Well first thing- 3.6.1 is no longer supported, so i'd strongly suggest they upgrade/start afresh to a newer verion- 4.5 or 4.6.
how do they install the epo agent?
I used a GPO startup script to check and deploy the agent (did when i used 3.6.1 and still do) (since that will run with admin rights). once the agent is deployed, They then appeared in the console then if you have a deployment task to install Vscan it would do it automatically.
I still have my 3.6.1 up and all my services are running as local admin. Trying to think why- unless they want to force a client install from within the console- they'd need local admin rights and I can't see anywhere where you set this as an account to use.
as its unsupported the best bet is to upgrade to a support version ASAP.
Would LOVE to see your GPO if possible...
I JUST got off the phone with the McAfee admin after spending several hours last night reading through the documentation. What I did was set their ePO Application Server service to run as a domain admin account (but they can't log in with it interactively).
When they go to push the client out, they will use the same credentials...we'll have to test this once we lock the service account down, but for now, it seems to have solved their issue.
As for the console version, they are apparently in the process of installing a v4.5 console.