7 Replies Latest reply on Dec 24, 2013 5:25 AM by Laszlo G

    Sequencing product upgrade tasks: What is the mcafee supported answer for a "reboot" task?

    Regis

      When sequencing software installs for an upgrade sometimes it's rather nice to have a cascade of tasks such as push new agent of the new ePO,  install the new VSE (lastest version, replacing the older VSE from the prior older ePO), then  the HDLP agent (which wants a reboot).  

       

      Q:  What's the best way to make that reboot happen on machines where you don't want to give a user the option to reboot at their leisure?

       

      I'm on ePO 4.6.6 if it matters.   I have seen a forum posting where someone (not even sure if they were a mcafee employee) had published a reboot taask on the forum, but for all the usual reasons, it'd be nice to have an answer from McAfee on a consensus on how to get such things done, and a clean deployment package to download from an official location. 

       

      Thanks for any tip sharing if you've been down this road!  

        • 1. Re: Sequencing product upgrade tasks: What is the mcafee supported answer for a "reboot" task?
          cllapole

          I am not a rep of McAfee, so my answer won't be a consensus from McAfee, but you have a couple options.  Obviously (or maybe not), creating a deployment task for a product like VSE gives the option of adding command line parameters.  One of the parameters for that package is 'REBOOT=F', which forces a reboot.  You could also choose to deploy something like 'shutdown.exe' everywhere, then add it as a Registered Executable, then create a task to use it (this could be helpful for many things). 

           

          One other thing I started doing, which is helpful for a few reasons, is tagging machines when a product is installed.  I created what I call the McAfee Lifecycle as a server task, this verifies what products are installed, and then adds tags representing the product.  Then actions include checking for product, adding the tag, then sending an install task for the next product in line the tag doesn't exist for.  To some this may sound somewhat redundant, but I find it helpful when doing permission sets and allowing people to view/apply tags that have other conditions associated (such as applying a policy based on tags.  If you want any more info on the why and how, feel free to email me.

          1 of 1 people found this helpful
          • 2. Re: Sequencing product upgrade tasks: What is the mcafee supported answer for a "reboot" task?
            Regis

            According to a tier2 that supports ePO that I'm engaged with,  as this is an OS interaction, their support is relatively limited to  McAfee Agent policy regarding post-product install reboot forcing, selectable in policy.  You can only set a hard number of minutes after a product deployment in which a reboot will occur, and/or give the user a dialog box to let them reboot at their leisure.   

             

            I suppose that can be made to work, but it'd be nice to have a task that could be scheduled at a specific time in certain cases.     For instance, when installing 2 products in a row with a time offset, it'd be a drag to force a reboot between both of them based on the limited mcafee agent general policy of forcing reboot after any product installation.     I also couldn't get anyone to promise that the reboot wouldn't occur if say you had a nightly installation task for VSE   and you're hoping that repeated install attempts just fail out after detecting the product is already installed.    It'd be a bummer if those nightly installs also started triggering reboots if you change the policy to force the reboot.    As apparently the reboot aspect gets passed to the product installer, it's possible a point product installer author could goof up and  you're left with a nighly reboot on a nighly install task that's un necessary.

             

            I did see elsewhere on the forums that someone non-mcafee had written a package to check in to do this sort of thing as a product deployment task (it just reboots), but it didn't seem to have any ring of mcafee endorsement though.  I manually reviewed most of the code and it looked rather benign.  

             

            I love your tag strategy by the way... I'll have to mull that further.   Doing things like that and moving things between bits of the system tree hierarchy would be a way to have a later product install task trigger a reboot while and earlier one wouldn't.     

             

            Thanks for the input!

             

            on 12/20/13 5:11:11 PM CST
            • 3. Re: Sequencing product upgrade tasks: What is the mcafee supported answer for a "reboot" task?
              petersimmons

              The vast majority of products do not require a reboot and those that do (Host DLP, Encryption, Client Proxy) can all be suppressed and the reboot done later. We go out of our way to engineer our products so that you can control things. From my perspective I usually have customers asking how to suppress things and reboot "sometime later".

               

              To reboot the OS, you should issue the "shutdown" command.

              • 4. Re: Sequencing product upgrade tasks: What is the mcafee supported answer for a "reboot" task?
                Regis

                I'm specifically in need of an Agent -> VSE -> HDLP flow   where I can schedule the post HDLP reboot overnight on a kiosk like machine.     Given the network segmentation involved, the agent gets pushed via a file copy and an at job of the agent installer by the Windows folks.

