We're looking at McAfee Endpoint Security for Mac 10.2.1 and it comes with four components that have to be installed in order:
I guess they still have the old timer in the corner updating the 20 year old script (item 1) that has an embedded/encoded installer. #facepalm
I'm posting to see if anyone tested this. We've got deployment covered. But looking for any gotchas. So we can test and have an idea of any known issues. Happy to shout back with anything we run into as well.
FWIW, I joined their forum and most of the feedback seems to be cries for help on how to uninstall. :)
@donmontalvo We have been testing this version over the last month; the installer is very hit and miss via an ePO server. There is an installer that combines all three packages into one, which we have had better luck with.
Others are correct, uninstalling any of the McAfee products is a nightmare.
@donmontalvo, don't know if this would help, but my colleague and I wrote a script that checks if a specific version of McAfee Agent is installed (in this case 184.108.40.2062) and is pointed at the proper ePO server (replace "epo.server.com:80" with your own).
If MA is not the proper version or pointing to the right server, it uninstalls it (either version 4.x or 5.x) and then installs the proper version from install.sh, which is assumed to be staged in /tmp/epoinstall already.
```bash
#!/bin/bash
# Keep the McAfee Agent at the expected version and pointed at the expected ePO server.
# If either check fails, remove the existing agent (4.x or 5.x) and reinstall from
# the install.sh already staged in $tmpDir.

target="$3"
agentVer="220.127.116.112"
epoSvr="epo.server.com:80"
configDir="$target/etc/cma.d/EPOAGENT3700MACX/"
cmaDir="$target/Library/McAfee/cma/"
tmpDir="$target/tmp/epoinstall"

if [ -e "$cmaDir/scripts/uninstall.sh" ]; then
    echo "$(date): McAfee Agent (ePO) 5.x Installation Found"
    # -F: match the version and server as literal strings, not as regexes
    if grep -qF "$agentVer" "$configDir/config.xml"; then
        echo "$(date): McAfee Agent (ePO) Version $agentVer Found"
        if grep -qF "$epoSvr" "$cmaDir/scratch/ServerSiteList.xml"; then
            echo "$(date): McAfee Agent (ePO) 5.x Points to $epoSvr"
            exit 0
        else
            echo "$(date): McAfee Agent (ePO) 5.x Points to Incorrect Server"
        fi
    else
        echo "$(date): McAfee Agent (ePO) Version $agentVer Not Found"
    fi
    echo "$(date): Removing McAfee Agent (ePO) 5.x"
    if "$cmaDir/scripts/uninstall.sh"; then
        echo "$(date): McAfee Agent (ePO) 5.x Removed Successfully"
    else
        echo "$(date): McAfee Agent (ePO) 5.x Removal Failed"
        exit 1
    fi
else
    echo "$(date): McAfee Agent (ePO) 5.x Installation Not Found"
    if [ -e "$cmaDir/uninstall.sh" ]; then
        echo "$(date): McAfee Agent (ePO) 4.x Installation Found"
        echo "$(date): Removing McAfee Agent (ePO) 4.x"
        if "$cmaDir/uninstall.sh"; then
            echo "$(date): McAfee Agent (ePO) 4.x Removed Successfully"
        else
            echo "$(date): McAfee Agent (ePO) 4.x Removal Failed"
            exit 1
        fi
    fi
fi

# Install (or reinstall) the agent from the staged installer
if "$tmpDir/install.sh" -i; then
    echo "$(date): McAfee Agent (ePO) 5.x Installed Successfully"
else
    echo "$(date): McAfee Agent (ePO) 5.x Installation Failed"
    exit 1
fi
exit 0
```
We have had varying success with pushing it from the EPO server also. Our attempts to use Jamf Pro also are not perfect. We have seen some where the old version uninstalls but the new version won't install, leaving the machine out of compliance. I have set up some EA that pull McAfee info to help with scoping and dashboards to see versions and last run. Huge fan that MA 5.0.4 now comes with an Agent Status Monitor which now is a GUI for the log and sending props/events like we see on the PC side.
We have the all in 1 installer and about to try it but will also try the script above!! I did hear that ENS 10.5 is on its way out soon.
Speaking of uninstalling, does anyone have a good ENS uninstaller? We have 1 Mac where ENS is flashing between enabled and disabled. Reinstall did not fix.
On the "all in one installer" DMG, can someone post an image of the mounted DMG contents?
Are there three PKGs and an install.sh? Is there a single PKG? Is there a single install.sh and a combined PKG?
Wanted to check before reaching out to the team that gets the source files for us.
