On April 27, 2023, we released multiple updates to our Mac products, adding support for Apple silicon and implementing new certificates. To ensure a seamless experience, make sure that all applicable products in your environment are upgraded to the latest available version.
IMPORTANT: If you choose to move forward with updating any of the products,
you must upgrade all of them. You can't upgrade only one or a few selected products.
What products are updated to offer Apple silicon support?
- DLP
- EDR Client
- ENSM
- FRP
- MNE
- PA
- SCP
- TA
Do I need to upgrade right away?
No. If you're not prepared to upgrade, you can choose to do so at a later time. When you do upgrade, make sure that you follow the process documented below.
Remember, upgrading one of the affected products on a device requires upgrading
all affected products on that device.
Can I perform individual product upgrades?
No. You can't upgrade products individually. When one of the affected products (except TA or PA) is upgraded, it results in the uninstallation of all other products.
This single upgrade process is required because of the implementation of new signing certificates.
The latest available version of those other affected products should then be installed.
To move to these versions, in an Intel
®-based or mixed environment, you
must update all your clients at the same time.
Before you upgrade:
- Review the entire upgrade process and be aware of the challenges and actions required.
- View the Known Issues and Release Notes for the products that you're upgrading. Check these documents for installation issues and other product-specific prerequisites and requirements to address before you upgrade.
- Determine which product versions you need to download. View the following table and download as required.
For more information, see KB56057 - How to download Enterprise product updates and documentation.
IMPORTANT: If you choose to move forward with updating any of the products, you must upgrade all of them. You can't upgrade only one or a few selected products.
| Product |
Version to upgrade to |
| TA |
5.7.9.139 |
| ENSM |
10.7.9:
- Threat Prevention Version: 10.7.9.138
- Firewall Version: 10.7.9.37
- Web Control Version: 10.7.9.58
- Adaptive Threat Protection Version: 10.7.9.41
|
| DLP |
11.10.0.1776 |
| EDR Client |
4.1.1.2821 |
| SCP |
4.6.0.242 |
| MNE |
5.2.3.11 |
| FRP |
5.4.4.92 |
| PA |
6.5.5.246 |
Upgrade process:
- Light blue boxes indicate an action performed on your ePO on-prem server.
- Dark green boxes indicate an action performed on your Endpoint.
- Light green boxes indicate information for Endpoint.
- The numbers in square brackets [x] are documented in more depth in the process below.
.JPG)
- Check in your downloaded extensions and packages for applicable products to ePO. Then, check in the latest DATs and content updates.
- [1] Verify that the msgbus certificate checked in to ePO is version 5.7.9.139. If the msgbus certificate version is older, check version 5.7.9.139 in to ePO.
IMPORTANT: Deploy the updated msgbus certificate after you upgrade TA.
- JAMF/MDM users only:
Add the following System Extensions MDM payload settings to your Configuration Profiles. These additions ensure the removal of the legacy System Extensions:
| Property |
Value |
| System Extension Types |
Removable System Extensions |
| Team Identifier |
GT8P3H7SPW |
| REMOVABLE SYSTEM EXTENSIONS |
com.mcafee.CMF.networkextension
com.mcafee.CMF.endpointsecurity |
FMP covers removal during the deployment process. But, the removal must be approved by either the user/admin or via the MDM profile if configured properly.
For macOS Big Sur and earlier, users/admins should be notified to allow the removal, as Configuration Profiles might not be able to permit the removal of the legacy extensions,
due to a limitation in these OSs.
Additionally, to allow the product to work properly, allow the following either in the Configuration Profiles or by the user/admin.
| Property |
Value |
| System Extension Types |
Allowed System Extensions |
| Team Identifier |
P2BNL68L2C |
| Bundle Identifiers |
com.trellix.CMF.networkextension
com.trellix.CMF.endpointsecurity |
Finally, add your certificates via configuration profiles.
- Deploy TA via ePO to your applicable endpoints.
[2] Policy enforcement issues with upgraded TA and other products:
The TA monitor might show that the agent service is running, but policy enforcement fails. This is because the TA code signing has been updated.
