Checkpoint Endpoint VPN Client config profile without Firewall

JminD
New Contributor II

To give some context here is what I'm trying to accomplish.
I want to create a config profile to push to my Mac users for the Checkpoint Endpoint VPN client without having it install the Checkpoint firewall app.

Whatever package I download from Checkpoint (the pkg, the dmg, the zip), it seems the Checkpoint firewall app is bundled into the installer. I've tried going the Composer route to run the installation of the Endpoint VPN client and then deleting the firewall app, but it looks like starting with version 84.30 the plist and configuration files don't push out, so I can't replicate that install from the pkg created in Composer on other machines.

Checkpoint provides information on how to create a config file to push to users but it still bundles that firewall app in there. https://dl3.checkpoint.com/paid/68/6899355a6a3c45aee11e6fbb4633ce27/Endpoint_Security_for_Mac-MDM_Deployment_Guide.pdf?HashKey=1625763756_e9cb2b2f4a4fb4288fdd80cbce03c7b3&xtn=.pdf

Has anyone figured out a way to remove that firewall app on Big Sur?

5 REPLIES

jkunkel
New Contributor II

I recognize this is a query from the summer, but I'm curious if you found any success? I'm in the exact same boat, and while I included commands to remove the Endpoint application, I now have users who are being tormented by a system extension message that appears every 5 minutes. I've opened a ticket with their support team, but I often find more complete answers here.

Has anyone discovered how to install solely the Checkpoint VPN app, and/or remove the Endpoint application AND the system extension once installed?

Macweazle
New Contributor III

That's the script I use as a postinstall:

#!/bin/sh -x
# EndPointVPNpostinstall.sh
# 
#
# Created by Macweazle on 21.01.21.
# 
EPS_GUI_LAUNCHAGENT_PLIST=/Library/LaunchAgents/com.checkpoint.eps.gui.plist
EPS_GUI_LAUNCHAGENT_SERVICE=com.checkpoint.eps.gui
EPC_SRV_LAUNCHDAEMON_PLIST=/Library/LaunchDaemons/com.checkpoint.epc.service.plist
EPC_UPGRADER_LAUNCHAGENT_PLIST=/Library/LaunchAgents/com.checkpoint.eps.upgrader.plist
EPC_SUPPORT_DIR="/Library/Application Support/Checkpoint/Endpoint Connect"
EPC_CONFIG_DIR="${EPC_SUPPORT_DIR}/.."
EPC_CPFW_KEXT="/Library/Extensions/cpfw.kext"
FW_APP_PLIST=/Library/LaunchAgents/com.checkpoint.fw.app.plist
FW_APP_SERVICE=com.checkpoint.fw.app
FW_APP_NAME="Check Point Firewall.app"
ECHO=/bin/echo
LAUNCHCTL="/bin/launchctl"
GREP="/usr/bin/grep"
SLEEP="/bin/sleep"
CHMOD=/bin/chmod
MKDIR=/bin/mkdir
SED=/usr/bin/sed
PLUTIL=/usr/bin/plutil
CP=/bin/cp
RM=/bin/rm
# Stop the firewall app and unload its kernel extension; either may already be absent.
killall "Check Point Firewall"
/sbin/kextunload "${EPC_CPFW_KEXT}"
if [ -e "/System/Library/Extensions/cpfw.kext" ] ; then
    # removing kext from previous location if exists
    $RM -Rf /System/Library/Extensions/cpfw.kext
fi

if [ -e "/Library/Extensions/cpfw.kext" ] ; then
    $ECHO "removing kext from extension"
    $RM -Rf /Library/Extensions/cpfw.kext
fi
# Remove the firewall app, its copy in the support directory, and the related LaunchAgents.
# -f keeps an already-missing file from making the postinstall exit non-zero.
$RM -Rf /Applications/Check\ Point\ Firewall.app
$RM -f /Library/LaunchAgents/com.checkpoint.eps.upgrader.plist
$RM -Rf /Library/Application\ Support/Checkpoint/Endpoint\ Connect/Check\ Point\ Firewall.app
$RM -f "$FW_APP_PLIST"

Thank you, Macweazle, that was just what I needed to solve this issue.

StefanT
New Contributor II

Thank you, that works like a charm.

Macweazle
New Contributor III

Another way to not install the firewall: just copy the pkg and a choices.xml to the machines in question (maybe into /tmp) and run the installer separately with an appropriate choices.xml file:

 

#!/bin/sh

/usr/sbin/installer -applyChoiceChangesXML /tmp/Endpoint_choices.xml -pkg /tmp/Endpoint_Security_VPN.pkg -target /

 

where Endpoint_choices.xml is

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
	<key>attributeSetting</key>
	<integer>0</integer>
	<key>choiceAttribute</key>
	<string>selected</string>
	<key>choiceIdentifier</key>
	<string>com.checkpoint.pkg.epc.fw</string>
</dict>
</array>
</plist>

 

That won't work on older versions of Endpoint_VPN, though.
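
A wrapper around the choices.xml approach from the last reply, as an added example that is not part of the thread or Check Point's own tooling: it stages the pkg in a root-only directory instead of a fixed /tmp path, checks the signature, confirms the package actually offers the firewall choice (older versions may not), and only then installs. The function names, the staging path and the `EXPECTED_TEAM_ID` placeholder are assumptions; the choice identifier and app path come from the posts above.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root on macOS: script.sh --install /path/to.pkg
FW_CHOICE="com.checkpoint.pkg.epc.fw"     # choice identifier quoted in the thread
EXPECTED_TEAM_ID="REPLACE_WITH_TEAM_ID"   # placeholder: the thread gives no Team ID

# Print a choices file that deselects the installer choice named in $1.
write_choices_xml() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
	<key>attributeSetting</key>
	<integer>0</integer>
	<key>choiceAttribute</key>
	<string>selected</string>
	<key>choiceIdentifier</key>
	<string>$1</string>
</dict>
</array>
</plist>
EOF
}

# True if the choices listing read from stdin contains exactly the identifier $1.
has_choice() {
    grep -Fq "<string>$1</string>"
}

install_vpn_only() {
    src_pkg=$1
    stage=$(mktemp -d /var/tmp/epvpn.XXXXXX) || return 1   # mode 0700, unpredictable name
    cp "$src_pkg" "$stage/vpn.pkg" || return 1             # verify and install the same copy
    sig=$(/usr/sbin/pkgutil --check-signature "$stage/vpn.pkg") || { echo "pkg signature invalid" >&2; return 1; }
    printf '%s\n' "$sig" | grep -Fq "($EXPECTED_TEAM_ID)" || { echo "unexpected signer" >&2; return 1; }
    /usr/sbin/installer -showChoiceChangesXML -pkg "$stage/vpn.pkg" -target / | has_choice "$FW_CHOICE" \
        || { echo "pkg offers no $FW_CHOICE choice; not installing" >&2; return 1; }
    write_choices_xml "$FW_CHOICE" > "$stage/choices.xml"
    /usr/sbin/installer -applyChoiceChangesXML "$stage/choices.xml" -pkg "$stage/vpn.pkg" -target / || return 1
    rm -rf "$stage"
    [ ! -e "/Applications/Check Point Firewall.app" ]      # non-zero if the firewall app landed anyway
}

if [ "${1:-}" = "--install" ]; then install_vpn_only "$2"; fi
```

A non-zero exit tells the MDM that the package was not trusted, did not offer the firewall choice, or installed the firewall app despite the choices file.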