[KB8712] Deploy ESET Endpoint Security for macOS using Jamf Pro (8.x)

Issue

Solution

Follow the instructions below to deploy your ESET Endpoint Security product for macOS using Jamf Pro to manage using ESET PROTECT. 

  1. Configure System Extensions, Privacy Preference Policy Control (PPPC), VPN, and Content Filter profile
  2. Create Policies
  3. Additional Options

Enable pre-installation settings

To enable all necessary pre-installation settings download the .plist payload file for ESET Endpoint Security version and use it to create a configuration profile in your MDM. If you disable program components via component installation, you should also remove these components from your MDM configuration profiles.

I. Configure System Extensions, PPPC, VPN, and Content Filter profile

  1. Open Jamf Pro and click ComputersConfiguration Profiles to set the approval for System Extensions, PPPC, VPN, and Content Filter and click New to add a new configuration profile (one configuration profile can contain all the settings).
    Figure 1-1
    Click the image to view larger in new window
  1. Type a Name for the profile.

    Figure 1-2
  1. In the Options tab, click System ExtensionsConfigure.

    Figure 1-3
    Click the image to view larger in new window
  2. In the Allowed TEAM IDs and System Extensions section, type the following information:

    • Display Name: ESET SE [you can choose any name you want]
    • System Extension Types: Allowed System Extensions
    • Team Identifier: P8DQRXPVLP
    • Allowed System Extensions:
      com.eset.endpoint
      com.eset.network
      com.eset.firewall
      com.eset.devices


    Figure 1-4
    Click the image to view larger in new window 
  3. In the Options tab, click Privacy Preferences Policy Control → Configure.

    Figure 1-5
    Click the image to view larger in new window

Add in the following information for your applicable ESET product:

ESET Endpoint Security for macOS

  • Main product identifier EES:
    • Identifier: com.eset.ees.g2
    • Identifier Type: Bundle ID
    • Code Requirement: identifier "com.eset.ees.g2" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP 
    • App or Service: SystemPolicyAllFiles
    • Access: Allow

  • Realtime identifier:
    • Identifier: com.eset.endpoint
    • Identifier Type: Bundle ID
    • Code Requirement: identifier "com.eset.endpoint" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP 
    • App or Service: SystemPolicyAllFiles
    • Access: Allow

  • Network identifier:
    • Identifier: com.eset.network
    • Identifier Type: Bundle ID
    • Code Requirement: identifier "com.eset.network" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP 
    • App or Service: SystemPolicyAllFiles
    • Access: Allow

  • Firewall identifier:
    • Identifier: com.eset.firewall
    • Identifier Type: Bundle ID
    • Code Requirement: identifier "com.eset.firewall" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP 
    • App or Service: SystemPolicyAllFiles
    • Access: Allow

  • Uninstaller identifier:
    • Identifier: com.eset.Uninstaller
    • Identifier Type: Bundle ID
    • Code Requirement: identifier "com.eset.app.Uninstaller" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP  
    • App or Service: SystemPolicyAllFiles
    • Access: Allow
Full disk access may appear disabled

After allowing full disk access and system extensions remotely, in System SettingsPrivacy & Security, these settings might appear disabled. If ESET Endpoint Security does not display any warnings, full disk access and system extensions are allowed, regardless of their status in System SettingsPrivacy & Security.

 



Figure 1-6
Click the image to view larger in new window
  1. In the Options tab, click VPN Configure.

  2. Create a configuration profile for ESET Web and Email Protection with the following settings:

Web and Email protection

You must add the Web and Email protection configuration to system settings for Web and Email protection to function. If the Web and Email protection configuration is missing after the ESET Endpoint Security installation, users will receive "ESET Endpoint Security" Would Like to Filter Network Content.

Web Access Protection configuration is removed after uninstalling ESET Endpoint Security. If you need to uninstall and reinstall ESET Endpoint Security, you must redeploy the Web and Email protection configuration to the target computer.

In the General section, fill in the following:
  • Name: for example, ESET Web&Email Protection
  • Level: Computer level
  • Distribution method: usually: Install automatically
In the VPN section, fill in the following:
  • VPN Type: VPN
  • Connection type: Custom SSL
  • Identifier: com.eset.network.manager
  • server: localhost
  • Provider Bundle Identifier: com.eset.network
  • User Authentication: Certificate
  • Provider Type: App-proxy
  • Provider Designated Requirement: identifier "com.eset.network" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP 
  • Identity Certificate: None
  • Idle Timer: Do not disconnect
  • Proxy Setup: None
To add firewall configuration to system settings remotely, create a content filter configuration profile for the firewall before the installation/upgrade. Use the following settings: 
    • Identifier: com.eset.firewall.manager 
    • Filter order: Firewall
    • Socket filter: com.eset.firewall
    • Socket filter designated requirement: identifier "com.eset.firewall" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP 
For more information, see the Online Help guide.

Figure 1-7
Click the image to view larger in new window
 
  1. Click the Scope tab and click Add.

    Figure 1-8
  2. In the Add Deployment Targets section, select the computers (or Computer Groups) you want to apply the policy to by clicking Add, and then click Done.

    Figure 1-9
  3. Click Save to apply your changes.

