Solved

Uninstalling VMware Carbon Black EDR Without User Prompts

  • July 11, 2023
  • 4 replies
  • 101 views

JDaher

Hello friends,

I need to uninstall Carbon Black on all company devices. The app bundle includes a shell script to uninstall it, so I thought I could run a command with the Files & Processes payload of a policy. It looks like this:

sh /Applications/VMware\ Carbon\ Black\ EDR.app/Contents/Resources/sensoruninst.sh
It works, but the user gets prompted to approve deleting the system extensions. 
 
I tried copying the sensoruninst.sh and pasting it into a script in Jamf, then adding the script to a policy. That does not work, returning this message:
VMware Carbon Black EDR Uninstaller Copyright 2016-2021 VMware, Inc. All rights reserved Uninstalls the VMware Carbon Black EDR sensor. Must be run as root. Options: -d [ d ] Keep local sensor data.
 
Maybe what I want to do is not possible but I thought I'd check here. Do any of you know if it's possible to uninstall this thing without user intervention? Any insight and suggestions are welcome. 
 
Thank you 
 
 

4 replies

sdagley
  • Jamf Heroes
  • Answer
  • July 11, 2023

@JDaher You could remove the Configuration Profile that allows the Carbon Black System Extension to run, which should then allow the uninstall script to run. I don't know what that would do to a running instance of Carbon Black though, so it may be better to re-deploy the Configuration Profile with the extension set to be removable.

Another option would be to use the technique documented in https://derflounder.wordpress.com/2021/10/26/silently-uninstalling-system-extensions-on-macos-monterey-and-earlier/ 


JDaher
  • Author
  • Contributor
  • July 11, 2023


Thank you @sdagley. It looks like removing the configuration profile before uninstalling gets rid of the prompt. However, after it uninstalls and I run systemextensionsctl list, the Carbon Black extension is still listed, although it says it's uninstalling. Don't know if it will eventually disappear from the list, or if it even matters:

com.carbonblack.es-loader.es-extension (7.2.1.16597/7.2.1.16597) es-extension [uninstalling]


sdagley
  • Jamf Heroes
  • July 12, 2023


@JDaher Rebooting should allow the extension to be fully removed


JDaher
  • Author
  • Contributor
  • July 14, 2023


@sdagley It doesn't get removed, even after a few reboots it stays listed as uninstalling. But your other suggestion worked very well: to re-deploy the Configuration Profile with the extension set to be removable. No prompts for the user and the extension does uninstall after a reboot. Thank you so much, I really appreciate the assist.
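
A post-uninstall check for the lingering "[uninstalling]" entry discussed in this thread, as an added example that is not part of the original posts or of Carbon Black's or Jamf's own tooling. It classifies the extension's state from `systemextensionsctl list` output; the function names, the `TEAMID0000` placeholder and the "[activated enabled]" sample line are constructed for illustration, and the bundle ID is the one quoted above.

```bash
#!/bin/bash
# Added example (not from the thread): report what state a system extension
# is in after the uninstall policy runs, by parsing `systemextensionsctl list`.

EXT_ID="com.carbonblack.es-loader.es-extension"  # bundle ID quoted in the thread

# Reads `systemextensionsctl list` output on stdin and prints one of:
#   absent | pending-removal | active | unknown:<state>
sysext_state() {
    local id="$1" line state
    # -F matches the ID literally; the trailing space stops prefix matches
    # against longer bundle IDs.
    line=$(grep -F -- "$id " | tail -n 1)
    if [ -z "$line" ]; then
        echo "absent"
        return 0
    fi
    # The state is the last [bracketed] field on the line.
    state=$(printf '%s\n' "$line" | sed -n 's/.*\[\([^]]*\)\][[:space:]]*$/\1/p')
    case "$state" in
        *uninstall*) echo "pending-removal" ;;  # e.g. "[uninstalling]" as in the thread
        *activated*) echo "active" ;;
        *)           echo "unknown:$state" ;;
    esac
}

# Constructed sample: the line posted in the thread.
sample_uninstalling() {
    cat <<'EOF'
com.carbonblack.es-loader.es-extension (7.2.1.16597/7.2.1.16597) es-extension [uninstalling]
EOF
}

# Constructed sample: same extension before removal; TEAMID0000 is a placeholder.
sample_active() {
    printf '*\t*\tTEAMID0000\t%s (7.2.1.16597/7.2.1.16597)\tes-extension\t[activated enabled]\n' "$EXT_ID"
}

# On a Mac, report the live state so the policy log records it.
if command -v systemextensionsctl >/dev/null 2>&1; then
    echo "Carbon Black sysext: $(systemextensionsctl list 2>/dev/null | sysext_state "$EXT_ID")"
fi
```

Run as a follow-up policy script after the reboot, a result other than `absent` flags machines where the extension entry is still present.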