[Julian Hexnode 13 February 2024 Julian Moderator]

Hey @Timothy, Thanks for posting.

The packages contain a plugin that is causing the installation failure. The ideal workaround would be to install the ESET packages using scripts. Kindly follow the below-mentioned steps:

1. It is required for you to apply System Extensions and PPPC policies on the macOS device before pushing the installation script. You can also choose to apply VPN and Firewall policies.

   System Extensions:

   (i) Navigate to Policies > New Policy or existing policy > macOS > Configurations > System Extensions, and click on Configure.

   (ii) Under the ‘System Extensions’ section, list the specific system extensions that need to be allowed for Mac.
   Team Identifier: P8DQRXPVLP
   Bundle ID(s): com.eset.endpoint, com.eset.network, com.eset.firewall, com.eset.devices

   PPPC:

   (i) Navigate to Policies > New Policy or existing policy > macOS > Security > Privacy Preferences and click on Configure.

   (ii) Click on +Add new preference and specify the preference for the ‘All Files’ service as ‘Allow’. Then, click on Select Apps.

   (iii) Under ‘Specify Bundle IDs/Path’, add the following information:

   ESET Endpoint Antivirus-

   • • Main product identifier EEA
       Identifier: com.eset.eea.6
       Identifier Type: Bundle ID
       Code Requirement:identifier “com.eset.eea.6” and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
     • Device identifier
       Identifier: com.eset.devices
       Identifier Type: Bundle ID
       Code Requirement:identifier “com.eset.devices” and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
     • Realtime identifier
       Identifier: com.eset.endpoint
       Identifier Type: Bundle ID
       Code Requirement: identifier “com.eset.endpoint” and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP

ESET Endpoint Security-

• • Main product identifier EES
    Identifier: com.eset.ees.6
    Identifier Type: Bundle ID
    Code Requirement:identifier “com.eset.ees.6” and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
  • Device identifier
    Identifier: com.eset.devices
    Identifier Type: Bundle ID
    Code Requirement:identifier “com.eset.devices” and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
  • Realtime identifier
    Identifier: com.eset.endpoint
    Identifier Type: Bundle ID
    Code Requirement: identifier “com.eset.endpoint” and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP 
2. Deploy the installation script to the Mac using the Execute Custom Script action:
   ESET Installation Script

