I recognize this is a query from the summer, but I'm curious if you found any success? I'm in the exact same boat, and while I included commands to remove the Endpoint application, I now have users who are being tormented by a system extension message that appears every 5 minutes. I've opened a ticket with their support team, but I often find more complete answers here.
Has anyone discovered how to install solely the Checkpoint VPN app, and/or remove the Endpoint application AND the system extension once installed?
That's the script I use as a postinstall:
#!/bin/sh -x
# EndPointVPNpostinstall.sh
#
#
# Created by Macweazle on 21.01.21.
#
EPS_GUI_LAUNCHAGENT_PLIST=/Library/LaunchAgents/com.checkpoint.eps.gui.plist
EPS_GUI_LAUNCHAGENT_SERVICE=com.checkpoint.eps.gui
EPC_SRV_LAUNCHDAEMON_PLIST=/Library/LaunchDaemons/com.checkpoint.epc.service.plist
EPC_UPGRADER_LAUNCHAGENT_PLIST=/Library/LaunchAgents/com.checkpoint.eps.upgrader.plist
EPC_SUPPORT_DIR="/Library/Application Support/Checkpoint/Endpoint Connect"
EPC_CONFIG_DIR="${EPC_SUPPORT_DIR}/.."
EPC_CPFW_KEXT="/Library/Extensions/cpfw.kext"
FW_APP_PLIST=/Library/LaunchAgents/com.checkpoint.fw.app.plist
FW_APP_SERVICE=com.checkpoint.fw.app
FW_APP_NAME="Check Point Firewall.app"
ECHO=/bin/echo
LAUNCHCTL="/bin/launchctl"
GREP="/usr/bin/grep"
SLEEP="/bin/sleep"
CHMOD=/bin/chmod
MKDIR=/bin/mkdir
SED=/usr/bin/sed
PLUTIL=/usr/bin/plutil
CP=/bin/cp
RM=/bin/rm
killall "Check Point Firewall"
/sbin/kextunload ${EPC_CPFW_KEXT}
if [ -e "/System/Library/Extensions/cpfw.kext" ] ; then
#removing kext from previous location if exists
$RM -R /System/Library/Extensions/cpfw.kext
fi
if [ -e "/Library/Extensions/cpfw.kext" ] ; then
$ECHO "removing kext from extension"
$RM -Rf /Library/Extensions/cpfw.kext
fi
$RM -Rf /Applications/Check\ Point\ Firewall.app
$RM /Library/LaunchAgents/com.checkpoint.eps.upgrader.plist
$RM -Rf /Library/Application\ Support/Checkpoint/Endpoint\ Connect/Check\ Point\ Firewall.app
$RM $FW_APP_PLIST
Thank you, Macweazle, that was just what I needed to solve this issue.
Another way to not install the firewall: just copy the pkg and a choices.xml to the machines in question (maybe into /tmp) and run the installer separately with an appropriate choices.xml file:
#!/bin/sh
/usr/sbin/installer -applyChoiceChangesXML /tmp/Endpoint_choices.xml -pkg /tmp/Endpoint_Security_VPN.pkg -target /
where Endpoint_choices.xml is
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>com.checkpoint.pkg.epc.fw</string>
</dict>
</array>
</plist>
That won't work on older versions of Endpoint_VPN, though.
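A hardened take on the choices.xml install described above, as an added example that is not part of the original post: it stages both files in a private directory instead of using them straight from /tmp, checks the package signature, and confirms the package actually offers the firewall choice before applying the choices file. The function names and the staging path are made up for this example; the choice identifier and the installer invocation are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are made up here; the
# choice identifier is the one given in the post above.

FW_CHOICE="com.checkpoint.pkg.epc.fw"

# True if the plist in file $1 (the output of `installer -showChoiceChangesXML`)
# contains choice identifier $2. Whitespace is stripped so the key and its
# value match whether or not they sit on the same line.
pkg_has_choice() {
    tr -d ' \t\r\n' < "$1" |
        grep -Fq "<key>choiceIdentifier</key><string>$2</string>"
}

# install_vpn_only PKG CHOICES_XML   (run as root)
install_vpn_only() {
    # Private 0700 directory: other local users cannot swap the files
    # between the checks and the install, as they could in plain /tmp.
    stage=$(mktemp -d /tmp/epvpn.XXXXXX) || return 1
    cp "$1" "$stage/vpn.pkg" && cp "$2" "$stage/choices.xml" || return 1

    # Refuse a package that is unsigned or whose signature does not verify.
    /usr/sbin/pkgutil --check-signature "$stage/vpn.pkg" >/dev/null || {
        echo "signature check failed" >&2; rm -rf "$stage"; return 2; }

    # If the package does not offer this choice (assumed here to be one reason
    # the approach fails on older versions), stop rather than install the
    # firewall along with the VPN.
    /usr/sbin/installer -showChoiceChangesXML -pkg "$stage/vpn.pkg" \
        -target / > "$stage/available.xml"
    if ! pkg_has_choice "$stage/available.xml" "$FW_CHOICE"; then
        echo "package has no $FW_CHOICE choice" >&2; rm -rf "$stage"; return 3
    fi

    /usr/sbin/installer -applyChoiceChangesXML "$stage/choices.xml" \
        -pkg "$stage/vpn.pkg" -target /
    rc=$?
    rm -rf "$stage"
    return $rc
}
```

Call it as `install_vpn_only /tmp/Endpoint_Security_VPN.pkg /tmp/Endpoint_choices.xml`; a return code of 3 means the package should be handled with the postinstall cleanup script instead.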
Thank you, that works like a charm.
Hi @Macweazle,
I have used this script and it worked flawlessly, great script. But somehow the checkpoint agent is not taking the configurations deployed through Jamf Pro, i.e., the IP/Hostname it needs to connect. Any suggestions, please?
Hi @JminD,
I wonder if you have the package and config profile created using the above link?
Hi @Macweazle,
I have used this script and it worked flawlessly, great script. But somehow the checkpoint agent is not taking the configurations deployed through Jamf Pro, i.e., the IP/Hostname it needs to connect. Any suggestions, please?
Those settings are for the much more versatile Harmony Client (and boy do you have to add config profiles for that one - I think it was 5). The basic CheckPoint Endpoint VPN is exactly that — basic. It relies on a baby-version of a Windows registry to store its parameters. I certainly haven't found a way, sorry.
Hi @Macweazle,
How can I add a Site into an XML so that the VPN Client will populate this site as default after it is installed?
Appreciate any help or advice. Thanks much!