Webroot Catalina Script

jlombardo
New Contributor III

Hello Jamfers,

Since the new Webroot came out for Catalina, I can't seem to create a script that works to automating it with DEP notify.

I previous had a script that would ping the website, download Webroot, add they key, and it would work perfectly.. This was used mostly for Mohave. If I use this in Catalina, it tells me that the software is not compatible with the current OS version. If you manually install it, there is a point where it downloads a .DMG in the temp folder and updates the software... Sort of seems like a shoddy way to updating a program, but I digress.

As a short term solution I just created a .PKG that put a folder with the Webroot installer and key so the techs can manually install it once the automation is done.

Has anyone had any luck? I am semi new to Apple scripting so I may just be making a newbie mistake here...

11 REPLIES 11

rhooper
Contributor III

@jlombardo I have been having issues with scripting as well and by no way a scripter. But I did read that the Shebang used to be #!/bin/sh and in Catalina a new change is #!/bin/zsh. Have you tried changing the shebang?
https://www.infoq.com/news/2019/06/macos-ditches-bash-for-zsh/
I have a script as well that will launch great locally, but placing it in the JAMF Script editor and downloading it from Self Service fails each and every time. Still trying to work through that issue but maybe yours can just be adapted.
Good luck.

jlombardo
New Contributor III

the script works... its is just when it gets to installing the program it pops up an error that says "this software is not compatible with this OS."

If you run the webroot installer.. There is a part where it says "updating software." If you look at the temp folder afterwards, you will see a .dmg shows up... The installer runs the .dmg and installs the update during the initial install.

I would think that is a poor way of doing things.

wildfrog
Contributor II

What version of the agent is being installed? We moved away from Webroot in the summer but still get mail from them. Sounds like v9.1.1.5 is the first version that's compatibile with Catalina.

bentoms
Honored Contributor III
Honored Contributor III

@rhooper zsh is the default shell for terminal, sh & bash are still there.. no need to change the shebang.

But seconding @wildfrog’s post, sounds like an old version of WebRoot

wildfrog
Contributor II

@jlombardo One (of several) reasons we left Webroot was because on the Windows side, you could download a site-specific installer. Couldn't do that on the Mac. Mass deployment on the Mac was limited to the script you described. When we were on Webroot (and Jamf) we passed the site UID to the script via a variable. It worked, but was never what I considered 'clean'. And as whenever you curl an installer, you're depending on the source to provide you a proper/problem-free version. The lack of Mac-friendliness was a major reason for us leaving Webroot.

Good luck.

mzago
New Contributor III

So I had to look at this yesterday/today to fix for our 16" MacBook pros. Webroot scripts downloads a .dmg that's 9.0.x. Their web console (at least for us) also downloads a stupid 9.0.x dmg.

That 9.0.x dmg has Webroot's .app whose GUI will download 9.1.x after you put in the keycode.

So for just getting by with silent installs, I grabbed a copy of the 9.1.x version to have JAMF push out and then have our silent script run.

This is a little tricky because it appears they clean up the installer (/Applications/Webroot SecureAnywhere.app/Contents/MacOS/Installer) when the installation finishes. So getting a copy AFTER the GUI installer downloads the new .app, but before it's fully installed and have removed the installer is critical.

So to get this consistently working we:
1. Made sure to have the full disk access configuration profile setup for Webroot.
2. Made sure the kernel extension team ID is set in a configuration profile.
3. Made a policy that:
- Runs an uninstall script:

#!/bin/bash
# This script will attempt to remove all Webroot components.
# There is no official installer


launchctl unload /Library/LaunchDaemons/com.webroot.security.mac.plist
kextunload /Library/Extensions/SecureAnywhere.kext
kextunload /System/Library/Extensions/SecureAnywhere.kext
rm /usr/local/bin/WSDaemon
rm /usr/local/bin/WFDaemon
killall -9 WSDaemon
killall -9 WFDaemon
killall -9 "Webroot SecureAnywhere"
rm -rf /Library/Extensions/SecureAnywhere.kext
rm -rf /System/Library/Extensions/SecureAnywhere.kext
rm -rf "/Applications/Webroot SecureAnywhere.app"
rm /Library/LaunchAgents/com.webroot.WRMacApp.plistSudo
rm /Library/LaunchDaemons/com.webroot.security.mac.plist
rm ~/Library/Preferences/com.webroot.WSA.plist
rm ~/Library/Preferences/com.webroot.Webroot-SecureAnywhere.plist
rm -rf ~/Library/Application Support/Webroot
rm -rf /Library/Application Support/Webroot

exit 0

- Copies a .dmg of the /Applications/Webroot SecureAnywhere.app that was captured of 9.1.x before it cleaned up the installer.
- Runs a silent install script after:

#!/bin/bash

"/Applications/Webroot SecureAnywhere.app/Contents/MacOS/Installer" -keycode=WHATEVER -language=en -silent

I have no idea why their URL they use in the console and many people's silent install scripts is of a 9.0.x version. It could be laziness, it could be that app is now forked and not expected to work for 10.15 AND older clients (I didn't focus on compatibility testing of older clients).

I do still have a lot of issues with Webroot's Mac support, but on the flip side I'll say I haven't had a bad update where the real-time scanner has completely broken machines. In 2014, a bad Sophos update led to all of our Macs at a previous employer to use nearly 100% of all CPU cores for Sophos until we downgraded (this was initially reported as people saying their machines felt slow and the fans are always on).

Also test extensively. The approach above still shows the webroot GUI to our users when the app installs. We have the GUI disabled so it seems to take about 5s-60s for the app to phone home and realize it shouldn't show a GUI and then close. If you don't disable the GUI, I wouldn't be surprised if your entire fleet will open the GUI if you deploy this way with a user logged in.

Argh it would appear another JAMF thread figured this out https://www.jamf.com/jamf-nation/discussions/25360/webroot-secureanywhere-install-register#responseChild195719

There does appear to be a real URL with the 9.1 installer. Use that install script.

wildfrog
Contributor II

It frustrations like this that drove us away from Webroot. I never got the impression that they actually cared about the Mac platform. I mean, the right answer - IMO - is to provide an installer pkg with the site UID embedded - like they offer for installing on Windows. But they never gave any indication that they'd do this. Otherwise, you're left to use a script to curl the installer and hope they don't change the URL.

sdagley
Honored Contributor II

@wildfrog Rather than have an installer with the site UID embedded I'd prefer to have a .pkg postinstall script smart enough to look for a configuration file in the same directory the .pkg is bring run from, and it would apply the configuration from it. That's not an uncommon approach.

wildfrog
Contributor II

@sdagley We're a Mac-only MSP so I'd prefer a site-specific installer, but like you mention, there are lots of ways to skin it.
It's been a while but I'm not sure Webroot SA handles the site assignments at install time in a way that will let you do what you're asking.

jlombardo
New Contributor III

Thanks for the responses everyone I was out of office the past few weeks.

yes @bentoms , the link I had my script pointing to downloads and old version of Webroot... But during the installation updates it to its most recent version. It seems pretty sloppy.

@mzago Awesome! Sorry, I thought I looked to make sure this chat wasn't redundant... I am going to test and see what we get.

Side note... There was a program in Mohave that would create the permissions for you kernal extentions.. I used it in Mohave for a few apps so the service desk wouldn't have to go into the security tab to give the app the proper permissions.

Does anyone know what the program was called? I am drawing a total blank, I am also not sure if it works for Catalina (probably not).

bentoms
Honored Contributor III
Honored Contributor III

@jlombardo you can create the profile for Kernel Extensions in Jamf, do you mean PPPC-Utility?