Hi All,
I'm just now looking how can I remove McAfee Agent(**McAfee Endpoint Protection for Mac.app, McAfee ePO Remote Provisioning Tool.app) and decrypt Machine from JSS to client Machine. There is any policy for this.
Page 1 / 1
Typically you can use:
EPM:
sudo /usr/local/McAfee/uninstall EPMAgent:
sudo /Library/McAfee/cma/scripts/uninstall.shAnd then pray that your ePO admins don't have a policy running to require a password to run the uninstaller. If so, you can't remotely run the uninstaller, you'll need to tear out the bits and pieces forcefully. There is a script floating around, I forget where though, called RipOffMcafee that will do that.
Remove McAfee version 4 & 5.
[ -f /usr/local/McAfee/uninstall EPM ] && /usr/local/McAfee/uninstall EPM
[ -f /Library/McAfee/cma/uninstall.sh ] && /Library/McAfee/cma/uninstall.sh
[ -f /Library/McAfee/cma/scripts/uninstall.sh ] && /Library/McAfee/cma/scripts/uninstall.sh
[ -f /Library/McAfee/agent/scripts/uninstall.sh ] && /Library/McAfee/agent/scripts/uninstall.sh
[ -d /Applications/McAfee Endpoint Protection for Mac.app ] && rm -rf /Applications/McAfee Endpoint Protection for Mac.app
[ -d /Applications/McAfee Endpoint Security for Mac.app ] && rm -rf /Applications/McAfee Endpoint Security for Mac.app
[ -d /Library/McAfee ] && rm -rf /Library/McAfee
[ -d /usr/local/McAfee ] && rm -rf /usr/local/McAfee
[ -d /Library/Application Support/McAfee ] && rm -rf /Library/Application Support/McAfee
rm -rf /Library/Preferences/com.mcafee*
launchctl unload /Library/LaunchDaemons/com.mcafee*
rm -rf /Library/LaunchDaemons/com.mcafee*
rm -rf /Library/LaunchAgents/com.mcafee*
killall Menulet
killall McAfee ReporterFWIW, you can actually send the password required for removing the McAfee EPM components (if required by your EPO admins) in a script, using Jamf script parameters of course.
Here's an example of how with a script we use in a policy
#!/bin/bash
prdVers="$4"
passAV="$5"
avResult=""
avUninstaller1022="/usr/local/McAfee/uninstall"
if [ -e "$avUninstaller1022" ]; then
echo "McAfee AV 10.2.2 product found. Removing AV..."
while [ "$avResult" != 0 ]; do
echo "$passAV" | sudo -S "$avUninstaller1022" "$prdVers"
removeResult=$?
if [ $removeResult == 0 ]; then
echo "McAfee AV 10.2.2 removed."
fi
done
else
echo "McAfee AV product not found. Skipping."
fi
/Library/McAfee/cma/scripts/uninstall.sh
exit 0You have to pass the product, like "EPM" to $4 and the password to $5.
I believe the one issue with this is that it may end up showing up in the system.log, which you could clear up later if so inclined with a carefully crafted grep/sed command. I will have to go back and check on that, but I know invoking any sudo commands in a script usually end up dropping the entire command that was run after it into the log. It may be the case here as well since it's calling sudo -S
mm2270: The script you provided works great except for the avResult variable. How was that being used to prevent it from running forever?
I found this script called RipOffMcAfee and then modified it to remove some additional extensions and framework for DLP.
McAfee can also cause InTune registration to fail when blocking untrusted certificates.
#!/usr/bin/env bash
## HEADER
## DEFINITIONS
## FUNCTIONS
grabConsoleUserAndHome(){
# don't assume the home folder is equal to the user's name
currentUser=""
homeFolder=""
currentUser=$(stat -f %Su "/dev/console")
homeFolder=$(dscl . read "/Users/$currentUser" NFSHomeDirectory | cut -d: -f 2 | sed 's/^ *//'| tr -d '
')
}
removeMcAfee(){
bolRunARecon=true
grabConsoleUserAndHome
## ARRAYS
McAfeeKernelExtensions=(
'/usr/local/McAfee/AntiMalware/Extensions/AVKext.kext'
'/usr/local/McAfee/AppProtection/Extensions/AppProtection.kext'
'/usr/local/McAfee/StatefulFirewall/Extensions/SFKext.kext'
'tocal/McAfee/fmp/Extensions/FMPSysCore.kext'
'/usr/local/McAfee/fmp/Extensions/FileCore.kext'
'/usr/local/McAfee/fmp/Extensions/NWCore.kext'
)
McAfeeLaunchDaemons=(
'/Library/LaunchDaemons/com.mcafee.agent.cma.plist'
'/Library/LaunchDaemons/com.mcafee.ssm.Eupdate.plist'
'/Library/LaunchDaemons/com.mcafee.ssm.ScanFactory.plist'
'/Library/LaunchDaemons/com.mcafee.ssm.ScanManager.plist'
'/Library/LaunchDaemons/com.mcafee.virusscan.fmpd.plist'
'/Library/LaunchDaemons/com.mcafee.agent.ma.plist'
