Removing Cisco AMP version 1.14.0 or newer

@dlondon I'm using the following script on version 1.12. It runs without any prompt to user. I use it as we moved to Cortex. As you can see it is manually removing everything rather than use the uninstaller.

killall AMP for Endpoints Connector
sudo dscl .-delete /Users/cisco-amp-scan-svc
sudo dscl . -delete /Groups/cisco-amp-scan-svc
/bin/launchctl unload /Library/LaunchAgents/com.cisco.amp.agent.plist
sudo /bin/launchctl unload /Library/LaunchDaemons/com.cisco.amp.daemon.plist
sudo /bin/launchctl list com.cisco.amp.daemon
sudo /bin/launchctl unload /Library/LaunchDaemons/com.cisco.amp.updater.plist
sudo /bin/launchctl list com.cisco.amp.updater
sudo /sbin/kextunload -b com.cisco.amp.fileop
sudo /sbin/kextunload -b com.cisco.amp.nke
sudo /usr/sbin/kextstat -l | grep com.cisco.amp
sudo rm -rf "/Applications/Cisco AMP"
sudo rm -rf /Library/Extensions/ampfileop.kext
sudo rm -rf /Library/Extensions/ampnetworkflow.kext
sudo rm -rf "/Library/Application Support/Cisco/AMP for Endpoints Connector"
sudo rm -rf /opt/cisco/amp/
sudo rm -f /Library/Logs/Cisco/amp*
sudo rm -f /var/run/ampdaemon.pid
sudo rm -f /Library/LaunchAgents/com.cisco.amp.agent.plist
sudo rm -f /Library/LaunchDaemons/com.cisco.amp.daemon.plist
sudo rm -f /Library/LaunchDaemons/com.cisco.amp.updater.plist
sudo pkgutil --forget com.cisco.amp.agent
sudo pkgutil --forget com.cisco.amp.daemon
sudo pkgutil --forget com.cisco.amp.kextsigned
sudo pkgutil --forget com.cisco.amp.kextunsigned
sudo pkgutil --forget com.cisco.amp.support
sudo pkgutil --forget com.sourcefire.amp.agent
sudo pkgutil --forget com.sourcefire.amp.daemon
sudo pkgutil --forget com.sourcefire.amp.kextsigned
sudo pkgutil --forget com.sourcefire.amp.kextunsigned
sudo pkgutil --forget com.sourcefire.amp.support
rm -f ~/Library/Preferences/SourceFire-Inc.FireAMPMac.plist
rm -f ~/Library/Preferences/Cisco-Inc.AMP-for-EndpointsConnector.plist

Hi @geoff.widdowson Thanks for the reply but your uninstall routine is for the AMP versions before 1.14.0. Please have a look at the link I put in my initial post. Your method is the manual method they show for pre 1.14.0. I first twigged that there was a bit of a shift when I saw the folder in /Applications had changed name to /Applications/Cisco AMP for Endpoints. The thing that is a big change is the use of System Extensions instead of Kernel Extensions. I think that when their uninstall package is run, the prompt is an extra layer of security - like a "do you really want to delete this file". I tried command line removal of the the two System Extensions using the Mac OS command line tool systemextensionsctl as root

able-004409:~ root# systemextensionsctl uninstall DE8Y96K9QP com.cisco.endpoint.svc.networkextension At this time, this tool cannot be used if System Integrity Protection is enabled. This limitation will be removed in the near future. Please remember to re-enable System Integrity Protection!

That led me as it quite often does to Rich Trouton (thanks @rtrouton ) and his post here: https://derflounder.wordpress.com/2020/09/01/uninstalling-macos-system-extensions/

It looks like this has been known about since the beginning of September.

My test machine is on Mac OS 10.15.7 - fully patched including the supplementary patch.

Came here to say I'm having the same issue on and 11.1 machine.

I'm running into the same issue today. I hope someone finds a solution!

I'm interested in this same process. Following.

