Recommendations on Anti-Virus

eric_difulvio
New Contributor II

My company is adamant about having our 40-some Macs protected with McAfee Endpoint protection. I have been working on this project for months and there seems to be issue after issue with McAfee and its deployment of the agent with Jamf and then ePO communicating with the device effectively to push the AV. I am just about done with it at this point.

I am looking for a recommendation on a different endpoint protection that is suitable for Macs, easier to deploy through Jamf, and has shown success in the corporate space with a high standard for security.

Thoughts?

9 REPLIES

jcarr
Release Candidate Programs Tester

Gatekeeper and xProtect? It works for IBM, and the price is right.

sdagley
Esteemed Contributor II

@eric.difulvio Why not use Jamf to install the McAfee components instead of ePO? That's the approach I use. There was a little work involved in setting things up (helped by multiple posts with examples on Jamf Nation), but once that's done it's pretty reliable.

eric_difulvio
New Contributor II

@sdagley Here's the problem. For a while I was having success with my process of installing the agent via Jamf and then ePO pushing the AV. Then things started getting funky. Now, I can't even deploy the agent via Jamf. I think it's deploying properly but ePO is not able to see the device as managed, so something is wrong. On top of that, my organization really wants everything viewable and deployed from ePO for whatever reason. Every time I get McAfee support involved, they come back with "there are old, existing McAfee files that are disturbing the communication between the Mac and ePO." I worked on a script that was to delete all those files. I have even been using the McAfee stripper tool to wipe the Mac clean of anything McAfee related. All in all, no success. Very frustrating.

gachowski
Valued Contributor II

1st choice is Gatekeeper and XProtect; you can use an EA to see if they are current and scripts to keep them updated...

If that isn't an option (and I would push hard for Gatekeeper and XProtect, as that is what IBM is trusting)....

2nd choice is Cylance, Carbon Black or CrowdStrike....

C
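To show what "use an EA to see if they are current" can look like in practice, here is an added example (not code from the thread or from Jamf) of a Jamf Extension Attribute script that reports Gatekeeper state and the installed XProtect definition version, so a Smart Group can flag Macs whose built-in protections are off or stale. It assumes `spctl --status` prints "assessments enabled/disabled" and that XProtect's Info.plist carries CFBundleShortVersionString at one of the two candidate paths listed (both are assumptions; adjust for the macOS versions in your fleet).

```shell
#!/bin/sh
# Jamf Extension Attribute: report Gatekeeper state and XProtect definition version.
# Added example, not from the thread. Assumed: spctl(8) prints "assessments enabled|disabled";
# XProtect.bundle/Contents/Info.plist carries CFBundleShortVersionString (candidate paths
# below are assumptions for recent macOS releases).

# Pull a <string> value for KEY out of an XML plist with plain sed, so no plutil/defaults
# is needed and the parser can be exercised with a constructed plist on any host.
plist_string() {   # $1 = plist path, $2 = key
    tr -d '\n\t' < "$1" | sed -n "s|.*<key>$2</key> *<string>\([^<]*\)</string>.*|\1|p"
}

# Map spctl --status output to a one-word state; anything unexpected is reported as-is
# so a Smart Group can still catch it.
gatekeeper_state() {   # $1 = output of `spctl --status`
    case "$1" in
        *"assessments enabled"*)  echo "enabled" ;;
        *"assessments disabled"*) echo "disabled" ;;
        *)                        echo "unknown:$1" ;;
    esac
}

# Find the installed XProtect version from the first candidate Info.plist that exists
# and has a version string; "missing" if none does.
xprotect_version() {   # $@ = candidate Info.plist paths
    for p in "$@"; do
        if [ -f "$p" ]; then
            v=$(plist_string "$p" CFBundleShortVersionString)
            if [ -n "$v" ]; then echo "$v"; return 0; fi
        fi
    done
    echo "missing"
}

# Combine both checks into the <result> form Jamf expects from an Extension Attribute.
ea_result() {   # $1 = gatekeeper state, $2 = xprotect version
    echo "<result>gatekeeper=$1 xprotect=$2</result>"
}

# Real run on a Mac; on other hosts only the functions above are exercised.
if [ "$(uname)" = "Darwin" ]; then
    gk=$(gatekeeper_state "$(/usr/sbin/spctl --status 2>&1)")
    xp=$(xprotect_version \
        "/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist" \
        "/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist")
    ea_result "$gk" "$xp"
fi
```

A Smart Group keyed on "gatekeeper=disabled" or on an xprotect value older than Apple's current release then gives you the "is it current" view without any third-party agent.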

sdagley
Esteemed Contributor II

@eric.difulvio The McAfee removal tool has been effective for all of the 10.5.x variants of ENS in my experience. I can't speak for other versions.

My install process is to use Composer to create a package containing all of the ENS component .pkgs which dumps them into /var/tmp/McAfee and then run a postinstall script to install each component in the necessary sequence (and that can vary from release to release so it's lots of fun tweaking that). Here's that script in case you find it useful:

#!/bin/sh
## postinstall

# Single install package for complete install of McAfee Endpoint Security for Mac
# Created 2018-09-27 by @sdagley
# Borrows from https://www.jamf.com/jamf-nation/discussions/7431/install-mcafee

# Optional progress notice via jamfHelper ($1 = heading, $2 = description).
# Shown only when jamfHelper is present; POSIX function syntax for /bin/sh.
JHWrapper() {
    if [ -d "/Library/Application Support/JAMF/bin/jamfHelper.app" ]; then
        "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType hud -windowPosition ur -title "McAfee ENS Install" -heading "$1" -alignHeading left -description "$2" -alignDescription natural -icon /System/Library/CoreServices/Installer.app/Contents/Resources/package.icns -timeout 4 &
        /bin/echo "$1 $2"
    fi
}

# Remove any existing McAfee install and purge package receipts
/var/tmp/McAfee/0_RemoverTool/McAfee_removal_tool
/bin/sleep 2
/usr/sbin/pkgutil --pkgs | /usr/bin/grep "com.mcafee" | /usr/bin/xargs -L 1 /usr/sbin/pkgutil --forget

# 1 - McAfee Agent: run install.sh with -i (Install) option
/bin/bash /var/tmp/McAfee/1_Agent/install.sh -i

/bin/sleep 10

# Call installer for each subsequent component, in the sequence McAfee requires
# 2 - Threat Prevention
/usr/sbin/installer -verbose -pkg /var/tmp/McAfee/2_ThreatPrevention/McAfee-Threat-Prevention-for-Mac.pkg -target /

# 3 - Firewall
/usr/sbin/installer -verbose -pkg /var/tmp/McAfee/3_Firewall/McAfee-Firewall-for-Mac.pkg -target /

# 4 - Adaptive Threat Protection
/usr/sbin/installer -verbose -pkg /var/tmp/McAfee/4_AdaptiveThreatProtection/McAfee-Adaptive-Threat-Protection-for-Mac.pkg -target /

# 5 - DEGO
/usr/sbin/installer -verbose -pkg /var/tmp/McAfee/5_DEGO/DEGO-OSX.pkg -target /

# 6 - MNE
/usr/sbin/installer -verbose -pkg /var/tmp/McAfee/6_MNE/mne-osx.pkg -target /
# The McAfee ePO Remote Provisioning Tool app seems to be triggered by MNE to prompt the user to log in to the ePO server, so kill the app
/usr/bin/killall McAfeeEpoRemoteProvisioning

# 7 - FRP
/usr/sbin/installer -verbose -pkg /var/tmp/McAfee/7_FRP/MfeFRP_Client_OSX.pkg -target /


## Start agent
/Library/McAfee/cma/scripts/ma start

/bin/sleep 30

## Make sure the agent is awake (collect and send properties)
/Library/McAfee/cma/bin/cmdagent -p

/bin/sleep 30

## Check for policy updates
/Library/McAfee/cma/bin/cmdagent -c

# Remove the files we placed in /var/tmp
/bin/rm -rf /var/tmp/McAfee/

exit 0

The JHWrapper function is from when I thought it might be useful to report each component being installed. My McAfee team provides the components to be installed, and I believe the install.sh is the only thing specific to the environment with our config being baked in when the McAfee console spits out the file.

B-35405
Contributor

Cylance

jonvdp
New Contributor III

We were customers of Cylance and moved away to CrowdStrike. The product is far superior, with a lot fewer false positives.

dmw3
Contributor III

@eric.difulvio We are a McAfee shop at the moment, moving to Microsoft Defender after having trouble with McAfee and ePO.

Found that McAfee ePO did not like the later macOS versions, so we found ourselves going away from the ePO setup to installing the standalone ENS installer then removing the unwanted modules. So far this has worked 100% in deployment.

Process to remove earlier versions of McAfee:
Push the McAfee Clean-up Tool to the client, then run a command to run the Clean-up Tool, and restart the computer after the cleanup to clear cached files.

Process to install McAfee Standalone ENS:
Create with Composer an install pkg for McAfee (current version 10.6.2) and push out with Jamf.
Run a post-install script to remove the unwanted modules - Firewall and Web Control.

This is working well since moving away from using ePO. Hope this helps.

iJake
Valued Contributor

We have Cisco AMP deployed on 50K Macs if that’s of any interest to you ;)