Package Malwarebytes Endpoint Agent

New Contributor III

Does anyone know how to best Package up the Malwarebytes Endpoint Agent for Business? The file they provide has special characters so it prevents me from just uploading it directly into Jamf. I have tried changing the name and am able to upload it, but when it installs, the icon appears on the Menu bar, but is not interactive (can't click to start a scan) and does not appear in their Nebula platform.

I've added the kernel extension in Configuration Profiles. And I can perform the manual install on a computer successfully. I'm currently using Movaje, but will be looking for any other help for Catalina that might vary given we will be migrating this summer.

Thank you.


Contributor III

I haven't looked into this specific case, but you might be able to create a "package in a package." Using your preferred package creation tool, create an installer that places the Malwarebytes .pkg file into someplace like /tmp. Then, add a postinstall script to the package that installs the Malwarebytes .pkg.

Contributor III

I've never had any trouble uploading or deploying Malwarebytes packages generated from AutoPkgr.

As always, test before deployment.

Contributor III

@pete_c Are you referring to the consumer Malwarebytes, or the managed Malwarebytes Cloud client? I wouldn't think you'd be able to do a Autopkg recipe for the managed client.

New Contributor III

@dwaterbury Good afternoon i am also trying to get this application running in our environment at the moment if you dont mind me asking how did you setup your configuration profile to bypass the KEXT for the app. So that the requirement to have user click allow is not a need?

New Contributor

@dwaterbury I sent the same question in to Malwarebytes support. We just pulled the trigger to get started so we can deploy this out. The way I'm intending to get around this in Jamf is by hosting the file and creating a shell script to curl it down.

@bjones Malwarebytes have two articles here, and here that should be helpful.

New Contributor III

Hi Everyone. Thank you for the responses. I reached out to Malwarebytes Support to get the answer. I was able to use push it out last Friday and I started seeing computers come into their "Nebula" interface.

The Support Tech said to download the mac .pkg from them and just change the 2 brackets in the name to _
I had initially tried renaming it differently, but some sort of licensing number is within those brackets and it prevents the laptop from registering within Nebula.

Here is an example of what it looks like initially when you download it:

Here is how it will look after you edit the name of the file:

After doing this, I was able to load it into our JAMF cloud instance without a problem.
After I pushed it out, with a Restart of the computer after install, the users appeared in the Nebula interface.

I also created a Configuration Profile that Approved Kernel Extension TeamID: GVZRY6KDKR
As was instructed here.

I hope this helps everyone.

Contributor III

@dwaterbury are you simply removing the brackets and adding an underscore to make the pkg file work? if so how many on each end?

Valued Contributor

@dwaterbury Last time I checked, the MalwareBytes package did not correctly load the LaunchAgent it installs. So you can add this as a payload to your policy to load the LaunchAgent after the package installs, which might eliminate the need to restart:


loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' )
loggedInUID=$(/usr/bin/id -u "$loggedInUser")

# Stop the LaunchAgent if it is running
if launchctl list | grep "$identifier" &> /dev/null ; then
    /bin/launchctl asuser "$loggedInUID" /bin/launchctl unload "$agentPlist"

# Load the LaunchAgent
/bin/launchctl asuser "$loggedInUID" /bin/launchctl load "$agentPlist"

exit 0

New Contributor III

I have the policy created without the brackets and adding the underscore but it doesn't show that its being installed, I just show a pending in the logs, I seen the payload info above but can you tell me where that would go?

New Contributor

I also have the policy without the brackets. With JAMF, since brackets are not allowed, you'll need to replace the brackets with underscores.

New Contributor II

(just chiming in to confirm removing the bracket on either end and replacing with _ works, you will have 2 underscores in front and 3 on the trail)

Anyone know how to make a smart group to search who has this installed and who does not? I've been banging away at a few different ways but can't seem to find it.

New Contributor II

also this is helpful as well:
config profile for Malwarebytes full disk access, which is needed

New Contributor II

I couldn't find anything to search with so I created an Extension Attribute to check if Malwarebytes Nebula Endpoint Agent is installed or not.

if [ -d "/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent" ] 
    echo "<result>Installed</result>"
    echo "<result>Not Installed</result>"


Malwarebytes uninstall script any thing is available?

Contributor III

as a follow up, if your running MB from the enterprise web version, simply deleting it from the server will force an uninstall on the end points.