Deploying ESET with Smart Software via Addigy

This guide walks you through deploying ESET Endpoint Antivirus or ESET Endpoint Security to managed Mac devices using Addigy Smart Software. The deployment is script-based — no installation files need to be uploaded to Addigy.

Note: An ESET activation key is required for the product to be activated silently upon installation without end user interaction. Without one, the software will install but remain inactive until a user manually enters a key.

Prerequisites

• An ESET activation key (found in your ESET purchase confirmation email or the subscription overview in your ESET account)
• Familiarity with Smart Software — see Creating Smart Software if you haven't set one up before

How to Add the Required Device Settings (MDM Profiles)

ESET requires three Device Settings (MDM Profiles) for full functionality and a completely automated deployment: PPPC for Full Disk Access, System Extensions, and Web Content Filter. Create each profile in Catalog > Device Settings before deploying the Smart Software item.

Important: Device Settings must be installed on a device before the Smart Software item runs. When added to a policy, this happens automatically based on default Installation Priority. If installing on an individual device via GoLive, deploy the Device Settings first.

1. PPPC (Full Disk Access)

This profile silently grants ESET access to protected and system admin files. For instructions on creating a PPPC profile, see How to Create a PPPC Payload for Full Disk Access (FDA).

Enable Access to All Protected and System Administration Files for the applicable entry below. ESET Endpoint Antivirus and ESET Endpoint Security have different bundle IDs — only add the entry for the product you are deploying.

2. System Extensions

This profile allows ESET's system extensions to load without prompting the user. For instructions on creating this profile type, see Allow System Extensions with Addigy MDM.

Configure the profile with:

• Allowed System Extensions: Enabled
• Team ID: P8DQRXPVLP
• Bundle IDs:
  • com.eset.endpoint
  • com.eset.network
  • com.eset.firewall
  • com.eset.devices

3. Web Content Filter

Note: This profile is only required for ESET Endpoint Security version 8.x. If you are deploying ESET Endpoint Antivirus, or a different version of Endpoint Security, you can skip this profile.

Navigate to Catalog > Device Settings, create a new Web Content Filter, and configure it with the following settings:

• Payload Name: ESET Web Content Filter
• Filter Type: Plug-In
• User Defined Name: ESET Firewall
• Plugin Bundle ID: com.eset.firewall.manager
• Filter Socket Traffic: Enabled
  • Bundle Identifier: com.eset.firewall
  • Designated Requirement: identifier "com.eset.firewall" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
• Filter Grade: Firewall

How to Create the Smart Software Item

In Addigy, navigate to Catalog > Software and create a new Smart Software item. Name it something descriptive — for example, ESET Endpoint Antivirus — and set the version to 1.0.

Note: No installation files need to be uploaded. This deployment is entirely script-based — the installation script downloads the ESET installer directly from ESET's servers at runtime.

Installation Command

Copy the script below and paste it into the Installation Command field of your Smart Software item. Only the three variables on lines 8, 9, and 10 need to be configured — do not modify any other part of the script.

Variable Configuration

Line 8 — Prod (Required)
Set this to the ESET product you are deploying:

• ESET Endpoint Antivirus: Prod="EEA"
• ESET Endpoint Security: Prod="EES"

Line 9 — KEY (Recommended)
Set this to your ESET activation key for the software to be activated silently upon installation:

KEY="XXXX-XXXX-XXXX-XXXX-XXXX"

If left blank, ESET will install but will not be activated — the end user will need to enter a license key manually.

Line 10 — eraa_http_proxy_value (Optional)
If your environment routes outbound traffic through a proxy, set this to your proxy address:

eraa_http_proxy_value="http://Proxy-IP-or-FQDN:3128"

Leave this blank if no proxy is needed.

ESET Installation Script

#!/bin/bash
#
# Enter your product, either EEA or EES. This is required.
# Activation will be attempted if value KEY contains is not empty
# security admin format example: '123-ABC-456:user=security.admin@mail.com:pass=SecurityAdminPass'
# Proxy example: http://Proxy-IP-or-FQDN:3128

Prod=""
KEY=""
eraa_http_proxy_value=""

if [ -z "$Prod" ] ; then echo 'No product selected please specify EEA or EES' & exit 1; fi

if test -n "$Prod"; then
Prod="$(echo "$Prod" | tr "[:lower:]" "[:upper:]")"
fi

files2del="$(mktemp -q /tmp/XXXXXXXX.files)"
dirs2del="$(mktemp -q /tmp/XXXXXXXX.dirs)"
echo "$dirs2del"  "$files2del"
dirs2umount="$(mktemp -q /tmp/XXXXXXXX.mounts)"
echo "$dirs2umount"  "$files2del"

finalize()
{
set +e

echo "Cleaning up:"

