Deploy Microsoft System Center Endpoint Protection 2012 r2

johnpowell
New Contributor II

We use Microsoft System Center Endpoint Protection 2012 r2 (SCEP) as our Mac antivirus. I have not been able to successfully deploy SCEP. I create a package for SCEP using Composer on a clean Mac. I then deploy it with a policy from the JSS (I've also tried Casper Remote) to cache the package, then install all cached packages. The policy says it was successful each time and I can find SCEP in the Application folder after the policy completes. However, SCEP is not running in Activity Monitor and when I attempt to launch SCEP, I get the OS X application launch animation, but no events are logged in Console at all.

If I manually copy the package from the distribution point to the target system's desktop and manually install it, SCEP does not automatically start as it would with a standard installation. If I launch SCEP manually after the install, the GUI icon in the menu bar does not appear, but the process is running in Activity Monitor.

I'm fairly new and inexperienced with Casper, but I have successfully deployed several other packages that I have built in Composer. I believe I've followed the standard process correctly. What am I doing wrong? Has anyone else deployed SCEP 2012 r2?

14 REPLIES 14

Aziz
Valued Contributor

I'm currently in the process of installing SCEP 2012 as well and have the same issues.

There's a .pkg inside:
/Volumes/SCEP12R2ML1502/Mac/4.5.22.0/scep.i386-x86_64.en.dmg/System Center 2012 Endpoint Protection/Resources/Installer.app

The alias works, but the original .pkg doesn't. Using the original .pkg installs fine, but as @J.P. said, it doesn't open or start automatically.

Someone save us both!

mcooper
New Contributor III

Looking at the package I created with Composer I captured both a LaunchAgent and LaunchDaemon from /Library. Does your package include both of those?

tls2t
New Contributor II

I was able to simply drop the install.pkg from the app to get it working with no problems in my configuration in Casper Imaging. The problem I ran into first was that the package wouldn't properly install when no user was logged in. So, I set the priority to 19, and checked the box to install the package to be install on the drive after imaging (when the Adobe temp account is signed in). I think it needs to have a user logged on the machine to do the install properly. Never had a problem since.

Aziz
Valued Contributor

@barret55

I'll try your solution of setting the property to 19. Did you find a way to suppress the notification of updates/scans without using any third party tools?

tls2t
New Contributor II

@Abdiaziz I never tried to suppress any of the notifications, because it was FAR less obtrusive than the Symantec version. Our students, faculty and staff simply ignore the automatic update notices that pop up.

Aziz
Valued Contributor

@barret55

I might go this route, the only last for 5 or so seconds. I'll report back if the .pkg at priority 15 works. Sorry to @J.P. for taking your discussion over!

jwolf23
New Contributor

I open the DMG provided by microsoft, enable hidden files in finder from the terminal, and then deploy the .pkg that is revealed. Works like a champ.

Aziz
Valued Contributor

Thanks guys, worked like a charm. Priority had to be set to 19 for my config.

johnpowell
New Contributor II

@barret55 If it is required to have a user logged in that could be a problem. I'll have to think about it in our environment.

@Abdiaziz Glad it's working for one of us. Did you set it to 19 as part of your image deployment, or are you pushing this in a policy?

@jwolf23 I'm going to try your method. Does SCEP show the application icon in the menu bar and launch at login following your method?

Aziz
Valued Contributor

@J.P.

As part of my image deployment. Haven't tested the policy yet since we're starting over from scratch.

jwolf23
New Contributor

@J.P. . Yes SCEP starts up normally and shows up in the menu bar. We are using this in self-service and imaging with no issues.

calumhunter
Valued Contributor

Have deployed SCEP and custom settings for it both as PKG's to machines that are at the login window.

I don't recall having any issues. I generally don't repackage unless absolutely necessary.

Composer snapshots are bad for repackaging, there are reasons why you use preflight and postflight scripts in packages.

on the SCEP dmg, there is a hidden folder 'Resources', inside this folder is "Installer.pkg"

I simply deploy this Installer.pkg and it works great, no need to repackage.

On a test machine, I configure SCEP the way I want, I then grab the configuration settings which are stored in /Applications/System Center 2012 Endpoint Protection.app/Contents/etc/scep.cfg

Create a package of that file and deploy it after the scep Installer.pkg

johnpowell
New Contributor II

Thanks @Abdiaziz and @jwolf23! I need to push this as a policy, so I won't be able to rely on self service or imaging for deployment, but I'm glad it works well in those scenarios. Hopefully it will do the same as a policy.

@calumhunter : I'm a rookie with Casper, so pardon me if this is obvious or I just missed something when I RTFM. I was able to grab the "Installer.pkg" from SCEP without issue, but I'm not clear on how you did this:

Create a package of that file and deploy it after the scep Installer.pkg

What is the process to make a package of the "scep.cfg"? And once I've done that, how would I configure the policy for "scep.cfg" to run after the policy for SCEP install and replace the generic "scep.cfg" file? I haven't quite gotten a handle on cascading policies like that yet.

johnpowell
New Contributor II

I almost have this solved. I created a DMG in Composer and pushing that as a policy to FEU and FUT seems to work fine, with one minor issue. The Mac needs to restart in order for SCEP to launch. This isn't the case if I run the official installer manually. I know this isn't generally a huge issue, but I would really like to avoid a forced restart if at all possible.

Any suggestions?