Hey folks,
After upgrading our Macs to 10.11 and installing McAfee Endpoint, I lose remote connection to the Macs. ARD or Screen Sharing doesn't work after the install, but oddly I can still run scripts or push packages. I just can't see their screen any longer.
Instead of walking up to the Mac in another building, I'd like to shoot a script to turn off the McAfee Firewall. After I do that, I can see the screen again.
Anybody had this issue and know a script to turn off the Firewall?
Although it's possible to disable those or turn them off, it's only temporary as long as your systems are checking in with ePO. In my experience even doing it manually in the GUI it ends up enabled again usually within about 10-15 minutes later, sometimes even sooner. The setting to have those enabled comes from ePO so it overrides any local disablement. At least that's how it is for us.
And you won't be able to ssh in either. (angry face here)
I had this with Endpoint Protection product, and it would clear once the machine checked in an enforced policy, ~20 minutes,
You can try adding a script to force the checkin with ePO:
/Library/McAfee/cma/bin/cmdagent -cWith the Endpoint Security product, you can get just the Threat Prevention installer if you don't want firewall also.
I'm running this script after install to not only turn it off, but remove the feature entirely:
#!/bin/bash
echo "Disabling WebControl"
/usr/local/McAfee/uninstall WebControl
echo "Disabling McAfee Firewall"
/usr/local/McAfee/uninstall Firewall
exit 0I get "uninstallation failed" or "permission denied." Any thoughts?
Are you running it with sudo? I run it as part of my McAfee install/upgrade, but if you're just testing locally it will require sudo.
Your best bet would be to have your ePO administrator adjust the Firewall policy to allow all the pertinent ports you need to manage the Macs. Immediately after installing McAfee on a Mac, the firewall will default to blocking everything, but after 10-15 minutes it will check in with the server and pull down the firewall policy that permits ssh and ARD and anything else you need.
I tried using the script through ARD's Unix button. Yes, I used sudo. I'm probably missing something simple.
I will contact the ePO admin. The thing is when I update to endpoint 2.3 on 10.12 Macs, I don't lose remote connection. I install the agent and I am on my way.
But going from 1.2 to 2.3 endpoint on 10.11 Macs, I lose connection and can't SSH. 10.12 Macs are just fine. So I am puzzled.
This is how I disable it on 10.5.x. You can either add this at the end of your postinstall script, or add the script as a payload to your McAfee installer policy. I have found that you need to restart the daemon to get it to start back up if a reboot is not desired.
Command to disable firewall
sudo defaults write /Library/Preferences/com.mcafee.ssm.StatefulFirewall.plist IsFirewallEnabled -bool falseCommand to enable firewall
sudo defaults write /Library/Preferences/com.mcafee.ssm.StatefulFirewall.plist IsFirewallEnabled -bool true
sudo /usr/local/McAfee/StatefulFirewall/bin/StatefullFirewallControl restartOur issue is that the ePO servers do not sort consistently, and often our Macs just sit in some Lost & found container until they are manually put in the correct managed container. With the above disable command, at least our techs can still work with the machine while it waits for ePO to figure it out. Once the ePO starts managing the client, it can do whatever it wants. Leave it disabled, enable it and manage it, etc.. This is simply a work-around while waiting for management.
@McMike would you happen to have a way to enable Threat Prevention using a script? For some reason every time I install ENS Threat Prevention is disabled, and any attempt at making a custom package for it in Composer gives me an OS incompatibility error when trying to install it.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.