Deploying on macOS With Jamf

 

IMPORTANT: The latest version of macOS, Big Sur, may not work properly without additional configuration of permissions for the installer due to the way Jamf works. We recommend checking with Jamf support and the forums for resolutions.

 

Essential/Premium/Ultimate Business Security can be deployed remotely to macOS devices through Jamf using the .dmg installer downloaded from the Management Consoles. For more information on how to download the .dmg installer, see Adding Devices to Business Hub.

While the script was created by a Jamf Nation community member on this forum post, Avast agents have confirmed its effectiveness in other live environments.

Deployment Process Overview

Deploying Antivirus to macOS devices with Jamf follows this general process:

1. Administrator initiates remote deployment by creating and deploying Configuration Profile and installer policy
2. Antivirus install initiates on endpoint device
3. Since BigSur: User action required during the install to enter local admin credentials to confirm adding Avast certificate
4. After adding certificate, Antivirus installation continues and finishes
5. Onboarding screen displays on end device, and user clicks through to finish installation
6. Antivirus is installed and turned on

Creating Jamf Configuration Profile

Creating this profile pre-allows the Privacy settings and System Extension required by Essential/Premium/Ultimate Business Security. Enter the details in the corresponding sections.

Privacy Preferences Policy Control

Identifier: com.avast.AACM

Type: Bundle ID

Code Requirement: identifier "com.avast.AACM" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6H4HRTU5E3"

App or Services: SystemPolicyAllFiles ▸ Allow

System Extensions

Approved Kernel Extensions is the same information but for pre-BigSur macOS versions. If your devices are running earlier versions, fill out these details in the Approved Kernel Extensions section as well.

If ARM devices are used, a specific Configuration Profile should be used without Approved Kernel Extensions information (as it fails to deploy).

Display Name: Avast Antivirus System Extension

System Extension Types: Allowed System Extensions

Team Identifier: 6H4HRTU5E3

Allowed System Extensions: com.avast.Antivirus.SystemExtension

Content Filter

These settings ensure the web content filter portion of Essential/Premium/Ultimate Business Security is pre-approved.

Filter Name: Avast Antivirus

Identifier: com.avast.Antivirus.SystemExtension

Network Filter

Network Filter Bundle Identifier: com.avast.Antivirus.SystemExtension

Network Filter Designated Requirement: identifier "com.avast.Antivirus.SystemExtension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6H4HRTU5E3"

Deploying with Jamf

Ensure the machines you will be deploying to have the Configuration Profile created earlier.

1. Rename the vanilla Avast .dmg file to simply "avast.dmg" and upload to Jamf
2. Make your Jamf policy:
   1. Cache avast.dmg
   2. Run the following script set to "After"
   3. Update inventory (under maintenance in the policy)

Script Text