'/Library/LaunchDaemons/com.mcafee.agent.macmn.plist'
'/Library/LaunchDaemons/com.mcafee.agent.macompat.plist'
)
McAfeeFiles=(
'/etc/cma.conf'
'/Library/LaunchDaemons/com.mcafee.agent.cma.plist'
'/Library/LaunchDaemons/com.mcafee.ssm.Eupdate.plist'
'/Library/LaunchDaemons/com.mcafee.ssm.ScanFactory.plist'
'/Library/LaunchDaemons/com.mcafee.ssm.ScanManager.plist'
'/Library/LaunchDaemons/com.mcafee.virusscan.fmpd.plist'
'/Library/LaunchAgents/com.mcafee.menulet.plist'
'/Library/LaunchAgents/com.mcafee.reporter.plist'
'/Library/Preferences/.com.mcafee.StatefulFirewall.license'
'/Library/Preferences/.com.mcafee.antimalware.license'
'/Library/Preferences/.com.mcafee.appprotection.license'
'/Library/Preferences/com.mcafee.ssm.StatefulFirewall.plist'
'/Library/Preferences/com.mcafee.ssm.antimalware.plist'
'/Library/Preferences/com.mcafee.ssm.appprotection.plist'
'/var/log/McAfeeSecurity.log'
'/private/var/db/receipts/com.mcafee.agent.pkg.bom'
'/private/var/db/receipts/com.mcafee.agent.pkg.plist'
'/private/var/db/receipts/com.mcafee.epm.pkg.bom'
'/private/var/db/receipts/com.mcafee.epm.pkg.plist'
'/private/var/db/receipts/com.mcafee.mscui.bom'
'/private/var/db/receipts/com.mcafee.mscui.plist'
'/private/var/db/receipts/com.mcafee.pkg.StatefulFirewall.bom'
'/private/var/db/receipts/com.mcafee.pkg.StatefulFirewall.plist'
'/private/var/db/receipts/com.mcafee.ssm.appp.bom'
'/private/var/db/receipts/com.mcafee.ssm.appp.plist'
'/private/var/db/receipts/com.mcafee.ssm.fmp.bom'
'/private/var/db/receipts/com.mcafee.ssm.fmp.plist'
'/private/var/db/receipts/com.mcafee.virusscan.bom'
'/private/var/db/receipts/com.mcafee.virusscan.plist'
'/etc/cma.conf'
'/Library/Receipts/cma.pkg'
)
McAfeeFolders=(
'/Library/McAfee'
'/Library/StartupItems/cma'
'/private/etc/cma.d'
'/private/etc/ma.d'
'/Library/Application Support/McAfee'
'/Applications/McAfee Endpoint Protection for Mac.app'
'/Applications/McAfee Endpoint Security for Mac.app'
'/Library/Documentation/Help/McAfeeSecurity_AVOnly.help'
'/Library/Documentation/Help/McAfeeSecurity_ApplicationProtection.help'
'/Library/Documentation/Help/McAfeeSecurity_Firewall.help'
'/usr/local/McAfee'
'/private/var/McAfee'
'/Applications/McAfeeSystemExtensions.app'
)
if [[ "$currentUser" != "root" ]]; then
su - $currentUser -c 'launchctl unload /Library/LaunchAgents/com.mcafee.menulet.plist'
su - $currentUser -c 'launchctl unload /Library/LaunchAgents/com.mcafee.reporter.plist'
su - $currentUser -c 'killall "McAfee Endpoint Protection for Mac"'
su - $currentUser -c 'killall "McAfee Endpoint Security for Mac"'
sleep 5
fi
#Stop StartupItems
/Library/StartupItems/cma/cmamesh forcestop
#Unload all LaunchDaemons from array McAfeeLaunchDaemons
for EachFile in "${McAfeeLaunchDaemons[@]}"; do
[[ -e "$EachFile" ]] && launchctl unload "$EachFile" && echo "Unloading $EachFile"
done
#Unload all Kernel Extensions
for EachFile in "${McAfeeKernelExtensions[@]}"; do
[[ -e "$EachFile" ]] && kextunload "$EachFile" > /dev/null 2>&1 && echo "Unloading $EachFile" && sleep 5
done
#Delete all files from array McAfeeFiles
for EachFile in "${McAfeeFiles[@]}"; do
[[ -e "$EachFile" ]] && rm -f "$EachFile" && echo "Deleting $EachFile"
done
#Delete all folders from array McAfeeFolders
for EachFolder in "${McAfeeFolders[@]}"; do
[[ -e "$EachFolder" ]] && rm -rf "$EachFolder" && echo "Deleting $EachFolder"
done
#Delete all LaunchDaemons from array McAfeeLaunchDaemons
for EachFile in "${McAfeeLaunchDaemons[@]}"; do
echo $EachFile
[[ -e "$EachFile" ]] && rm -f "$EachFile" && echo "Deleting $EachFile"
done
#Unload all Kernel Extensions
for EachFile in "${McAfeeKernelExtensions[@]}"; do
[[ -e "$EachFile" ]] && rm -rf "$EachFile" > /dev/null 2>&1 && echo "Deleting $EachFile"
done
#If above 10.6 forget package receipt
pltvrsn=`/usr/bin/sw_vers | grep ProductVersion | cut -d: -f2`
majvrsn=`echo $pltvrsn | cut -d. -f1`
minvrsn=`echo $pltvrsn | cut -d. -f2`
if (($majvrsn>=10 && $minvrsn>=6)); then
echo "Forgetting McAfee Agent package..."
/usr/sbin/pkgutil --forget comp.nai.cmamac > /dev/null 2>&1
fi
dscl . -delete /Users/mfe
dscl . -delete /Groups/mfe
dscl . -delete /Groups/Virex
killall -c Menulet
}
## BODY
removeMcAfee
#jamf policy -event <Your event name to install new goes here>
## FOOTER
exit 0love this.
