1 2 3 Previous Next 25 Replies Latest reply on Mar 20, 2012 7:36 AM by JoeBidgood

    EPO Agent Distribution

      I'm trying to implement EPO server within my organisation.  I want to disribute the agent and VSE using group policy.  I've setup VSE and that installs fine.  The agent however, seems to install in unmanaged mode.  After the installation has completed I can manually change the client to managed mode by running frminst.exe with the appropriate command switches or I can run Framepkg.exe which is where I extracted the msi from.  I'd want the client to be installed in managed mode in the first place as this seems the optimal was to do things.


      Ultimately I'm looking for the best method to ensure all clients new and old will be installed with vse and the client in managed mode without any user intervention.



        • 1. Re: EPO Agent Distribution

          Bascially the easiest way to install the Agent is to deploy it from ePO.


          If you need to do the install manually then use the agent installer generated by ePO (Add new system -> create and download agent installion package) as that will have all the management config wrapped into the installer.



          UPDATE: Forgot to mention....I usually install the managed agent first via ePO or manaul install and then install VSE but it really doesn't matter which way you do it.


          Message was edited by: Tristan on 14/03/12 17:38:11 GMT
          • 2. Re: EPO Agent Distribution

            That's no good because you have to do that every time a system is setup.  I prefer the installation of antivirus to be automatic and be there from day 1.


            I'm not looking for the easiest way, I'm looking for the best way to ensure all systems are covered.


            With kaspersky the agent is configured so when it's installed it joins the appropriate server management application automatically.

            • 3. Re: EPO Agent Distribution

              ePO is really the best tool for the job.


              I have multiple install groups in my ePO system tree with different tasks permenently assign to them. Install VSE, Install DLP, Update to Patch 1, Full system scan ....etc. When ever i want to add a new machine or upgrade an existing one i just drop it in the relevant groups.


              Step 1. Add system to ePO. This installs an agent in managed mode

              Step 2. Move computer in ePO to a group with the VSE install task assigned to it

              Step 3. Sit back and relax as ePO does the rest.


              If you really want to use group policy then you'll need to look into building a custom install package for VSE, that contains the framepkg.exe generated by ePO, the agent that comes with the downloaded VSE installer will always be in a generic unmanaged mode.


              Another option in the non-ePO route is to look at 'local update publisher' http://localupdatepubl.sourceforge.net/ which allows you to use WSUS to distribute anything you want.

              • 4. Re: EPO Agent Distribution

                That's sub-optimal.  At the moment the only steps required for me to depoy a workstation, (be it one or the entire network) is to press deploy next to the appropriate workstation.  Anything that would require further intervention would mean that I have to wait till that whole process completes, which is about an hour for a single workstation, and then complete further steps.  I don't want any additional steps to that process as it only creates a potential area for errors.  A deployment process that requires administrators to carry out multiple steps is not what I want under any circumstances.


                As I said I've already made the installer package for VSE, and I've made a package for the agent.  All that's required to convert the agent to managed mode is (from the manual) to run either Framepkg.exe or "C:\Program File\McAfee\Common Framework\frmins.exe /Install=agent /siteinfo=<full path\SiteList.xml."  Running both these is relatively trivial, if I wanted I could modify the MFEagent.msi package I have already produced to do this, however, this seems like it could potentially create problems.  I would expect given that this is so trivial that the installer was designed with this functionality already and if it isn't then why isn't it?

                • 5. Re: EPO Agent Distribution

                  As i've tried to explain. If you use the FramePkg.exe agent installer created by ePO it will install in managed mode.


                  I'm 99% sure that the instructions you quoted from the manual are if your using the generic installer downloaded from the McAfee website.

                  • 6. Re: EPO Agent Distribution

                    In order to deploy the agent via group policy I require the installer to be in the windows installer package (.msi) format.  I could write a script that runs FramePkg.exe however this again seems sub-optimal as you often lose the error handling and logging associated with msi packages.


                    I can extract FramePkg.exe to produce the files contained within in it ie MFEagent.msi, Sitelist.xml etc which is how I've created the agent installer package already however the files extracted from FramePkg.exe still install the client in unmanaged mode.

                    • 7. Re: EPO Agent Distribution

                      Moved this to our ePO product space for housekeeping.

                      • 8. Re: EPO Agent Distribution



                        Why not use a computer startup script? even a simple batch file or something to check the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\EPOAGENT3000- version for your required version and if its not the same then run the install?


                        Copy the framepkg.exe from here on your ePO server:  c:\Program Files\McAfee\ePolicy Orchestrator\DB\Software\Current\EPOAGENT3000\Install\0409  and install using the framepkg.exe /install=agent /silent


                        this file has the embedded info from the ePO server.


                        And the framepkg.exe creates the  frminst* log and also an msi log on the local machine.


                        There's also this article in the KB which could also help:







                        Message was edited by: jmcleish on 15/03/12 10:01:08 CDT
                        • 9. Re: EPO Agent Distribution

                          As I say, I don't like using scripts because they lack the logging and error handling of windows installer packages.  From experience it's quite easy for a the application to prompt because of an error at which point the startup process hangs and never gets resolved.


                          That KB article however is pretty much exactly what I want.  However it states "McAfee Agent 4.6 simplifies the process of creating a deployment package to use with the Group Policy Object. For more informatoin, see PD23185 - McAfee Agent 4.6 Product Guide." and PD23185 has no information in it.


                          And while I could probably achieve what I wanted as the article says "

                          • MFEAgent.msi contains many options and components required to ensure a successful Agent installation. Do not modify this file except as instructed below.



                          So I'd rather not poke arround in the windows installer without specific instructions.

                          1 2 3 Previous Next