McAfee Endpoint Security for Mac

donmontalvo
Esteemed Contributor III

We're looking at McAfee Endpoint Security for Mac 10.2.1 and it comes with four components that have to be installed in order:

  1. McAfee Agent (MA). The 1990's style install.sh script that you have to wrap and trigger via postinstall script in PKG.
  2. McAfee Threat Prevention for Mac (ENSM10_TP) installer PKG
  3. McAfee Threat Prevention for Mac (ENSM10_HF1159589_TP) Hot Fix
  4. McAfee Firewall for Mac (ENSM_FW) installer PKG

I guess they still have the old timer in the corner updating the 20 year old script (item 1) that has an embedded/encoded installer. #facepalm

I'm posting to see if anyone tested this. We've got deployment covered. But looking for any gotchas. So we can test and have an idea of any known issues. Happy to shout back with anything we run into as well.

FWIW, I joined their forum and most of the feedback seems to be cries for help on how to uninstall. :)

TIA,
Don

--
https://donmontalvo.com
29 REPLIES

dmw3
Contributor III

@donmontalvo We have been testing this version over the last month, the installer is very hit and miss via an ePO server. There is an installer that combines all the three packages into one which we have had better luck with.

Others are correct, uninstalling any of the McAfee products is a nightmare.

donmontalvo
Esteemed Contributor III

@dmw3 wrote:

there is an installer that combines all the three packages into one which we have had better luck with.

Interesting, did you have to request the combined package?

--
https://donmontalvo.com

dmw3
Contributor III

@donmontalvo Should be available to you via your McAfee login

pcrandom
Contributor

@donmontalvo, don't know if this would help, but my colleague and I wrote a script that checks if a specific version of McAfee Agent is installed (in this case 5.0.3.272) and is pointed at the proper ePO server (replace "epo.server.com:80" with your own).

If MA is not the proper version or pointing to the right server, it uninstalls it (either version 4.x or 5.x) and then installs the proper version from install.sh, which is assumed to be staged in /tmp/epoinstall already.

#!/bin/bash

target="$3"
agentVer="5.0.3.272"
epoSvr="epo.server.com:80"
configDir="$target/etc/cma.d/EPOAGENT3700MACX/"
cmaDir="$target/Library/McAfee/cma/"
tmpDir="$target/tmp/epoinstall"

if [ -e "$cmaDir/scripts/uninstall.sh" ]; then
    echo "$(date): McAfee Agent (ePO) 5.x Installation Found"
    if grep -qF "$agentVer" "$configDir/config.xml"; then
        echo "$(date): McAfee Agent (ePO) Version $agentVer Found"
        if grep -qF "$epoSvr" "$cmaDir/scratch/ServerSiteList.xml"; then
            echo "$(date): McAfee Agent (ePO) 5.x Points to $epoSvr"
            exit 0
        else
            echo "$(date): McAfee Agent (ePO) 5.x Points to Incorrect Server"
        fi
    else
        echo "$(date): McAfee Agent (ePO) Version $agentVer Not Found"
    fi
    echo "$(date): Removing McAfee Agent (ePO) 5.x"
    if "$cmaDir/scripts/uninstall.sh"; then
        echo "$(date): McAfee Agent (ePO) 5.x Removed Successfully" 
    else
        echo "$(date): McAfee Agent (ePO) 5.x Removal Failed"         
        exit 1
    fi
else
    echo "$(date): McAfee Agent (ePO) 5.x Installation Not Found"
    if [ -e "$cmaDir/uninstall.sh" ]; then
        echo "$(date): McAfee Agent (ePO) 4.x Installation Found"
        echo "$(date): Removing McAfee Agent (ePO) 4.x"
        if "$cmaDir/uninstall.sh"; then
            echo "$(date): McAfee Agent (ePO) 4.x Removed Successfully" 
        else
            echo "$(date): McAfee Agent (ePO) 4.x Removal Failed"         
            exit 1
        fi
    fi
fi
if "$tmpDir/install.sh" -i; then
    echo "$(date): McAfee Agent (ePO) 5.x Installed Successfully" 
else
    echo "$(date): McAfee Agent (ePO) 5.x Installation Failed"
    exit 1
fi      
exit 0

swapple
Contributor III

We have had varying success with pushing it from the EPO server also. Our attempts to use Jamf Pro also are not perfect. We have seen some where the old version uninstalls but the new version won't install leaving the machine out of compliance. I have set up some EA that pull McAfee info to help with scoping and dashboards to see versions and last run. Huge fan that MA 5.0.4 now comes with an Agent Status Monitor which now is a GUI for the log and sending props/events like we see on the PC side.

We have the all in 1 installer and about to try it but will also try the script above!! I did hear that ENS 10.5 is on its way out soon.

Speaking of uninstalling, does anyone have a good ENS uninstaller? We have 1 Mac where ENS is flashing between enabled and disabled. Reinstall did not fix.

gachowski
Valued Contributor II

We are seeing the same issue as dmw3 and swaps. We gave up on pushing from the server it was so bad, then the "EPO" team moved back.

C

donmontalvo
Esteemed Contributor III

On the "all in one installer" DMG can someone post an image of the mounted DMG contents?

Are there three PKGs and an install.sh? Is there a single PKG? Is there a single install.sh and a combined PKG?

Wanted to check before reaching out to the team that gets the source files for us.

TIA,
Don

--
https://donmontalvo.com

dmw3
Contributor III

@donmontalvo unpacked with Pacifist

ocla__09
Contributor

@donmontalvo and @dmw3, has anyone had any success uninstalling McAfee Endpoint Security 10.2.1? All attempts to run the uninstall script fail, even when running as root:

root# /usr/local/McAfee/uninstall EPM
Uninstallation Failed..

root# /usr/local/McAfee/uninstall ThreatPrevention
Uninstallation Failed...

ashminhas2
New Contributor

@dmw3 How did you take that standalone .dmg package from McAfee and package it using Composer to get deployed?

I have taken the .pkg and uploaded it to Composer but when I try to deploy it, it doesn't work.

What steps did you have to take from taking that DMG to getting it into the JSS and down to a device?

*Apologies for dumb questions, a newbie with JAMF.

gachowski
Valued Contributor II

I think the standalone installers fail unless the agent is installed 1st. I also don't think you need to re-package the installers, just drag them straight into Casper Admin.

C

benbass
New Contributor III

@gachowski Yes the stand alone installers require the agent to be installed. I believe there is a version 10.2.2 out now as well.

donmontalvo
Esteemed Contributor III

@benbass we just got a request for 10.2.2 and source files came with two "standalone" installers...but as expected, and confirming what you posted, neither install the McAfee Agent. It has to be installed for the standalone installers to work.

  • McAfee-Threat-Prevention-for-Mac-10.2.2-standalone-111-HF1191059.pkg
  • McAfee-Application-Protection-230-standalone-RTW-1791.pkg

Rumor has it Intel/McAfee has a long time employee (100+ years old) who has some dirt on the company, so they put him in a cage, feed him slabs of meat, and he keeps install.sh going. Once he stops breathing, McAfee can hand that portion of their product to the capable team that provides proper flat/signed zero touch deployable packages, and the world will be a better place. ¯_(ツ)_/¯

--
https://donmontalvo.com

donmontalvo
Esteemed Contributor III

So the 100+ year old must still be kicking...same issues with 10.5.7.

--
https://donmontalvo.com

swapple
Contributor III

The mcafee channel on macadmin slack seems to have some mcafee internal folks. They don't seem to be 100+ but may sit near that person. They often post some great scripts.
I am back and forth on the idea of either pushing all the software down with jamf or just get the agent onto the client and let EPO do all the work. In my case, I copy the wonderful install.sh file to the Mac and run it from a script. When it checks in with EPO, the agent sees missing software and the EPO tasks kick off to fill the computer with great wonderfulness.

Sometimes, 1 is faster than the other, other times not so much.

cnorrisAdmin
New Contributor III

I've been installing the agent for years, then let it check in and ePO installs the suite. I've had some issues with the agent over the years, but generally it works well. I grab the following from Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software\Current\EPOAGENT3700MACX\Install\0409 on the ePO server:

install.sh
SiteInfo.ini
sr2048pubkey.bin
SiteList.xml
req2048seckey.bin
srpubkey.bin
agentfipsmode
reqseckey.bin

Then I drop it into a folder I create in /usr/local, and run a script that just runs install.sh -i to install it. Getting it from the current repository on the server, it has the keys and points to the server after installation. If you have an older version installed it just updates it. I use /Library/McAfee/agent/bin/cmdagent -c to check into the server, and have the policy and task set up to do the install of the Endpoint suite.

donmontalvo
Esteemed Contributor III

@swhps wrote:

I am back and forth on the idea of either pushing all the software down with jamf or just get the agent onto the client and let EPO do all the work.

Yeap, we've been suggesting this for years, but have been getting "Too much to push" pushback, which is, well, ridiculous.

@cnorrisAdmin wrote:

I've been installing the agent for years, then let it check in and ePO installs the suite.

Yep, I'll have to point the folks who own the service to this thread. ;)

--
https://donmontalvo.com

eric_difulvio
New Contributor II

McAfee is annoying. I am working through this with nothing but headaches. I haven't had much success installing the agent with Jamf. But if I install the agent manually, ePO communicates fine. But ePO always has a hot fix or a new agent for a new macOS, so as soon as I need to update the agent (new file) or just put a new agent on a machine manually, I am running into an issue with file sharing on the Macs. It's not communicating properly and keeps giving me an SSH error in ePO, even though I have SMB file share turned on. I am at a loss right now. Any advice?

swapple
Contributor III

I have Jamf push down the files so I don't have to connect the Macs to the server or have the server see my Macs.

I have EPO build my install.sh file. On the EPO System Tree screen is a "new systems" button which is super secret code for make a new install file. In there I choose Create and download agent > non windows > pick my current mac agent. Nothing else gets filled in on that screen and I make the package then download it. (in my case, I add the agent version number to the file to keep straight for testing)

Next I package the agent (just the 1 file) with Composer and have it put the install package in /Library/buildJSS/installmcafee/. (I started using buildJSS to keep all my installers together and not get confused with apps that use Application Support/. Folder location does not really matter as long as your script points to it.)
I then have a script run the install.sh -i from that folder and the agent installs.

#!/bin/sh
/Library/BuildJSS/InstallMcafee/install551.sh -i
sleep 30
/Library/McAfee/agent/bin/cmdagent -p

Having EPO build it bakes in all the settings for my EPO server and relay. You may also find that if you highlight a branch in the system tree before clicking on "new systems" that when the system enrolls, it will land in that branch.

If I keep up with the agent updates in EPO > Software Manager, then as the hot fixes come out, EPO uses my agent tasks to update the agent until I get around to making a new install package.

Playing around with the Create URL choice in the list, it did appear to make a more automated installer but it expires quickly.

aspears
New Contributor III

@swhps Thank you for the step by step example. I will give this a try!

eric_difulvio
New Contributor II

@swhps thank you for that workflow. Works great for me. However, one more question if I may. A lot of my Macs have an old agent on them. The workflow that I am getting from McAfee is that the old agent must be uninstalled before the new agent is installed. Is that the same workflow you use? When you go from one agent to the next, you run an uninstall McAfee script pre install of the new agent?

sdagley
Esteemed Contributor II

@eric.difulvio McAfee has a removal tool (which is actually a binary rather than a script despite possibly arriving with a .sh suffix), ask your McAfee contact if they haven't mentioned it already. Include that with the files you push to your Macs for installation of ENS and call it as the 1st step in your process.

hpavlic_
New Contributor III

Hi All,

We had issues with McAfee installation and agent reporting to server.
It seems when installing McAfee ENS + Threat Prevention, there is an agent already present in that installation, so we do the following:

Install McAfee ENS with .xml where we select what components we want to install

installer -dumplog -verbose -pkg "McAfee-Endpoint-Security-for-Mac-10.5.6-RTW-standalone-100.pkg" -allowUntrusted -target / -applyChoiceChangesXML "ProductDeploy.xml"

Uninstall the Agent, that was installed with ENS package

/Library/McAfee/agent/scripts/uninstall.sh

Install the new agent (script that we got and packaged)

install.sh -i

Report agent to server

/Library/McAfee/agent/bin/cmdagent -p

While deploying to Pilot users we check with ePO console if agent is reporting.
The key was to Install ENS, remove the agent that came with that and install agent with script.

Also, while upgrading sometimes reboot was needed, depending on version.
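
The four steps from the post above as one script, added here as an example that is not part of the original post: it refuses to start if any input is missing, so the bundled agent is never removed without a replacement staged, and it stops at the first failing step. The STAGE folder and the variable and function names are assumptions; the commands and agent paths are the ones quoted in the post.

```shell
#!/bin/bash
# Added example, not from the thread. STAGE is an assumed staging folder;
# every value can be overridden from the environment.
: "${STAGE:=/usr/local/ens-stage}"
: "${PKG:=$STAGE/McAfee-Endpoint-Security-for-Mac-10.5.6-RTW-standalone-100.pkg}"
: "${CHOICES:=$STAGE/ProductDeploy.xml}"
: "${NEW_AGENT:=$STAGE/install.sh}"      # agent installer generated by ePO
: "${OLD_UNINSTALL:=/Library/McAfee/agent/scripts/uninstall.sh}"
: "${CMDAGENT:=/Library/McAfee/agent/bin/cmdagent}"
: "${INSTALLER:=installer}"

# step N LABEL CMD...: log LABEL, run CMD, return N if CMD fails.
step() {
    local n="$1" label="$2"
    shift 2
    echo "$(date): $label"
    "$@" || { echo "$(date): FAILED: $label" >&2; return "$n"; }
}

# Returns 0 on success, 10 if an input is missing, otherwise the number
# (1-4) of the step that failed.
deploy_ens() {
    local f
    # Pre-flight: check every input before anything on the Mac is changed.
    for f in "$PKG" "$CHOICES" "$NEW_AGENT"; do
        [ -f "$f" ] || { echo "missing input: $f" >&2; return 10; }
    done
    # -allowUntrusted is kept from the post; it accepts a package signed with
    # an untrusted or expired certificate. Drop it if the package passes
    # `pkgutil --check-signature`.
    step 1 "Install ENS with the selected components" \
        "$INSTALLER" -dumplog -verbose -pkg "$PKG" -allowUntrusted \
        -target / -applyChoiceChangesXML "$CHOICES" || return
    step 2 "Remove the agent bundled with ENS" "$OLD_UNINSTALL" || return
    step 3 "Install the ePO-generated agent" sh "$NEW_AGENT" -i || return
    step 4 "Report agent properties to ePO" "$CMDAGENT" -p || return
}
```

In a Jamf policy script, finish with `deploy_ens; exit $?` so the policy log records which step failed.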

donmontalvo
Esteemed Contributor III

/Library/McAfee/cma/bin/cmdagent -p is basically like running sudo jamf recon.
/Library/McAfee/cma/bin/cmdagent -c is basically like running sudo jamf policy.

Ya kind of have to run both.

--
https://donmontalvo.com

Stubakka
Contributor II

Fellow Mac techs, I need a hand here, what are the actual files called that I need to upgrade the McAfee agent as of this date? Can someone guide me with the whole install.sh process? My infosec team is not sure of any of it and it's kind of being put on me to figure out. I also don't have access to the site to get the installers so it's ultra frustrating. Any help, guidance, tips etc, would be really appreciated at this point, I'm Stubakka on the Mac admins slack also if anyone wants to dm me and help a fellow admin out. End of rope here.

MichaelBlower
New Contributor II

I'm sure you found your answer already, but in case not... someone with access to the McAfee ePO web console will need to log in and generate a McAfee Agent installer for you and download it, then give it to you. It will be a zip file, that you extract, and then that will be an install.sh file. Once you have that file on a Mac, to install the agent, you run sudo sh install.sh -i. If upgrading, sudo sh install.sh -u. Normally, if you run -i, and the agent is already installed, it will detect this, and run the upgrade anyway. Obviously, if deploying via Jamf, it will run as root, so no need to use the sudo in front of the commands. Not sure how necessary the "sh" is in front of install.sh, but that is how McAfee has it documented.

Stubakka
Contributor II

Thank you @MichaelBlower. Once that's done, would it just allow them to upgrade the rest of the parts via EPO or do I need to package and push those also via a Policy? Current systems are on 10.14.6 and they want to take them to Big Sur, with the McAfee Agent and parts upgraded to Big Sur compatible versions (10.7.6 Agent)

MichaelBlower
New Contributor II

Hey @Stubakka so, you could do it either way. You could deploy the updated products via the McAfee ePO server, or you could package and deploy via the Jamf server. In my experience in the past, deploying via ePO works really well, if the local firewall is turned off on the client. Maybe this has been fixed by now, but with the firewall on in the past, my machines would never get any of the deployments. I haven't run into this same problem with Jamf.

As of right now, McAfee Agent is at 5.7.2, and Endpoint Security for Mac is at 10.7.6.

Jamftechelp
New Contributor II

I deployed McAfee via Jamf by creating packages using Composer and deployed configuration Profile to allow extension and full disk access but still, I have to allow extension manually from System Preferences --> Security & Privacy --> General. Here I attached my configuration details and scripts I used and please suggest anything missing or changes required.

#!/bin/bash

# The paths contain a space ("Application Support"), so each one is quoted.
sudo "/Library/Application Support/mcafeeapp/McAfee_SH/install.sh" -i

## Wait 20 seconds
sleep 20

sudo installer -pkg "/Library/Application Support/mcafeeapp/McAfee_TP/McAfee-Threat-Prevention-for-Mac-10.6.7-ePO-client-package-RTW-108.pkg" -target /

## Wait 20 seconds
sleep 20

sudo installer -pkg "/Library/Application Support/mcafeeapp/McAfee_ATP/McAfee-Adaptive-Threat-Protection-for-Mac-10.6.7-ePO-client-package-Release114.pkg" -target /

## Wait 20 seconds
sleep 20

sudo installer -pkg "/Library/Application Support/mcafeeapp/McAfee_DLP/DlpAgentInstaller.pkg" -target /

## Wait 20 seconds
sleep 20

sudo installer -pkg "/Library/Application Support/mcafeeapp/McAfee_MCP/McpDistribution.pkg" -target /

#sleep 300

## removing complete packages after installation.
#sudo rm -r "/Library/Application Support/mcafeeapp"

#if [ -e "/Library/Application Support/mcafeeapp" ]; then
#echo "mcafeeapp folder is exist."
#else
#echo "mcafeeapp folder was removed."
#fi
