I know this is not directly related to Merkai however I'm hoping some users can provide some recommendations to the following.
We are about to deploy Systems Manager to all our devices and was seeing what people use for anti- virus and anti- malware for their devices on Systems manager (Windows & MacOS). I would love to be able to use Systems manager to push these apps out to the devices and register the license etc. via either some sort of package or script. I currently don't have a anti-virus/malware vendor so willing to pick one that works better with Systems manager.
Has any done this on or something similar? I would love to know what every else is doing and how they are doing it.
There is nothing as such mentioned in docs of Meraki-SM, I think so you can use any AV and AM Solutions.
If you are looking for something in Advance AntiMalware, check with Meraki Security Appliances Advanced Malware Prevention (AMP).
I quite like Trend Worry-Free Remote Services (the "services" bit mean it is the cloud based version). I prefer all my technology like this to be cloud managed. The same platform does both Windows and Mac.
I have never tried deploying it via Systems Manager. However they have an MSI you can download, and you can run it with a very long GUID parameter to link it to your Trend cloud instance.
I've actually been looking for an antivirus solution as well (but in our case, it's nearly 100% mac users). I tried AVG's and found that it "does not play well" with Meraki. Despite hours of troubleshooting, we (both AVG support and Meraki internal support) were unable to get AVG's antivirus service to work allow Meraki traffic on macbooks properly.
The short version: A macbook that already has the SM installed receives the pushed app AVG from Meraki. It will check-in and work as expected until a reboot. Once it reboots, the AVG service super imposes itself and does not allow the Meraki MDM traffic through (and there was no way to whitelist on the macOS version of the AVG app).
So, I do not recommend AVG. Someone mentioned Sophos to me, but while looking at their website, it looks like they are a whole MDM solution itself (which includes endpoint protection). I'll report back if I find anything useful during the trial to address just the endpoint protection part.
I'm with @PhilipDAth on this, Trend Worry-Free is really good and i've had only good experiences with it and MDM.
I'm on my 3rd day of the Trend Micro Worry Free trial. So far so good with our test system; however, we had to manually install it. I was not able to push it out via the Meraki Applications push.
Furthermore, the link provided in the email to install it would not work in MacOS Chrome. We had to do it from Safari (weird I thought).
@Stoffe did you run into anything similar? How did you push this to your users?
Glad you like it!
Hm, thats weird. I have not run into any issues.
Our end users only have windows machines so i cannot say anything about MacOS unfortunatly. Have you made sure that the SM client is installed on the system you're pushing it to?
Ill have a look in our workshops, there might be a Macbook somewhere. What OS version do you run?
Aaah! gotcha. We have very few win machines. The macOS versions vary.... our devs work on 10.12.1 - 10.13.4 (I know, this makes it a little harder to narrow down). I thought at first it was related to the test machine having 10.13.4 with the new KEXT enforcement, but we've eliminated that as the culprit.
I'm about to wipe a system and use it as a test bed. I'll gladly update the thread down the road with a summary of findings, etc.
Yes, please do keep us updated. I'll try to find and deploy a MacOS machine to test on here.
Well~ our Trial has come and gone. Although I liked the dashboard interface and their support was responsive when we needed them, Trend Micro's Worry Free Business Security Services is not the ideal solution for a mac shop. We were unable to remote install TMWF without end-user interaction, and the uninstall from dashboard does not work. Systems with macOS require a manual uninstall (found in the tools section). Most concerning was the fact that we were unable to create directory exclusions with wildcards. Most of our users use some kind of mounted cloud directory file share, the scan would attempt to include the entire directory... and due to the lack of wildcard usage, we were unable to use the targeted scan options to only include certain directories (which would require a wildcard in lieu of each username). Most of their documentation and advanced scripting/support is geared for Windows environments. Overall, it was very limited functionality.
We know this is not TrendMicro's only offering, so we will be reaching out to sales and consulting on whether they offer something different for our needs.
We are also trying out Sophos (which so far seems more robust for macs although it has the same limitation for user interaction for install). I'll gladly return and post what I find.
Hey Phil! We've crossed each other in the IT nether!!!
I was just on a demo with a couple of the CrowdStrike folks just yesterday afternoon 🙂 Their product is nothing short of amazing. But truthfully, although it was SUUUPER cool and the insight it offered was mind-blowing, it was also overkill for what we need... I think we're still going to trial it in the interest of being thorough (And because I'm dying to play with their features).
Please do follow up and let me know what you decide at the end. We're still on the Sophos trial ourselves. And considering ESET next. Feels like I've been researching and testing this stuff for ages 😐
Update: Meraki Systems Manager is unable to deploy the software with out user interaction. Although Apple have provided a way to allow this with MDM Meraki does not have this feature enabled and recommend I place a Make a wish in the dashboard.
Honestly I think this is ridiculous as Crowd Strike installs fine on Mac OS Sierra, its only High Sierra that has the problem. More and more people are going to have this issue when trying to install certain apps on their Mac unless Meraki provide this feature. I have raised a wish please give it Kudos to get the ball rolling on this one.
Hi Phil~ I definitely feel your pain on this one! The KEXT issues that have come with the added security of 10.13.4 do have a viable workaround (albeit a manual one): create .mobileconfig payloads that are delivered as profiles to the macbooks. You could have individual ones or keep a master list.
1. Create a apple profile / .mobileconfig file that allows the application
2. In Meraki Go to System Manager > MDM Settings > Add Profile > Upload custom Apple profile
For details on step 1 and some excellent info from user sshort, go to this thread:
edit: I see that you ran into that thread. I do agree that this shouldn't have to be a "thing". It's taking a bit of time for developers to catch up to these added securities at the kernel level. I will kudos your post for sure.