McAfee Security for Mac (ePO client config)

krischelj
New Contributor

Hello, I'm trying to find some more information on getting our ePO server to see our Mac clients as managed objects. There was an install dmg file that was created for previous versions of OSX, but will not install on Lion. I have the new version of the McAfee Security (VirusScan 9.1) but I cannot figure out how to get this to communicate with ePO. Google searches have come up empty as well. Once I get this working, I can use Casper to deploy to my Mac OSX clients. Any help on this will be helpful! Thanks!

16 REPLIES

dpertschi
Valued Contributor

Your ePO Administrator should be able to generate a client agent installer (v4.6), which is specific to your environment. Search the old Casper Archives for various discussions on how to install/deploy it as it is a rather tricky bit of magic because the installer is a shell script which mounts a disk image.... (Yuk!)

seanjsgallagher
Contributor

We are using McAfee at my place. I had our McAfee admin create an installer agent as mentioned above. That installer creates an install.sh script, and hidden files. I then packaged it so it could be placed in a hidden directory. I use a separate script to kick the install.sh that is run on a policy based on a smart group that looks for the receipt from the previous package. I hope this helps.

FYI-
On another note we are deploying the McAfee Security suite to our Macs, not just the antivirus. We have had challenges installing it via epo. We get our client computers to check-in, but deploying the security suite reliably has been hit or miss, regardless of the OS version or specific Intel chip set. I have worked with our McAfee admin, on-site, and off-site McAfee engineers to try and diagnose this intermittent behavior but they (McAfee) have no solution for us after many months. That being said we are also deploying the actual McAfee security suite via Casper as well. This has been reliable for us so far but we are just testing it now. Our hopes are that the epo server will at least be able to deploy hot fixes, and updates but I am not optimistic.

Larson
New Contributor

Hi guys. I work for McAfee and can help you here. The most common sticking point is that the root user must be enabled. So if you're getting inconsistent behavior it may be because you don't have the root user enabled. We recently released McAfee Agent for Mac 4.6 patch 1 and that has lots of improvements (including a command line interface). So I'd start by enabling root and getting that latest release.

I am working with the JAMF team to provide instructions for deploying all of the McAfee Security for Mac products (Anti-Malware, Application Protection, Desktop Firewall, and Endpoint Encryption) from the Casper Suite. Stay tuned for more content on that topic on jamfnation.

henryarias011
New Contributor

I have this installed on several Macs all running Lion, and yes, you need to work with McAfee on this, we are using the endpoint encryption agent and an EPO server as well. You need to have the Macs integrated into the AD, at least for us since we are a large enterprise with a mix of PC and Macs, AD integration is a must have. Also the endpoint encryption agent has many caveats with respect to supported Mac platforms. Discovery and registration to the EPO server was also quite painful and took a few days and a number of fixes and patches to get working properly, well, get it working consistently. Bottom line here, work with McAfee..

seanjsgallagher
Contributor

While I have no problem trying to work with McAfee or any vendor, we have been trying for several months to resolve this with McAfee. McAfee has told us many times to "wait for the latest release that will be out soon and address the issue". They have been given countless logs and have never given us any type of solution or even a workaround. We are an AD house and all our Macs are using AD for login so I know we meet that requirement.

As far as the suggestion that we enable "root", and that this would solve the issues. Well that seems to fly directly in the face of Apple recommended security practices.

Please follow the link below for the "Snow Leopard Security Config" document, and see the bottom of page 125 which states the following;

"The most powerful user account in Mac OS X is the system administrator or root account. By default, the root account on Mac OS X is disabled and it is recommended you do not enable it. The root account is primarily used for performing UNIX commands."

http://images.apple.com/support/security/guides/docs/SnowLeopard_Security_Config_v10.6.pdf

henryarias011
New Contributor

Unfortunately, the installation package scripts require root access, you should be able to disable the root superuser after installation completes. I did that and so far, it seems to be working. Oh yeah, I had been working with McAfee since July of 2010, and only in November 2010 did we get EPO and encryption working. Oh, and on Lion enabling drive encryption kills any and all hope for the recovery partition.

RobertHammen
Valued Contributor II

Actually, I:

a) extracted the .dmg from the shell script
b) deployed it using Casper
c) found a blog post from a McAfee employee that referenced what files needed to come from the ePO server, and how they needed to be handled on the Mac
d) packaged up these files, then deployed them and used an "after" script to process them.

A little buried today, but I can get into more details sometime tomorrow. Obviously does not require the root user be enabled to deploy...

seanjsgallagher
Contributor

I just want to thank everyone for their input it has all been insightful.

@Robert - If you could find that and post the link, I would love to see it.

@Henry - We aren't using McAfee's endpoint encryption software, but we did look at it, got it to work and never had to enable root. I guess we will have to factor that into our decision making in the future.

@Larson - I really would like to see the McAfee documents that state that. Is there a link you could post to a KB article or white paper? Regardless thank you for your information regarding this. I now have to wonder why, as a platinum support customer, no one at McAfee could have told us this.

RobertHammen
Valued Contributor II

Here's the link:

http://thegr8thurston.wordpress.com/2010/04/16/managing-mac-osx-mcafee-agents/

What I did:

a) installed the McAfee Security for Mac Anti-malware 1.1 RTW 1309.mpkg
b) packaged up cma.pkg (extracted from the sh file), and the reqseckey.bin, srpubkey.bin, and SiteList.xml (copied from the ePO server) into /Library/CompanyName/McAfee
c) wrote a quick script, which looks something like this:
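#!/bin/sh
# Install the agent package that was extracted from McAfee's install.sh
installer -pkg /Library/CompanyName/McAfee/cma.pkg -target /
sleep 20
# Point the agent at the ePO server using the key files and SiteList.xml staged in this directory
/Library/McAfee/cma/bin/msaconfig -m -d /Library/CompanyName/McAfee
sleep 20
# Restart the agent service
SystemStarter stop cma
SystemStarter start cma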

Two policies, one to install McAfee Security
The other to deploy the files to /Library/CompanyName/McAfee, with the "After" script to point the clients to the ePO server.

This does seem to work and isn't a huge PITA, unlike the "enable the root user and use our crappy .sh script" answer McAfee is giving us.

To the person from McAfee - your installer is broken and not enterprise-friendly (forcing the enabling of the root user is not an acceptable answer to many of us). Long-time Mac IT folks are quite used to re-engineering broken installers. When you decide to re-engineer your approach the "correct" way, please feel free to engage us.

seanjsgallagher
Contributor

Robert,

Thanks for posting the link. I totally feel the same way about the McAfee products.

Sean

nkalister
Valued Contributor

hmmm . . . I didn't have to do any of the extra work that Robert went through- I just threw the install.sh script into a installer package that copies it to /private/tmp/cma and then runs a postflight script that has exactly one line:
/private/tmp/cma/install.sh -i

The security package gets installed by casper as well- I just put the package as supplied by mcafee into casper, and it works at imagetime or on demand.
I have no idea why McAfee says the root account needs to be enabled . . . Maybe they've never heard of sudo??
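
Both approaches above end with a root-run policy script consuming files staged on disk (/Library/CompanyName/McAfee in one case, /private/tmp/cma in the other). As an added example, not code from any poster or from McAfee or JAMF, this pre-flight check refuses to proceed unless the staging directory and each staged file are owned by the expected user and not writable by group or other. The function names are hypothetical; the paths in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for files that a
# root-run policy script is about to execute or import.
# Mode bits only; ACLs are not inspected.

# is_safe_path PATH UID: succeeds only if PATH exists, is not a symlink,
# is owned by UID, and is not writable by group or other.
is_safe_path() {
    p=$1; owner=$2
    [ -L "$p" ] && return 1
    [ -e "$p" ] || return 1
    # POSIX ls -ldn: field 1 is the mode string, field 3 the numeric owner.
    set -- $(ls -ldn -- "$p")
    [ "$3" = "$owner" ] || return 1
    case $1 in
        ?????w*|????????w*) return 1 ;;   # group- or world-writable
    esac
    return 0
}

# check_staged UID DIR FILE...: checks DIR and every FILE inside it,
# reports each failure on stderr, returns non-zero if any check failed.
check_staged() {
    want=$1; dir=$2; shift 2
    rc=0
    is_safe_path "$dir" "$want" || { echo "unsafe dir: $dir" >&2; rc=1; }
    for f in "$@"; do
        is_safe_path "$dir/$f" "$want" || { echo "unsafe file: $dir/$f" >&2; rc=1; }
    done
    return $rc
}

# Usage at the top of a policy script (UID 0 = root):
#   check_staged 0 /private/tmp/cma install.sh || exit 1
#   check_staged 0 /Library/CompanyName/McAfee \
#       cma.pkg reqseckey.bin srpubkey.bin SiteList.xml || exit 1
# When this file is run directly with arguments, they are passed through.
if [ "$#" -ge 2 ]; then
    check_staged "$@" || exit 1
fi
```

The directory check matters most for the /private/tmp/cma case, because the parent /private/tmp is world-writable and only the ownership and mode of the cma directory itself keep other local users from replacing its contents.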

Larson
New Contributor

Actually, this requirement for root seems to be a bit of a moving target. The McAfee Agent for Mac Product Guide explicitly states that root must be used, but this KB says admin OR root https://kc.mcafee.com/corporate/index?page=content&id=KB61125&actp=search&viewlocale=en_US&searchid=1325778515592

Based on my own testing and anecdotal evidence from other customers, it appears that you can install without enabling root. It is as simple as delivering the install.sh file, then sudo chmod +x install.sh, and then sudo ./install.sh -i

I will update this thread when the document that I'm co-authoring with the JAMF team gets published on jamfnation.

@RobertHammen I totally agree with your assessment and am working hard to fix it. I'm on the pre-sales engineering side, so I don't have direct control over the product but we and customers like you do have a voice. Would you please submit your suggestion to the official product enhancement request system? It is https://mcafee.acceptondemand.com. I know that "eliminate the root user requirement" is on the roadmap, but multiple customer requests will get it to the top of the list faster. In the meantime, we have to lean on our good friends at JAMF to help us make this successful in the enterprise.

Larson
New Contributor

JAMF just posted a new article that explains how to deploy the McAfee Agent for Mac via the Casper Suite: https://jamfnation.jamfsoftware.com/article.html?id=182

ArielN
New Contributor

Hi All,

I am totally lost here. I followed Larson's instructions (Deploying the McAfee ePO Agent Using the Casper Suite) 1-19, deployed it to a test Mac and it installed the Install.sh folder in the right location. I don't see the McAfee package installed on the Mac and there is no communication from the ePO server. Does my security team need to configure anything on the ePO server for this process to work? Please provide me with the workflow.

Thank You,
Ariel

erickj
New Contributor II

Hi ArielN .... did you ever get this figured out? Just checking because we are about to set up McAfee through JAMF Casper and want to see what will be the best road to go through.

gachowski
Valued Contributor II

I have used that article in the past year .. it should still work.. we ran into issues when we were trying to do both ePO and DLP...

C