You'll find the latest RipOffMcAfee script pinned in the #mcafee channel of the MacAdmins Slack. The script posted above looks like it was based on an older version, so here's the current one (v2.2):
#!/bin/sh
## RipOff-McAfee.sh
## version 2.0
##
## Author: Adam Scheblein, McAfee IT
## E-Mail: adam_scheblein@mcafee.com
##
## version 2.1 mods by Steve Dagley <@sdagley Jamf Nation/Twitter/MacAdmins Slack>
## Updated launchctl calls to use bootout instead of unload
## Remove Privileged HelperTool added with ENS 10.7.1
## Kill McAfee Agent Status Monitor when unloading launch items
##
## version 2.2 mods by Adam Scheblein
## Removes system extension
## Kill McAfee Reporter when unloading launch items
##
# This script has been verified to work on McAfee Endpoint Security 10 for Mac.
# It supports uninstalls through ENSM 10.7.5, and removes all McProducts.
#get current user name and ID
userName=$(/bin/echo 'show State:/Users/ConsoleUser' | /usr/sbin/scutil | /usr/bin/awk '/Name / { print $3 }')
currentUserID=$(/usr/bin/id -u "$userName")
# stop running processes
echo "stopping running processes"
/usr/local/McAfee/DlpAgent/bin/DlpAgentControl.sh mastop
/usr/local/McAfee/AntiMalware/VSControl mastop
/usr/local/McAfee/StatefulFirewall/bin/StatefullFirewallControl mastop
/usr/local/McAfee/WebProtection/bin/WPControl mastop
/usr/local/McAfee/atp/bin/ATPControl mastop
/usr/local/McAfee/FRP/bin/FRPControl mastop
/usr/local/McAfee/Mar/MarControl stop
/usr/local/McAfee/mvedr/MVEDRControl stop
/usr/local/McAfee/Mcp/bin/mcpcontrol.sh mastop
/usr/local/McAfee/MNE/bin/MNEControl mastop
/usr/local/McAfee/fmp/bin/fmp stop
/opt/McAfee/dx/bin/dxlservice stop
/Library/McAfee/agent/bin/maconfig -stop
echo ""
# unload kexts
echo "unloading kexts"
/sbin/kextunload /Library/Application Support/McAfee/AntiMalware/AVKext.kext
/sbin/kextunload /Library/Application Support/McAfee/FMP/mfeaac.kext
/sbin/kextunload /Library/Application Support/McAfee/FMP/FileCore.kext
/sbin/kextunload /Library/Application Support/McAfee/FMP/FMPSysCore.kext
/sbin/kextunload /Library/Application Support/McAfee/StatefulFirewall/SFKext.kext
/sbin/kextunload /usr/local/McAfee/AntiMalware/Extensions/AVKext.kext
/sbin/kextunload /usr/local/McAfee/StatefulFirewall/Extensions/SFKext.kext
/sbin/kextunload /usr/local/McAfee/Mcp/MCPDriver.kext
/sbin/kextunload /usr/local/McAfee/DlpAgent/Extensions/DLPKext.kext
/sbin/kextunload /usr/local/McAfee/DlpAgent/Extensions/DlpUSB.kext
/sbin/kextunload /usr/local/McAfee/fmp/Extensions/FileCore.kext
/sbin/kextunload /usr/local/McAfee/fmp/Extensions/NWCore.kext
/sbin/kextunload /usr/local/McAfee/fmp/Extensions/FMPSysCore.kext
echo ""
echo "uninstalling system extensions"
if [ -e /Applications/McAfeeSystemExtensions.app ] ; then
/usr/bin/sudo -u $userName /usr/local/McAfee/fmp/AAC/bin/deactivatesystemextension com.mcafee.CMF.networkextension
fi
# unload launch items
echo "unloading launch items"
/bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.McAfeeSafariHost.plist
/bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.menulet.plist
/bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.reporter.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.aac.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.ma.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.macmn.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.macompat.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.dxl.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.Eupdate.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.ScanFactory.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.ScanManager.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.virusscan.fmpcd.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.virusscan.fmpd.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agentMonitor.helper.plist
/usr/bin/killall -c Menulet
/usr/bin/killall -c "McAfee Agent Status Monitor"
/usr/bin/killall -c McAfee Reporter
echo ""
# rm program dirs
echo "removing program dirs"
/bin/rm -rf /usr/local/McAfee/
/bin/rm -rf /opt/McAfee/
/bin/rm -rf /Applications/DataLossPrevention.app/
/bin/rm -rf /Applications/McAfee Endpoint Security for Mac.app/
/bin/rm -rf /Applications/McAfee Endpoint Protection for Mac.app/
/bin/rm -rf /Applications/McAfeeSystemExtensions.app/
/bin/rm -rf /Applications/Utilities/McAfee ePO Remote Provisioning Tool.app/
echo ""
# rm support dirs
echo "removing support dirs"
/bin/rm -rf /Users/Shared/.mcafee
/bin/rm -rf /Library/Application Support/McAfee/
/bin/rm -rf /Library/Documentation/Help/McAfeeSecurity*
/bin/rm -rf /Library/Frameworks/AVEngine.framework/
/bin/rm -rf /Library/Frameworks/VirusScanPreferences.framework/
/bin/rm -rf /Library/Internet Plug-Ins/Web Control.plugin/
/bin/rm -rf /Library/McAfee/
/bin/rm -rf /Quarantine/
echo ""
# rm prefs/launch items
echo "removing prefs and launch items"
/bin/rm -f /Library/Preferences/com.mcafee*
/bin/rm -f /Library/Preferences/.com.mcafee*
/bin/rm -f /Library/LaunchDaemons/com.mcafee*
/bin/rm -f /Library/LaunchAgents/com.mcafee*
/bin/rm -rf /Library/StartupItems/cma/
/bin/rm -f /private/etc/cma.conf
/bin/rm -rf /private/etc/cma.d/
/bin/rm -rf /private/etc/ma.d/
/bin/rm -f /private/etc/init.d/dx
/bin/rm -rf /private/var/McAfee/
/bin/rm -rf /private/var/tmp/.msgbus/
/bin/rm -rf /Users/$userName/Library/Containers/com.McAfee*
