Upgrade/install process for August 2023 Mac product releases for ePO SaaS
Technical Articles ID:
KB96552
Last Modified: 2023-08-03 18:58:17 Etc/GMT
Environment
Data Loss Prevention (DLP)
Endpoint Detection and Response (EDR) Client
Endpoint Security for Mac (ENSM)
File and Removable Media Protection (FRP)
Management of Native Encryption (MNE)
Skyhigh Client Proxy (SCP)
Trellix Agent (TA)
Summary
On August 3, 2023, we released multiple updates to our Mac products running on ePO SaaS, adding support for Apple silicon and implementing new certificates.
IMPORTANT: If you choose to move forward with updating any of the products, you must upgrade all of them. You can't upgrade only one or a few selected products.
What products are updated to offer Apple silicon support with ePO - SaaS?
- DLP
- EDR Client
- ENSM
- FRP
- MNE
- SCP
- TA
IMPORTANT: The product builds listed above are checked in to the current branch. If you're not ready to upgrade all MAC products, review all your deployment tasks to make sure that they're not configured to automatically deploy the latest version if they're using the current branch. If configured to automatically deploy the latest versions from the current branch, your existing products will get uninstalled and some of the new versions of the products may not be installed properly due to deployment order dependencies. In such cases, initiate a manual deployment task. Make sure to follow the process documented below on manual deployment steps.
Do I need to upgrade right away?
No. If you're not prepared to upgrade, you can choose to do so at a later time. When you do upgrade, make sure that you follow the process documented below. Remember, upgrading one of the affected products on a device requires upgrading all affected products on that device.
Can I perform individual product upgrades?
No. You can't upgrade products individually. When one of the affected products (except TA) is upgraded, it results in the uninstallation of all other products. This single upgrade process is required because of the implementation of new signing certificates. The latest available version of those other affected products should then be installed. To move to these versions, you must update all your clients at the same time.
Before you upgrade:
- Review the entire upgrade process and be aware of the challenges and actions required.
- View the Known Issues and Release Notes for the products that you're upgrading. Check these documents for installation issues and other product-specific prerequisites and requirements to address before you upgrade.
- Upgrade to the following product versions:
IMPORTANT: If you choose to move forward with updating any of the products, you must upgrade all of them. You can't upgrade only one or a few selected products.
Product |
Version to upgrade to |
TA |
5.7.9.139 |
ENSM |
10.7.9:
- Threat Prevention Version: 10.7.9.138
- Firewall Version: 10.7.9.37
- Web Control Version: 10.7.9.58
- Adaptive Threat Protection Version: 10.7.9.41
|
DLP |
11.6.4.73.1 |
EDR Client |
4.1.1.2821 |
SCP |
4.7.0.91 |
MNE |
5.2.3.48 |
FRP |
5.4.4.92 |
Upgrade process:
- Perform the product installation from the current branch of ePO - SaaS.
- Light blue boxes indicate an action performed on your ePO - SaaS server.
- Dark green boxes indicate an action performed on your Endpoint.
- Light green boxes indicate information for Endpoint.
- The numbers in square brackets [x] are documented in more depth in the process below.
- Verify the extensions and packages for applicable products in the ePO - SaaS current branch. Also, verify that the latest DATs and contents are available.
- [1] Verify that the msgbus certificate checked in to ePO is version 5.7.9.139. If the msgbus certificate version is older, open a Support case with Technical Support and get it updated.
IMPORTANT: Deploy the updated msgbus certificate after you upgrade TA.
- JAMF/MDM users only:
Add the following System Extension MDM payload settings to your Configuration Profiles. These additions ensure the removal of the legacy System Extensions.
Property |
Value |
System Extension Types |
Removable System Extensions |
Team Identifier |
GT8P3H7SPW |
REMOVABLE SYSTEM EXTENSIONS |
com.mcafee.CMF.networkextension
com.mcafee.CMF.endpointsecurity |
FMP covers removal during the deployment process. But, the removal must be approved by either the user/admin or via the MDM profile if configured properly.
For macOS Big Sur and earlier, users/admins should be notified to allow the removal, as Configuration Profiles might not be able to permit the removal of the legacy extensions,
due to a limitation in these OSs.
Additionally, to allow the product to work properly, allow the following either in the Configuration Profiles or by the user/admin:
Property |
Value |
System Extension Types |
Removable System Extensions |
Team Identifier |
P2BNL68L2C |
Bundle Identifiers |
com.trellix.CMF.networkextension
com.trellix.CMF.endpointsecurity |
Finally, add your certificates via configuration profiles.