Tossing my hat in the ring as another AMP customer that wants to silently uninstall. (So I can then turn around and reinstall with another Jamf policy) Pushing the uninstaller .pkg used to work like a charm, not anymore. Both it & scripted removal trigger end user authentication prompts.

If I can't do this to clear faulted clients anymore, my guys that support our users are going to be not very happy.

This is an Apple issue as they require user authentication to remove a System Extension. Raise this with Apple.

So we've just done this painfully but managed to do it...(I'll post the theory)

1. Any machines below macOS 10.15 can automatically uninstall AMP by invoking the Uninstaller via script (no sys extension) - Silent no additional helpers etc required

2. Any machines above 10.15 (sys extensions) will require an additional jamfHelper to alerts the User they need to remove AMP.

When they click OK it launches the uninstaller and then the user completes the removal themselves.

The script that contains the helper also contains another script that makes the user a temporary admin (which gives them the rights to remove AMP from the machine) at the end of the script run if they weren't a admin before it'll return them back to a Standard user.

@Sachin_Parmar Any chance you will share the script with us? Our entire org is on Big Sur and our small group of Jamf admins are at (myself included) are stuck at the moment. Doesn't help that no one has Mac admin experience so we have been learning in a trail by fire method and its brutal.

@dlondon @user-NTKbCXOtlH

• Devices running AMP 1.14 on lower than macOS 10.15 (not less than or equal)

#!/bin/sh
#Remove Cisco AMP
sudo installer -pkg /Applications/Cisco AMP/Uninstall AMP for Endpoints Connector.pkg -target /

- Devices running AMP 1.14 on macOS 10.15 or Higher
Uses this as a pre-req - https://github.com/kc9wwh/MakeMeAdminPy/blob/master/grantTempAdmin.py

#!/bin/bash
sudo /usr/local/bin/jamf policy -event temporaryAdmin #elevate user if they're not admin users temporarily

jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" 
messageToDisplay="We've detected that you're running Cisco AMP for Endpoints on your machine. 
Due to a current Apple macOS limitation we're unable to proactively and automatically remove Cisco AMP for Endpoints from your machine, which means this needs to be removed manually by yourself.

Clicking OK, will launch the uninstaller for Cisco AMP for Endpoints.
During this process you'll be prompted to provide your mac username and password a couple of times.

If you have any questions please message [Slack channel #XXXXXXXXX]" #AMEND NOTIFICATION WHERE NEEDED

result=$("$jamfHelper" -windowType utility -description "$messageToDisplay" -button1 "OK" -icon '/tmp/CAMPLogo.png')
count=$((count))

    if [[ $result == 0 ]]; then
        open "/Applications/Cisco AMP for Endpoints/Uninstall AMP for Endpoints Connector.pkg"
    fi

    rm '/tmp/CAMPLogo.png'

    until [ ! -f "/Applications/Cisco AMP for Endpoints/acknowledgement.txt" ]
    do
        sleep 2
        ((count=count+1))
        echo "Sleeping"
        echo $count
        if [ $count == 180 ]; then
            exit 1
        fi
    done

exit 0

Credit - @brenden.rea & @david.anderson

The counter below is to give the user enough time to do the uninstall if they do it in the time frame then we return exit 0 or if they completely ignore it we return a exit 1 (fail) and have 4 x retries on jamf policy. We also have a seperate PKG which just puts the logo in /tmp/.

I would caveat this entire process and say it's also worth throughly communicating this properly with the business to make them aware it was coming so when the pop up did appear they weren't caught off guard.

Just to update here, We got help from one of our vendors (ManageEngine-Endpoint Central) who managed to prepare a script for silent uninstallation of Cisco AMP to any of the latest macOS, simply works like a charm.  Hope this helps you as well.

Hey bg_194,

just a real quick question without testing this script...
Is it really silent? I see parts where it says

#Enter password when prompted. Note that this step cannot be executed remotely as the local user 

We wanna get rid of Cisco AMP for multiple Devices and need a real silent option for this.


Thank you!