Symantec Endpoint Protection

rderewianko
Valued Contributor II

I've been trying for a few weeks to implement SEP as a Self Service item. It's working; however, it never comes up with a managed client. Has anyone else run into this problem?


brian_flynn
New Contributor III

When you export the SEP client from SEPM, the export includes a pkg and a folder called Additional Resources. The Additional Resources are needed for the client to install properly and be managed.

What I did was package up the pkg and additional files, and use a post install script to manually run installer for the package.

rderewianko
Valued Contributor II

Awesome, that's exactly what I was missing

colonelpanic
Contributor

Just to clarify, when you run the installer, the "Additional Resources" folder needs to be in the same folder as the installer? Or did you run the installer normally, and place the files in "Additional Resources" somewhere on the machine afterwards?

Thanks!

brian_flynn
New Contributor III

The Additional Resources folder needs to be in the same folder as the pkg.

So in the package, I have the files:

/private/tmp/SEP12.1.2/Symantec Endpoint Protection.pkg
/private/tmp/SEP12.1.2/Additional Resources/* (not going to list out all the files in that directory)

Then the postinstall script runs:

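#!/bin/sh
# Run the installer from the staging folder so that the
# "Additional Resources" folder sits next to the pkg.
cd /private/tmp/SEP12.1.2 || exit 1
/usr/sbin/installer -pkg "Symantec Endpoint Protection.pkg" -target /
if [ $? -eq 0 ]; then
    exit 0
else
    exit 1
fi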
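
A preflight for the postinstall approach in the post above, as an added example that is not part of the original post or of Symantec's tooling: it checks that the staged export still has the pkg and "Additional Resources/sylink.xml" side by side and that nothing in the folder is world-writable before handing it to installer as root, then removes the staged copy. The STAGE variable, the function names and the --install switch are assumptions made for the example.

```sh
#!/bin/sh
# Added example: preflight for the staged SEP export, then install and clean up.
# STAGE defaults to the path used in the post above; override it for testing.
STAGE="${STAGE:-/private/tmp/SEP12.1.2}"
PKG="Symantec Endpoint Protection.pkg"

# check_staging DIR: return 0 only if DIR still looks like the export you staged.
check_staging() {
    dir=$1
    # The staging folder must be a real directory, not a symlink.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "staging folder missing or a symlink: $dir" >&2; return 1
    fi
    # The pkg must be a regular file in that folder.
    if [ ! -f "$dir/$PKG" ] || [ -L "$dir/$PKG" ]; then
        echo "pkg missing: $dir/$PKG" >&2; return 2
    fi
    # Without Additional Resources the client installs unmanaged.
    if [ ! -f "$dir/Additional Resources/sylink.xml" ]; then
        echo "sylink.xml missing: client would install unmanaged" >&2; return 3
    fi
    # /private/tmp is shared; nothing handed to installer (which runs as root)
    # may be writable by other users.
    if [ -n "$(find "$dir" -perm -002 ! -type l -print 2>/dev/null)" ]; then
        echo "world-writable entries under $dir" >&2; return 4
    fi
    return 0
}

# install_sep DIR: preflight, install, and always remove the staged copy.
install_sep() {
    dir=$1
    check_staging "$dir" || return $?
    ( cd "$dir" && /usr/sbin/installer -pkg "$PKG" -target / )
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Only install when asked to, so loading the file has no side effects.
if [ "${1:-}" = "--install" ]; then
    install_sep "$STAGE"
    exit $?
fi
```
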

colonelpanic
Contributor

Awesome, I was packaging the new SEP client and saw this post come up so I figured I would ask before I tested a new image. Thank you!

iJake
Valued Contributor

I've been working on making one package that can remove the old SAV and install SEP all without a reboot. If you are interested, here is the script to start the SEP services as the logged in user so the customer doesn't have to reboot. These are normally started by LaunchAgents and Daemons on login and they will be the next time the customer reboots. If nobody is logged in it won't start them since they will be launched by a user log in. I've tested it on 10.6-10.8.

#!/bin/sh

# The owner of /dev/console is the user logged in at the GUI (root if nobody is).
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')

if [ "$loggedInUser" != "root" ]
then
    cd /
    # The paths contain spaces, so they are quoted inside the -c string.
    su "$loggedInUser" -c "'/Library/Application Support/Symantec/SymQuickMenu/SymQuickMenu.app/Contents/MacOS/SymQuickMenu' &"
    su "$loggedInUser" -c "'/Library/Application Support/Norton Solutions Support/Scheduler/SymSecondaryLaunch.app/Contents/MacOS/SymSecondaryLaunch' &"
fi

blackholemac
Valued Contributor III

Here's a multi-step method I've developed for it if it helps

So after talking with Symantec, it's clear that their tech support doesn't seem to know Mac stuff too well. I've reached out to Mike Romo, the lead Mac developer at Symantec who has demonstrated that he knows the Mac very well. Haven't heard back from him yet, but he's the guy that Mac SysAdmins need to report their issues if they are getting nowhere with Symantec Tech Support.

Anyway, while waiting for a response, I have developed a workaround that I wanted to share with JAMFNation:

Step 1: Get Java 6 out to your workstations. In Mac OS X 10.8, it is not installed and will need to be if LiveUpdate is to work. That should be easy, upload the package to Casper Admin and deploy however you normally would.

Step 2: Run the uninstaller script from this Symantec article on your machines. http://www.symantec.com/business/support/index?page=content&id=TECH103489
Make sure you look toward the bottom of the page. There are two scripts...one designed to be run interactively by a user and the one further down that is able to be run by products such as ARD or in our case, Casper.

Step 3: Upload the PKG WITHOUT THE ADDITIONAL RESOURCES FOLDER to Casper Admin like you would any other package. When you install this package without the Additional Resources folder, it is the equivalent of installing Symantec Endpoint Protection to your Mac clients in unmanaged mode.

Step 4: Use Composer to build a new package. You are going to take the sylink.xml file located in the Additional Resources folder and package it up. Basically you need to get this file to /Library/Application Support/Symantec/SMC as per Symantec article http://www.symantec.com/business/support/index?page=content&id=TECH131585 which talks about converting an unmanaged client to a supported managed client.

Step 5: Upload this package that you just created to Casper Admin and assign it a priority number that is one less than the priority you assigned to the main package in Step 4 of this post. THE MANAGEMENT PACKAGE NEEDS TO COME ON BEFORE YOU PUSH THE MAIN PACKAGE. You should also have the workstation reboot after installing both of these packages.

This can all be built to deploy to existing workstations via a policy in Casper or as part of your imaging workflow. I set up my policy to first run the uninstall script, second run Java 6 installer (I'm trying to get this going on 10.8), third install SEP package, fourth install the sylink.xml package. Fifth, I update inventory and reboot. If I wanted to be fancy, I could scope it to all machines that have any Symantec product installed, but in our environment all managed clients do so I didn't have to think too hard on how to scope. I triggered it appropriately and tested and it worked on some sample machines.

I invite feedback on this post too from anyone who modifies this to simplify, automate or remove a reboot if someone has gotten that far. I'm fine with the reboot, but others might not be.

hkim
Contributor II

iJake, a suggestion, to get rid of the old processes that might still be running, consider putting in a

killall SymQuickMenu
killall SymSecondaryLaunch

iJake
Valued Contributor

Sorry, I left that part out. I was only showing what I do to start SEP. I have some SAV processes clean up that I run which is:

launchctl unload /Library/LaunchDaemons/com.symantec.Sched501-1.plist
launchctl unload /Library/LaunchDaemons/com.symantec.avscandaemon.plist
launchctl unload /Library/LaunchDaemons/com.symantec.diskMountNotify.plist
launchctl unload /Library/LaunchDaemons/com.symantec.navapd.plist
launchctl unload /Library/LaunchDaemons/com.symantec.navapdaemonsl.plist
launchctl unload /Library/LaunchDaemons/com.symantec.sharedsettings.plist
launchctl unload /Library/LaunchDaemons/com.symantec.symSchedDaemon.plist
launchctl unload /Library/LaunchDaemons/com.symantec.symdaemon.plist
launchctl unload /Library/LaunchAgents/com.symantec.uiagent.application.plist
killall NortonAutoProtect
# [S]ym keeps grep from matching (and killing) its own process
ps ax | grep '[S]ym' | awk '{print $1}' | xargs kill

hkim
Contributor II

Great find and thank you for the detailed write up blackholemac! For someone who is just handed installers from another SEP admin, it's nice to have more options to use to be more official than the patchwork solutions I've seen so far.

blackholemac
Valued Contributor III

Updated my post here to reflect a reality when starting our first 10 machine upgrades...it turns out, it's best to have the sylink.xml package come onto the machine first and then push the main one...small correction, but an important one.

llitz123
Contributor III

I know it's a bit old, yet any official word from Symantec/Mike Romo regarding an official way to deploy using Casper? Or is blackholemac's solution still my best bet?
Thanks.

donmontalvo
Esteemed Contributor III

@blackholemac wrote:

So after talking with Symantec, it's clear that their tech support doesn't seem to know Mac stuff too well. I've reached out to Mike Romo, the lead Mac developer at Symantec who has demonstrated that he knows the Mac very well. Haven't heard back from him yet, but he's the guy that Mac SysAdmins need to report their issues if they are getting nowhere with Symantec Tech Support.

Yea, these big name companies are putting people in roles they're not capable/competent to hold, to save money. Only a tsunami of complaints has a chance of catching the company's eye. Otherwise for them it's business as usual..."Meh, we're making bookoo money, what's not to like?"

I miss Todd Woodward, he was their sharpest engineer...he moved on to some other division. Good to hear they've got a competent person. But sorry to hear it's business as usual in the fill-roles-with-cheap-low-skilled-labor area.

Don

--
https://donmontalvo.com

blackholemac
Valued Contributor III

Wanted to update this post months later to reflect some new discoveries:

  1. Mike Romo is no longer with them (this coming from one of their engineers)
  2. It turns out the fix I deduced back in January has been codified into an article from Symantec on how to do this using ARD.

Here is my post on their board which includes a link to their article: http://www.symantec.com/connect/forums/sep-1212-mac-installation

Matt
Valued Contributor

SEP for Mac might as well be Malware!

acdesigntech
Contributor II

Allegedly they are releasing a "fully integrated Mac client" at the end of the year per our Symantec acct mgr. Most amusing thing I've heard all day.

donmontalvo
Esteemed Contributor III

Most IT departments are suckers for vendors' claims of cross platform compatibility and "full support for Mac".

--
https://donmontalvo.com

jkgrosh
New Contributor

So which is the better method (less chance of failure)? Brian.Flynn or blackhole?

blackholemac
Valued Contributor III

I'm laughing myself about them releasing a "fully-integrated Mac client". I honestly thought version 11.0.6 was supposed to be...the "integration" is lacking in the ability to push out new definitions even still in 12.1.2.

As for why our department uses it on the Mac...the simple answer involves a school district regulation that states "All personal computers are required to have anti-malware software." My philosophies and background on the Mac are irrelevant in such matters. I do have some basic input on what we choose for antimalware keeping in mind how we are weighted (90% Windows, 10% Mac). The Windows guys' preferences will obviously carry greater weight.

It also comes down to money for that matter. So we can use SEP for Mac very cheaply since we purchased the enterprise kit for Windows. If I had us acquire my personal preference (Intego) we would have spent way more money.

Now, all this having been said, I'll attempt to help jkgrosh with his quandary. Basically, both methods function well. What I was going to do prior to figuring out this method was similar to Brian.Flynn's method. Essentially, I was going to create a PKG package with postinstall script that would dump Symantec's PKG and the "Additional Resources" folder to a temporary location, install Symantec's PKG (which would have the "Additional Resources" where the installer expected to find it) and then at the end of the postinstall script, delete the installer files from the temp location. That method should work too, but honestly it's a little more "roundabout" to me. My method of installing the Sylink.xml file (as part of a package) and installing the unmanaged package allows a bit more flexibility in using Casper to deploy and has many fewer variables (Did the stupid installer get deleted from the temp location once it was done? Will there be any annoyances calling an installer package from a postinstall script from another installer package?)

Again it's a matter of administrator's preference, but I can say that my method was successful on 200 + Macs and was totally automatable through a Casper Policy.

Hope it helps,
blackholemac

Matt
Valued Contributor

Symantec came here and did a big dog and pony show when they found out we wanted to move to Sophos. Well the company bought it... we don't run SEP on Macs though... who would!!! :D

donmontalvo
Esteemed Contributor III

Symantec = McDonalds (your company was probably sold on the bottom line)

It sucks less if you have admin rights to their console to manage settings for the Macs... ;)

Don

--
https://donmontalvo.com

blackholemac
Valued Contributor III

Amen to having admin rights to the console...while I don't as it is handled by our Windows admins, I do have view rights and a good working relationship with them so all in all it's doable. Again, wish I didn't have to fart with it, but policy dictates it.

scottb
Honored Contributor

@blackholemac: I have tried using the Symantec scripts with no luck. This is the one you tag above (TECH103489) for ARD.
I've made no changes to it.

ERROR: Invalid option or volume name: "computername". # - the computer name is the hostname.
Usage: SymantecRemovalTool.command [-CcdeFfhIiLlmpQqRrV] [-QQ] [-re] [volume ...]

mjohnston
New Contributor

I followed the instructions here which worked - http://www.symantec.com/business/support/index?page=content&id=HOWTO92266

I also added a script to run first which uninstalls Sophos, then installs the SEP package via the above instructions.

Have tested with a few single machines and will deploy it to a larger group tomorrow. After a week, if there are no issues, I'm going to roll it out across the organization.

c0n0r
Contributor

Unfortunately, the SYMC KB article that @mjohnston mentions requires a reboot, and the process that @iJake mentions to limit the reboot breaks on newer versions of SEP.