```
root# /usr/local/McAfee/uninstall EPM
Uninstallation Failed..
root# /usr/local/McAfee/uninstall ThreatPrevention
Uninstallation Failed...
```
@dmw3 How did you take that standalone .dmg package from McAfee and package it using Composer to get deployed?
I have taken the .pkg and uploaded it to Composer, but when I try to deploy it, it doesn't work.
What steps did you have to take from taking that DMG to getting it into the JSS and down to a device?
*Apologies for dumb questions, a newbie with JAMF.
@benbass we just got a request for 10.2.2 and source files came with two "standalone" installers...but as expected, and confirming what you posted, neither install the McAfee Agent. It has to be installed for the standalone installers to work.
Rumor has it Intel/McAfee has a long time employee (100+ years old) who has some dirt on the company, so they put him in a cage, feed him slabs of meat, and he keeps install.sh going. Once he stops breathing, McAfee can hand that portion of their product to the capable team that provides proper flat/signed zero touch deployable packages, and the world will be a better place. ¯\_(ツ)_/¯
The mcafee channel on macadmin slack seems to have some mcafee internal folks. They don't seem to be 100+ but may sit near that person. They often post some great scripts.
I am back and forth on the idea of either pushing all the software down with jamf or just get the agent onto the client and let EPO do all the work. In my case, I copy the wonderful install.sh file to the Mac and run it from a script. When it checks in with EPO, the agent sees missing software and the EPO tasks kick off to fill the computer with great wonderfulness.
Sometimes, 1 is faster than the other, other times not so much.
I've been installing the agent for years, then let it check in and ePO installs the suite. I've had some issues with the agent over the years, but generally it works well. I grab the following from Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software\Current\EPOAGENT3700MACX\Install\0409 on the ePO server:
Then I drop it into a folder I create in /usr/local and run a script that just runs install.sh -i to install it. Getting it from the current repository on the server, it has the keys and points to the server after installation. If you have an older version installed it just updates it. I use /Library/McAfee/agent/bin/cmdagent -c to check into the server, and have the policy and task set up to do the install of the Endpoint suite.
I am back and forth on the idea of either pushing all the software down with jamf or just get the agent onto the client and let EPO do all the work.
Yeap, we've been suggesting this for years, but have been getting "Too much to push" pushback, which is, well, ridiculous.
I've been installing the agent for years, then let it check in and ePO installs the suite.
Yep, I'll have to point the folks who own the service to this thread. ;)
McAfee is annoying. I am working through this with nothing but headaches. I haven't had much success installing the agent with Jamf. But if I install the agent manually, ePO communicates fine. But ePO always has a hot fix or a new agent for a new macOS, so as soon as I need to update the agent (new file) or just put a new agent on a machine manually, I am running into an issue with file sharing on the Macs. It's not communicating properly and keeps giving me an SSH error in ePO, even though I have SMB file share turned on. I am at a loss right now. Any advice?
I have Jamf push down the files so I don't have to connect the Macs to the server or have the server see my Macs.
I have EPO build my install.sh file. On the EPO System Tree screen is a "new systems" button which is super secret code for make a new install file. In there I choose Create and download agent > non windows > pick my current mac agent. Nothing else gets filled in on that screen and I make the package then download it. (in my case, I add the agent version number to the file to keep straight for testing)
Next I package the agent (just the 1 file) with Composer and have it put the install package in /Library/buildJSS/installmcafee/. (I started using buildJSS to keep all my installers together and not get confused with apps that use Application Support/. Folder location does not really matter as long as your script points to it.)
I then have a script run the install.sh -i from that folder and the agent installs.
```sh
#!/bin/sh
/Library/BuildJSS/InstallMcafee/install551.sh -i
sleep 30
/Library/McAfee/agent/bin/cmdagent -p
```
Having EPO build it bakes in all the settings for my EPO server and relay. You may also find that if you highlight a branch in the system tree before clicking on "new systems" that when the system enrolls, it will land in that branch.
If I keep up with the agent updates in EPO > Software Manager, then as the hot fixes come out, EPO uses my agent tasks to update the agent until I get around to making a new install package.
Playing around with the Create URL choice in the list, it did appear to make a more automated installer but it expires quickly.
@swhps thank you for that workflow. Works great for me. However, one more question if I may. A lot of my Macs have an old agent on them. The workflow that I am getting from Mcafee is that the old agent must be uninstalled before the new agent is installed. Is that the same workflow you use? When you go from one agent to the next, you run an uninstall mcafee script pre install of the new agent?
