Had some problems with the forum so this may be a repost:
Step 1: Get Java 6 out to your workstations. In Mac OS X 10.8, it is not installed by default and will need to be if LiveUpdate is to work. That should be easy, deploy with ARD or use whatever mechanisms you normally would.
Step 2: Run the uninstaller script from this Symantec article on your machines. http://www.symantec.com/business/support/index?page=content&id=TECH103489
Could be done with ARD or in my case I use an managed client solution such as Jamf Casper, Absolute Manage or FileWave. I could also see this script being used as a properly developed self-destructing login hook in Workgroup Manager or locally based. If using ARD, make sure you use the second script on the page that works with tools such as ARD.
Step 3: Use Apple's PackageMaker or Jamf Composer to build a new package. You are going to take the sylink.xml file located in the Additional Resources folder and package it up and set proper permissions on it. Installing this by hand I have found that Symantec put this file on with root:staff ownership and seems to assign it 666 permissions.
Basically you need to get this sylink.xml file to /Library/Application Support/Symantec/SMC as per Symantec article http://www.symantec.com/business/support/index?page=content&id=TECH131585 which talks about converting an unmanaged Symantec Mac client to a supported managed Symantec client. Optionally, a customer could use his or her Apple Developer account certificate to digitally sign the package if you are in a Gatekeeper secured environment. ARD could also be used if you simply wish to just push out the sylink.xml file without fancy repackaging.
Step 4: Install the PKG WITHOUT THE ADDITIONAL RESOURCES FOLDER like you would any other package using ARD or a managed client solution. When you install this package without the Additional Resources folder, it is the equivalent of installing Symantec Endpoint Protection to your Mac clients in unmanaged mode. That plus the sylink.xml file in Step 3 should equal a managed installation.
Step 5: reboot the workstations you sent these packages out to.
Step 6: after the reboot, use the SEPM console to require a LiveUpdate or in the case of my devices, they checked for a LiveUpdate on first login anyway.
I am disappointed at Symantec for this terrible installer, but think I have found a way to mitigate it that seems to work in our environment. For those with Jamf Software's Casper, I can provide directions to turn all of this into a simple policy.
<note: I updated this post to reflect a reality I discovered after mass deploying to a small group of machines. For whatever reason, if you don't get the sylink.xml file out first before pushing the main package, some machines seem to have trouble checking in with the SEPM server. Don't really know why...have filed a case with Symantec for clarification on the issue.>
Brian Martin
Lafayette School Corporation