@dlondon
I'm using the following script on version 1.12. It runs without any prompt to the user. I use it as we moved to Cortex. As you can see it is manually removing everything rather than using the uninstaller.
killall "AMP for Endpoints Connector"
sudo dscl . -delete /Users/cisco-amp-scan-svc
sudo dscl . -delete /Groups/cisco-amp-scan-svc
/bin/launchctl unload /Library/LaunchAgents/com.cisco.amp.agent.plist
sudo /bin/launchctl unload /Library/LaunchDaemons/com.cisco.amp.daemon.plist
sudo /bin/launchctl list com.cisco.amp.daemon
sudo /bin/launchctl unload /Library/LaunchDaemons/com.cisco.amp.updater.plist
sudo /bin/launchctl list com.cisco.amp.updater
sudo /sbin/kextunload -b com.cisco.amp.fileop
sudo /sbin/kextunload -b com.cisco.amp.nke
sudo /usr/sbin/kextstat -l | grep com.cisco.amp
sudo rm -rf "/Applications/Cisco AMP"
sudo rm -rf /Library/Extensions/ampfileop.kext
sudo rm -rf /Library/Extensions/ampnetworkflow.kext
sudo rm -rf "/Library/Application Support/Cisco/AMP for Endpoints Connector"
sudo rm -rf /opt/cisco/amp/
sudo rm -f /Library/Logs/Cisco/amp*
sudo rm -f /var/run/ampdaemon.pid
sudo rm -f /Library/LaunchAgents/com.cisco.amp.agent.plist
sudo rm -f /Library/LaunchDaemons/com.cisco.amp.daemon.plist
sudo rm -f /Library/LaunchDaemons/com.cisco.amp.updater.plist
sudo pkgutil --forget com.cisco.amp.agent
sudo pkgutil --forget com.cisco.amp.daemon
sudo pkgutil --forget com.cisco.amp.kextsigned
sudo pkgutil --forget com.cisco.amp.kextunsigned
sudo pkgutil --forget com.cisco.amp.support
sudo pkgutil --forget com.sourcefire.amp.agent
sudo pkgutil --forget com.sourcefire.amp.daemon
sudo pkgutil --forget com.sourcefire.amp.kextsigned
sudo pkgutil --forget com.sourcefire.amp.kextunsigned
sudo pkgutil --forget com.sourcefire.amp.support
rm -f ~/Library/Preferences/SourceFire-Inc.FireAMPMac.plist
rm -f ~/Library/Preferences/Cisco-Inc.AMP-for-EndpointsConnector.plist
Hi @geoff.widdowson Thanks for the reply but your uninstall routine is for the AMP versions before 1.14.0. Please have a look at the link I put in my initial post. Your method is the manual method they show for pre 1.14.0. I first twigged that there was a bit of a shift when I saw the folder in /Applications had changed name to /Applications/Cisco AMP for Endpoints. The thing that is a big change is the use of System Extensions instead of Kernel Extensions. I think that when their uninstall package is run, the prompt is an extra layer of security - like a "do you really want to delete this file". I tried command line removal of the two System Extensions using the Mac OS command line tool systemextensionsctl as root:
able-004409:~ root# systemextensionsctl uninstall DE8Y96K9QP com.cisco.endpoint.svc.networkextension
At this time, this tool cannot be used if System Integrity Protection is enabled.
This limitation will be removed in the near future.
Please remember to re-enable System Integrity Protection!
That led me as it quite often does to Rich Trouton (thanks @rtrouton ) and his post here: https://derflounder.wordpress.com/2020/09/01/uninstalling-macos-system-extensions/
It looks like this has been known about since the beginning of September.
My test machine is on Mac OS 10.15.7 - fully patched including the supplementary patch.
Came here to say I'm having the same issue on an 11.1 machine.
I'm running into the same issue today. I hope someone finds a solution!
I'm interested in this same process. Following.
Tossing my hat in the ring as another AMP customer that wants to silently uninstall. (So I can then turn around and reinstall with another Jamf policy) Pushing the uninstaller .pkg used to work like a charm, not anymore. Both it & scripted removal trigger end user authentication prompts.
If I can't do this to clear faulted clients anymore, my guys that support our users are going to be not very happy.
This is an Apple issue as they require user authentication to remove a System Extension. Raise this with Apple.
So we've just done this painfully but managed to do it...(I'll post the theory)
Any machines below macOS 10.15 can automatically uninstall AMP by invoking the Uninstaller via script (no sys extension) - Silent no additional helpers etc required
Any machines above 10.15 (sys extensions) will require an additional jamfHelper to alert the user that they need to remove AMP.
When they click OK it launches the uninstaller and then the user completes the removal themselves.
The script that contains the helper also contains another script that makes the user a temporary admin (which gives them the rights to remove AMP from the machine). At the end of the script run, if they weren't an admin before, it'll return them back to a Standard user.
@Sachin_Parmar Any chance you will share the script with us? Our entire org is on Big Sur and our small group of Jamf admins (myself included) are stuck at the moment. Doesn't help that no one has Mac admin experience so we have been learning in a trial by fire method and it's brutal.
@dlondon @user-NTKbCXOtlH
- Devices running AMP 1.14 on lower than macOS 10.15 (not less than or equal)
#!/bin/sh
#Remove Cisco AMP
sudo installer -pkg "/Applications/Cisco AMP/Uninstall AMP for Endpoints Connector.pkg" -target /
- Devices running AMP 1.14 on macOS 10.15 or Higher
Uses this as a pre-req - https://github.com/kc9wwh/MakeMeAdminPy/blob/master/grantTempAdmin.py
#!/bin/bash
sudo /usr/local/bin/jamf policy -event temporaryAdmin #elevate user if they're not admin users temporarily
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
messageToDisplay="We've detected that you're running Cisco AMP for Endpoints on your machine.
Due to a current Apple macOS limitation we're unable to proactively and automatically remove Cisco AMP for Endpoints from your machine, which means this needs to be removed manually by yourself.
Clicking OK, will launch the uninstaller for Cisco AMP for Endpoints.
During this process you'll be prompted to provide your mac username and password a couple of times.
If you have any questions please message [Slack channel #XXXXXXXXX]" #AMEND NOTIFICATION WHERE NEEDED
result=$("$jamfHelper" -windowType utility -description "$messageToDisplay" -button1 "OK" -icon '/tmp/CAMPLogo.png')
count=$((count))
if [[ $result == 0 ]]; then
open "/Applications/Cisco AMP for Endpoints/Uninstall AMP for Endpoints Connector.pkg"
fi
rm '/tmp/CAMPLogo.png'
until [ ! -f "/Applications/Cisco AMP for Endpoints/acknowledgement.txt" ]
do
sleep 2
((count=count+1))
echo "Sleeping"
echo $count
if [ $count == 180 ]; then
exit 1
fi
done
exit 0
Credit - @brenden.rea & @david.anderson
The counter below is to give the user enough time to do the uninstall. If they do it in the time frame then we return exit 0, or if they completely ignore it we return an exit 1 (fail) and have 4 x retries on jamf policy. We also have a separate PKG which just puts the logo in /tmp/.
I would caveat this entire process and say it's also worth thoroughly communicating this properly with the business to make them aware it was coming so when the pop up did appear they weren't caught off guard.
Just to update here, We got help from one of our vendors (ManageEngine-Endpoint Central) who managed to prepare a script for silent uninstallation of Cisco AMP to any of the latest macOS, simply works like a charm. Hope this helps you as well.
#!/bin/bash
uninstallCiscoAMP() {
#The uninstall procedure for Mac connector versions 1.18.0 and newer varies depending on the version of macOS being used.
#To manually uninstall Mac connector, run the following commands:
#/bin/launchctl unload /Library/LaunchAgents/com.cisco.amp.agent.plist
#If this does not stop the menulet, click on it and select Quit Secure Endpoint connector.
currentUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ { print $3 }' )
uid=$(id -u "$currentUser")
/bin/launchctl asuser "$uid" sudo -u "$currentUser" /bin/launchctl unload /Library/LaunchAgents/com.cisco.amp.agent.plist
sudo /bin/launchctl unload /Library/LaunchDaemons/com.cisco.amp.daemon.plist
sudo /bin/launchctl list com.cisco.amp.daemon
#This should yield the message: Could not find service.
sudo /bin/launchctl unload /Library/LaunchDaemons/com.cisco.amp.updater.plist
sudo /bin/launchctl list com.cisco.amp.updater
#This should yield the message: Could not find service "com.cisco.amp.updater" in domain for system.
#For macOS versions 10.15 and older:
sudo /sbin/kextunload -b com.cisco.amp.fileop
#For macOS versions 10.15 and older:
sudo /sbin/kextunload -b com.cisco.amp.nke
#For macOS versions 10.15 and older:
sudo /usr/sbin/kextstat -l | grep com.cisco.amp
#This should yield an empty list.
#For macOS versions 11 and newer:
/Applications/Cisco\ Secure\ Endpoint/Secure\ Endpoint\ Service.app/Contents/MacOS/Secure\ Endpoint\ Service deactivate endpoint_security
#Enter password when prompted. Note that this step cannot be executed remotely as the local user is required to enter the password.
#For macOS versions 11 and newer:
/Applications/Cisco\ Secure\ Endpoint/Secure\ Endpoint\ Service.app/Contents/MacOS/Secure\ Endpoint\ Service deactivate content_filter
#Enter password when prompted. Note that this step cannot be executed remotely as the local user is required to enter the password.
#For macOS versions 11 and newer:
systemextensionsctl list | grep com.cisco.endpoint.svc
#All system extensions for com.cisco.endpoint.svc.networkextension and com.cisco.endpoint.svc.securityextension should be listed with "[terminated waiting to uninstall on reboot]."
#For macOS versions 10.15 and older:
sudo rm -rf "/Applications/Cisco Secure Endpoint"
#For macOS versions 10.15 and older:
sudo rm -rf /Library/Extensions/ampfileop.kext
#For macOS versions 10.15 and older:
sudo rm -rf /Library/Extensions/ampnetworkflow.kext
sudo rm -rf "/Library/Application Support/Cisco/Secure Endpoint"
sudo rm -rf /opt/cisco/amp/
sudo rm -f /Library/Logs/Cisco/amp*
sudo rm -f /var/run/ampdaemon.pid
sudo rm -f /Library/LaunchAgents/com.cisco.amp.agent.plist
sudo rm -f /Library/LaunchDaemons/com.cisco.amp.daemon.plist
sudo rm -f /Library/LaunchDaemons/com.cisco.amp.updater.plist
sudo pkgutil --forget com.cisco.amp.agent
sudo pkgutil --forget com.cisco.amp.daemon
sudo pkgutil --forget com.cisco.amp.kextsigned
sudo pkgutil --forget com.cisco.amp.kextunsigned
sudo pkgutil --forget com.cisco.amp.support
sudo pkgutil --forget com.sourcefire.amp.agent
sudo pkgutil --forget com.sourcefire.amp.daemon
sudo pkgutil --forget com.sourcefire.amp.kextsigned
sudo pkgutil --forget com.sourcefire.amp.kextunsigned
sudo pkgutil --forget com.sourcefire.amp.support
#For each user, remove the following directory if it exists:
rm -f ~/Library/Preferences/SourceFire-Inc.FireAMP-Mac.plist
#For each user, remove the following directory if it exists:
rm -f ~/Library/Preferences/Cisco-Inc.AMP-for-Endpoints-Connector.plist
}
doNotPromptForSysExt() {
security -v authorizationdb write com.apple.system-extensions.admin is-root
}
restoreDoNotPromptForSysExt() {
security -v authorizationdb write com.apple.system-extensions.admin authenticate-admin-nonshared
}
removingBasedOnObservation() {
echo "Removing Based on Oberservation"
sudo rm -rf "/Library/Application Support/Cisco"
sudo rm -f "/Library/LaunchDaemons/com.cisco.amp.orbitalupdater.plist"
echo "Done."
}
echo "Do Not Prompt Sys Ext"
doNotPromptForSysExt
echo "Do Not Prompt Sys Ext Done"
echo "Uninstall Cisco AMP"
uninstallCiscoAMP
echo "End of Uninstall Cisco AMP"
echo "Restore Do Not Prompt Sys Ext"
restoreDoNotPromptForSysExt
echo "Restore Do Not Prompt Sys Ext Done"
removingBasedOnObservation
exit 0
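The script above rewrites the `com.apple.system-extensions.admin` right to `is-root` and restores it afterwards, so if the run is interrupted between those two steps the right stays relaxed. The read-only audit below is an added example, not part of the original post or the vendor's script; its function names are hypothetical and it assumes the plist layout that `security authorizationdb read` prints for a right of class "rule".

```shell
#!/bin/bash
# Added example: audit the authorization right that the script above rewrites.
# EXPECTED_RULE is the value the page's script restores the right to.
RIGHT="com.apple.system-extensions.admin"
EXPECTED_RULE="authenticate-admin-nonshared"

# Print the rule name(s) listed under <key>rule</key> in a plist read from stdin.
# Assumption: layout as printed by `security authorizationdb read` for class "rule".
rules_from_plist() {
    awk '
        /<key>rule<\/key>/ { in_rule = 1; next }
        in_rule && /<\/array>/ { exit }
        in_rule && /<string>/ {
            gsub(/^[ \t]*<string>|<\/string>[ \t]*$/, "")
            print
        }'
}

# Classify a plist on stdin: prints OK, WEAKENED:<rule> or UNKNOWN; returns 0 only for OK.
classify_right() {
    local rules
    rules=$(rules_from_plist)
    if [ -z "$rules" ]; then
        echo "UNKNOWN"; return 2
    elif [ "$rules" = "$EXPECTED_RULE" ]; then
        echo "OK"; return 0
    fi
    echo "WEAKENED:$(echo "$rules" | tr '\n' ',' | sed 's/,$//')"
    return 1
}

# Constructed sample: the right as it looks while the "is-root" rule is in place.
sample_weakened() {
    cat <<'EOF'
<dict>
	<key>class</key>
	<string>rule</string>
	<key>rule</key>
	<array>
		<string>is-root</string>
	</array>
</dict>
EOF
}

# On a Mac, check the live right (read-only); elsewhere only the functions are defined.
if [ "$(uname)" = "Darwin" ] && command -v security >/dev/null 2>&1; then
    security authorizationdb read "$RIGHT" 2>/dev/null | classify_right
fi
```

Run as a post-uninstall step or inventory check, a non-zero exit flags a machine where the right was not restored.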
Hey bg_194,
just a real quick question without testing this script...
Is it really silent? I see parts where it says
#Enter password when prompted. Note that this step cannot be executed remotely as the local user
We wanna get rid of Cisco AMP for multiple Devices and need a real silent option for this.
Thank you!