- Deploy TA from the current branch of ePO - SaaS to your applicable endpoints.
[2] Policy enforcement issues with upgraded TA and other products:
The TA monitor might show that the agent service is running, but policy enforcement fails. This is because the TA code signing has been updated.
The About and Console pages display all the products installed, but events from other products aren't reported back to ePO. Policy enforcement from ePO won't happen on client machines.
NOTE: The menulet icon displays the McAfee logo until ENSM is updated.
- Deploy your products from the current branch of ePO - SaaS:
[3] Recommended deployment order for products:
- Create a single deployment task for all applicable products from the current branch of ePO - SaaS.
IMPORTANT: Deploy the products in the following order:
- ENSM (Threat Prevention, Firewall, Web Control, Adaptive Threat Prevention)
- DLP
- EDR Client
- SCP
- MNE
- FRP
NOTES:
- If you have a subset of the products, choose the product that you want to deploy, but deploy them in the above order.
- Support recommends setting the Randomization option on the deployment task, so task execution is spread out across your endpoint.
- Push the ePO deployment task to the endpoints.
[4] Backing up of artifacts and uninstalling products:
As part of the first product upgrade, the artifacts of all installed products are backed up, and except for MNE, all other products are uninstalled. After the products are upgraded, these artifacts are restored.
- On the client, provide consent to uninstall system extensions.
For details, see KB93600 - Consent needed to enable ENSM Firewall 10.7.5 and later.
IMPORTANT: Administrator consent is required on the client to remove the software extensions. Failure to provide consent to remove System Extension (in a non-MDM environment) signed by McAfee, Inc. upon an upgrade may result in crashing the System Extension application upon reboot. However, this will not adversely impact the upgraded products. For details, see KB96551 - McAfee system extensions are not removed after pushing an upgrade from ePO and rebooting.
[5] Uninstalling old system extensions on the client:
In non-MDM deployments, during uninstallation, the following McAfee-branded system extensions are removed:
- com.mcafee.CMF.networkextension
- com.mcafee.CMF.endpointsecurity (applicable if EDR Client is installed)
- Provide consent on the clients to install the new system extensions:
[6] Installing new system extensions:
In non-MDM deployments, during installation, allow the following Trellix system extensions to load new extensions through the pop-ups:
- com.trellix.CMF.networkextension
- com.trellix.CMF.endpointsecurity (prompted if EDR Client is installed)
- NetworkFilterContent
- Provide full disk access for specific applications on your clients:
[7] When prompted, provide full disk access on the client for fmpd, VShieldScanner, and VShieldScanManager.app.
For details, see KB91109 - Compatibility with Privacy Policy Preference Control.
Having both McAfee Privacy Policy Preference Control (PPPC) and Trellix PPPC loaded onto a client system can lead to conflicts during the upgrade. Make sure to use the respective profiles with the appropriate Mac products to avoid any issues.
NOTES:
- The ENSM VShieldScanner Full Disk Access prompt is shown every 10 minutes until accepted.
- The ENSM System Extensions Full Disk Access prompt is shown every 30 minutes until accepted.
- [8] Provide full disk access for the new extensions and process, via the Full Disk Access list:
- Click System Settings, Privacy & Security, Full Disk Access.
- Add TrellixNetworkExtension, TrellixEndpointSecurity, and masvc.
IMPORTANT: If DLP is the first product to be updated, DLP doesn't show you a notification to enable Full Disk Access for fmpd.
You must manually enable Full Disk Access for the fmpd process.
- [9] View the upgrade process. Be aware of the following:
- MNE won't be uninstalled. The MNE functionality won't work until MNE is upgraded to the latest version.
- You might see MNEHost and MNEMacTool stop responding (crash) due to this issue.
- Until MNE is upgraded, the menulet icon displays the red alert MAC is at risk, whereas the console displays MAC is secured. All other products work properly.
- You'll see a pop-up: Background Items Added.
- The complete pop-up is as follows:
- When the upgrade finishes, you see the entry FireEye Security Holdings US LLC present under Login Items. The number of items depends on the products that you've installed.
- [10] Verify product upgrades:
After all applicable products are upgraded, check the following items to ensure successful upgrading of all products:
- Menulet shows the Trellix logo.
- Menulet, About displays all products installed and their versions.
- Menulet, Console displays the status of the client, all the products installed, and their status (Enabled or Running).
- [11] Run the deployment task again, but only for the products not deployed.
NOTE: This step is only needed if some products aren't upgraded successfully.
|