Uninstall Cortex XDR

Question

Hey Jamf Nation,
I'm currently trying to uninstall Cortex XDR from company devices, but I'm encountering an error that says "Uninstaller not found." The uninstaller is located in the folder '/Library/Application Support/PaloAltoNetworks/Traps/bin/'.
Do you have any recommendations or suggestions? Here is my script for the uninstallation:
#!/bin/bash
# Set your master key here
MASTER_KEY="master-key-here"
 
# Path to the uninstaller app
UNINSTALLER_APP="/Library/Application\ Support/PaloAltoNetworks/Traps/bin"
 
# Check if the uninstaller exists
if [ ! -d "$UNINSTALLER_APP" ]; then
  echo "Uninstaller not found at $UNINSTALLER_APP"
  exit 1
fi
 
# Launch the uninstaller and enter the tamper protection key
osascript <<EOF
tell application "$UNINSTALLER_APP"
 activate
end tell
 
delay 2
 
tell application "System Events"
 tell process "Cortex XDR Uninstaller"
 repeat until exists window 1
 delay 1
 end repeat
 
 set frontmost to true
 
 # Enter the tamper protection key
 set value of text field 1 of window 1 to "$MASTER_KEY"
 click button "Uninstall" of window 1
 end tell
end tell
EOF

easyedc · Accepted Answer

Cortex has a K-Base article on their uninstaller workflow - https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/8.6/Cortex-XDR-Agent-Administrator-Guide/Uninstall-the-Cortex-XDR-Agent-for-Mac

I took that info and wrote a script based on the steps.

#!/bin/sh

#  Cortex XDR Uninstaller with variable password.sh
#
#  Created by Ed C. on 1/24/25.
#
#####################
#   Pulling from the KBase here
#   https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/8.6/Cortex-XDR-Agent-Administrator-Guide/Uninstall-the-Cortex-XDR-Agent-for-Mac
#####################
#   Using the command here
#   /Library/Application\\ Support/PaloAltoNetworks/Traps/bin/cortex_xdr_uninstaller_tool --help
#   Usage:
#   Get password from stdin: cortex_xdr_uninstaller_tool
#   Get password from command line: cortex_xdr_uninstaller_tool <password>
#   Will pass the password as a Jamf parameter for $4
#####################

#####################
#   Begin work
#####################

XDR_Token=$4
/Library/Application\\ Support/PaloAltoNetworks/Traps/bin/cortex_xdr_uninstaller_tool $XDR_Token

# Check if the directory is empty and remove it if it is
if [ -d "/Library/Application Support/PaloAltoNetworks" ]; then
    if [ -z "$(ls -A "/Library/Application Support/PaloAltoNetworks")" ]; then
        echo "Directory /Library/Application Support/PaloAltoNetworks is empty. Removing it now..."
        rmdir "/Library/Application Support/PaloAltoNetworks"
        echo "Directory /Library/Application Support/PaloAltoNetworks has been removed."
        exit 0
    else
        echo "Directory /Library/Application Support/PaloAltoNetworks is not empty. Exiting with error."
        exit 1
    fi
else
    echo "Directory /Library/Application Support/PaloAltoNetworks does not exist."
    exit 0
fi

exit 0

john_sherrod · Answer

One thing I noticed was that here:# Path to the uninstaller appUNINSTALLER_APP="/Library/Application\ Support/PaloAltoNetworks/Traps/bin"It might need it to be this instead since you’ve got the path in quotes:# Path to the uninstaller appUNINSTALLER_APP="/Library/Application Support/PaloAltoNetworks/Traps/bin"

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded