McAfee Endpoint Security PPPC

@sdagley I have the agent as a separate policy altogether. That policy excludes macs in a smart group with the latest agent installed, and if they don't have the latest, it uninstalls the agent altogether and install the latest version that I've received from my McAfee admin. So currently they're two separate policies, which may not be the best method of going about this, I just haven't had much support from my security team other than "here is the latest install for the agent and ENS". It's messy...

Right. The issue I found when testing 10.7.5 is that includes 5.6.6 hotfix 1, which means when you install it, then go to install the managed agent, the managed agent fails to install cause it won't install over itself (it WILL if the existing one is older). So you end up with this convoluted install ENS 10.7.5, uninstall agent, reinstall managed agent. I was thinking maybe with your postinstall, I could just bundle the managed agent. =) Doesn't OVERLY matter... but figured it might save a step.

The biggest pain at this point is the different ENS installs for different OS's. =/

For sure. I have a few film/video labs still on Mojave because the instructors are wary of upgrading the OS, so I have two policies now, one for 10.7.1 and one for 10.7.5 for the rest of the fleet. At this point after months of back and forth with my security team, google and this forum I'm content with what I have, at least for the holidays, maybe in the spring I'll try and streamline it haha

are you using a managed agent?

well, I can say using the post-install with the individual installer pieces, and the managed client, works perfectly. I built a 10.7.5 pkg and installs Threat Prevention, and the managed client, and assuming all the PPPC and SE config profiles are in place, it installs completely silently on macOS 10.5.7 and macOS 11. Also built 10.7.1 and 10.6.4 installers so smart groups just scope each one and a single policy fires them off. Works great! Thank you @sdagley

Glad to hear it @rstasel. I'm waiting on my McAfee team to update to the 10.7.5 compatible agent, so haven't packaged that one yet. Were there any significant changes needed for the 10.7.5 ENS installers?

Hello Guys/
Does anyone have a macfee 5.7.0 agant .sh script? If so can you please provide me the script

@Durgule You need the McAfee Agent 5.7.0 install.sh script specific to your installation

@sdagley:- Yes i need that for installation and I will add that script into the jamf policy and deploy it on Big Sur

@Durgule Let me be a little more verbose... An install.sh for the McAfee Agent will contain the specific configuration for the McAfee installation it was generated by. You can not use an install.sh generated be a different McAfee installation than your own. You will need whoever is responsible for your McAfee installation to provide the script.

Correct. You'll need to get the install.sh agent install file from your McAfee EPO admin. @Durgule

@ rstasel & @sdagley. Yes I have that file.which has been provided our security team and they have downloaded from ePO console. now I need help how I can bend that threat priventation .pkg and agent install.she in single policy

Hi I'm having real problems with the install.sh on macOS 11.1. I've tried just about everything suggested but keep receiving the following error:

Checksumming whole disk (Apple_HFS : 0)… whole disk (Apple_HFS : 0): verified CRC32 $F0E23273
verified CRC32 $2938B982
hdiutil: attach failed - no mountable file systems
expected CRC32 $2938B982
hdiutil: attach failed - no mountable file systems

I've chmodded the install.sh and run as root, I can see the hidden (no entry) folder being created in /Volumes but no matter what I've tried I always get the above error. I have all the PPPC & kext stuff in place and just about everything else recommended by McAfee and the above contributors - please help (if you can).

@Durgule You'll need to create a .pkg installer with Composer and deploy it via a policy. This post above: https://www.jamf.com/jamf-nation/discussions/36443/mcafee-endpoint-security-pppc#responseChild209589 provides a link to a postinstall script that shows how you can run the install.sh file and install the ENS module .pkg files.

@sdagley That's exactly how I have been deploying McAfee since 2018, but this does not work with macOS 11.1 for me. I only ran the install.sh script locally to to try and find out why my current deployment (which works absolutely fine on macOS 10.15.7 using using McAfee agent version 10.7.5) wasn't working on macOS 11.1. I will however give your post install solution a go though. Thanks for responding. Oh & Happy New Year to you😎

@glennt I don't know why you're getting the install failure you describe, but a 10.7.5 install .pkg I built with a slightly updated version of that postinstall script and the install.sh for McAfee Agent 5.7.0.194 with the ENS 10.7.5 components is working ok on my M1 MacBook Air with 11.1, and my Intel 11.1 test systems.