The About and Console pages display all the products installed, but events from other products aren't reported back to ePO. Policy enforcement from ePO won't happen on client machines.
NOTE: The menulet icon displays the McAfee logo until ENSM is updated.
- Deploy the msgbus certificate from ePO.
For details, see KB95958 - Trellix Agent MsgBus cert updater package 5.7.7.435 or later contains updated Musarubra and McAfee Inc certificates.
- Deploy your products from ePO:
[3] Recommended deployment order for products:
- Create a single deployment task for all applicable products.
IMPORTANT: Deploy the products in the following order:
- ENSM (Threat Prevention, Firewall, Web Control, Adaptive Threat Prevention)
- DLP
- EDR Client
- SCP
- MNE
- FRP
- PA
NOTES:
- If you have a subset of the products, choose the product that you want to deploy, but deploy them in the above order.
- Support recommends setting the Randomization option on the deployment task, so task execution is spread out across your endpoint.
- To handle any deployment failures in a previous run, Support recommends setting the Repeat option on the deployment task, so that the task can execute multiple times at the endpoint.
- Push the ePO deployment task to the endpoints.
[4] Backing up of artifacts and uninstalling products:
As part of the first product upgrade, the artifacts of all installed products are backed up, and except for MNE and PA, all other products are uninstalled. After the products are upgraded, these artifacts are restored.
- On the client, provide consent to uninstall system extensions.
For details, see KB93600 - Consent needed to enable ENSM Firewall 10.7.5 and later.
IMPORTANT: Administrator consent is required on the client to remove the software extensions.
[5] Uninstalling old system extensions on the client:
In non-MDM deployments, during uninstallation, the following McAfee-branded system extensions are removed:
- com.mcafee.CMF.networkextension
- com.mcafee.CMF.endpointsecurity (applicable if EDR Client is installed)
- Provide consent on the clients to install the new system extensions:
[6] Installing new system extensions
In non-MDM deployments, during installation, allow the following Trellix system extensions to load new extensions through the pop-ups:
- com.trellix.CMF.networkextension
- com.trellix.CMF.endpointsecurity (prompted if EDR Client is installed)
- NetworkFilterContent
- Provide full disk access for specific applications on your clients:
[7] When prompted, provide full disk access on the client for fmpd, VShieldScanner, and VShieldScanManager.app.
NOTES:
- The ENSM VShieldScanner Full Disk Access prompt is shown every 10 minutes until accepted.
- The ENSM System Extensions Full Disk Access prompt is shown every 30 minutes until accepted.
- [8] Provide full disk access for the new extensions and process, via the Full Disk Access list:
- Click System Settings, Privacy & Security, Full Disk Access.
- Add TrellixNetworkExtension, TrellixEndpointSecurity, and masvc.
For details, see KB91109 - Compatibility with Privacy Policy Preference Control.
IMPORTANT: If DLP is the first product to be updated, DLP doesn't show you a notification to enable Full Disk Access for fmpd.
You must manually enable Full Disk Access for the fmpd process.
- [9] View the upgrade process. Be aware of the following:
- MNE won't be uninstalled. The MNE functionality won't work until MNE is upgraded to the latest version.
- You might see MNEHost and MNEMacTool stop responding (crash) due to this issue.
- Until MNE is upgraded, the menulet icon displays the red alert MAC is at risk, whereas the console displays MAC is secured.
All other products work properly.
- PA isn't uninstalled, but is upgraded to the provided version.
- You'll see a pop-up: Background Items Added.
- The complete pop-up is as follows:
- When the upgrade finishes, you see the entry FireEye Security Holdings US LLC present under Login Items. The number of items depends on the products that you've installed.
.JPG)
- [10] Verify product upgrades:
After all applicable products are upgraded, check the following items to ensure successful upgrading of all products:
- Menulet shows the Trellix logo.
- Menulet, About displays all products installed and their versions.
- Menulet, Console displays the status of the client, all the products installed, and their status (Enabled or Running).