/bin/rm -rf /Users/$userName/Library/Application Scripts/com.McAfee*
/bin/rm -rf /Users/$userName/Library/Group Containers/group.com.Mcafee*
/bin/rm -rf /Users/$userName/Library/Preferences/com.mcafee*
/bin/rm -f /Library/Google/Chrome/NativeMessagingHosts/siteadvisor.mcafee.chrome.extension.json
/bin/rm -f /Library/PrivilegedHelperTools/com.mcafee.agentMonitor.helper
echo ""
# rm logs
echo "removing logs"
/bin/rm -f /Library/Logs/Native Encryption.log
/bin/rm -f /Library/Logs/FRP.log
/bin/rm -f /private/var/log/McAfeeSecurity.log*
/bin/rm -f /private/var/log/mcupdater*
/bin/rm -f /private/var/log/MFEdx*
echo ""
# forget receipts
echo "forgetting receipts"
/usr/sbin/pkgutil --forget com.mcafee.dxl
/usr/sbin/pkgutil --forget com.mcafee.mscui
/usr/sbin/pkgutil --forget com.mcafee.mar
/usr/sbin/pkgutil --forget com.mcafee.mvedr
/usr/sbin/pkgutil --forget com.mcafee.pkg.FRP
/usr/sbin/pkgutil --forget com.mcafee.pkg.MNE
/usr/sbin/pkgutil --forget com.mcafee.pkg.StatefulFirewall
/usr/sbin/pkgutil --forget com.mcafee.pkg.utility
/usr/sbin/pkgutil --forget com.mcafee.pkg.WebProtection
/usr/sbin/pkgutil --forget com.mcafee.ssm.atp
/usr/sbin/pkgutil --forget com.mcafee.ssm.fmp
/usr/sbin/pkgutil --forget com.mcafee.ssm.mcp
/usr/sbin/pkgutil --forget com.mcafee.ssm.dlp
/usr/sbin/pkgutil --forget com.mcafee.virusscan
/usr/sbin/pkgutil --forget comp.nai.cmamac
echo ""
# remove users/groups
echo "removing user and groups"
/usr/bin/dscl . delete /Users/mfe
/usr/bin/dscl . delete /Groups/mfe
/usr/bin/dscl . delete /Groups/Virex
echo ""
##mcafee support article: KB88461
#cd /usr/local/
#rm –rf McAfee/
#cd /Library/Application Support/
#rm –rf McAfee/
#cd /Library/LaunchDaemons/
#rm –rf com.mcafee.*
#cd /Library/LaunchAgents/
#rm –rf com.mcafee.*
#cd /Library/Preferences/
#rm –rf com.mcafee.*
exit 0sweet! thanks for this
The RipOff-McAfee script has been updated to use the method @rich.trouton documented for suppressing the user authorization prompt when removing a System Extension on macOS Catalina, Big Sur, and Monterey:
#!/bin/bash
## RipOff-McAfee.sh
## version 2.3
##
## Author: Adam Scheblein, McAfee IT
## E-Mail: adam_scheblein@mcafee.com
##
## version 2.1 mods by Steve Dagley <@sdagley Jamf Nation/Twitter/MacAdmins Slack>
## Updated launchctl calls to use bootout instead of unload
## Remove Privileged HelperTool added with ENS 10.7.1
## Kill McAfee Agent Status Monitor when unloading launch items
##
## version 2.2 mods by Adam Scheblein
## Removes system extension
## Kill McAfee Reporter when unloading launch items
##
## version 2.3 mods by Steve Dagley <@sdagley Jamf Nation/Twitter/MacAdmins Slack>
## If McAfee Network Extension is loaded remove it without prompting for user approval
## Uses method documented by @rtrouten's post:
## https://derflounder.wordpress.com/2021/10/26/silently-uninstalling-system-extensions-on-macos-monterey-and-earlier/
# Temp plist files used for import and export from authorization database.
management_db_original_setting="$(mktemp).plist"
management_db_edited_setting="$(mktemp).plist"
management_db_check_setting="$(mktemp).plist"
# Expected settings from management database for com.apple.system-extensions.admin
original_setting="authenticate-admin-nonshared"
updated_setting="allow"
ManagementDatabaseUpdatePreparation() {
# Create temp plist files
touch "$management_db_original_setting"
touch "$management_db_edited_setting"
touch "$management_db_check_setting"
# Create backup of the original com.apple.system-extensions.admin settings from the management database
/usr/bin/security authorizationdb read com.apple.system-extensions.admin > "$management_db_original_setting"
# Create copy of the original com.apple.system-extensions.admin settings from the management database for editing.
/usr/bin/security authorizationdb read com.apple.system-extensions.admin > "$management_db_edited_setting"
}
UpdateManagementDatabase() {
if [[ -r "$management_db_edited_setting" ]] && [[ $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_edited_setting") = "$original_setting" ]]; then
/usr/libexec/PlistBuddy -c "Set rule:0 $updated_setting" "$management_db_edited_setting"
if [[ $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_edited_setting" ) = "$updated_setting" ]]; then
echo "Edited $management_db_edited_setting is set to allow system extensions to be uninstalled without password prompt."
echo "Now importing setting into authorization database."
/usr/bin/security authorizationdb write com.apple.system-extensions.admin < "$management_db_edited_setting"
if [[ $? -eq 0 ]]; then
echo "Updated setting successfully imported."
UpdatedAuthorizationSettingInstalled="true"
fi
else
echo "Failed to update $management_db_edited_setting file with the correct setting to allow system extension uninstallation without prompting for admin credentials."
fi
fi
}
RestoreManagementDatabase() {
/usr/bin/security authorizationdb read com.apple.system-extensions.admin > "$management_db_check_setting"
if [[ ! $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_check_setting") = "$original_setting" ]]; then
if [[ -r "$management_db_original_setting" ]] && [[ $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_original_setting") = "$original_setting" ]]; then
echo "Restoring original settings to allow system extension uninstallation only after prompting for admin credentials."
echo "Now importing setting into authorization database."