@sdagley Would you mind sharing/pointing me to your updated post install? Thanks.

@glennt I haven't sanitized the new version yet, but it's basically just removing the lines related to kextless install since they're no longer applicable, so the older 10.7.1 script should get you started.

@sdagley That's great thanks for all your help, I'll let you know how I get on.

@sdagley OK so I've tried again pushing the package & post install from Jamf but: a) the install.sh does not create a /Library/Mcafee folder or /Library/Application Support/McAfee folder &: b) I see the install.sh no-entry folder appear in /Volumes (which confirms the install.sh has been triggered) and then disappears, which brings me right back to the no mountable filesystems error!

Hi, we got it working with Rob from Jamf.
For this, the install.sh script was adapted (we install threat prevention and the firewall) in 3 parts.

1. The version 10.7.5 package of McAfee Endpoint Security
   

2. the script:
   

3. the configuration profile with PPPC, system extensions and content filter (see screenshots):

PPPC:
Identifier: / usr / local / McAfee / fmp / bin64 / fmpd
Identifier Type: Path
Code Requirement: identifier fmpd and anchor apple generic and certificate 1 [field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf [field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf [subject.OU] = GT8P3H7SPW

Identifier: / usr / local / McAfee / AntiMalware / VShieldScanner
Identifier Type: Path
Code Requirement: identifier VShieldScanner and anchor apple generic and certificate 1 [field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf [field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf [subject.OU] = GT8P3H7SPW

Identifier: com.mcafee.tp.endpointsecurity
Identifier Type: Bundle ID
Code Requirement: anchor apple generic and identifier "com.mcafee.tp.endpointsecurity" and (certificate leaf [field.1.2.840.113635.100.6.1.9] / exists / or certificate 1 [field.1.2.840.113635.100.6.2.6 ] / exists / and certificate leaf [field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf [subject.OU] = GT8P3H7SPW)

System extensions:
Allowed Team IDs and System Extensions
Display Name: McAfee Network Extension
System Extension Type: Allowed System Extensions
Team Identifier: GT8P3H7SPW
Allowed System Extensions: com.mcafee.CMF.networkextension
com.mcafee.CMF.endpointsecurity

I have attached the mobileconfig here ... McAfee mobileconfig

@mario.magnus Thanks for the post, all suggestions very welcome!

@sdagley @mario.magnus I'm ok with all the PPPCs etc I simply need the install.sh to run successfully as once the agent is installed and communicated with EPO the device will pull in everything required from EPO automatically (as it does currently on macOS 10.15.7 devices). I've attached the Terminal output of my most recent attempt:

