Hey everyone,



I would like to create a PPPC config file to allow McAfee to install without macOS blocking its system extension. Following this link: https://kc.mcafee.com/corporate/index?page=content&id=KB91109
it tells me the PPPC profile key needs to be "SystemPolicyAllFiles". Using PPPC Utility, has anyone successfully accomplished what I'm trying to do?



Essentially I want to push Endpoint Security and it not prompt the user to allow the extension.



Thanks,
Mike

@mikedesmarais That KB article is for the PPPC settings necessary for McAfee ENS. For the prompts regarding the McAfee kernel extensions (it's not currently using system extensions) you need an Approved Kernel Extensions payload. And you really should try installing ENS in kextless mode (although firewall still requires a kext).


You don't need to use the PPPC utility for this, it's available in the Jamf GUI, providing you're on a supported version.



The Team ID you want to whitelist is GT8P3H7SPW. From there it's a case of adding each of the components and granting them SystemPolicyAllFiles, per the KB article. They also have a sample PPPC file that you can upload directly to Jamf Pro and distribute, if you wish.



You will also need a kernel extension whitelist profile, separate from PPPC.


@jtrant Forgive me because I'm pretty fresh to Jamf, could you explain where I need to whitelist that Team ID? I'm assuming under "Identifier" I would enter the path of the component and select "Path" under identifier type. We already have McAfee's kernel extensions whitelisted in a separate profile. Also, what is required in the "Code Requirement" box? If I try and save this it highlights in red.




If you take a look at the bottom of the page you linked, McAfee have actually provided an example configuration profile, although they don't have the VShieldScanManager part for ENS 10.7.0 included. The code requirement is the same as VShieldTaskManager in their example profile but the code requirement would change slightly.



I'd be happy to share my configuration tomorrow if you still need help. A reminder that you also need to consider kernel extensions, as PPPC are not the same thing.


@jtrant I downloaded the example configuration profile and added VShieldTaskManager, I'm still getting that System Extension Blocked pop up, which I think might be causing McAfee to install without enabling Threat Prevention. Currently an end user would have to allow the extension in Security & Privacy and then enable Threat Prevention under McAfee's preferences. I have also whitelisted McAfee's kernel extensions, I've attached screenshots of the pop up and the kernel extensions I'm whitelisting in case there's something I'm missing.






Can you share the whole KEXT profile?



McAfee Team ID: GT8P3H7SPW
Bundle IDs:
ENS: com.intelsecurity.FileCore, com.McAfee.AVKext, com.McAfee.FileCore, com.McAfee.FMPSysCore, com.McAfee.mfeaac, com.McAfee.SFKext
DLP: com.McAfee.driver.DlpUSB, com.mcafee.DLPKext
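As an added example (not from the thread or from McAfee), the script below builds the two payloads discussed here, the Kernel Extension Policy for the Team ID and bundle IDs listed above and the PPPC payload granting SystemPolicyAllFiles per the KB article, and includes a check for which bundle IDs an existing kext profile is still missing. The Team ID and bundle IDs are the ones posted in this thread; the PPPC component identifier and its code requirement are constructed placeholders, since the real values come from McAfee's sample profile (or from `codesign -dr -` run against the installed component). It assumes the standard payload keys for `com.apple.syspolicy.kernel-extension-policy` and `com.apple.TCC.configuration-profile-policy`, and that the resulting .mobileconfig is uploaded to Jamf Pro as a system-scoped profile.

```python
"""Generate a kext policy + PPPC configuration profile for McAfee ENS/DLP."""
import plistlib
import uuid

# Team ID and bundle IDs exactly as listed in the thread above.
MCAFEE_TEAM_ID = "GT8P3H7SPW"
MCAFEE_KEXTS = {
    "ENS": [
        "com.intelsecurity.FileCore", "com.McAfee.AVKext", "com.McAfee.FileCore",
        "com.McAfee.FMPSysCore", "com.McAfee.mfeaac", "com.McAfee.SFKext",
    ],
    "DLP": ["com.McAfee.driver.DlpUSB", "com.mcafee.DLPKext"],
}

# Constructed placeholder (NOT a real McAfee identifier or requirement).
# In practice take these from McAfee's sample profile or `codesign -dr - <path>`.
SAMPLE_PPPC_COMPONENTS = [
    ("com.mcafee.EXAMPLE.component", "bundleID",
     'identifier "com.mcafee.EXAMPLE.component" and anchor apple generic '
     'and certificate leaf[subject.OU] = "GT8P3H7SPW"'),
]

KEXT_PAYLOAD_TYPE = "com.apple.syspolicy.kernel-extension-policy"
PPPC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"


def _payload_header(payload_type, identifier, display_name):
    """Keys every payload dictionary inside a profile needs."""
    return {
        "PayloadType": payload_type,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadEnabled": True,
    }


def kext_policy_payload(team_id, bundle_ids, allow_user_overrides=False):
    """Approved Kernel Extensions payload: allow the Team ID and each bundle ID."""
    payload = _payload_header(KEXT_PAYLOAD_TYPE,
                              "com.example.kext-policy.mcafee", "McAfee kernel extensions")
    payload.update({
        "AllowUserOverrides": allow_user_overrides,   # False: no end-user approval
        "AllowedTeamIdentifiers": [team_id],
        "AllowedKernelExtensions": {team_id: sorted(bundle_ids)},
    })
    return payload


def pppc_payload(components):
    """PPPC payload granting SystemPolicyAllFiles (Full Disk Access).

    components: iterable of (identifier, identifier_type, code_requirement),
    identifier_type being "bundleID" or "path".
    """
    payload = _payload_header(PPPC_PAYLOAD_TYPE,
                              "com.example.pppc.mcafee", "McAfee Full Disk Access")
    payload["Services"] = {
        "SystemPolicyAllFiles": [
            {"Identifier": ident, "IdentifierType": itype, "CodeRequirement": req,
             "StaticCode": False, "Allowed": True, "Comment": ""}
            for ident, itype, req in components
        ]
    }
    return payload


def build_profile(display_name, identifier, payloads):
    """Top-level profile. Kext and PPPC payloads only take effect at System scope."""
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadContent": list(payloads),
    }


def to_mobileconfig(profile):
    """Serialise to the XML plist that Jamf Pro accepts as a .mobileconfig."""
    return plistlib.dumps(profile)


def parse_mobileconfig(data):
    return plistlib.loads(data)


def missing_kexts(profile, team_id, required_ids):
    """Bundle IDs in required_ids that no kext policy payload allows for team_id.

    This is the "looks like I need to add some" check from the thread.
    """
    allowed = set()
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == KEXT_PAYLOAD_TYPE:
            allowed.update(payload.get("AllowedKernelExtensions", {}).get(team_id, []))
    return sorted(set(required_ids) - allowed)


def all_mcafee_kexts():
    return [b for ids in MCAFEE_KEXTS.values() for b in ids]


if __name__ == "__main__":
    profile = build_profile("McAfee ENS kexts and PPPC", "com.example.mcafee-ens", [
        kext_policy_payload(MCAFEE_TEAM_ID, all_mcafee_kexts()),
        pppc_payload(SAMPLE_PPPC_COMPONENTS),
    ])
    with open("McAfee-ENS.mobileconfig", "wb") as f:
        f.write(to_mobileconfig(profile))
```

Running the script writes `McAfee-ENS.mobileconfig` in the current directory; `missing_kexts()` can be pointed at an exported copy of an existing kext profile (parse it with `parse_mobileconfig()`) to see which of the ENS/DLP bundle IDs it does not yet allow.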



I know with true system extensions they must be applied before the software in question is installed, but I didn't think this applied to kernel extensions.


This is the entire kext whitelist profile in Jamf Pro, it looks like I need to add some based off your list.


I was able to get McAfee installed now with no security prompts with your kernel extension list, no PPPC profile involved. The only problem I have now is Threat Prevention is disabled by default, do you have any ideas on how to enable that, whether it be by script or anything else?


You'll still need a PPPC profile so that McAfee ENS/DLP can scan the machine (SystemPolicyAllFiles), but as for Threat Prevention being disabled I'm not sure. Do you have a valid license key entered in ePO, and do you have a policy in place to enable threat prevention?


@mikedesmarais Are you restarting after install? It's been my experience with installing recent versions of ATP is that it requires a restart to start running.


Good call @sdagley.


There is a valid license key and I have restarted, the only thing I haven’t verified is if there’s a policy in place (I’m not the one person that manages ePO, and they insist that the default behavior of McAfee should have Threat Prevention enabled after installing, which is not the reality I’m experiencing)


I'm having the same problem that Threat Prevention is disabled, also after a restart. I have created a Kext profile for McAfee and also created a PPPC profile for the full disk access.
Hope someone has a solution for the Threat Prevention being disabled.


Are you able to enable it manually in McAfee's preferences?
Not sure if it's native to the application or something we control in ePO but our McAfee Threat Prevention will enable itself after a specified time if it gets disabled. Maybe that would be worth looking into if you can actually enable it manually in preferences.


What ended up working for us was to run the McAfee install.sh script that sets the framework. Then the RTW Package. I am not sure if the script is on the McAfee site, but I can check next week. The product_deployment_sh (I think that is right) did not work correctly for us.


@kgam Yes, it is possible to enable it manually but, as you know, you need to do this as an admin.
@Nix4Life That's the exact order I use to install McAfee



If you take a look at the following article from McAfee you can see that you will need 6 bundle identifiers. I've set all of them and also created a PPPC to give McAfee Full Disk access:
End-user experience when installing Endpoint Security for Mac on macOS High Sierra 10.13 and later
But so far, no luck that it will automatically change from "Disabled" to "Enabled".


If anyone else prefers to deploy the McAfee agent and ENS components via Jamf Pro rather than ePO here's the postinstall script for a unified .pkg that bundles all the installers ePO will spit out: McAfeeENS10.7.1postinstall.bash



Note that it installs the modules capable of it in kextless mode so you don't have to switch from kext to kextless mode post install.


@sdagley Have you found significant performance boosts in running McAfee in kextless mode? Our Mac clients are running in kext mode and I've just started testing kextless to see if we should switch. My biggest problem with McAfee is when our Macs power on or reboot. At the login screen input will be unavailable for up to 30 seconds while McAfee is starting its services and after the user has logged on they'll still get spinning-beach-balls-of-death for the first several minutes until McAfee is fully launched and updated. I'm hoping kextless will improve this.


@kgam We haven't seen the behavior you describe on startup, but in the past some users would experience apps taking almost 2 minutes to launch until the Mac was restarted. That's not something we've seen with McAfee in kextless mode, and it has definitely eliminated crashes in com.McAfee.mfeaac which was our most common kernel panic trigger.


Thanks @sdagley. Initial testing seems to have improved startup performance but it's still too early to tell. We'll also have to weigh any performance boosts against the lack of Self-Protection in kextless mode.


Just ran another test and macOS came with a pop-up that software was blocked.
I already pushed the Kext profile to this client and I verified that it actually had the profile installed.
But still in "Security and Privacy" there was the notification:
System software from developer "McAfee, Inc." was blocked from loading


@kgam If you're not ready to deploy kextless yet, and your environment has been upgraded to macOS Catalina, you may want to look at the upcoming release that will support the System Extension replacement for kexts. I believe it'll install the System Extension version on macOS Catalina as well as Big Sur, but you'll want to check with your McAfee rep to confirm.


Thanks @sdagley, that's an excellent recommendation. Most of our Macs are on Catalina waiting for Big Sur so I'll definitely check this out.


@sdagley Hey, what would you recommend I do? I'm very new to Jamf and only recently started updating my Approved Kernel Extensions config profile to also include a system extensions payload with the team identifier for the software that will be using system extensions instead of kext. I'm running Mojave and Catalina machines which is why I have both Approved Kext and Approved system ext. Is this a good way of preparing for the change?


@freshmacman Don't deploy a Configuration Profile with a System Extensions payload to a Mojave system. Since Mojave doesn't support System Extensions it won't install that payload, and when you upgrade that Mac to Catalina the profile won't re-deploy. Technically you could just clone your existing Configuration Profile and have one version targeted at Mojave and the other at Catalina or higher, and when a Mac upgrades from Mojave to Catalina the applicable profiles will be removed/installed but if that'll happen before a user upgrading gets a prompt to approve the System Extension is something you'd have to test.