   #!/bin/bash # Prod variable for install EEA or EES # # Activation will be attempted if value KEY contains is not empty # security admin format example: '123-ABC-456:user=security.admin@mail.com:pass=SecurityAdminPass' # Proxy example: http://Proxy-IP-or-FQDN:3128 Prod_P=$1 Lic_P=$2 Proxy_P=$3 Prod="" KEY="" eraa_http_proxy_value="" if [ -z "$Prod_P" ] && [ -z "$Prod" ] ; then echo 'No product selected please specify EEA or EES' & exit 1; fi if test -n "$Prod"; then Prod="$(echo $Prod | tr "[:lower:]" "[:upper:]")" fi if test -n "$Prod_P"; then Prod="$(echo $Prod_P | tr "[:lower:]" "[:upper:]")" fi if test -n "$Lic_P"; then KEY=$Lic_P fi if test -n "$Proxy_P"; then eraa_http_proxy_value=$Proxy_P fi files2del="$(mktemp -q /tmp/XXXXXXXX.files)" dirs2del="$(mktemp -q /tmp/XXXXXXXX.dirs)" echo "$dirs2del" >> "$files2del" dirs2umount="$(mktemp -q /tmp/XXXXXXXX.mounts)" echo "$dirs2umount" >> "$files2del" finalize() { set +e echo "Cleaning up:" if test -f "$dirs2umount" then while read f do sudo -S hdiutil detach "$f" done < "$dirs2umount" fi if test -f "$dirs2del" then while read f do test -d "$f" && rmdir "$f" done < "$dirs2del" fi if test -f "$files2del" then while read f do unlink "$f" done < "$files2del" unlink "$files2del" fi } trap 'finalize' HUP INT QUIT TERM EXIT if [ $Prod == EEA ]; then DMG=eea_osx_en.dmg URL=http://download.eset.com/com/eset/apps/business/eea/mac/latest/eea_osx_en.dmg APP=Antivirus fi if [ $Prod == EES ]; then DMG=ees_osx_en.dmg URL=http://download.eset.com/com/eset/apps/business/ees/mac/latest/ees_osx_en.dmg APP=Security fi if ! [[ $Prod =~ (EEA|EES) ]]; then echo 'No valid product selected please specify EEA or EES' && exit 1; fi local_ESET_dmg="$(mktemp -q -u /tmp/ESETInstaller.dmg.XXXXXXXX)" echo "Downloading ESET Endpoint $APP installer image '$URL':" if test -n "$eraa_http_proxy_value" then export use_proxy=yes export http_proxy="$eraa_http_proxy_value" (curl --connect-timeout 300 --insecure -o "$local_ESET_dmg" "$URL" || curl --connect-timeout 300 --noproxy "*" --insecure -o "$local_ESET_dmg" "$URL") && echo "$local_ESET_dmg" >> "$files2del" else curl --connect-timeout 300 --insecure -o "$local_ESET_dmg" "$URL" && echo "$local_ESET_dmg" >> "$files2del" fi if [ ! -f $local_ESET_dmg ]; then exit 1 ; fi test -d '/Library/Application Support/ESET/esets/cache' || mkdir -p '/Library/Application Support/ESET/esets/cache' touch '/Library/Application Support/ESET/esets/cache/do_not_launch_esets_gui_after_installation' local_ESET_mount="$(mktemp -q -d /tmp/ESETInstaller.mount.XXXXXXXX)" && echo "$local_ESET_mount" | tee "$dirs2del" >> "$dirs2umount" echo "Mounting image '$local_ESET_dmg':" && sudo -S hdiutil attach "$local_ESET_dmg" -mountpoint "$local_ESET_mount" -nobrowse local_ESET_pkg="$(ls "$local_ESET_mount"/Resources/ | grep "\.pkg$" | tail -n 1)" SigCheck="$(pkgutil --check-signature "$local_ESET_mount/Resources/$local_ESET_pkg" | grep -o "ESET, spol. s r.o. (P8DQRXPVLP)")" if [ "$SigCheck" == "ESET, spol. s r.o. (P8DQRXPVLP)" ]; then echo "Signature check Passed" echo "$SigCheck" echo "Installing package '$local_ESET_mount/Resources/$local_ESET_pkg':" && sudo -S installer -pkg "$local_ESET_mount/Resources/$local_ESET_pkg" -target / else echo "Signature check failed" echo "$SigCheck" exit 1 fi sleep 10 if test -n "$KEY"; then /Applications/ESET\ Endpoint\ $APP.app/Contents/MacOS/esets_daemon --wait-respond --activate "key=$KEY" fi exit 0

