Install McAfee MOVE Multiplatform for VDI

These are my brief notes on the topic but if you know your way with McAfee’s ePO you will find the hereunder very helpful, the hereunder will aid you to perform the installation whether to be used with VMware Horizon View and Citrix XenDesktop.

Configuration

  1. Install ePO (here I used 5.1 with the latest patch).
    1. Disable product compatibility (Server Settings) and download the latest from here https://epo.mcafee.com/ProductCompatibilityList.xml
  2. Add the VSE8.8, MOVE client and offload scan server extensions and check in all the packages on the ePO server.
  3. Create the sub-tree categories and classify each group
  4. Create the product deployment client task for the VSE8.8, MOVE offload scan server and MOVE client.
  5. Deploy the McAfee agent to all the systems including the master image / golden image.
  6. Deploy Virus Scan Enterprise 8.8 (used patch 4 here) to the offload scanning servers.
  7. Deploy the offload scanning server to the offload scanning server (check the service and telnet to port 9053).
  8. Deploy the MOVE MP client to all virtual machines including the master image / golden image
    1. Check status cmd -> cd C:\Program Files (x86)\McAfee\MOVE AV Client\ -> mvadm status.
  9. VDI Golden Image / Master Image:
    1. For 32bit delete the AgentGUID value from it before sealing it (regedit -> AgentGUID ->HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent).
    2. For 64bit delete the AgentGUID value from it before sealing it (regedit -> AgentGUID -> HKLM\SOFTWARE\Wow6432Node\Network Associates\ePolicyOrchestrator\Agent).
  10. Configure both MOVE server and client policies and enforce them.
  11. Configure VSE8.8 policies (scan to archives, lock down, etc etc etc).
  12. Configure updates (get an extra dat and check it in then create a new policy and assign it to the tree).

Validation

  1. Virus scanning: Get the EICAR test virus and put in on one of the protected virtual machines.
  2. VDI: Create a machine catalog (XenDesktop) or create a new pool (Horizon View) and after the VDI virtual machines are provisioned you should see new machines popping in the ePO system tree and then you need to place them in their proper sub-tree group.

(Abdullah)^2

18208 Total Views 1 Views Today

Abdullah

Knowledge is limitless.

10 Responses

  1. Boyd says:

    I like what you guys are up too. This type of clever work and coverage!

    Keep up the terrific works guys I’ve added you guys to
    my blogroll.

  2. Richard says:

    Anyone try these same steps with EPO 4.6.9 ?

  3. Preetam says:

    Hi,

    What are your experience with McAfee MOVE on non-persistent desktop? Can you share best practices? We are going with non-persistent VDI desktops. Non-persistent desktop or statless desktops are provisioned/re-provisioned upon logon/logout. So McAfee client and agent needs to get new policy/DAT files with each logon. So there is anticipated delays in login.

    • doOdzZZ says:

      Hello Preetam,

      Actually I am facing no issues with non-persistent, you just need to make sure that your ePO is clean from GUIDs that were replaced upon rebuilding the pools/catalogs or so.

    • doOdzZZ says:

      Also the policy/DAT are enforced on the offload scanner or the virtual scan appliance, so the clients are only reporting the scan events to the offload scanner or VSA and the latter does the job so you don’t have to worry about mass updates or policy pushing.

  4. tim says:

    Looking for some direction.

    We have MOVE rolled out and i want to set it up for our VDI. We are on non-persistent desktops – we are vm persona.

    i need some steps on what to do 1st? or maybe some clear steps.

    do i go to my golden image and load the frames package and then the multi platform client and remove the reg key. then do a recompose of that pool.

    • doOdzZZ says:

      Hello, since you mentioned recompose then you’re using VMware Horizon View and you’re on ESXi. So why are you using multiplatform when you can use the agent-less? Otherwise with multiplatform what you’ve mentioned in sufficient but you also need to install the offload scan servers and have their policies configured in ePO.

    • Boris Groenhout says:

      For non-persistent desktops:

      1. Install the McAfee Agent.
      For unattended install:
      FramePkg.exe /install=agent /enableVDIMode /forceinstall /silent

      2. Install the Move AV Multi-Platform Client
      For unattended install:
      setup-win-amd64.exe” /S /v/qn
      Afterwards configure the SVA Manager Adddress from commandline:
      C:
      cd “C:\Program Files (x86)\McAfee\MOVE AV Client\”
      mvadm disable
      mvadm config set SVAManagerAddress=x.x.x.x
      mvadm config set SVAManagerPort=8080
      mvadm enable

      3. Remove some register settings to make the workstation independent.
      Windows Registry Editor Version 5.00
      [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent]
      “AgentGUID”=-
      “MacAddress”=-

      Desktop is now ready to deploy.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.