Skip to main content

Hey Jamf Nation,

I'm currently trying to uninstall Cortex XDR from company devices, but I'm encountering an error that says "Uninstaller not found." The uninstaller is located in the folder '/Library/Application Support/PaloAltoNetworks/Traps/bin/'.

Do you have any recommendations or suggestions? Here is my script for the uninstallation:

#!/bin/bash

# Set your master key here

MASTER_KEY="master-key-here"

 

# Path to the uninstaller app

UNINSTALLER_APP="/Library/Application\\ Support/PaloAltoNetworks/Traps/bin"

 

# Check if the uninstaller exists

if [ ! -d "$UNINSTALLER_APP" ]; then

  echo "Uninstaller not found at $UNINSTALLER_APP"

  exit 1

fi

 

# Launch the uninstaller and enter the tamper protection key

osascript <<EOF

tell application "$UNINSTALLER_APP"

activate

end tell

 

delay 2

 

tell application "System Events"

tell process "Cortex XDR Uninstaller"

repeat until exists window 1

delay 1

end repeat

 

set frontmost to true

 

# Enter the tamper protection key

set value of text field 1 of window 1 to "$MASTER_KEY"

click button "Uninstall" of window 1

end tell

end tell

EOF

One thing I noticed was that here:

# Path to the uninstaller app UNINSTALLER_APP="/Library/Application\\ Support/PaloAltoNetworks/Traps/bin"

It might need it to be this instead since you’ve got the path in quotes:

# Path to the uninstaller app UNINSTALLER_APP="/Library/Application Support/PaloAltoNetworks/Traps/bin"

You could just composer your own uninstaller by packaging the binary to put it where it is supposed to be or some type of landing zone like /tmp. Then use your post install script to call the binary from the landing zone location. Make a check-in policy in Jamf and deploy.


Cortex has a K-Base article on their uninstaller workflow - https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/8.6/Cortex-XDR-Agent-Administrator-Guide/Uninstall-the-Cortex-XDR-Agent-for-Mac

I took that info and wrote a script based on the steps.

#!/bin/sh # Cortex XDR Uninstaller with variable password.sh # # Created by Ed C. on 1/24/25. # ##################### # Pulling from the KBase here # https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/8.6/Cortex-XDR-Agent-Administrator-Guide/Uninstall-the-Cortex-XDR-Agent-for-Mac ##################### # Using the command here # /Library/Application\\ Support/PaloAltoNetworks/Traps/bin/cortex_xdr_uninstaller_tool --help # Usage: # Get password from stdin: cortex_xdr_uninstaller_tool # Get password from command line: cortex_xdr_uninstaller_tool <password> # Will pass the password as a Jamf parameter for $4 ##################### ##################### # Begin work ##################### XDR_Token=$4 /Library/Application\\ Support/PaloAltoNetworks/Traps/bin/cortex_xdr_uninstaller_tool $XDR_Token # Check if the directory is empty and remove it if it is if [ -d "/Library/Application Support/PaloAltoNetworks" ]; then if [ -z "$(ls -A "/Library/Application Support/PaloAltoNetworks")" ]; then echo "Directory /Library/Application Support/PaloAltoNetworks is empty. Removing it now..." rmdir "/Library/Application Support/PaloAltoNetworks" echo "Directory /Library/Application Support/PaloAltoNetworks has been removed." exit 0 else echo "Directory /Library/Application Support/PaloAltoNetworks is not empty. Exiting with error." exit 1 fi else echo "Directory /Library/Application Support/PaloAltoNetworks does not exist." exit 0 fi exit 0