                 

                 

                Shutdown is great and all, but the question then becomes, "how do I do that from ePO?"   If there's functionality I'm missing, I'm all ears.  

                 

                Often in larger companies separate groups handling Microsoft's world (SCCM/SUS and the like, and separate groups doing ePO things...such as poor sods like me), so while shutdown sounds great conceptually, the reality is harder.  Which is why it'd be nice to have a way to schedule a shutdown -r task specifically, leveraging the toe hold that the mcafee agent already has on the system.

                • 5. Re: Sequencing product upgrade tasks: What is the mcafee supported answer for a "reboot" task?
                  petersimmons

                  The easiest thing to help is to uncheck the box in the Agent properties asking for the reboot prompt. Specifically the text is "

                  • 6. Re: Sequencing product upgrade tasks: What is the mcafee supported answer for a "reboot" task?
                    cllapole

                    Well, if you really want something straight from McAfee that is fully supported, then you are talking about getting into their Deep Command product.  Of course that is seperate licensing and yet another product to try to learn, deploy, support, etc.  The SDREBOOT package you are referring to is how I would deal with a reboot if I was insistent upon doing it from within ePolicy but did not have access to Deep Command.  Without knowing your exact situation and settings I can only give you a rough and generic example, but I am sure once you set some things up and tested you would see it works.  Create tags for installDLP and Rebooted.  Make sure you have a DLP install task (that doesn't force a reboot) and the SDReboot task.  Create a quick query for everything that doesn't have DLP installed, and tag it installDLP.  Create a query that checks for the existence of having the DLP product installed AND having the installDLP tag.  Create a server task that runs at night that runs the aforementioned query, anything that you had tagged manually and now shows having the product needs a reboot, so take the action in the server task to run client task of the SDReboot and subsequently removes the installDLP tag and adds the Rebooted tag. 

                     

                    That is all a little clunky sounding in that generic format.  And you will need to look in the logs to see if any failed the reboot request.  But it gives you some control and some options to track.  Remember more sub-options can be to email you a copy of the query after it is run.  You don't even need the Rebooted tag, maybe you just clear the installDLP tak; or maybe better yet it is it clears the last tag (or aggregates) and you can then add a needsEncryption tag or any other product installs or policy changes.  I basically run through (and I actually have the tags start numbered with descriptive names) my lifecycle of tags.  They are based on a Server task that runs multiple times a day.  The tags go roughly 0-Rogue (systems found through RSD then added to a safe spot in the system tree) and this trigers the installMcAfeeAgent task.  If the Server Task sees MA installed, it tags the computer 1-MA, and computer with just this tag level needs VSE installed and that is triggered.  I run through the rest of my products like this MA, VSE, DeepDR, EEGO, EEADMIN, and EEPC (and I will soon be adding in EEFF/EFRM and DLP).  I could mix in RebootNeeded tags etc. if I wanted. 

                     

                    At some point I thought I should share this in more detail in a post on the Community, finding time has been tough as of late.  Hopefully this gets you started in the right direction.  Once you start creating the matching Queries, Install Tasks, Tags, and a controlling Server Task; then just play around with it all some I am sure a light bulb will go off.  This may be a lot more work and clumsy for some people.  But, as just one benefit, this form of tagging then can be used to give lesser permission sets to ePo users, allowing them to change policy configurations (this is how our tech support can 'tag' a workstation for encryption, I just have Policy Assignment Rules that look for tags and change policies on the system to have the encryption become 'enabled').  Then they only need the ability to apply a tag, not to assign policy, and that makes the process so much more simple on the front-end.  Tags really allow everything to be so much easier to admin IMO; that is once you get really used to them. 

                    • 7. Re: Sequencing product upgrade tasks: What is the mcafee supported answer for a "reboot" task?
                      Laszlo G

                      Hi Regis, maybe you saw people doing this using a script.

                       

                      There's a McAfee ePO Endpoint Deployment Kit that allows you to create your own packages to be deployed through ePO and you can execute files, scripts...

                       

                      For example you can create a .bat file with a shutdown -r -f -t 5 -q , then create an epo package with EDK tool and set a scheduled deployment task  so computers will reboot (-r) forcing to reboot (-r) in 5 seconds (-t 5) and quiet, without popus (-q)