    Figure 1-10
    Click the image to view larger in new window

II. Create policies

      1. Click Policies in the left menu and click New.

        Figure 2-1
        Click the image to view larger in new window
      2. Type a Display Name for the policy, and in the Trigger section, select the Recurring Check-in check box.

        Figure 2-2
        Click the image to view larger in new window
      3. Download the following ESET Security product and ESET Management Agent installation scripts:

        • ESET Security product installation script: ESETavJamf_g2.sh (right-click and select Save link as)
        • ESET Management Agent installation script: Create the Agent Live Installer and download the PROTECTAgentinstaller.sh file from ESET PROTECT On-Prem.

      4. After downloading the scripts, follow the steps in Jamf Pro Administrator's Guide to add the scripts to Jamf.

      5. From the Options tab, click Scripts and then click Configure.

        Figure 2-3
        Click the image to view larger in new window
      6. Click Add to select the scripts to add to the policy.

      7. Optionally, add the Parameter Values below for the Endpoint script. 

        • Parameter 4 (Optional): Activate with EBA or EPH account information in the following format: 123-ABC-456:user=security.admin@mail.com:pass=SecurityAdminPass

        • Parameter 5 (Optional): Specify HTTP Proxy in the format http://Proxy-IP-or-FQDN:3128

        • Parameter 6 (Optional): If no parameter values are added, it will install the latest version of ESET Endpoint Security for macOS and need to be activated by the ESET PROTECT On-Prem server. If you want to install the latest version of ESET Endpoint Antivirus for macOS, type EEA.

        Figure 2-4
      8. Click the Scope tab and click Add.

        Figure 2-5
        Click the image to view larger in new window
      9. In the Add Deployment Targets section, select the computers (or Computer Groups) you want to apply the policy to by clicking Add, and then click Done.

        Double deployment

        Before adding deployment targets, ensure no other installation policy for earlier versions of the ESET security product is assigned to the intended targets. This may cause the product to be installed twice, resulting in the product not functioning.
        If you are using ESET PROTECT On-Prem and Jamf, check the installation policies in both.

        Figure 2-6
        Click the image to view larger in new window
      10. Click Save to apply your changes.


III. Additional options

      • Verify you can manage the ESET Endpoint using ESET PROTECT On-Prem: Open the ESET PROTECT Web Console, click Computers and verify that the Jamf endpoint is displayed in the All Group.
      • If you did not type the License Key or Security Admin during the install scripts, you can activate the ESET products using ESET PROTECT.
      • Extension Attributes: Extension Attributes show information regarding ESET products in the Computer detailsSearch InventoryGeneral section.

Follow the instructions below to add the Extension Attribute:

      1. Open Jamf pro and click the All Settings gear icon → Computer ManagementExtension attributes.

        Figure 3-1
        Click the image to view larger in new window
      2. Click New to create a new extension attribute.

        Figure 3-2
        Click the image to view larger in new window
      3. In Display Name type a name for the extension attribute, select Script in the Input Type drop-down menu and then paste the ESETstatusEA.sh (right-click and select Save link as) script into the Shell field and click Save.

        Figure 3-3
        Click the image to view larger in new window
      4. The extension attribute will be automatically set to all computer groups. Click a computer and in the General section, it will display the extension attribute.

        Figure 3-4
        Click the image to view larger in new window

Troubleshooting issues after upgrading to version 8

Issues after automatically updating to version 8

Following an automatic upgrade from version 7 to version 8 of ESET Endpoint for macOS, computers display a notification stating that a restart is required to upgrade.

After restarting, ESET cannot run without approving the necessary system extensions. If you are experiencing this issue, you may be required to re-activate ESET on macOS endpoints and approve the necessary system extensions for ESET to run on the macOS operating system.

Approve system extensions via MDM

In environments with a remote management tool such as JAMF or Kandji, the steps below will resolve the system extension issue. If you are currently using Endpoint for macOS version 7 without automatic updates enabled, follow these steps before upgrading to version 8 to avoid system extension conflicts.

  1. Download the configuration profile .plist from the Endpoint Security User Guide.

  2. Change the file extension from .plist to mobileconfig. For example ESET_enable_all.mobileconfig.

  3. In Jamf, navigate to computersconfiguration profiles → select upload and select the file from step 2. In other management platforms, use the appropriate functionality to upload the configuration profile from step 2.

  4. Assign the version 8 computers to the configuration profile scope and then click save. Extension alerts should begin to resolve within minutes.

  5. Unassign the previously used configuration profiles(s) in JAMF or the management client. Only the version 8 configuration profile should be used with version 8.

ESET Endpoint Security for macOS Firewall is Automatically Enabled

With the upgrade to version 8, the firewall feature will be present and enabled upon installation.

To disable the firewall via an ESET PROTECT policy in environments where a firewall solution is already in place, follow these steps:

  1. Navigate to Settings in the Common Features policy that is applied to macOS devices. In the Common Features policy, the macOS logo is missing but still applies.

    Windows and macOS environments

    In environments with Windows and macOS devices managed under the same policy, you can create a new policy to prevent the disabling of firewall settings on your Windows devices.

  2. Navigate to SettingsNetwork Access ProtectionFirewall.

  3. Click the toggle next to Enable Firewall to disable the setting.

    Figure 4-1