McAfee Agent Managed/Unmanaged Extension

Jason
Contributor

Has anyone created an extension attribute to see if the McAfee Agent is managed or unmanaged?

Originally I had made one looking at /Library/McAfee/cma/scratch/etc/log since it usually lists if the agent is managed or unmanaged there. But that log rotates out and may not have the necessary line always. There is also a SiteList.xml which lists all of the repositories, but I'm not sure if that is the best measure to know if a client is successfully managed or not. Existence of a keystore could be a possibility also...

Any other locations to look at for the extension?

Thanks

1 ACCEPTED SOLUTION

Jason
Contributor

I've heard back from McAfee on this and ended up creating a new EA if anyone is interested. First one will identify if McAfee Agent is running managed or unmanaged. The next two get the full version number of MA and EPM. If anyone wanted to be VERY precise with the managed/unmanaged check, then you could also look in the SiteList.xml file for SpipeSite being set to your master management server and the ./Keystore/ folder containing the 4 keys in it. Checking Registry.ini for the AgentGUID was sufficient for me however.

#!/bin/sh

#Reports if McAfee Agent is managed (1) or unmanaged (0).
#Data Type in JSS for this script should be set to: String

# grep -c prints the number of matching lines; stderr is silenced so a
# missing registry.ini falls through to "Unmanaged" without error output.
isManaged=$(grep -c "AgentGUID=" /Library/McAfee/cma/scratch/registry.ini 2>/dev/null)

if [ "$isManaged" = "1" ]; then
    result="Managed"
else
    result="Unmanaged"
fi
echo "<result>$result</result>"

#!/bin/sh

#Reports the version of the McAfee EPM installed on the client computer.
#Data Type in JSS for this script should be set to: string

# Pull the tag's text out with sed, then strip spaces, tabs, CRs and newlines.
FMPVersion=$(cat /usr/local/McAfee/fmp/config/FMPInfo.xml | egrep "<FMPVersion>.*</FMPVersion>" | sed -e "s/<FMPVersion>\(.*\)<\/FMPVersion>/\1/" | tr -d " " | tr -d "\t" | tr -d "\r" | tr -d "\n")
BuildNumber=$(cat /usr/local/McAfee/fmp/config/FMPInfo.xml | egrep "<BuildNumber>.*</BuildNumber>" | sed -e "s/<BuildNumber>\(.*\)<\/BuildNumber>/\1/" | tr -d " " | tr -d "\t" | tr -d "\r" | tr -d "\n")

FullVersion="$FMPVersion.$BuildNumber"
echo "<result>$FullVersion</result>"

#!/bin/sh

#Reports the version of the McAfee epO Agent installed on the client computer.
#Data Type in JSS for this script should be set to: string

Version=$(cat /etc/cma.d/EPOAGENT3700MACX/config.xml | egrep "<Version>.*</Version>" | sed -e "s/<Version>\(.*\)<\/Version>/\1/" | tr -d " ")

echo "<result>$Version</result>"


6 REPLIES 6

lindell
New Contributor

I check for a healthy ePO agent by looking for the exclusions in VirusScan. If those aren't populated I know the machine isn't checking into the ePO server properly.

#!/bin/sh

#Check McAfee On Access Scan Exclusions
if [ -e "/Library/Preferences/com.mcafee.ssm.antimalware.plist" ]; then
    exclusions=$(defaults read "/Library/Preferences/com.mcafee.ssm.antimalware" OAS_Exclusion_List)
    # Report the exclusions only when the plist exists, so a single <result> is emitted.
    echo "<result>$exclusions</result>"
else
    echo "<result>McAfee Not Installed</result>"
fi

Maybe others will chime in with how they check. This will only work if you have at least one on access exclusion, but I'm not sure how you would use McAfee without using exclusions.

ssmurphy
New Contributor III

Was able to use what Jason had posted and it's working.

Thanks for sharing.

Jason
Contributor

@ssmurphy, I'm glad it's worked for you. Recently I updated to v5 and noticed they moved some of this information into database files which broke my old EA's. Here's the new stuff if you ever need it. It's still backwards compatible so it works with v4 as well:

For ePO

#!/bin/sh

#Reports the version of the McAfee ePO Agent installed on the client computer.
#Data Type in JSS for this script should be set to: string

DBPATH="/private/var/McAfee/agent/db/ma.db"
CONFIGPATH="/etc/cma.d/EPOAGENT3700MACX/config.xml"

if [ -f "$DBPATH" ]; then
    # Used by MA Version > 4
    AgentVersion=$(sqlite3 "$DBPATH" "SELECT VALUE from AGENT_CHILD where NAME = 'AgentVersion';")
else
    # Used by MA Version = 4
    AgentVersion=$(cat "$CONFIGPATH" | egrep "<Version>.*</Version>" | sed -e "s/<Version>\(.*\)<\/Version>/\1/" | tr -d " ")
fi

echo "<result>$AgentVersion</result>"

For MA:

#!/bin/sh

#Reports if McAfee Agent is managed (1) or unmanaged (0).
#Data Type in JSS for this script should be set to: String

DBPATH="/private/var/McAfee/agent/db/ma.db"
INIPATH="/Library/McAfee/cma/scratch/registry.ini"

if [ -f "$DBPATH" ]; then
    # MA 5: AgentMode is stored in the agent database
    AgentMode=$(sqlite3 "$DBPATH" "SELECT VALUE from AGENT_CHILD where NAME = 'AgentMode';")
else
    # MA 4: count AgentGUID lines in registry.ini
    AgentMode=$(grep -c "AgentGUID=" "$INIPATH" 2>/dev/null)
fi

if [ "$AgentMode" = "1" ]; then
    result="Managed"
else
    result="Unmanaged"
fi
echo "<result>$result</result>"

EPM EA still works as before

Jlocke
New Contributor

Hi there, we are now on version 5.0.2.185 but registry.ini is not there and I can't use Smart groups to see if my clients are Managed or not.

Any idea?

noahdowd
Contributor

I know this is old, but I stumbled upon it looking for something else. For anyone who finds themself here, this is what I do:

#!/bin/sh

mcAfeeServerSiteList="/Library/McAfee/cma/scratch/ServerSiteList.xml"

result="Not configured"

if ! [ -e ${mcAfeeServerSiteList} ]; then
#if ! [ -e /Library/McAfee/cma/bin/cmdagent ]; then
    echo "<result>$result</result>"
    exit 0
fi

mcAfeeServer=$(/usr/bin/xmllint --xpath 'string(//SpipeSite/@ServerIP)' ${mcAfeeServerSiteList})
if [ "${mcAfeeServer}" = "" ]; then
    echo "<result>$result</result>"
    exit 0
fi

mcAfeeServer=$(/bin/echo ${mcAfeeServer} | /usr/bin/awk -F ':' '{print $1}')

## Note, this line alone could work for you but I found it was a lot less reliable.
#mcAfeeServer=$(/Library/McAfee/cma/bin/cmdagent -i | /usr/bin/grep "EpoServerList: " | /usr/bin/awk '{print $NF}' | /usr/bin/awk -F '|' '{print $1}')

mcAfeeServerName=$(/usr/bin/nslookup ${mcAfeeServer} | /usr/bin/grep -i 'name' | /usr/bin/awk '{print $NF}')

result="${mcAfeeServerName}"

echo "<result>$result</result>"
exit 0
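
The stricter check Jason describes in the accepted answer (AgentGUID in registry.ini, SpipeSite in SiteList.xml pointing at the management server, and the Keystore folder holding 4 keys), written as an added example that is not code from any poster in this thread. It assumes SiteList.xml and Keystore/ sit in the same directory as registry.ini and that SpipeSite carries a `ServerIP="host:port"` attribute like the ServerSiteList.xml read in the script above; the function names and the sample data are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumptions: SiteList.xml and
# Keystore/ sit in the same directory as registry.ini, and SpipeSite carries
# a ServerIP="host:port" attribute as in the ServerSiteList.xml script above.

# ma_state DIR EXPECTED_SERVER
# Prints Unmanaged, Managed, or "Partial:" plus the checks that failed.
ma_state() {
    dir=$1
    expected=$2
    failed=""

    # 1. AgentGUID in registry.ini (the check the accepted answer uses).
    if ! grep -q "AgentGUID=" "$dir/registry.ini" 2>/dev/null; then
        echo "Unmanaged"
        return 0
    fi

    # 2. SpipeSite in SiteList.xml points at the expected management server.
    server=$(sed -n 's/.*<SpipeSite[^>]*ServerIP="\([^":]*\).*/\1/p' \
        "$dir/SiteList.xml" 2>/dev/null | head -n 1)
    [ "$server" = "$expected" ] || failed="$failed sitelist"

    # 3. Keystore folder contains exactly the 4 keys.
    keys=$(find "$dir/Keystore" -type f 2>/dev/null | wc -l | tr -d ' ')
    [ "$keys" -eq 4 ] || failed="$failed keystore"

    if [ -z "$failed" ]; then echo "Managed"; else echo "Partial:$failed"; fi
}

# make_sample DIR: constructed test data, not copied from a real agent.
make_sample() {
    mkdir -p "$1/Keystore"
    echo "AgentGUID={00000000-0000-0000-0000-000000000000}" > "$1/registry.ini"
    echo '<SiteLists><SpipeSite Name="ePO" ServerIP="192.0.2.10:443"/></SiteLists>' \
        > "$1/SiteList.xml"
    for k in key1 key2 key3 key4; do : > "$1/Keystore/$k"; done
}

# Demo run against the constructed sample.
sample=$(mktemp -d)
make_sample "$sample"
echo "<result>$(ma_state "$sample" 192.0.2.10)</result>"
rm -rf "$sample"
```

As an extension attribute, replace the demo lines with a single call that passes the agent's scratch directory and your own ePO server address; a "Partial" result gives a Smart Group something to scope on for agents that have a GUID but a wrong site list or an incomplete keystore.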