/usr/bin/security authorizationdb write com.apple.system-extensions.admin < "$management_db_original_setting"
if [[ $? -eq 0 ]]; then
echo "Original setting successfully imported."
OriginalAuthorizationSettingInstalled=1
fi
else
echo "Failed to update the authorization database with the correct setting to allow system extension uninstallation only after prompting for admin credentials."
fi
fi
}
# This script has been verified to work on McAfee Endpoint Security 10 for Mac.
# It supports uninstalls through ENSM 10.7.5, and removes all McProducts.
#get current user name and ID
userName=$(/bin/echo 'show State:/Users/ConsoleUser' | /usr/sbin/scutil | /usr/bin/awk '/Name / { print $3 }')
# stop running processes
echo "stopping running processes"
/usr/local/McAfee/DlpAgent/bin/DlpAgentControl.sh mastop
/usr/local/McAfee/AntiMalware/VSControl mastop
/usr/local/McAfee/StatefulFirewall/bin/StatefullFirewallControl mastop
/usr/local/McAfee/WebProtection/bin/WPControl mastop
/usr/local/McAfee/atp/bin/ATPControl mastop
/usr/local/McAfee/FRP/bin/FRPControl mastop
/usr/local/McAfee/Mar/MarControl stop
/usr/local/McAfee/mvedr/MVEDRControl stop
/usr/local/McAfee/Mcp/bin/mcpcontrol.sh mastop
/usr/local/McAfee/MNE/bin/MNEControl mastop
/usr/local/McAfee/fmp/bin/fmp stop
/opt/McAfee/dx/bin/dxlservice stop
/Library/McAfee/agent/bin/maconfig -stop
echo ""
# unload kexts
echo "unloading kexts"
/sbin/kextunload /Library/Application\\ Support/McAfee/AntiMalware/AVKext.kext
/sbin/kextunload /Library/Application\\ Support/McAfee/FMP/mfeaac.kext
/sbin/kextunload /Library/Application\\ Support/McAfee/FMP/FileCore.kext
/sbin/kextunload /Library/Application\\ Support/McAfee/FMP/FMPSysCore.kext
/sbin/kextunload /Library/Application\\ Support/McAfee/StatefulFirewall/SFKext.kext
/sbin/kextunload /usr/local/McAfee/AntiMalware/Extensions/AVKext.kext
/sbin/kextunload /usr/local/McAfee/StatefulFirewall/Extensions/SFKext.kext
/sbin/kextunload /usr/local/McAfee/Mcp/MCPDriver.kext
/sbin/kextunload /usr/local/McAfee/DlpAgent/Extensions/DLPKext.kext
/sbin/kextunload /usr/local/McAfee/DlpAgent/Extensions/DlpUSB.kext
/sbin/kextunload /usr/local/McAfee/fmp/Extensions/FileCore.kext
/sbin/kextunload /usr/local/McAfee/fmp/Extensions/NWCore.kext
/sbin/kextunload /usr/local/McAfee/fmp/Extensions/FMPSysCore.kext
echo ""
echo "uninstalling system extensions"
if [ -e /Applications/McAfeeSystemExtensions.app ] ; then
McAfeeNetworkExtensionLoaded=$(/usr/bin/systemextensionsctl list | /usr/bin/grep "McAfee Network Extension")
if [[ -n "$McAfeeNetworkExtensionLoaded" ]]; then
# Prepare to update authorization database to allow system extensions to be uninstalled without password prompt.
ManagementDatabaseUpdatePreparation
# Update authorization database with new settings.
UpdateManagementDatabase
# Uninstall the System Extension
/usr/bin/sudo -u $userName /usr/local/McAfee/fmp/AAC/bin/deactivatesystemextension com.mcafee.CMF.networkextension
# Once the system extensions are uninstalled, the relevant settings for the authorization database will be restored from backup to their prior state.
if [[ -n "$UpdatedAuthorizationSettingInstalled" ]]; then
RestoreManagementDatabase
if [[ -n "$OriginalAuthorizationSettingInstalled" ]]; then
echo "com.apple.system-extensions.admin settings in the authorization database successfully restored to $original_setting."