tomg2@JAMFDEVB-01 ~ % sudo bash -x /Users/tomg2/Desktop/install.sh -i
dest=/tmp/RelayServer.ini
PATH=/usr/bin:/bin:/usr/sbin/
umask 022
NATIVE_INSTALLER_FILE=MFEma.x86_64.dmg
command=/Users/tomg2/Desktop/install.sh
install=
upgrade=
extract=
directory=
unzip_exe_size=161168
cloud=
min_epo_version=5.1.1
+ id
cut -d= -f2
cut '-d(' -f1
user=0
'[' 0 -ne 0 ']'
'[' 1 -eq 0 ']'
getopts e:irc:ubh:g:t:o:R:f opt
case "$opt" in
install=yes
expr 2 - 1
value=1
getopts e:irc:ubh:g:t:o:R:f opt
shift 1
'[' '!' -z '' ']'
updateserverinfo=yes
returncode=0
keydata_dir=/Library/McAfee/agent/keydata
'[' '!' -z '' ']'
'[' '!' -z '' ']'
'[' '!' -z '' ']'
'[' '!' -z '' ']'
'[' '!' -z '' ']'
'[' '!' -z yes ']'
'[' '!' -z '' ']'
'[' -z yes ']'
+ uname -m
arch=x86_64
arch_bit=32
'[' x86_64 == x86_64 ']'
'[' '' '!=' 32 ']'
arch_bit=64
+ /usr/bin/sw_vers -productVersion
platform_ver=11.1
+ echo 11.1
cut -d. -f1
major_version=11
+ echo 11.1
cut -d. -f2
minor_version=1
+ echo 11.1
cut -d. -f3
micro_version=
'[' -z '' ']'
micro_version=0
PLATFORM_VERSION=721152
MIN_PLATFORM_VERSION=658688
'[' 721152 -lt 658688 ']'
echo bit-64
bit-64
'[' 64 == 32 ']'
'[' -e /Volumes/MFEMA ']'
+ /usr/sbin/pkgutil --pkgs=comp.nai.cmamac
cma=
'[' '' = comp.nai.cmamac ']'
'[' '!' -z '' ']'
+ mktemp -d mfeXXXXXX
temp_directory=mfeT5FKdG
'[' -f /etc/cma.d/bootstrap.xml ']'
'[' -z '' ']'
directory=mfeT5FKdG
'[' -f mfeT5FKdG ']'
'[' '!' -e mfeT5FKdG ']'
'[' '!' -z '' ']'
'[' '!' -z '' ']'
'[' -e mfeT5FKdG ']'
'[' -z '' ']'
stat -f %z /Users/tomg2/Desktop/install.sh
required_space=10139870
+ expr 10139870 '' 2
required_space=20279740
echo space required to copy archive is 20279740 bytes
space required to copy archive is 20279740 bytes
df -k mfeT5FKdG
tail -n -1
awk '{if ( $4 ~ /%/) { print $3 } else { print $4 } }'
available_space=215138268
+ expr 215138268 '' 1024
available_space=220301586432
echo space available at mfeT5FKdG is 220301586432 bytes
space available at mfeT5FKdG is 220301586432 bytes
'[' 20279740 -gt 220301586432 ']'
echo 'extracting archive to mfeT5FKdG... please wait'
extracting archive to mfeT5FKdG... please wait
awk '/^ARCHIVE_FOLLOWS/ { print NR 1; exit 0; }' /Users/tomg2/Desktop/install.sh
SKIP=537
tail 537 /Users/tomg2/Desktop/install.sh
block_size=512
+ expr 161168 / 512
nblocks=314
+ expr 161168 % 512
remainder=400
'[' 0 '!=' 400 ']'
expr 314 1
nblocks=315
dd if=mfeT5FKdG/payload of=mfeT5FKdG/unz bs=512 count=315
315+0 records in
315+0 records out
161280 bytes transferred in 0.002270 secs (71048981 bytes/sec)
dd if=mfeT5FKdG/payload of=mfeT5FKdG/package.zip bs=512 skip=315
19460+1 records in
19460+1 records out
9963872 bytes transferred in 0.085961 secs (115911402 bytes/sec)
chmod x mfeT5FKdG/unz
unzip -j -o mfeT5FKdG/package.zip -d mfeT5FKdG
