Symantec Management not installing during ZTP

howie_isaacks
Valued Contributor II

I have been having problems getting Symantec Management deployed during my enrollment process. Like a lot of Apple admins, I use a script that runs the whole ZTP process. All other apps deploy reliably with no issues. What makes this even harder to figure out is that if I use Terminal to run the SAME POLICY that is being run during ZTP, it works. Every time. The ZTP script is running "jamf policy -event install-symantecmanagement". The only difference between this and me using Terminal is that in Terminal, I need to use "sudo" before the Jamf policy command. Also, a Symantec Management install policy that we have set up to run at check-in for Macs that don't have it installed for some reason works. There is only one Symantec Management install policy. It works when we use Terminal. It works with a check-in policy, but it won't work when the ZTP script runs the policy.

Here's the breakdown of the install policy. I get a "Cloud-enabled Agent Installation Package" from the app owner at my company in a zip file. The zip file contains a package called "Symantec_Management_Agent_Installer.pkg" and a "Resources" folder. Inside Resources is a script called "cem_package.sh". I can run this script manually in Terminal using the "-pwd" option to include the decryption password. It will install Symantec Management with no issues. I use Jamf Composer to create a package to deploy the install files to /private/tmp/Altiris. I put the package into a Jamf install policy with this command to run after the package is installed: "sh /private/tmp/Altiris/CEM/Resources/cem_package.sh -pwd XXXXXX -reinstall; rm -rf /private/tmp/Altiris; aex-helper agent -s "MachineID" ignore_resource_keys fqdn,uniqueid,macaddress". The final part of the command is meant to fix an issue with computer name duplication. The last part of the policy is to run inventory. As I said before, this policy works perfectly when run on demand in Terminal with a custom trigger or using the policy ID. It also works if we allow the Mac to get the install at check-in.

What am I doing wrong? I didn't know this was happening until I created an extension attribute in Jamf Pro to help track successful or unsuccessful ZTP experiences. Symantec Management is the only app that fails to install as part of ZTP. The Jamf policy log shows that the package install completed and then nothing. There is no mention of the command that is supposed to run as part of the policy. The policy log of a successful install shows the command being run. I have other policies that have a similar workflow and they always work when deployed through ZTP.

1 ACCEPTED SOLUTION

howie_isaacks
Valued Contributor II

As luck would have it, someone from Broadcom, the company who owns Symantec Management, was in my office yesterday. He suggested that I create an installer package that includes a post install script to run the install after the installer files are staged by a package at /private/tmp/Altiris. I already had this script written to do the install. I used Composer to add this script as a post install script to my deployment package. For the "-pwd" option, you would fill in your own decryption password. I hope this helps others who may find themselves in the same situation.

#!/bin/zsh

###########################
# Installs Altiris from staged installer files at /private/tmp/Altiris.
# Checks for successful install.
# 4/23/24 | Howie Isaacks
###########################

altirisInstalled="/opt/altiris"

# Install Altiris from staged install files
echo "Running Altiris install..."
sh /private/tmp/Altiris/CEM/Resources/cem_package.sh -pwd XXXXX -reinstall
echo "Install process complete.. Checking if Altiris installed."

# Is Symantec Management installed?
if [ -d "$altirisInstalled" ]; then
	echo "Altiris installed successfully. Running GUID fix."
	aex-helper agent -s "MachineID" ignore_resource_keys fqdn,uniqueid,macaddress
	echo "Removing installer files."
	rm -rf /private/tmp/Altiris
else
	echo "Altiris did not install successfully."
fi

# Set the appropriate exit code
if [ -d "$altirisInstalled" ]; then
	exit 0
else
	exit 1
fi
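
Added example, not part of the original post or any vendor script: a pre-flight check that a post-install script like the one above could run before it executes files staged under /private/tmp as root. The function name check_staged_tree and its optional owner argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example; not from the original post. check_staged_tree is a
# hypothetical helper name.
#
# check_staged_tree DIR [OWNER]
#   Returns 0 only when DIR is a real directory (not a symlink) and every
#   entry under it is owned by OWNER (default: root), is not group- or
#   world-writable, and is not a symlink. Anything else means the staged
#   files could have been changed after the package laid them down.
check_staged_tree() {
	dir=$1
	owner=${2:-root}

	if [ -L "$dir" ] || [ ! -d "$dir" ]; then
		echo "Refusing: $dir is missing or is a symlink." >&2
		return 1
	fi

	# List every entry that breaks one of the rules above.
	if ! bad=$(find "$dir" \( ! -user "$owner" -o -perm -020 \
		-o -perm -002 -o -type l \) -print); then
		echo "Refusing: could not inspect $dir." >&2
		return 1
	fi

	if [ -n "$bad" ]; then
		echo "Refusing: unexpected owner, writable entry or symlink:" >&2
		echo "$bad" >&2
		return 1
	fi
	return 0
}

# Intended use in the post-install script, before the installer is run:
#   check_staged_tree /private/tmp/Altiris || exit 1
```

A non-zero return makes the post-install script fail, so the Jamf policy log records the refusal instead of a silent partial install.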


5 REPLIES

Hi Howie, 

I am a novice at this and would appreciate your assistance. I am trying to set up a policy to roll out Symantec Management Agent and it does not necessarily need to be run during ZTP. My package looks different based on your script and I have attached a photo of what my package looks like. Last thing, where would I get the decryption password on the script or do I just set one on the script myself?

Screenshot 2024-05-31 at 10.20.36.png

 

Some guidance would really be appreciated. 

howie_isaacks
Valued Contributor II

If there is a decryption password, you would need to get that from whoever in your organization runs Symantec Management. Your screenshot suggests that you may be installing the software differently from the way we're doing it. I think my issue was being caused by specifically "who" initiates the install. Apparently, having the Jamf agent run the package at check-in or during the ZTP process was running the install from the wrong user account. I manually called up the policy using a custom trigger (sudo jamf policy -event install-symantecmanagement), and it worked every time. Installing through PreStage I believe is installing the app as an MDM function, not a Jamf agent action. It also appears that including the install script as a post install script helps this install more reliably. I normally shy away from using post install scripts in my packages unless they're necessary since I may want to change the script. I wouldn't want to recompile a new package every time I do that. We are using the "cloud enabled management" method for deployment. Here are screenshots of what is in my install package.

Screenshot 2024-06-03 at 11.09.51.png
Screenshot 2024-06-03 at 11.11.10.png

Thanks Howie, we finally got someone to assist and got us the CEM package and it worked seamlessly. Thanks once again!

howie_isaacks
Valued Contributor II

After all this, we're about to abandon Symantec Management. Oh well.