Checkpoint Endpoint VPN Client config profile without Firewall

JminD
New Contributor II

To give some context here is what I'm trying to accomplish.
I want to create a config profile to push to my Mac users for the Checkpoint Endpoint VPN client without having it install the Checkpoint firewall app.

Whatever package I download from checkpoint (the pkg, the dmg, the zip), it seems the checkpoint firewall app is bundled into the installer. I've tried going the Composer route to run the installation of the endpoint vpn client, then deleting the firewall app, but it looks like starting with version 84.30 the plist and configuration files don't push out, so I can't replicate that install from the created pkg from Composer to other machines.

Checkpoint provides information on how to create a config file to push to users but it still bundles that firewall app in there. https://dl3.checkpoint.com/paid/68/6899355a6a3c45aee11e6fbb4633ce27/Endpoint_Security_for_Mac-MDM_Deployment_Guide.pdf?HashKey=1625763756_e9cb2b2f4a4fb4288fdd80cbce03c7b3&xtn=.pdf

Has anyone figured out a way to remove that firewall app on Big Sur?

9 REPLIES 9

jkunkel
New Contributor II

I recognize this is a query from the summer, but I'm curious if you found any success? I'm in the exact same boat, and while I included commands to remove the Endpoint application, I now have users who are being tormented by a system extension message that appears every 5 minutes. I've opened a ticket with their support team, but I often find more complete answers here.

Has anyone discovered how to install solely the Checkpoint VPN app, and/or remove the Endpoint application AND the system extension once installed?

Macweazle
New Contributor III

That's the script I use as a postinstall:

#!/bin/sh -x
# EndPointVPNpostinstall.sh
# 
#
# Created by Macweazle on 21.01.21.
# 
EPS_GUI_LAUNCHAGENT_PLIST=/Library/LaunchAgents/com.checkpoint.eps.gui.plist
EPS_GUI_LAUNCHAGENT_SERVICE=com.checkpoint.eps.gui
EPC_SRV_LAUNCHDAEMON_PLIST=/Library/LaunchDaemons/com.checkpoint.epc.service.plist
EPC_UPGRADER_LAUNCHAGENT_PLIST=/Library/LaunchAgents/com.checkpoint.eps.upgrader.plist
EPC_SUPPORT_DIR="/Library/Application Support/Checkpoint/Endpoint Connect"
EPC_CONFIG_DIR="${EPC_SUPPORT_DIR}/.."
EPC_CPFW_KEXT="/Library/Extensions/cpfw.kext"
FW_APP_PLIST=/Library/LaunchAgents/com.checkpoint.fw.app.plist
FW_APP_SERVICE=com.checkpoint.fw.app
FW_APP_NAME="Check Point Firewall.app"
ECHO=/bin/echo
LAUNCHCTL="/bin/launchctl"
GREP="/usr/bin/grep"
SLEEP="/bin/sleep"
CHMOD=/bin/chmod
MKDIR=/bin/mkdir
SED=/usr/bin/sed
PLUTIL=/usr/bin/plutil
CP=/bin/cp
RM=/bin/rm
# Stop the firewall UI and unload its kernel extension
killall "Check Point Firewall"
/sbin/kextunload "${EPC_CPFW_KEXT}"
if [ -e "/System/Library/Extensions/cpfw.kext" ] ; then
# removing kext from previous location if exists
$RM -R /System/Library/Extensions/cpfw.kext
fi

if [ -e "/Library/Extensions/cpfw.kext" ] ; then
$ECHO "removing kext from extension"
$RM -Rf /Library/Extensions/cpfw.kext
fi
# Remove the firewall app, the upgrader agent and the firewall launch agent
$RM -Rf /Applications/Check\ Point\ Firewall.app
$RM -f /Library/LaunchAgents/com.checkpoint.eps.upgrader.plist
$RM -Rf /Library/Application\ Support/Checkpoint/Endpoint\ Connect/Check\ Point\ Firewall.app
$RM -f "$FW_APP_PLIST"
# A file that is already absent must not make the postinstall report failure
exit 0

Thank you Macweazle, that was just what I needed to solve this issue.

StefanT
New Contributor III

Thank you, that works like a charm.

Hi @Macweazle,

I have used this script and it worked flawlessly, great script. But somehow the checkpoint agent is not taking the configurations deployed through Jamf Pro, i.e., the IP/hostname it needs to connect. Any suggestions, please?

Technical Architect

Those settings are for the much more versatile Harmony Client (and boy do you have to add config profiles for that one - I think it was 5). The basic CheckPoint Endpoint VPN is exactly that — basic. It relies on a baby-version of a Windows registry to store its parameters. I certainly haven't found a way, sorry.

Macweazle
New Contributor III

Another way to not install the firewall: just copy the pkg & a choices.xml to the machines in question (maybe into /tmp) and run the installer separately with an appropriate choices.xml file:

 

#!/bin/sh

/usr/sbin/installer -applyChoiceChangesXML /tmp/Endpoint_choices.xml -pkg /tmp/Endpoint_Security_VPN.pkg -target /

 

 where Endpoint_choices.xml is

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
	<key>attributeSetting</key>
	<integer>0</integer>
	<key>choiceAttribute</key>
	<string>selected</string>
	<key>choiceIdentifier</key>
	<string>com.checkpoint.pkg.epc.fw</string>
</dict>
</array>
</plist>

 

That won't work on older versions of Endpoint_VPN, though.
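
An added example, not part of the original posts or Check Point's tooling: the choices.xml approach above with the package and choices file staged in a root-only mktemp directory rather than a shared /tmp path, a signature check before the root install, and a check that the package actually offers the firewall choice. The function names and staging layout are assumptions; the choice identifier and installer flags come from the post.

```shell
#!/bin/sh
# Added example: stage the pkg and choices file in a root-only directory
# instead of /tmp, then install with the firewall choice deselected.
# Usage (as root): vpn_only_install.sh /path/to/Endpoint_Security_VPN.pkg
FW_CHOICE="com.checkpoint.pkg.epc.fw"   # choice identifier from the post above

# Create a private staging directory; mktemp -d makes it mode 0700.
make_staging() {
    mktemp -d "${TMPDIR:-/tmp}/cpvpn.XXXXXX"
}

# Write a choices plist that deselects every choice identifier given.
write_choices() {
    out=$1; shift
    {
        printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
        printf '%s\n' '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
        printf '%s\n' '<plist version="1.0">' '<array>'
        for id in "$@"; do
            printf '<dict>\n\t<key>attributeSetting</key>\n\t<integer>0</integer>\n'
            printf '\t<key>choiceAttribute</key>\n\t<string>selected</string>\n'
            printf '\t<key>choiceIdentifier</key>\n\t<string>%s</string>\n</dict>\n' "$id"
        done
        printf '%s\n' '</array>' '</plist>'
    } > "$out"
}

# True if file $1 (installer -showChoicesXML output) names choice $2.
has_choice() {
    grep -qF "<string>$2</string>" "$1"
}

install_vpn_only() {
    pkg=$1
    stage=$(make_staging) || return 1
    trap 'rm -rf "$stage"' EXIT
    cp "$pkg" "$stage/vpn.pkg" || return 1
    # Refuse an unsigned or tampered package before running it as root.
    /usr/sbin/pkgutil --check-signature "$stage/vpn.pkg" >/dev/null || return 1
    # If this package does not offer the firewall choice, stop rather than install everything.
    /usr/sbin/installer -showChoicesXML -pkg "$stage/vpn.pkg" -target / > "$stage/avail.xml" || return 1
    has_choice "$stage/avail.xml" "$FW_CHOICE" || { echo "no $FW_CHOICE choice" >&2; return 1; }
    write_choices "$stage/choices.xml" "$FW_CHOICE"
    /usr/sbin/installer -applyChoiceChangesXML "$stage/choices.xml" -pkg "$stage/vpn.pkg" -target /
}

if [ "$#" -gt 0 ]; then install_vpn_only "$1"; fi
```
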

PiyushVerma
New Contributor III

Hi @JminD ,

 

I wonder if you have the package and config profile created using the above link?

Technical Architect

Keith_L
New Contributor III

Hi @Macweazle 

 

How can I add a Site into an XML so that the VPN Client will populate this site as default after it is installed?

Appreciate any help or advice. Thanks much!