rm -rf "$management_db_original_setting"
rm -rf "$management_db_edited_setting"
rm -rf "$management_db_check_setting"
fi
fi
fi
fi
echo ""
# unload launch items
echo "unloading launch items"
/bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.McAfeeSafariHost.plist
/bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.menulet.plist
/bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.reporter.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.aac.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.ma.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.macmn.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.macompat.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.dxl.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.Eupdate.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.ScanFactory.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.ScanManager.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.virusscan.fmpcd.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.virusscan.fmpd.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agentMonitor.helper.plist
/usr/bin/killall -c Menulet
/usr/bin/killall -c "McAfee Agent Status Monitor"
/usr/bin/killall -c McAfee\\ Reporter
echo ""
# rm program dirs
echo "removing program dirs"
/bin/rm -rf /usr/local/McAfee/
/bin/rm -rf /opt/McAfee/
/bin/rm -rf /Applications/DataLossPrevention.app/
/bin/rm -rf /Applications/McAfee\\ Endpoint\\ Security\\ for\\ Mac.app/
/bin/rm -rf /Applications/McAfee\\ Endpoint\\ Protection\\ for\\ Mac.app/
/bin/rm -rf /Applications/McAfeeSystemExtensions.app/
/bin/rm -rf /Applications/Utilities/McAfee\\ ePO\\ Remote\\ Provisioning\\ Tool.app/
echo ""
# rm support dirs
echo "removing support dirs"
/bin/rm -rf /Users/Shared/.mcafee
/bin/rm -rf /Library/Application\\ Support/McAfee/
/bin/rm -rf /Library/Documentation/Help/McAfeeSecurity*
/bin/rm -rf /Library/Frameworks/AVEngine.framework/
/bin/rm -rf /Library/Frameworks/VirusScanPreferences.framework/
/bin/rm -rf /Library/Internet\\ Plug-Ins/Web\\ Control.plugin/
/bin/rm -rf /Library/McAfee/
/bin/rm -rf /Quarantine/
echo ""
# rm prefs/launch items
echo "removing prefs and launch items"
/bin/rm -f /Library/Preferences/com.mcafee*
/bin/rm -f /Library/Preferences/.com.mcafee*
/bin/rm -f /Library/LaunchDaemons/com.mcafee*
/bin/rm -f /Library/LaunchAgents/com.mcafee*
/bin/rm -rf /Library/StartupItems/cma/
/bin/rm -f /private/etc/cma.conf
/bin/rm -rf /private/etc/cma.d/
/bin/rm -rf /private/etc/ma.d/
/bin/rm -f /private/etc/init.d/dx
/bin/rm -rf /private/var/McAfee/
/bin/rm -rf /private/var/tmp/.msgbus/
/bin/rm -rf /Users/$userName/Library/Containers/com.McAfee*
/bin/rm -rf /Users/$userName/Library/Application\\ Scripts/com.McAfee*
/bin/rm -rf /Users/$userName/Library/Group\\ Containers/group.com.Mcafee*
/bin/rm -rf /Users/$userName/Library/Preferences/com.mcafee*
/bin/rm -f /Library/Google/Chrome/NativeMessagingHosts/siteadvisor.mcafee.chrome.extension.json
/bin/rm -f /Library/PrivilegedHelperTools/com.mcafee.agentMonitor.helper
echo ""
# rm logs
echo "removing logs"
/bin/rm -f /Library/Logs/Native\\ Encryption.log
/bin/rm -f /Library/Logs/FRP.log
/bin/rm -f /private/var/log/McAfeeSecurity.log*
/bin/rm -f /private/var/log/mcupdater*
/bin/rm -f /private/var/log/MFEdx*
echo ""
# forget receipts
echo "forgetting receipts"
/usr/sbin/pkgutil --forget com.mcafee.dxl
/usr/sbin/pkgutil --forget com.mcafee.mscui
/usr/sbin/pkgutil --forget com.mcafee.mar
/usr/sbin/pkgutil --forget com.mcafee.mvedr
/usr/sbin/pkgutil --forget com.mcafee.pkg.FRP
/usr/sbin/pkgutil --forget com.mcafee.pkg.MNE
/usr/sbin/pkgutil --forget com.mcafee.pkg.StatefulFirewall
/usr/sbin/pkgutil --forget com.mcafee.pkg.utility
/usr/sbin/pkgutil --forget com.mcafee.pkg.WebProtection
/usr/sbin/pkgutil --forget com.mcafee.ssm.atp
/usr/sbin/pkgutil --forget com.mcafee.ssm.fmp
/usr/sbin/pkgutil --forget com.mcafee.ssm.mcp
/usr/sbin/pkgutil --forget com.mcafee.ssm.dlp
/usr/sbin/pkgutil --forget com.mcafee.virusscan
/usr/sbin/pkgutil --forget comp.nai.cmamac
echo ""
# remove users/groups
echo "removing user and groups"
/usr/bin/dscl . delete /Users/mfe
/usr/bin/dscl . delete /Groups/mfe
/usr/bin/dscl . delete /Groups/Virex
echo ""
##mcafee support article: KB88461
#cd /usr/local/
#rm –rf McAfee/
#cd /Library/Application\\ Support/
#rm –rf McAfee/
#cd /Library/LaunchDaemons/
#rm –rf com.mcafee.*
#cd /Library/LaunchAgents/
#rm –rf com.mcafee.*
#cd /Library/Preferences/
#rm –rf com.mcafee.*
exit 0
The RipOff-McAfee script has been updated to use the method @rich.trouton documented for suppressing the user authorization prompt when removing a System Extension on macOS Catalina, Big Sur, and Monterey:
#!/bin/bash
## RipOff-McAfee.sh
## version 2.3
##
## Author: Adam Scheblein, McAfee IT
## E-Mail: adam_scheblein@mcafee.com
##
## version 2.1 mods by Steve Dagley <@sdagley Jamf Nation/Twitter/MacAdmins Slack>
## Updated launchctl calls to use bootout instead of unload
## Remove Privileged HelperTool added with ENS 10.7.1
## Kill McAfee Agent Status Monitor when unloading launch items
##
## version 2.2 mods by Adam Scheblein
## Removes system extension
## Kill McAfee Reporter when unloading launch items
##
## version 2.3 mods by Steve Dagley <@sdagley Jamf Nation/Twitter/MacAdmins Slack>
## If McAfee Network Extension is loaded remove it without prompting for user approval
## Uses method documented by @rtrouten's post:
## https://derflounder.wordpress.com/2021/10/26/silently-uninstalling-system-extensions-on-macos-monterey-and-earlier/
# Temp plist files used for import and export from authorization database.
management_db_original_setting="$(mktemp).plist"
management_db_edited_setting="$(mktemp).plist"
management_db_check_setting="$(mktemp).plist"
# Expected settings from management database for com.apple.system-extensions.admin
original_setting="authenticate-admin-nonshared"
updated_setting="allow"
ManagementDatabaseUpdatePreparation() {
# Create temp plist files
touch "$management_db_original_setting"
touch "$management_db_edited_setting"
touch "$management_db_check_setting"
# Create backup of the original com.apple.system-extensions.admin settings from the management database
/usr/bin/security authorizationdb read com.apple.system-extensions.admin > "$management_db_original_setting"
# Create copy of the original com.apple.system-extensions.admin settings from the management database for editing.
/usr/bin/security authorizationdb read com.apple.system-extensions.admin > "$management_db_edited_setting"
}
UpdateManagementDatabase() {
if [[ -r "$management_db_edited_setting" ]] && [[ $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_edited_setting") = "$original_setting" ]]; then
/usr/libexec/PlistBuddy -c "Set rule:0 $updated_setting" "$management_db_edited_setting"
if [[ $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_edited_setting" ) = "$updated_setting" ]]; then
echo "Edited $management_db_edited_setting is set to allow system extensions to be uninstalled without password prompt."
echo "Now importing setting into authorization database."