Archive: mfeT5FKdG/package.zip inflating: mfeT5FKdG/MFEma.x86_64.dmg inflating: mfeT5FKdG/DXL.zip inflating: mfeT5FKdG/reqseckey.bin inflating: mfeT5FKdG/srpubkey.bin inflating: mfeT5FKdG/sitelist.xml inflating: mfeT5FKdG/req2048seckey.bin inflating: mfeT5FKdG/sr2048pubkey.bin inflating: mfeT5FKdG/agentfipsmode inflating: mfeT5FKdG/agent.ini inflating: mfeT5FKdG/RepoKeys.ini inflating: mfeT5FKdG/contrib.ini rm -rf mfeT5FKdG/package.zip
rm -rf mfeT5FKdG/unz
keydata_dir=/var/McAfee/agent/keydata
'[' -z '' ']'
export MA_SITEINFO_PATH=/var/McAfee/agent/keydata
MA_SITEINFO_PATH=/var/McAfee/agent/keydata
'[' -n yes ']'
'[' yes = yes ']'
mkdir -p /var/McAfee/agent/keydata
returncode=0
'[' 0 -ne 0 ']'
sed -n '/SpipeSite./s/. Version="([^"])"./1/p' mfeT5FKdG/sitelist.xml
epo_version=5.10.0
'[' -f /Library/McAfee/cma/scratch/etc/SiteList.xml ']'
'[' '!' -z 5.10.0 ']'
+ check_epo_version_support 5.1.1 5.10.0
+ echo 5.1.1
+ cut -d. -f1
min_v1=5
+ echo 5.1.1
+ cut -d. -f2
min_v2=1
+ echo 5.1.1
+ cut -d. -f3
min_v3=1
+ echo 5.10.0
+ cut -d. -f1
v1=5
+ echo 5.10.0
+ cut -d. -f2
v2=10
+ echo 5.10.0
+ cut -d. -f3
v3=0
'[' x5 = x ']'
'[' x10 = x ']'
'[' x0 = x ']'
result=1
'[' 5 -lt 5 ']'
'[' 5 -gt 5 ']'
'[' 10 -lt 1 ']'
'[' 10 -gt 1 ']'
result=1
echo 1
ok=1
'[' 1 -eq 0 ']'
mv -f /tmp/RelayServer.ini /var/McAfee/agent/keydata
chmod 755 /var/McAfee/agent/keydata/RelayServer.ini
cp -f mfeT5FKdG/sitelist.xml /var/McAfee/agent/keydata/SiteList.xml
cp -f mfeT5FKdG/srpubkey.bin /var/McAfee/agent/keydata
cp -f mfeT5FKdG/reqseckey.bin /var/McAfee/agent/keydata
cp -f mfeT5FKdG/sr2048pubkey.bin /var/McAfee/agent/keydata
cp -f mfeT5FKdG/req2048seckey.bin /var/McAfee/agent/keydata
cp -f mfeT5FKdG/agentfipsmode /var/McAfee/agent/keydata/agentfipsmode
cp -f mfeT5FKdG/RepoKeys.ini /var/McAfee/agent/keydata/RepoKeys.ini
'[' -f /Library/McAfee/cma/scratch/keystore/agentprvkey.bin ']'
'[' -f /Library/McAfee/cma/scratch/keystore/agentpubkey.bin ']'
'[' '!' -f /var/McAfee/agent/keydata/SiteList.xml ']'
'[' '!' -f /var/McAfee/agent/keydata/srpubkey.bin ']'
'[' '!' -f /var/McAfee/agent/keydata/reqseckey.bin ']'
'[' '!' -f /var/McAfee/agent/keydata/sr2048pubkey.bin ']'
'[' '!' -f /var/McAfee/agent/keydata/req2048seckey.bin ']'
mktemp -d /Volumes/MFEMAXXXXX
MA_DMG_MP=/Volumes/MFEMA0kGv2
'[' 0 -ne 0 ']'
'[' -z /Volumes/MFEMA0kGv2 ']'
hdiutil attach -noverify -nomount -nobrowse mfeT5FKdG/MFEma.x86_64.dmg
/dev/disk2 hdiutil attach -nobrowse mfeT5FKdG/MFEma.x86_64.dmg -mountpoint /Volumes/MFEMA0kGv2
Checksumming whole disk (Apple_HFS : 0)…
............................................................................... whole disk (Apple_HFS : 0): verified CRC32 $F0E23273
verified CRC32 $2938B982
hdiutil: attach failed - no mountable file systems
'[' 1 -ne 0 ']'
hdiutil attach mfeT5FKdG/MFEma.x86_64.dmg -mountpoint /Volumes/MFEMA0kGv2
expected CRC32 $2938B982
hdiutil: attach failed - no mountable file systems
'[' '!' -z '' ']'
