McAfee ePO client upgrade weirdness

AVmcclint
Honored Contributor

We are finally upgrading our McAfee ePO server so we can run the version that's compatible with El Capitan. I was able to get the install.sh from the server and manually installed it on some test 10.10.5 Macs without problems. In a Policy I'm using a script that automatically determines whether the -i or -u switches need to be used and it works great. However, I did notice a few minor errors at the end so I commented those lines out and decided to run it again on the same Mac to see if it treats it as an upgrade (to the same version). I flushed the log on the policy and ran it again via Self Service and it almost immediately erred. The error indicated that the file can't be found to copy the install.sh to /Library/Application Support/McAfee/. This is very unusual because I just used that exact same policy to install it 5 minutes earlier. I rebooted and still got the same error. I decided to manually copy the .pkg file that contains the install.sh to the desktop and run it from there to see what happens. EXACT same problem! Now I know this pkg is good because I just used it on this Mac and a couple others. I'm starting to think something in McAfee is blocking the installation of the pkg so I run the uninstall.sh script and remove everything, but I notice that /Library/Application Support/McAfee/ is still in place. I tried deleting it but the OS won't let me! I went into Terminal and tried sudo rm -Rf on that folder and I get "permission denied"! The permissions are 775. WTF? I restart the computer and then I'm finally able to delete that folder.

What I've concluded is that this new version of McAfee (10.1.0) does something to protect the /Library/Application Support/McAfee/ folder so much that not even root can do anything with it until you completely uninstall AND restart the computer. At first I thought this was SIP gone haywire but then I remembered that this was a Yosemite Mac.

This makes me wonder how future upgrades or even re-installations are going to work since the install.sh goes into that folder, but once we're running the new version, that folder is protected from EVERYTHING. Clean installations work and upgrades from 2.3.0 work, but doing anything that equates to re-installing this new version fails every time.

Does anyone know how this is supposed to work on the new version?

11 REPLIES

timlarsen
Contributor

We haven't gone through this process yet with the latest version, but will be doing so at some point. Any interesting errors in the log files located in private/var/McAfee/agent/logs ?

AVmcclint
Honored Contributor

There is no /private/var/McAfee/ directory. There's nothing in /Library/Logs/ either. The only McAfee related log is /private/var/McAfeeSecurity.log and it doesn't have any entries that correspond to the time I tried to delete that folder. It seems to only have entries that correspond to the startup of the agent.

bainter
Contributor

I began limited deployment of the 5.0.2.xxx version of the McAfee Agent and it was working great (as much as one can get excited about McAfee), the different modules were getting downloaded/installed finally. Then sporadic little issues started rolling in--longer than "normal" delays at login, lots of log entries and multiple processes each exceeding 30% bogging down the Macs. Uninstall and everything is normal. I heard the 5.0.2.xxx agent is considered unstable for Windows (blue screen) at our site so they're getting rolled back to 5.0.1.xxx.

jconte
Contributor II

Here is what I am doing to install McAfee, it has worked all the way through El Cap. I drop the script and pkg into folders, uninstall the existing client and then install the new one. Hope this helps.

```bash
#!/bin/bash

# This script installs the McAfee Client (VSM980-RTW-1791.pkg) then uninstalls the old McAfee Agent and reinstalls the new EPO Agent (install98.sh)

# Created by Jeffrey Conte 5-22-2013

# Modified by Jeff Conte on 10/20/2015 to uninstall any previous McAfee Agents (testing to see if the uninstall exists first)

# This will uninstall any previously installed McAfee agents

if [ -e /Library/McAfee/cma/uninstall.sh ]; then
    /Library/McAfee/cma/uninstall.sh
fi

# This will install the upgraded Virus Protection and updated McAfee Agent

installer -package /Library/CompanyName/Packages/VSM980-RTW-1791.pkg -target /
# Remove the agent again after the VSM package install, then install the new EPO agent
/Library/McAfee/cma/uninstall.sh
/Library/CompanyName/bin/install98.sh -i
```

AVmcclint
Honored Contributor

I think you're using a completely different version than we are.

AVmcclint
Honored Contributor

I just discovered that there may be a .plist that is blocking access to /Library/Application Support/McAfee/ under the new version. I found /usr/local/.McAfee/3/com.mcafee.ssm.appprotection.plist and among other things it has this section:

<key>SpecialFolders</key>
    <array>
        <string>/usr/sbin</string>
        <string>/System/Library</string>
        <string>/bin</string>
        <string>/sbin</string>
        <string>/usr/bin</string>
        <string>/usr/libexec</string>
        <string>/Applications/Utilities/</string>
        <string>/Library/McAfee</string>
        <string>/usr/local/McAfee</string>
        <string>/Applications/McAfee Endpoint Protection for Mac.app</string>
        <string>/Applications/AppPro Profile Generator.app</string>
        <string>/Library/Application Support/McAfee</string>
        <string>/Library/Frameworks/VirusScanPreferences.framework</string>
        <string>/Applications/McAfee VDisk.app</string>
        <string>/Library/Frameworks/McAfeeVDisk.framework</string>
        <string>/Applications/McAfeeSecurityUninstaller.app</string>
    </array>

My guess is that as long as the new McAfee software is running, the folders listed in this section are protected. It is still a mystery how future upgrades will be done with this in place.

Josh_Smith
Valued Contributor

@AVmcclint I've been successfully testing a package that drops the install.sh to a temp location and then installs/upgrades/reinstalls the McAfee agent based on the current condition of the client.

I think you stated you were doing something similar, with the notable exception that you were putting the install.sh in /Library/Application Support/McAfee, is that right? Would moving install.sh to another directory solve your issue?

ImAMacGuy
Valued Contributor II

@Josh.Smith would you be willing / able to share the script that you used that includes the new/upgrade/reinstall logic?

Josh_Smith
Valued Contributor

@jwojda This is what I came up with....working well so far in limited testing: McAfeeAgentInstallation.sh

I use it as a postinstall script in a package that places install.sh in /private/tmp/install.sh
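A pre-flight check for the staging path, written here as an added example (it is not the McAfeeAgentInstallation.sh script mentioned above and not code from any poster). It reads the SpecialFolders array in the form quoted earlier in the thread and reports whether a destination lies under a listed folder. It assumes the plist is XML text with one `<string>` per line; the sample data and the `ConstructedOtherKey` entry are constructed for the example.

```shell
#!/bin/sh
# Constructed sample: four SpecialFolders entries quoted in the thread, plus a
# made-up second array to show that only SpecialFolders is read.
sample_plist() {
cat <<'EOF'
<key>SpecialFolders</key>
    <array>
        <string>/Applications/Utilities/</string>
        <string>/Library/McAfee</string>
        <string>/usr/local/McAfee</string>
        <string>/Library/Application Support/McAfee</string>
    </array>
<key>ConstructedOtherKey</key>
    <array>
        <string>/private/tmp</string>
    </array>
EOF
}

# stdin: plist text. stdout: one SpecialFolders path per line, trailing "/" removed.
special_folders() {
    awk '
        /<key>SpecialFolders<\/key>/ { want = 1; next }
        want && /<\/array>/          { exit }
        want && /<string>/ {
            sub(/^.*<string>/, ""); sub(/<\/string>.*$/, ""); sub(/\/$/, "")
            print
        }'
}

# is_protected PATH < plist : exit 0 if PATH is a listed folder or lies below one.
# Matching is per path component, so /Library/McAfeeX does not match /Library/McAfee.
is_protected() {
    target="${1%/}"
    special_folders | (
        while IFS= read -r folder; do
            case "$target" in
                "$folder"|"$folder"/*) exit 0 ;;
            esac
        done
        exit 1
    )
}

for p in "/Library/Application Support/McAfee/install.sh" "/private/tmp/install.sh"; do
    if sample_plist | is_protected "$p"; then echo "protected:   $p"
    else echo "unprotected: $p"; fi
done
```

On a managed Mac the same check would be run as `is_protected "$dest" < /usr/local/.McAfee/3/com.mcafee.ssm.appprotection.plist`, using the plist path quoted in the thread.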

jrserapio
Contributor

Is anyone deploying the ePO agent installer script also blocking the writing to Removable Media using a configuration profile?
In our environment, the install script fails when the configuration profile is installed. After removal and reboot, the install script works normally.

Here is the output from the install log

Jun 7 12:48:38 WM-C02QV298G8WM installer[67005]: Product archive /Library/Application Support/JAMF/Downloads/edit_McAfee_ePO_5.0.3.pkg trustLevel=100
Jun 7 12:48:38 WM-C02QV298G8WM installer[67005]: -[IFDInstallController(Private) _buildInstallPlanReturningError:]: location = file://localhost
Jun 7 12:48:38 WM-C02QV298G8WM installer[67005]: -[IFDInstallController(Private) _buildInstallPlanReturningError:]: file://localhost/Library/Application%20Support/JAMF/Downloads/edit_McAfee_ePO_5.0.3.pkg#payload.pkg
Jun 7 12:48:38 WM-C02QV298G8WM installer[67005]: Set authorization level to root for session
Jun 7 12:48:38 WM-C02QV298G8WM installer[67005]: Administrator authorization granted.
Jun 7 12:48:38 WM-C02QV298G8WM installer[67005]: Will use PK session
Jun 7 12:48:38 WM-C02QV298G8WM installer[67005]: Using authorization level of root for IFPKInstallElement
Jun 7 12:48:38 WM-C02QV298G8WM installer[67005]: Starting installation:
Jun 7 12:48:38 WM-C02QV298G8WM installer[67005]: Configuring volume "Macintosh HD"
Jun 7 12:48:39 WM-C02QV298G8WM installer[67005]: Preparing disk for local booted install.
Jun 7 12:48:39 WM-C02QV298G8WM installer[67005]: Free space on "Macintosh HD": 344.11 GB (344112967680 bytes).
Jun 7 12:48:39 WM-C02QV298G8WM installer[67005]: Create temporary directory "/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//Install.67005ec65J7"
Jun 7 12:48:39 WM-C02QV298G8WM installer[67005]: IFPKInstallElement (1 packages)
Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: Adding client PKInstallDaemonClient pid=67005, uid=0 (/usr/sbin/installer)
Jun 7 12:48:39 WM-C02QV298G8WM installer[67005]: PackageKit: Enqueuing install with framework-specified quality of service (utility)
Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: ----- Begin install -----
Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: request=PKInstallRequest <1 packages, destination=/>
Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: packages=( "PKLeopardPackage <file://localhost/Library/Application%20Support/JAMF/Downloads/edit_McAfee_ePO_5.0.3.pkg#payload.pkg>" )
Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: Will do receipt-based obsoleting for package identifier editmcafeeepo5.0.3 (prefix path=)
Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: Extracting file://localhost/Library/Application%20Support/JAMF/Downloads/edit_McAfee_ePO_5.0.3.pkg#payload.pkg (destination=/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager/E47C350C-EFEC-4733-8277-E627EE165A8C.activeSandbox/Root, uid=0)
Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: prevent user idle system sleep
Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: suspending backupd
Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: Using trashcan path /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/PKInstallSandboxTrash/E47C350C-EFEC-4733-8277-E627EE165A8C.sandboxTrash for sandbox /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager/E47C350C-EFEC-4733-8277-E627EE165A8C.activeSandbox
Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: Shoving /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager/E47C350C-EFEC-4733-8277-E627EE165A8C.activeSandbox/Root (1 items) to /
Jun 7 12:48:39 WM-C02QV298G8WM install_monitor[67008]: Temporarily excluding: /Applications, /Library, /System, /bin, /private, /sbin, /usr
Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: Executing script "./postinstall" in /private/tmp/PKInstallSandbox.enfZJo/Scripts/editmcafeeepo5.0.3.tJj7f4
Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: ./postinstall: space required to copy archive is 13285292 bytes
Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: ./postinstall: space available at mfesKLW2c is 344106283008 bytes
Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: ./postinstall: extracting archive to mfesKLW2c... please wait
Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: 231+0 records in
Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: 231+0 records out
Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: 118272 bytes transferred in 0.000573 secs (206437255 bytes/sec)
Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: 12724+1 records in
Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: 12724+1 records out
Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: 6515016 bytes transferred in 0.034234 secs (190308088 bytes/sec)
Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: Archive: mfesKLW2c/package.zip
Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: inflating: mfesKLW2c/MFEma.dmg
Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: inflating: mfesKLW2c/reqseckey.bin
Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: inflating: mfesKLW2c/srpubkey.bin
Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: inflating: mfesKLW2c/sitelist.xml
Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: inflating: mfesKLW2c/req2048seckey.bin
Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: inflating: mfesKLW2c/sr2048pubkey.bin
Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: inflating: mfesKLW2c/agentfipsmode
Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: inflating: mfesKLW2c/RepoKeys.ini
Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: Checksumming whole disk (Apple_HFS : 0)…
Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: whole disk (Apple_HFS : 0): verified CRC32 $D2FAD3B4
Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: verified CRC32 $7353B941
Jun 7 12:48:41 WM-C02QV298G8WM installd[1690]: ./postinstall: hdiutil: attach failed - no mountable file systems
Jun 7 12:48:41 WM-C02QV298G8WM installd[1690]: ./postinstall: /usr/local/.edit/TMPPKG/ePO/install.sh: line 274: cd: /Volumes/MFEMA: No such file or directory
Jun 7 12:48:41 WM-C02QV298G8WM installer[67095]: PFPkg: No file found at path: /private/tmp/PKInstallSandbox.enfZJo/Scripts/editmcafeeepo5.0.3.tJj7f4/ma.pkg
Jun 7 12:48:41 WM-C02QV298G8WM installd[1690]: ./postinstall: Jun 7 12:48:41 installer[67095] <Critical>: PFPkg: No file found at path: /private/tmp/PKInstallSandbox.enfZJo/Scripts/editmcafeeepo5.0.3.tJj7f4/ma.pkg
Jun 7 12:48:41 WM-C02QV298G8WM installer[67095]: PFPackage::packageWithURL - can't instantiate package: /private/tmp/PKInstallSandbox.enfZJo/Scripts/editmcafeeepo5.0.3.tJj7f4/ma.pkg
Jun 7 12:48:41 WM-C02QV298G8WM installd[1690]: ./postinstall: Jun 7 12:48:41 installer[67095] <Critical>: PFPackage::packageWithURL - can't instantiate package: /private/tmp/PKInstallSandbox.enfZJo/Scripts/editmcafeeepo5.0.3.tJj7f4/ma.pkg
Jun 7 12:48:41 WM-C02QV298G8WM installd[1690]: ./postinstall: installer: Error the package path specified was invalid: 'ma.pkg'.
Jun 7 12:48:46 WM-C02QV298G8WM installd[1690]: ./postinstall: hdiutil: detach failed - No such file or directory
Jun 7 12:48:52 WM-C02QV298G8WM installd[1690]: ./postinstall: /usr/local/edit/TMPPKG/ePO//install.sh
Jun 7 12:48:52 WM-C02QV298G8WM installd[1690]: ./postinstall: /usr/local/edit/TMPPKG/ePO/

The line in bold is where the failure occurs. The encrypted pkg within the script cannot mount, therefore no install can happen.

Any thoughts?

AVmcclint
Honored Contributor

@jrserapio I discovered that having a config profile that prevented WRITING to disk images caused a LOT of problems. As soon as I unchecked that box that prevented writing to disk images, nearly all my install problems disappeared. I opened a case with tech support and a new defect was filed. I don't remember the defect number off the top of my head, but it is on record. At this point, I just hope users don't realize that they can create writable dmg files until this is fixed. I still don't understand why this causes problems when some dmgs are read-only and can't be written to anyway.
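A triage helper for installer logs like the one posted above, as an added example that is not code from any poster. It separates the first postinstall failure from the errors that follow it, so a policy can report the disk image mount failure instead of the later `ma.pkg` error. The sample lines are copied from the log in the thread; the function names and the error patterns matched are choices made for this example.

```shell
#!/bin/sh
# Five lines copied from the install log quoted in the thread.
sample_log() {
cat <<'EOF'
Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: verified CRC32 $7353B941
Jun 7 12:48:41 WM-C02QV298G8WM installd[1690]: ./postinstall: hdiutil: attach failed - no mountable file systems
Jun 7 12:48:41 WM-C02QV298G8WM installd[1690]: ./postinstall: /usr/local/.edit/TMPPKG/ePO/install.sh: line 274: cd: /Volumes/MFEMA: No such file or directory
Jun 7 12:48:41 WM-C02QV298G8WM installd[1690]: ./postinstall: installer: Error the package path specified was invalid: 'ma.pkg'.
Jun 7 12:48:46 WM-C02QV298G8WM installd[1690]: ./postinstall: hdiutil: detach failed - No such file or directory
EOF
}

# stdin: installer log. stdout: "ROOT<TAB>msg" for the first postinstall error,
# "FOLLOW-ON<TAB>msg" for every later one.
triage_install_log() {
    awk '
        /\.\/postinstall: / && /failed|No such file|No file found|Error |can.t instantiate/ {
            msg = $0
            sub(/^.*\.\/postinstall: /, "", msg)
            label = (seen++ ? "FOLLOW-ON" : "ROOT")
            print label "\t" msg
        }'
}

# Print only the message of the first failure (empty if there is none).
root_cause() {
    triage_install_log | awk -F'\t' '$1 == "ROOT" { print $2; exit }'
}

# Map the first failure to the cause discussed in the thread.
diagnose() {
    cause=$(root_cause)
    case "$cause" in
        "hdiutil: attach failed"*)
            echo "disk image did not mount; check configuration profiles that restrict disk images" ;;
        "") echo "no postinstall failure found" ;;
        *)  echo "unclassified: $cause" ;;
    esac
}

sample_log | triage_install_log
sample_log | diagnose
```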