/usr/bin/security authorizationdb write com.apple.system-extensions.admin < "$management_db_edited_setting"
if [[ $? -eq 0 ]]; then
echo "Updated setting successfully imported."
UpdatedAuthorizationSettingInstalled="true"
fi
else
echo "Failed to update $management_db_edited_setting file with the correct setting to allow system extension uninstallation without prompting for admin credentials."
fi
fi
}
RestoreManagementDatabase() {
/usr/bin/security authorizationdb read com.apple.system-extensions.admin > "$management_db_check_setting"
if [[ ! $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_check_setting") = "$original_setting" ]]; then
if [[ -r "$management_db_original_setting" ]] && [[ $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_original_setting") = "$original_setting" ]]; then
echo "Restoring original settings to allow system extension uninstallation only after prompting for admin credentials."
echo "Now importing setting into authorization database."
/usr/bin/security authorizationdb write com.apple.system-extensions.admin < "$management_db_original_setting"
if [[ $? -eq 0 ]]; then
echo "Original setting successfully imported."
OriginalAuthorizationSettingInstalled=1
fi
else
echo "Failed to update the authorization database with the correct setting to allow system extension uninstallation only after prompting for admin credentials."
fi
fi
}
# This script has been verified to work on McAfee Endpoint Security 10 for Mac.
# It supports uninstalls through ENSM 10.7.5, and removes all McProducts.
#get current user name and ID
userName=$(/bin/echo 'show State:/Users/ConsoleUser' | /usr/sbin/scutil | /usr/bin/awk '/Name / { print $3 }')
# stop running processes
echo "stopping running processes"
/usr/local/McAfee/DlpAgent/bin/DlpAgentControl.sh mastop
/usr/local/McAfee/AntiMalware/VSControl mastop
/usr/local/McAfee/StatefulFirewall/bin/StatefullFirewallControl mastop
/usr/local/McAfee/WebProtection/bin/WPControl mastop
/usr/local/McAfee/atp/bin/ATPControl mastop
/usr/local/McAfee/FRP/bin/FRPControl mastop
/usr/local/McAfee/Mar/MarControl stop
/usr/local/McAfee/mvedr/MVEDRControl stop
/usr/local/McAfee/Mcp/bin/mcpcontrol.sh mastop
/usr/local/McAfee/MNE/bin/MNEControl mastop
/usr/local/McAfee/fmp/bin/fmp stop
/opt/McAfee/dx/bin/dxlservice stop
/Library/McAfee/agent/bin/maconfig -stop
echo ""
# unload kexts
echo "unloading kexts"
/sbin/kextunload /Library/Application\\ Support/McAfee/AntiMalware/AVKext.kext
/sbin/kextunload /Library/Application\\ Support/McAfee/FMP/mfeaac.kext
/sbin/kextunload /Library/Application\\ Support/McAfee/FMP/FileCore.kext
/sbin/kextunload /Library/Application\\ Support/McAfee/FMP/FMPSysCore.kext
/sbin/kextunload /Library/Application\\ Support/McAfee/StatefulFirewall/SFKext.kext
/sbin/kextunload /usr/local/McAfee/AntiMalware/Extensions/AVKext.kext
/sbin/kextunload /usr/local/McAfee/StatefulFirewall/Extensions/SFKext.kext
/sbin/kextunload /usr/local/McAfee/Mcp/MCPDriver.kext
/sbin/kextunload /usr/local/McAfee/DlpAgent/Extensions/DLPKext.kext
/sbin/kextunload /usr/local/McAfee/DlpAgent/Extensions/DlpUSB.kext
/sbin/kextunload /usr/local/McAfee/fmp/Extensions/FileCore.kext
/sbin/kextunload /usr/local/McAfee/fmp/Extensions/NWCore.kext
/sbin/kextunload /usr/local/McAfee/fmp/Extensions/FMPSysCore.kext
echo ""
echo "uninstalling system extensions"
if [ -e /Applications/McAfeeSystemExtensions.app ] ; then
McAfeeNetworkExtensionLoaded=$(/usr/bin/systemextensionsctl list | /usr/bin/grep "McAfee Network Extension")
if [[ -n "$McAfeeNetworkExtensionLoaded" ]]; then
# Prepare to update authorization database to allow system extensions to be uninstalled without password prompt.
ManagementDatabaseUpdatePreparation
# Update authorization database with new settings.
UpdateManagementDatabase
# Uninstall the System Extension
/usr/bin/sudo -u $userName /usr/local/McAfee/fmp/AAC/bin/deactivatesystemextension com.mcafee.CMF.networkextension
# Once the system extensions are uninstalled, the relevant settings for the authorization database will be restored from backup to their prior state.
if [[ -n "$UpdatedAuthorizationSettingInstalled" ]]; then
RestoreManagementDatabase
if [[ -n "$OriginalAuthorizationSettingInstalled" ]]; then
echo "com.apple.system-extensions.admin settings in the authorization database successfully restored to $original_setting."