'[' -f /etc/ma.d/.upgradeagentonly.txt ']'
'[' '!' -z '' ']'
rm -f /var/McAfee/agent/keydata/.force
'[' '!' -z '' ']'
returncode=0
'[' -z '' ']'
pwd
mypwd=/Users/tomg2
cd /Volumes/MFEMA0kGv2
echo IsLegacyEPO:N
echo ConfigDirPath:/Volumes/MFEMA0kGv2
echo StartService:Y
flag=1
/usr/bin/sw_vers
grep ProductVersion
cut -d: -f2
pltvrsn=' 11.1'
+ echo 11.1
cut -d. -f1
majvrsn=11
+ echo 11.1
cut -d. -f2
minvrsn=1
'[' -f /Library/McAfee/agent/bin/maconfig ']'
(( 11>=10 && 1>=6 && 1 ))
'[' -n '' ']'
'[' -f /etc/cma.d/.upgrade ']'
sudo /usr/sbin/installer -dumplog -pkg ma.pkg -target /
Jan 6 08:54:13 installer[1499] <Critical>: PFPkg: No file found at path: /Volumes/MFEMA0kGv2/ma.pkg
Jan 6 08:54:13 installer[1499] <Critical>: PFPackage::packageWithURL - can't instantiate package: /Volumes/MFEMA0kGv2/ma.pkg
installer: Error - the package path specified was invalid: 'ma.pkg'.
returncode=1
sleep 5
cd /Users/tomg2
hdiutil detach /Volumes/MFEMA0kGv2
hdiutil: detach failed - No such file or directory
rm -rf /etc/mainstall.config
contribInstallation mfeT5FKdG
directory=mfeT5FKdG
cd mfeT5FKdG
pwd
echo 'installing client extension from : /Users/tomg2/mfeT5FKdG'
installing client extension from : /Users/tomg2/mfeT5FKdG
'[' -f contrib.ini ']'
cat contrib.ini
grep -i contrib.count
cut -d= -f2
tr -d '[:space:]'
CONTRIB_COUNT=1
echo 'Product count is : 1'
Product count is : 1
ccount=0
'[' 0 -lt 1 ']'
cat contrib.ini
grep -i contrib.0
cut -d= -f2
tr -d '[:space:]'
Product_zip=DXL.zip
echo 'Product is : DXL.zip'
Product is : DXL.zip
pwd
cp -rf /Users/tomg2/mfeT5FKdG/DXL.zip /var/McAfee/agent/data/contrib/
cp: directory /var/McAfee/agent/data/contrib does not exist
ccount=1
'[' 1 -lt 1 ']'
+ pwd
cp -rf /Users/tomg2/mfeT5FKdG/contrib.ini /var/McAfee/agent/data/contrib/
cp: directory /var/McAfee/agent/data/contrib does not exist
sleep 10
pwd
echo 'Calling mcupdater : location : /Users/tomg2/mfeT5FKdG'
Calling mcupdater : location : /Users/tomg2/mfeT5FKdG
+ pwd
/Library/McAfee/agent/bin/mcupdater -install -location /Users/tomg2/mfeT5FKdG -initiator 1385
/Users/tomg2/Desktop/install.sh: line 95: /Library/McAfee/agent/bin/mcupdater: No such file or directory
/Library/McAfee/agent/scripts/ma restart
/Users/tomg2/Desktop/install.sh: line 97: /Library/McAfee/agent/scripts/ma: No such file or directory
'[' 127 '!=' 0 ']'
echo MA Start Failed
MA Start Failed
cd /Users/tomg2
'[' -z '' ']'
rm -rf mfeT5FKdG
'[' -d /Volumes/MFEMA0kGv2 ']'
rm -rf /Volumes/MFEMA0kGv2
'[' 1 -ne 0 ']'
rm -rf /var/McAfee/agent/keydata
+ exit 1
tomg2@JAMFDEVB-01 ~ %

@glennt That looks like your install.sh is FUBAR. Can you have your McAfee team generate a new one from your ePO console?

I've just blitzed my test MBP, re-installed 11.1 & re-built with my DEP enrolment policy - all's well in McAfee land! Thanks for everyone's input on this, really appreciated. Have a good one guys.