Recommendations on Anti-Virus

New Contributor II

My company is adamant about having our 40 some Macs protecting with McAfee Endpoint protection. I have been working on this project for months and there seems to be issue after issue with McAfee and its deployment of the agent with Jamf and then ePO communicating with the device effectively to push the AV. I am just about done with it at this point.

I am looking for a recommendation on a different End Point protection that is suitable for Macs, easier to deploy though Jamf, and has shown success in the corporate space with a high standard for security.



Release Candidate Programs Tester

Gatekeeper and xProtect? It works for IBM, and the price is right.

Esteemed Contributor

@eric.difulvio Why not use Jamf to install the McAfee components instead of ePO? That's the approach I use. There was a little work involved in setting things up (helped by multiple posts with examples on Jamf Nation), but once that's done it's pretty reliable.

New Contributor II

@sdagley Here's the problem. For a while I was having success with my process of installing the agent via Jamf and then ePO pushing the AV. Then things started getting funky. Now, I can't even deploy the agent via Jamf. I think its deploying properly but ePO is not able to see the device as managed, so something is wrong. On top of that, my organization really wants everything viewable and deployed from ePO for whatever reason. Every time I get McAfee support involved, they come back with "there are old, existing McAfee files that are disturbing the communication between the Mac and ePO. I worked on a script that was to delete all those all files. I have even been using the McAfee stripper tool to wipe the Mac clean of anything McAfee related. All in all, no success. Very frustrating.

Valued Contributor II

1st choice is Gatekeeper and xProtect you can use AE to see if they are current and scripts to keep them updated...

if that isn't an option and I would push hard for Gatekeeper and xProtect as that is what IBM is trusting....

2nd choice is cylance, Carbon Black or CrowdStrike....


Esteemed Contributor

@eric.difulvio The McAfee removal tool has been effective for all of the 10.5.x variants of ENS in my experience. I can't speak for other versions.

My install process is to use Composer to create a package containing all of the ENS component .pkgs which dumps them into /var/tmp/McAfee and then run a postinstall script to install each component in the necessary sequence (and that can vary from release to release so it's lots of fun tweaking that). Here's that script in case you find it useful:

## postinstall

# Single install package for complete install of McAfee Endpoint Security for Mac
# Created 2018-09-27 by @sdagley
# Borrows from

function JHWrapper() {
if [ -d "/Library/Application Support/JAMF/bin/" ]; then
    "/Library/Application Support/JAMF/bin/" -windowType hud -windowPosition ur -title "McAfee ENS Install" -heading "$1" -alignHeading left -description "$2" -alignDescription natural -icon /System/Library/CoreServices/ -timeout 4 &
/bin/echo "$1 $2"

# Remove any existing McAfee install and purge package receipts
/bin/sleep 2
/usr/sbin/pkgutil --pkgs | /usr/bin/grep "com.mcafee" | /usr/bin/xargs -L 1 /usr/sbin/pkgutil --forget 

# Run with -i (Install) option
/bin/bash /var/tmp/McAfee/1_Agent/ -i

/bin/sleep 10

# Call installer for each subsequent component
# 2
/usr/sbin/installer -verbose -pkg /var/tmp/McAfee/2_ThreatPrevention/McAfee-Threat-Prevention-for-Mac.pkg -target /

# 3
/usr/sbin/installer -verbose -pkg /var/tmp/McAfee/3_Firewall/McAfee-Firewall-for-Mac.pkg -target /

# 4
/usr/sbin/installer -verbose -pkg /var/tmp/McAfee/4_AdaptiveThreatProtection/McAfee-Adaptive-Threat-Protection-for-Mac.pkg -target /

# 5
/usr/sbin/installer -verbose -pkg /var/tmp/McAfee/5_DEGO/DEGO-OSX.pkg -target /

/usr/sbin/installer -verbose -pkg /var/tmp/McAfee/6_MNE/mne-osx.pkg -target /
# The McAfee ePO Remote Provisioning Tool app seems to be triggered by MNE to prompt the user to log in to the ePO server so kill the app
/usr/bin/killall McAfeeEpoRemoteProvisioning

# 7
/usr/sbin/installer -verbose -pkg /var/tmp/McAfee/7_FRP/MfeFRP_Client_OSX.pkg -target /

## Start agent
/Library/McAfee/cma/scripts/ma start

/bin/sleep 30

## Make sure the agent is awake
/Library/McAfee/cma/bin/cmdagent -p

/bin/sleep 30

## Check for policy updates
/Library/McAfee/cma/bin/cmdagent -c

# Remove the files we placed in /var/tmp
/bin/rm -rf /var/tmp/McAfee/

exit 0

The JHWrapper function is from when I thought it might be useful to report each component being installed. My McAfee team provides the components to be installed, and I believe the is the only thing specific to the environment with our config being baked in when the McAfee console spits out the file.



New Contributor III

We were customers of Cylance and moved away to Crowdstrike. The product is far superior a lot less false positive

Contributor III

@eric.difulvio We are a McAfee shop at the moment, moving to Microsoft Defender after having trouble with McAfee and ePO.

Found that McAfee ePO did not like the later macOS versions, so we found ourselves going away from the ePO setup to installing the standalone ENS installer then removing the unwanted modules. So far this has worked 100% in deployment.

Process to remove earlier versions of McAfee:
Push the McAfee Clean-up Tool to the client, then run a command to run the Clean-up Tool, restart the computer after the cleanup to clear cached files.

Process to install McAfee Standalone ENS:
Create with Composer an install pkg for McAfee (current version 10.6.2) and push out with Jamf.
Run a post-install script to remove the unwanted modules - Firewall and Web Control.

This is working well since moving away from using ePO. Hope this helps.

Valued Contributor

We have Cisco AMP deployed on 50K Macs if that’s of any interest to you ;)