can't see the contents of your package or any scripts. So I have posted what I did and it works for us.
For new/reimaged Macs we deploy the FE Agent as part of our DEP Notify script. This is not important.
My post install script for FE is posted below:
--
#!/bin/sh
## postinstall
sudo installer -pkg /private/tmp/FireEyeAgent/xagtSetup_33.51.0.pkg -target /
sudo rm -r /private/tmp/FireEyeAgent
--
I packaged this small script using Composer. It took many attempts to get it working.
Does your script work locally? You should be able to run it locally after moving the pkg into whatever directory it loads from.
Remove spaces from your pkg file or use _ or - to join words. This will help simplify things and help troubleshooting. Maybe use one name like FEAgent.pkg, test, then build up from there.
Check jamf.log and install.log.
Test locally... then Jamf...
Good luck!
Cheers,
a.
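An added example, not part of the post above and not the poster's or FireEye's script: a variant of that postinstall which refuses a pkg name containing spaces, checks that the staged pkg exists, and only removes the staging folder when the installer succeeds, so a failed run can be retried locally. The folder and pkg name come from the thread; `STAGE_DIR`, `PKG_NAME`, `INSTALLER_CMD` and the function names are assumptions made for this sketch.

```sh
#!/bin/sh
## postinstall (added example; variable and function names are assumptions)
STAGE_DIR="${STAGE_DIR:-/private/tmp/FireEyeAgent}"
PKG_NAME="${PKG_NAME:-xagtSetup_33.51.0.pkg}"
INSTALLER_CMD="${INSTALLER_CMD:-/usr/sbin/installer}"

# Accept only names that end in .pkg and contain no spaces.
pkg_name_ok() {
    case "$1" in
        ""|*" "*) return 1 ;;
        *.pkg)    return 0 ;;
        *)        return 1 ;;
    esac
}

# Returns 0 on success, 1 if the installer failed,
# 2 for a rejected pkg name, 3 if the pkg is not staged.
install_agent() {
    pkg="$STAGE_DIR/$PKG_NAME"
    pkg_name_ok "$PKG_NAME" || { echo "bad pkg name: $PKG_NAME" >&2; return 2; }
    [ -f "$pkg" ] || { echo "pkg not found: $pkg" >&2; return 3; }
    # postinstall scripts already run as root, so sudo is not needed here.
    if "$INSTALLER_CMD" -pkg "$pkg" -target /; then
        rm -r "$STAGE_DIR"
        return 0
    fi
    # Leave the staged files in place for a local retry.
    echo "installer failed for $pkg; see /var/log/install.log" >&2
    return 1
}

# Run only when invoked as the package's postinstall script.
if [ "${0##*/}" = "postinstall" ]; then
    install_agent
    exit $?
fi
```

A non-zero exit from the postinstall makes the failure visible in jamf.log instead of being masked by the cleanup step.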
Hi @pueo ,
Sorry for the long wait before my reply, but our peeps in charge of managing the FireEye appliance had to upgrade it to a newer version, so that's why I had to put the testing on hold... Anyways, I just received the v.34.28.1 to test with, but I need to make sure now that I'm following the correct path. 🙂
Could you please tell me how you are doing with upgrading from a lower version to v.34.28.1? Previously, we have been using a script to remove ALL the necessary files/folders/entries before you install the new version... From FireEye tech, I've got this instruction:
"please make sure that the customer correctly removed the system extension and rebooted the mac. The correct command to remove everything is to add the remove helper switch: sudo /Library/FireEye/xagt/uninstall.tool --remove-helper
After running this command and rebooting, the customer should install version 34.28.1 and allow the FireEye and Bitdefender kernel extensions."
Is it going to be enough that "uninstall.tool" with the switch like that?
Thanks,
CC