[KB7324] Deploy ESET Endpoint products for macOS using Jamf Pro (6.11)

Issue

Solution

Follow the instructions below to deploy ESET Endpoint for macOS 11, 12, and 13 using Jamf Pro and manage it using ESET PROTECT or ESET PROTECT On-Prem.

  1. Configure System Extensions, Privacy Preference Policy Control (PPPC), VPN, and Content Filter profile
  2. Create Policies
  3. Additional Options

I. Configure System Extensions, PPPC, VPN, and Content Filter profile

One configuration profile can contain all settings

System Extensions, PPPC, VPN, and Content Filter settings are required to deploy ESET Endpoint products. If all machines have the same macOS version, one configuration profile can be used for all of the System Extensions, PPPC, VPN, and Content Filter settings.

  1. Open Jamf Pro and click Computers → Configuration Profiles to set the approval for System Extensions, PPPC, VPN, and Content Filter and then click New to add a new configuration profile (one configuration profile can contain all the settings).

    Figure 1-1
  2. Type a Name for the profile.

    Figure 1-2
  3. In the Options tab, click System Extensions → Configure.

    Figure 1-3
  4. In the Allowed TEAM IDs and System Extensions section, type the following information:

    • Display Name: ESET SE [you can choose any name you want]
    • System Extension Types: Allowed System Extensions
    • Team Identifier: P8DQRXPVLP
    • Allowed System Extensions:
      com.eset.endpoint
      com.eset.network
      com.eset.firewall
      com.eset.devices


    Figure 1-4
  5. In the Options tab, click Privacy Preferences Policy Control → Configure.

    Figure 1-5
  6. Add in the following information for your applicable ESET product:

    Add both ESET Endpoint Antivirus and ESET Endpoint Security in the same PPPC setting

    If you are deploying both ESET Endpoint Antivirus and ESET Endpoint Security, you can add them in the same PPPC setting by clicking the + sign (plus) at the top right and then adding the information for the additional product.


ESET Endpoint Antivirus

Main product identifier EEA:

  • Identifier: com.eset.eea.6
  • Identifier Type: Bundle ID
  • Code Requirement: identifier "com.eset.eea.6" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
  • App or Service: SystemPolicyAllFiles
  • Access: Allow

Device identifier:

  • Identifier: com.eset.devices
  • Identifier Type: Bundle ID
  • Code Requirement: identifier "com.eset.devices" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
  • App or Service: SystemPolicyAllFiles
  • Access: Allow

Realtime identifier:

  • Identifier: com.eset.endpoint
  • Identifier Type: Bundle ID
  • Code Requirement: identifier "com.eset.endpoint" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
  • App or Service: SystemPolicyAllFiles
  • Access: Allow

ESET Endpoint Security

Main product identifier EES

  • Identifier: com.eset.ees.6
  • Identifier Type: Bundle ID
  • Code Requirement: identifier "com.eset.ees.6" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
  • App or Service: SystemPolicyAllFiles
  • Access: Allow

Device identifier

  • Identifier: com.eset.devices
  • Identifier Type: Bundle ID
  • Code Requirement: identifier "com.eset.devices" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
  • App or Service: SystemPolicyAllFiles
  • Access: Allow

Realtime identifier

  • Identifier: com.eset.endpoint
  • Identifier Type: Bundle ID
  • Code Requirement: identifier "com.eset.endpoint" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
  • App or Service: SystemPolicyAllFiles
  • Access: Allow

Figure 1-6
  7. In the Options tab, click VPN → Configure.

  8. Create a configuration profile for the Web Access Protection with the following settings:

    • VPN type: VPN
    • Connection type: Custom SSL
    • Identifier: com.eset.sysext.manager
    • Server: localhost
    • Provider Bundle Identifier: com.eset.network
    • User authentication: certificate
    • Provider Type: App-proxy
    • Provider Designated Requirement: identifier "com.eset.network" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
    • Select the check box next to Enable VPN on Demand
    • On Demand Rules Configuration XML:
      <array>
      <dict>
      <key>Action</key>
      <string>Connect</string>
      </dict>
      </array>
    • Idle Timer: Do not disconnect
    • Proxy Setup: Manual
    • Proxy Server And Port: localhost : 57856

    Figure 1-7
    Add Firewall configuration profile for ESET Endpoint Security

    If you are deploying ESET Endpoint Security, in the Content Filter tab, create a configuration profile for the firewall with the following settings:

    • Filter name: ESET Firewall
    • Identifier: com.eset.ees.6
    • Filter order: Firewall
    • Socket Filter: com.eset.firewall
    • Socket filter designated requirement: identifier "com.eset.firewall" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP

  9. Click the Scope tab and click Add.

    Figure 1-8
  10. In the Add Deployment Targets section, select the computers (or Computer Groups) you want to apply the policy to by clicking Add, and then click Done.

    Figure 1-9
  11. Click Save to apply your changes.

    Figure 1-10
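
The Code Requirement and designated requirement strings in section I differ only in the identifier they name, so a copy-paste slip between entries is easy to miss. The following is an added example (not ESET's or Jamf's code) that lints a PPPC payload against the Team Identifier given above; the function names are illustrative, the payload keys (Services, SystemPolicyAllFiles, Identifier, IdentifierType, CodeRequirement, Allowed) are assumed to follow Apple's PPPC payload format, and the sample payload is constructed.

```python
import plistlib
import re

TEAM_ID = "P8DQRXPVLP"  # ESET Team Identifier, as given in the steps above
REQUIRED_CLAUSES = (    # clauses present in every requirement string on this page
    "anchor apple generic",
    "certificate 1[field.1.2.840.113635.100.6.2.6]",
    "certificate leaf[field.1.2.840.113635.100.6.1.13]",
)

def requirement_for(identifier, team_id=TEAM_ID):
    """Build a requirement string in the form used on this page."""
    return (f'identifier "{identifier}" and anchor apple generic and '
            "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
            "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
            f"certificate leaf[subject.OU] = {team_id}")

def lint_requirement(identifier, requirement, team_id=TEAM_ID):
    """Return a list of problems; an empty list means the entry is consistent."""
    text = " ".join(re.sub(r"/\*.*?\*/", " ", requirement).split())
    m = re.search(r'identifier "([^"]+)"', text)
    ou = re.search(r'certificate leaf\[subject\.OU\] = "?([A-Z0-9]+)"?', text)
    named = m.group(1) if m else None
    pinned = ou.group(1) if ou else None
    problems = []
    if named != identifier:
        problems.append(f"identifier clause names {named!r}, entry is {identifier!r}")
    problems += [f"missing clause: {c}" for c in REQUIRED_CLAUSES if c not in text]
    if pinned != team_id:
        problems.append(f"subject.OU is {pinned!r}, expected {team_id!r}")
    return problems

def lint_pppc_payload(payload_bytes):
    """Lint every SystemPolicyAllFiles entry; return {identifier: [problems]}."""
    report = {}
    services = plistlib.loads(payload_bytes)["Services"]
    for entry in services.get("SystemPolicyAllFiles", []):
        issues = lint_requirement(entry["Identifier"], entry["CodeRequirement"])
        if issues:
            report[entry["Identifier"]] = issues
    return report

def sample_payload():
    """Constructed sample: the third entry reuses the com.eset.devices requirement."""
    pairs = [("com.eset.eea.6", "com.eset.eea.6"), ("com.eset.devices", "com.eset.devices"),
             ("com.eset.endpoint", "com.eset.devices")]
    entries = [{"Identifier": i, "IdentifierType": "bundleID", "Allowed": True,
                "CodeRequirement": requirement_for(r)} for i, r in pairs]
    return plistlib.dumps({"Services": {"SystemPolicyAllFiles": entries}})

if __name__ == "__main__":
    print(lint_pppc_payload(sample_payload()))
```

The same `lint_requirement` check applies to the VPN Provider Designated Requirement (com.eset.network) and the Socket filter designated requirement (com.eset.firewall), since they use the same string form.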

II. Create policies

  1. Click Policies in the left menu and click New.

    Figure 2-1
  2. Type a Display Name for the policy, and in the Trigger section, select the Recurring Check-in check box.

    Figure 2-2
  3. Download the following ESET Security product and ESET Management Agent installation scripts:

    • ESET Security product installation script: ESETavJamf.sh (right-click and select Save link as)
    • ESET Management Agent installation script: Create the Agent Live Installer and download the PROTECTAgentinstaller.sh file from ESET PROTECT or ESET PROTECT On-Prem.
  4. After downloading the scripts, follow the steps in Jamf Pro Administrator's Guide to add the scripts to Jamf.

    Install Rosetta 2 before installing ESET Security products

    If you are deploying ESET Security products on macOS computers with Apple Silicon (M1 chips), ensure you install Rosetta 2 before you run the ESET installation scripts.

    You can install Rosetta 2 with the command sudo softwareupdate --install-rosetta that you run in Terminal or with a Jamf script.

  5. From the Options tab, click Scripts and then click Configure.

    Figure 2-3
  6. Click Add to select the scripts to add to the policy.

  7. Add the following Parameter Values for the Endpoint script:

    • Parameter 4 (Required): Type 'EES' (if you use ESET Endpoint Security) or 'EEA' (if you use ESET Endpoint Antivirus)
    • Parameter 5 (Optional): License Key or Security Admin in the format PID:SecurityAdmin:Password, for example — 123-ABC-456:user=security.admin@email.com:pass=SecurityAdminPass
    • Parameter 6 (Optional): Specify HTTP Proxy in the format http://10.0.0.100:3128

    Figure 2-4
  8. Click the Scope tab and click Add.

    Figure 2-5
  9. In the Add Deployment Targets section, select the computers (or Computer Groups) you want to apply the policy to by clicking Add, and then click Done.

    Double deployment

    Before adding deployment targets, ensure no other installation policy for earlier versions of the ESET security product is assigned to the intended targets. This may cause the product to be installed twice, resulting in the product not functioning.
    If you are using ESET PROTECT or ESET PROTECT On-Prem and Jamf, check the installation policies in both.

    Figure 2-6
  10. Click Save to apply your changes.


III. Additional options

  • Verify you can manage the ESET Endpoint using ESET PROTECT or ESET PROTECT On-Prem: Open the ESET PROTECT or ESET PROTECT On-Prem Web Console, click Computers and verify that the Jamf endpoint is displayed in the All Group.
  • If you did not provide the License Key or Security Admin in the installation script parameters, you can activate the ESET products using ESET PROTECT.
  • Extension Attributes: Extension Attributes show information regarding ESET products in the Computer details → Search Inventory → General section.

Follow the instructions below to add the Extension Attribute:

  1. Open Jamf Pro and click the All Settings gear icon → Computer Management → Extension attributes.

    Figure 3-1
  2. Click New to create a new extension attribute.

    Figure 3-2
  3. In Display Name, type a name for the extension attribute, select Script in the Input Type drop-down menu, paste the ESETstatusEA.sh (right-click and select Save link as) script into the Shell field, and click Save.

    Figure 3-3
  4. The extension attribute will be automatically set to all computer groups. Click a computer, and in the General section it will display the extension attribute.

    Figure 3-4

Jamf Pro deployment for ESET Endpoint for macOS (earlier versions)

Follow the instructions below to deploy ESET Endpoint for macOS products using Jamf Pro and manage them using ESET PROTECT or ESET PROTECT On-Prem.

I. Configure KEXT and PPPC profile

One configuration profile can contain both settings

KEXT settings apply to High Sierra 10.13+ and PPPC settings apply to Mojave 10.14+; one configuration profile can contain both KEXT and PPPC settings if all machines are Mojave.

  1. Click Configuration Profiles to set the approval for the KEXT and PPPC and then click New to add a new configuration profile (one configuration profile can contain both KEXT and PPPC settings).

    Figure 4-1
  2. Type a Name for the profile.

    Figure 4-2
  3. In the Options tab, scroll down and click Approved Kernel Extensions → Configure.

    Figure 4-3
  4. In the Approved TEAM ID section, type the following information:

    • Display Name: ESET KEXT [you can choose any name you want]
    • Team ID: P8DQRXPVLP

    Figure 4-4
  5. In the Options tab, scroll to Privacy Preferences Policy Control and add in the following information for your applicable ESET product:

    Add both ESET Endpoint Antivirus and ESET Endpoint Security in the same PPPC setting

    If you are deploying both ESET Endpoint Antivirus and ESET Endpoint Security, you can add them in the same PPPC setting by clicking the + (plus) sign at the top right and then adding the information for the additional product.


ESET Endpoint Antivirus

Main product identifier EEA:
  • Identifier: com.eset.eea.6
  • Identifier Type: Bundle ID
  • Code Requirement: identifier "com.eset.eea.6" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
  • App or Service: SystemPolicyAllFiles
  • Access: Allow
Device identifier:
  • Identifier: com.eset.devices
  • Identifier Type: Bundle ID
  • Code Requirement: identifier "com.eset.devices" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
  • App or Service: SystemPolicyAllFiles
  • Access: Allow
Realtime identifier:
  • Identifier: com.eset.endpoint
  • Identifier Type: Bundle ID
  • Code Requirement: identifier "com.eset.endpoint" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
  • App or Service: SystemPolicyAllFiles
  • Access: Allow

ESET Endpoint Security

Main product identifier EES:
  • Identifier: com.eset.ees.6
  • Identifier Type: Bundle ID
  • Code Requirement: identifier "com.eset.ees.6" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
  • App or Service: SystemPolicyAllFiles
  • Access: Allow
Device identifier:
  • Identifier: com.eset.devices
  • Identifier Type: Bundle ID
  • Code Requirement: identifier "com.eset.devices" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
  • App or Service: SystemPolicyAllFiles
  • Access: Allow
Realtime identifier:
  • Identifier: com.eset.endpoint
  • Identifier Type: Bundle ID
  • Code Requirement: identifier "com.eset.endpoint" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
  • App or Service: SystemPolicyAllFiles
  • Access: Allow

Figure 4-5
  6. Click Save to apply your changes.


II. Create policies

  1. Click Policies in the left menu and click New.

    Figure 5-1
  2. Type a name for the policy and in the Trigger section, select Recurring Check-in.

    Figure 5-2
  3. Download the following ESET Security product and ESET Management Agent installation scripts:

    • ESET Security product installation script: ESETavJamf.sh (right-click and select Save link as)
    • ESET Management Agent installation script: Create the Agent Live Installer and download the PROTECTAgentinstaller.sh file from ESET PROTECT or ESET PROTECT On-Prem.
  4. After downloading the scripts, add the scripts to Jamf (this link takes you to the Jamf Pro Administrator's Guide).

  5. From the Options tab, click Scripts and then click Configure.

    Figure 5-3
  6. Click Add to select the scripts to add to the policy.

  7. Add the following Parameter Values for the Endpoint script:

    • Parameter 4 (Required): 'EES' (if you use ESET Endpoint Security) or 'EEA' (if you use ESET Endpoint Antivirus)
    • Parameter 5 (Optional): License Key or Security Admin in the format PID:SecurityAdmin:Password, for example — 123-ABC-456:user=security.admin@email.com:pass=SecurityAdminPass
    • Parameter 6 (Optional): Specify HTTP Proxy in the format http://10.0.0.100:3128

    Figure 5-4
  8. Click the Scope tab and then click Add.

    Figure 5-5
  9. In the Add Deployment Targets section, select the computers (or Computer Groups) you want to apply the policy to by clicking Add.

    Figure 5-6
  10. Click Done when finished and then click Save to apply your changes.


III. Additional options

  • Verify you can manage the ESET Endpoint using ESET PROTECT or ESET PROTECT On-Prem: Open the ESET PROTECT or ESET PROTECT On-Prem Web Console, click Computers and verify that the Jamf endpoint is displayed in the All Group.
  • If you did not provide the License Key or Security Admin in the installation script parameters, you can activate the ESET products using ESET PROTECT or ESET PROTECT On-Prem.
  • Extension Attributes: Extension Attributes show information regarding ESET products in the Computer details → Search Inventory → General section.

Follow the instructions below to add the Extension Attribute:

  1. In the top-right of the window, click the All Settings gear icon → Computer management → Extension attributes.

    Figure 6-1
  2. Click New to create a new extension attribute.

    Figure 6-2
  3. Type a name for the extension attribute, change the input type to Script, paste the ESETstatusEA.sh (right-click and select Save link as) script into the Shell field, and click Save.

    Figure 6-3
  4. The extension attribute will be automatically set to all computer groups. Click a computer and in the General section it will display the extension attribute.

    Figure 6-4