rm -rf "$management_db_original_setting"
rm -rf "$management_db_edited_setting"
rm -rf "$management_db_check_setting"
fi
fi
fi
fi
echo ""
# unload launch items
echo "unloading launch items"
/bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.McAfeeSafariHost.plist
/bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.menulet.plist
/bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.reporter.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.aac.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.ma.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.macmn.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.macompat.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.dxl.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.Eupdate.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.ScanFactory.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.ScanManager.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.virusscan.fmpcd.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.virusscan.fmpd.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agentMonitor.helper.plist
/usr/bin/killall -c Menulet
/usr/bin/killall -c "McAfee Agent Status Monitor"
/usr/bin/killall -c McAfee\\ Reporter
echo ""
# rm program dirs
echo "removing program dirs"
/bin/rm -rf /usr/local/McAfee/
/bin/rm -rf /opt/McAfee/
/bin/rm -rf /Applications/DataLossPrevention.app/
/bin/rm -rf /Applications/McAfee\\ Endpoint\\ Security\\ for\\ Mac.app/
/bin/rm -rf /Applications/McAfee\\ Endpoint\\ Protection\\ for\\ Mac.app/
/bin/rm -rf /Applications/McAfeeSystemExtensions.app/
/bin/rm -rf /Applications/Utilities/McAfee\\ ePO\\ Remote\\ Provisioning\\ Tool.app/
echo ""
# rm support dirs
echo "removing support dirs"
/bin/rm -rf /Users/Shared/.mcafee
/bin/rm -rf /Library/Application\\ Support/McAfee/
/bin/rm -rf /Library/Documentation/Help/McAfeeSecurity*
/bin/rm -rf /Library/Frameworks/AVEngine.framework/
/bin/rm -rf /Library/Frameworks/VirusScanPreferences.framework/
/bin/rm -rf /Library/Internet\\ Plug-Ins/Web\\ Control.plugin/
/bin/rm -rf /Library/McAfee/
/bin/rm -rf /Quarantine/
echo ""
# rm prefs/launch items
echo "removing prefs and launch items"
/bin/rm -f /Library/Preferences/com.mcafee*
/bin/rm -f /Library/Preferences/.com.mcafee*
/bin/rm -f /Library/LaunchDaemons/com.mcafee*
/bin/rm -f /Library/LaunchAgents/com.mcafee*
/bin/rm -rf /Library/StartupItems/cma/
/bin/rm -f /private/etc/cma.conf
/bin/rm -rf /private/etc/cma.d/
/bin/rm -rf /private/etc/ma.d/
/bin/rm -f /private/etc/init.d/dx
/bin/rm -rf /private/var/McAfee/
/bin/rm -rf /private/var/tmp/.msgbus/
/bin/rm -rf /Users/$userName/Library/Containers/com.McAfee*
/bin/rm -rf /Users/$userName/Library/Application\\ Scripts/com.McAfee*
/bin/rm -rf /Users/$userName/Library/Group\\ Containers/group.com.Mcafee*
/bin/rm -rf /Users/$userName/Library/Preferences/com.mcafee*
/bin/rm -f /Library/Google/Chrome/NativeMessagingHosts/siteadvisor.mcafee.chrome.extension.json
/bin/rm -f /Library/PrivilegedHelperTools/com.mcafee.agentMonitor.helper
echo ""
# rm logs
echo "removing logs"
/bin/rm -f /Library/Logs/Native\\ Encryption.log
/bin/rm -f /Library/Logs/FRP.log
/bin/rm -f /private/var/log/McAfeeSecurity.log*
/bin/rm -f /private/var/log/mcupdater*
/bin/rm -f /private/var/log/MFEdx*
echo ""
# forget receipts
echo "forgetting receipts"
/usr/sbin/pkgutil --forget com.mcafee.dxl
/usr/sbin/pkgutil --forget com.mcafee.mscui
/usr/sbin/pkgutil --forget com.mcafee.mar
/usr/sbin/pkgutil --forget com.mcafee.mvedr
/usr/sbin/pkgutil --forget com.mcafee.pkg.FRP
/usr/sbin/pkgutil --forget com.mcafee.pkg.MNE
/usr/sbin/pkgutil --forget com.mcafee.pkg.StatefulFirewall
/usr/sbin/pkgutil --forget com.mcafee.pkg.utility
/usr/sbin/pkgutil --forget com.mcafee.pkg.WebProtection
/usr/sbin/pkgutil --forget com.mcafee.ssm.atp
/usr/sbin/pkgutil --forget com.mcafee.ssm.fmp
/usr/sbin/pkgutil --forget com.mcafee.ssm.mcp
/usr/sbin/pkgutil --forget com.mcafee.ssm.dlp
/usr/sbin/pkgutil --forget com.mcafee.virusscan
/usr/sbin/pkgutil --forget comp.nai.cmamac
echo ""
# remove users/groups
echo "removing user and groups"
/usr/bin/dscl . delete /Users/mfe
/usr/bin/dscl . delete /Groups/mfe
/usr/bin/dscl . delete /Groups/Virex
echo ""
##mcafee support article: KB88461
#cd /usr/local/
#rm –rf McAfee/
#cd /Library/Application\\ Support/
#rm –rf McAfee/
#cd /Library/LaunchDaemons/
#rm –rf com.mcafee.*
#cd /Library/LaunchAgents/
#rm –rf com.mcafee.*
#cd /Library/Preferences/
#rm –rf com.mcafee.*
exit 0Hi @sdagley
Thanks for the script. Is this script still valid or any changes required.
Looking forward for your replay.
Hi @sdagley
Thanks for the script. Is this script still valid or any changes required.
Looking forward for your replay.
@smkarthickraja Yes, it's still working.
Thanks :)
Reply
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.