if test -f "$dirs2umount"
then
while read f
do
sudo -S hdiutil detach "$f"
done <"$dirs2umount" fi="fi" if="if" test="test" -f="-f" then="then" while="while" read="read" f="f" do="do" -d="-d" rmdir="rmdir" done="done"><"$dirs2del" fi="fi" if="if" test="test" -f="-f" then="then" while="while" read="read" f="f" do="do" unlink="unlink" done="done"><"$files2del" 300="300" unlink="unlink" fi="fi" trap="trap" finalize="finalize" hup="HUP" int="INT" quit="QUIT" term="TERM" exit="exit" changed="Changed" the="the" url="http://download.eset.com/com/eset/apps/business/ees/mac/latest/ees_osx_en.dmg" and="and" dmg="ees_osx_en.dmg" values="values" for="for" eea="EEA" so="so" far="far" if="if" then="then" app="Security" ees="EES" echo="echo" no="No" valid="valid" product="product" selected="selected" please="please" specify="specify" or="or" local_eset_dmg="$(mktemp -q -u /tmp/ESETInstaller.dmg.XXXXXXXX)" downloading="Downloading" eset="ESET" endpoint="Endpoint" installer="installer" image="image" test="test" -n="-n" export="export" use_proxy="yes" http_proxy="$eraa_http_proxy_value" --connect-timeout="--connect-timeout" --insecure="--insecure" -o="-o" curl="curl" --noproxy="--noproxy"> "$files2del"
else
curl --connect-timeout 300 --insecure -o "$local_ESET_dmg" "$URL" && echo "$local_ESET_dmg"  "$files2del"
fi

if [ ! -f "$local_ESET_dmg" ]; then exit 1 ; fi
test -d '/Library/Application Support/ESET/esets/cache' || mkdir -p '/Library/Application Support/ESET/esets/cache'
touch '/Library/Application Support/ESET/esets/cache/do_not_launch_esets_gui_after_installation'

local_ESET_mount="$(mktemp -q -d /tmp/ESETInstaller.mount.XXXXXXXX)" && echo "$local_ESET_mount" | tee "$dirs2del"  "$dirs2umount"
echo "Mounting image '$local_ESET_dmg':" && sudo -S hdiutil attach "$local_ESET_dmg" -mountpoint "$local_ESET_mount" -nobrowse
local_ESET_pkg="$(ls "$local_ESET_mount"/Resources/ | grep "\.pkg$" | tail -n 1)"

SigCheck="$(pkgutil --check-signature "$local_ESET_mount/Resources/$local_ESET_pkg" | grep -o "ESET, spol. s r.o. (P8DQRXPVLP)")"
if [ "$SigCheck" == "ESET, spol. s r.o. (P8DQRXPVLP)" ]; then
echo "Signature check Passed"
echo "$SigCheck"
echo "Installing package '$local_ESET_mount/Resources/$local_ESET_pkg':" && sudo -S installer -pkg "$local_ESET_mount/Resources/$local_ESET_pkg" -target /
else
echo "Signature check failed"
echo "$SigCheck"
exit 1
fi

sleep 10

if test -n "$KEY"; then
/Applications/ESET\ Endpoint\ Antivirus.app/Contents/MacOS/lic --key "$KEY"
else
echo "No license key provided"
exit 0
fi

exit 0

Condition for Install

Add a Condition for Install to your Smart Software item to prevent ESET from being reinstalled on devices where it's already present. Under Condition for Install, enable If file does not exist and enter the path for the product you are deploying:

• ESET Endpoint Antivirus: /Applications/ESET Endpoint Antivirus.app
• ESET Endpoint Security: /Applications/ESET Endpoint Security.app

Once configured, save your Smart Software item and add it to your desired policy alongside the Device Settings created above.

Custom Fact to Report ESET Status (Optional)

You can create a Custom Fact that surfaces each device's ESET status — including product version, AV signature version, and activation status — directly in the Device Facts tab on the GoLive and Devices pages. For instructions on creating a Custom Fact, see How to Create or Edit a Custom Device Fact.

Note: An active ESET subscription is required for this fact to accurately report a device's activation status. When creating the fact, set Return Type to String and select Bash as the shell. After saving, assign the fact to any policies that include ESET-managed devices.

Custom Fact Script

#!/bin/bash

if [[ -e "/Applications/ESET Endpoint Antivirus.app" ]]; then
    APP="ESET Endpoint Antivirus.app"
fi

if [[ -e "/Applications/ESET Endpoint Security.app" ]]; then
    APP="ESET Endpoint Security.app"
fi

if [[ -z "$APP" ]]; then
    echo "No ESET Endpoint protection"
else
    if [[ "$APP" == "ESET Endpoint Antivirus.app" ]]; then ESET="EEA"; fi
    if [[ "$APP" == "ESET Endpoint Security.app" ]]; then ESET="EES"; fi

    if [[ -e "/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/odscan" ]]; then
        AVSigsVer=$(/Applications/ESET\ Endpoint\ Antivirus.app/Contents/MacOS/upd --get-info | grep AVSigsVer | sed 's/AVSigsVer=//g')
        ClientVer=$(/Applications/ESET\ Endpoint\ Antivirus.app/Contents/MacOS/odscan --version | head -n 1)
        Activation=$(/Applications/ESET\ Endpoint\ Antivirus.app/Contents/MacOS/lic --status)
        echo "$ESET $ClientVer $AVSigsVer $Activation"
    else
        Status="$(mktemp -q /tmp/ESETstatus.XXXXX)"
        /Applications/"$APP"/Contents/MacOS/esets_daemon --status  $Status
        AVSigsVer=$(grep AVSigsVer $Status | sed 's/AVSigsVer=//g')
        ClientVer=$(grep ClientVer $Status | sed 's/ClientVer=//g')
        Activation=$(grep Activation $Status | sed 's/Activation=//g')
        echo "$ESET $ClientVer $AVSigsVer $Activation"
        rm -f $Status
    fi
fi

Related Articles

• Smart Software Overview
• How to Create a PPPC Payload for Full Disk Access (FDA)
• Allow System Extensions with Addigy MDM
• How to Create or Edit a Custom Device Fact