cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted

Advice on policy config for .msi files?

Jump to solution

Aloha,

I'm generally comfortable with updaters, binaries, installers, etc but I've run into a snag whitelisting an msi that we need to execute in the field.  Since the msi itself isn't truly an executable, it shouldn't be able to function as an updater.

Examing the event logs,  I see that explorer.exe calls msiexec.exe when the msi in question is double-clicked.  Granting updater status to explorer.exe is an obviously bad idea and I'm not too fond of giving msiexec.exe such status either, so I'm trying to determine the best strategy.  I've toyed with parent and library settings, but none seem to achieve the granularity I'd prefer in regards to the specific msi. 

Does anyone have any suggestions/feedback on Application Control policies and msi's?

Thanks,

T.

1 Solution

Accepted Solutions
Highlighted

Re: Advice on policy config for .msi files?

Jump to solution

Hi,

Try running the following command

sadmin features enable pkg-ctrl

you need to reboot the system, after that you will be able to run msi from an autorized share folder

View solution in original post

7 Replies
Highlighted

Re: Advice on policy config for .msi files?

Jump to solution

Hi,

Try running the following command

sadmin features enable pkg-ctrl

you need to reboot the system, after that you will be able to run msi from an autorized share folder

View solution in original post

Highlighted

Re: Advice on policy config for .msi files?

Jump to solution

So in the Application Control Options in ePO 5.10 with SC extension v. 8.32.103 what does the Package Control  and Bypass Package Control. Is this the same as the command.

sadmin features enable pkg-ctrl

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 8

Re: Advice on policy config for .msi files?

Jump to solution

Hi @aponjos613 Yes, the "sadmin features enable pkg-ctrl" command is the MACC Package Control feature.  Please reference the Product Guide for further details about how this feature work.  There are 3 separate options to the Package Control feature.  Package Control is the main feature, with options to "Allow Uninstallation" and "Bypass Package Control" subfeatures.  You can see the status of all three, if you run "sadmin features list" in an Admin cmd prompt.  

NOTE: Use the "Bypass Package Control" if you're wanting to just allow any .msi installer to install/uninstall on systems; rather than 'disabling' the Package Control feature.

https://docs.mcafee.com/bundle/application-change-control-8.3.x-product-guide-windows/page/GUID-347B...

Highlighted

Advice on policy config for .msi files?

Jump to solution

How about adding the msi as an installer...?

Highlighted

Advice on policy config for .msi files?

Jump to solution

@Ciphent - I experimented with the msi as an installer/updater, but utlimately an msi functions as a document, not an executable.

@aacordoba - Good info, I will look into that.  Is there a way to translate that into a policy or would I have to run that as a command line task through ePO?

Highlighted

Advice on policy config for .msi files?

Jump to solution

So far now I just run a command in ePO.

But what I can´t know if what system already have this feature enable, If you are able to find some query regarding this please let me know.

Regards.

Highlighted

Advice on policy config for .msi files?

Jump to solution

Hmm...

I can setup a Solidcore Command Line task to enable or list features, but the results are only viewable in ePO on a per system basis in a similar manner to an 'xray' command line task.  Reviewing the data I can query, I don't believe there is a way to create a query of the status of Solidcore features via ePO 4.5.

I enabled the package control feature and it appears to have given me a lot more flexibility with the MSI's, but the required reboot is a deal killer in the short term.

Thanks again for the info!

-T.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community