@eric.difulvio McAfee has a removal tool (which is actually a binary rather than a script despite possibly arriving with a .sh suffix), ask your McAfee contact if they haven't mentioned it already. Include that with the files you push to your Macs for installation of ENS and call it as the 1st step in your process.
We had issues with McAfee installation and agent reporting to server.
It seems when installing McAfee ENS + Threat Prevention, there is agent already present in that installation so we do the following:
1. Install McAfee ENS with .xml where we select what components we want to install:

```
installer -dumplog -verbose -pkg "McAfee-Endpoint-Security-for-Mac-10.5.6-RTW-standalone-100.pkg" -allowUntrusted -target / -applyChoiceChangesXML "ProductDeploy.xml"
```

2. Uninstall the Agent that was installed with the ENS package
3. Install the new agent (script that we got and packaged)
4. Report agent to server
While deploying to Pilot users we check with ePO console if agent is reporting.
The key was to Install ENS, remove the agent that came with that and install agent with script.
Also, while upgrading sometimes reboot was needed, depending on version.
Fellow Mac techs, I need a hand here. What are the actual files called that I need to upgrade the McAfee agent as of this date? Can someone guide me with the whole install.sh process? My infosec team is not sure of any of it and it's kind of being put on me to figure out. I also don't have access to the site to get the installers so it's ultra frustrating. Any help, guidance, tips etc. would be really appreciated at this point. I'm Stubakka on the Mac admins Slack also if anyone wants to DM me and help a fellow admin out. End of rope here.
I'm sure you found your answer already, but in case not... someone with access to the McAfee ePO web console will need to log in and generate a McAfee Agent installer for you and download it, then give it to you. It will be a zip file, that you extract, and then that will be an install.sh file. Once you have that file on a Mac, to install the agent, you run sudo sh install.sh -i. If upgrading, sudo sh install.sh -u. Normally, if you run -i, and the agent is already installed, it will detect this, and run the upgrade anyway. Obviously, if deploying via Jamf, it will run as root, so no need to use the sudo in front of the commands. Not sure how necessary the "sh" is in front of install.sh, but that is how McAfee has it documented.
Thank you @MichaelBlower. Once that's done, would it just allow them to upgrade the rest of the parts via EPO or do I need to package and push those also via a Policy? Current systems are on 10.14.6 and they want to take them to Big Sur, with the McAfee Agent and parts upgraded to Big Sur compatible versions (10.7.6 Agent).
Hey @Stubakka so, you could do it either way. You could deploy the updated products via the McAfee ePO server, or you could package and deploy via the Jamf server. In my experience in the past, deploying via ePO works really well, if the local firewall is turned off on the client. Maybe this has been fixed by now, but with the firewall on in the past, my machines would never get any of the deployments. I haven't run in to this same problem with Jamf.
As of right now, McAfee Agent is at 5.7.2, and Endpoint Security for Mac is at 10.7.6.
I deployed McAfee via Jamf by creating packages using Composer and deployed a configuration profile to allow the extension and full disk access, but still I have to allow the extension manually from System Preferences --> Security & Privacy --> General. Here I attached my configuration details and the scripts I used; please suggest anything missing or changes required.
```bash
#!/bin/bash
# Paths are quoted because "Application Support" contains a space.

# Install the McAfee Agent first
sudo "/Library/Application Support/mcafeeapp/McAfee_SH/install.sh" -i

## Wait 20 seconds
sleep 20
sudo installer -pkg "/Library/Application Support/mcafeeapp/McAfee_TP/McAfee-Threat-Prevention-for-Mac-10.6.7-ePO-client-package-RTW-108.pkg" -target /

## Wait 20 seconds
sleep 20
sudo installer -pkg "/Library/Application Support/mcafeeapp/McAfee_ATP/McAfee-Adaptive-Threat-Protection-for-Mac-10.6.7-ePO-client-package-Release114.pkg" -target /

## Wait 20 seconds
sleep 20
sudo installer -pkg "/Library/Application Support/mcafeeapp/McAfee_DLP/DlpAgentInstaller.pkg" -target /

## Wait 20 seconds
sleep 20
sudo installer -pkg "/Library/Application Support/mcafeeapp/McAfee_MCP/McpDistribution.pkg" -target /

#sleep 300
## removing complete packages after installation.
#sudo rm -r "/Library/Application Support/mcafeeapp"
#if [ -e "/Library/Application Support/mcafeeapp" ];then
#echo "mcafeeapp folder is exist."
#else
#echo "mcafeeapp folder was removed."
#fi
```