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124

   #!/bin/bash # Prod variable for install EEA or EES # # Activation will be attempted if value KEY contains is not empty # security admin format example: '123-ABC-456:user=security.admin@mail.com:pass=SecurityAdminPass' # Proxy example: http://Proxy-IP-or-FQDN:3128   Prod_P=$1 Lic_P=$2 Proxy_P=$3   Prod="" KEY="" eraa_http_proxy_value=""   if [ -z "$Prod_P" ] && [ -z "$Prod" ] ; then echo 'No product selected please specify EEA or EES' & exit 1; fi   if test -n "$Prod"; then   Prod="$(echo $Prod | tr "[:lower:]" "[:upper:]")" fi   if test -n "$Prod_P"; then   Prod="$(echo $Prod_P | tr "[:lower:]" "[:upper:]")" fi   if test -n "$Lic_P"; then   KEY=$Lic_P fi   if test -n "$Proxy_P"; then   eraa_http_proxy_value=$Proxy_P fi   files2del="$(mktemp -q /tmp/XXXXXXXX.files)" dirs2del="$(mktemp -q /tmp/XXXXXXXX.dirs)" echo "$dirs2del" >> "$files2del" dirs2umount="$(mktemp -q /tmp/XXXXXXXX.mounts)" echo "$dirs2umount" >> "$files2del"   finalize() {   set +e     echo "Cleaning up:"     if test -f "$dirs2umount"   then     while read f     do       sudo -S hdiutil detach "$f"     done < "$dirs2umount"   fi     if test -f "$dirs2del"   then     while read f     do       test -d "$f" && rmdir "$f"     done < "$dirs2del"   fi     if test -f "$files2del"   then     while read f     do       unlink "$f"     done < "$files2del"     unlink "$files2del"   fi }   trap 'finalize' HUP INT QUIT TERM EXIT   if [ $Prod == EEA ]; then   DMG=eea_osx_en.dmg   URL=http://download.eset.com/com/eset/apps/business/eea/mac/latest/eea_osx_en.dmg   APP=Antivirus fi if [ $Prod == EES ]; then   DMG=ees_osx_en.dmg   URL=http://download.eset.com/com/eset/apps/business/ees/mac/latest/ees_osx_en.dmg   APP=Security fi   if ! [[ $Prod =~ (EEA|EES) ]]; then echo 'No valid product selected please specify EEA or EES' && exit 1; fi   local_ESET_dmg="$(mktemp -q -u /tmp/ESETInstaller.dmg.XXXXXXXX)" echo "Downloading ESET Endpoint $APP installer image '$URL':"   if test -n "$eraa_http_proxy_value" then   export use_proxy=yes   export http_proxy="$eraa_http_proxy_value"   (curl --connect-timeout 300 --insecure -o "$local_ESET_dmg" "$URL" || curl --connect-timeout 300 --noproxy "*" --insecure -o "$local_ESET_dmg" "$URL") && echo "$local_ESET_dmg" >> "$files2del" else   curl --connect-timeout 300 --insecure -o "$local_ESET_dmg" "$URL" && echo "$local_ESET_dmg" >> "$files2del" fi   if [ ! -f $local_ESET_dmg ]; then exit 1 ; fi test -d '/Library/Application Support/ESET/esets/cache' || mkdir -p '/Library/Application Support/ESET/esets/cache' touch '/Library/Application Support/ESET/esets/cache/do_not_launch_esets_gui_after_installation'   local_ESET_mount="$(mktemp -q -d /tmp/ESETInstaller.mount.XXXXXXXX)" && echo "$local_ESET_mount" | tee "$dirs2del" >> "$dirs2umount" echo "Mounting image '$local_ESET_dmg':" && sudo -S hdiutil attach "$local_ESET_dmg" -mountpoint "$local_ESET_mount" -nobrowse local_ESET_pkg="$(ls "$local_ESET_mount"/Resources/ | grep "\.pkg$" | tail -n 1)"   SigCheck="$(pkgutil --check-signature "$local_ESET_mount/Resources/$local_ESET_pkg" | grep -o "ESET, spol. s r.o. (P8DQRXPVLP)")" if [ "$SigCheck" == "ESET, spol. s r.o. (P8DQRXPVLP)" ]; then   echo "Signature check Passed"   echo "$SigCheck"   echo "Installing package '$local_ESET_mount/Resources/$local_ESET_pkg':" && sudo -S installer -pkg "$local_ESET_mount/Resources/$local_ESET_pkg" -target / else   echo "Signature check failed"   echo "$SigCheck"   exit 1 fi   sleep 10   if test -n "$KEY"; then   /Applications/ESET\ Endpoint\ $APP.app/Contents/MacOS/esets_daemon  --wait-respond --activate "key=$KEY" fi   exit 0

   (i) Navigate to the device details page of the macOS device and select Actions > Execute Custom Script.

   (ii) The script provided requires certain arguments for the installation to work:

   • Argument 1 (Required): Type ‘EES‘ (if you are installing ESET Endpoint Security) or ‘EEA‘ (if you are installing ESET Endpoint Antivirus).
   • Argument 2 (Optional): Specify the license key, username of the security admin and password in the format PID:SecurityAdmin:Password, for example, 123-ABC-456:user=security.admin@email.com:pass=SecurityAdminPass.
   • Argument 3 (Optional): Specify HTTP Proxy in the format: http://10.0.0.100:3128.

   There are two methods to pass the argument to the script:

   a. Directly edit the script by replacing $1, $2, and $3 present (in the 8th, 9th, and 10th lines of the script) with the arguments (in the same order) mentioned above.

   b. Under the Execute Custom Script action, pass the three arguments (in the same order mentioned above) separated by a space inside the Arguments section.

Once the script is deployed, the ESET package(s) gets silently installed in the macOS device. The installation time can be long.

Make sure you follow these precautions before executing the ESET installation script:

1. Install Rosetta 2 on macOS systems without Intel chips. Run the command sudo softwareupdate –install-rosetta either in Terminal or via the Execute Custom Script action for the installation.
2. The macOS device should not have any other installation policies assigned for any previous versions of the ESET security solution.

I hope you are satisfied with our solution. Kindly reach out to us for further queries.

Regards,
Julian Refn
Hexnode UEM