Help

Checkpoint Endpoint VPN Client config profile without Firewall

JminD
New Contributor II

Posted on ‎07-08-2021 08:12 AM

To give some context here is what I'm trying to accomplish.
I want to create a config profile to push to my mac user's for the Checkpoint Endpoint VPN client without having it install the Checkpoint firewall app.

Whatever package I download from checkpoint (the pkg, the dmg, the zipp) it seems the checkpoint firewall app is bundled into the installer. I've tried going to composer route to run the installation of the endpoint vpn client, then deleting the firewall app but it looks like starting with version 84.30 the plist, configuration files don't push out so I can't replicate that install from the created pkg from composer to other machines.

Checkpoint provides information on how to create a config file to push to users but it still bundles that firewall app in there. https://dl3.checkpoint.com/paid/68/6899355a6a3c45aee11e6fbb4633ce27/Endpoint_Security_for_Mac-MDM_Deployment_Guide.pdf?HashKey=1625763756_e9cb2b2f4a4fb4288fdd80cbce03c7b3&xtn=.pdf

Has anyone figured out a way to remove that firewall app on Big Sur?

0 Kudos
Reply
9 REPLIES 9

jkunkel
New Contributor II

Posted on ‎12-03-2021 08:51 AM

I recognize this is a query from the summer, but I'm curious if you found any success? I'm in the exact same boat, and while I included commands to remove the Endpoint application, I now have users who are being tormented by a system extension message that appears every 5 minutes. I've opened a ticket with their support team, but I often find more complete answers here.

Has anyone discovered how to install solely the Checkpoint VPN app, and/or remove the Endpoint application AND the system extension once installed?

0 Kudos
Reply

Macweazle
New Contributor III

Posted on ‎02-09-2022 01:50 AM

Thats the script I use as a postinstall:

#!/bin/sh -x
# EndPointVPNpostinstall.sh
# 
#
# Created by Macweazle on 21.01.21.
# 
EPS_GUI_LAUNCHAGENT_PLIST=/Library/LaunchAgents/com.checkpoint.eps.gui.plist
EPS_GUI_LAUNCHAGENT_SERVICE=com.checkpoint.eps.gui
EPC_SRV_LAUNCHDAEMON_PLIST=/Library/LaunchDaemons/com.checkpoint.epc.service.plist
EPC_UPGRADER_LAUNCHAGENT_PLIST=/Library/LaunchAgents/com.checkpoint.eps.upgrader.plist
EPC_SUPPORT_DIR="/Library/Application Support/Checkpoint/Endpoint Connect"
EPC_CONFIG_DIR="${EPC_SUPPORT_DIR}/.."
EPC_CPFW_KEXT="/Library/Extensions/cpfw.kext"
FW_APP_PLIST=/Library/LaunchAgents/com.checkpoint.fw.app.plist
FW_APP_SERVICE=com.checkpoint.fw.app
FW_APP_NAME="Check Point Firewall.app"
ECHO=/bin/echo
LAUNCHCTL="/bin/launchctl"
GREP="/usr/bin/grep"
SLEEP="/bin/sleep"
CHMOD=/bin/chmod
MKDIR=/bin/mkdir
SED=/usr/bin/sed
PLUTIL=/usr/bin/plutil
CP=/bin/cp
RM=/bin/rm
killall "Check Point Firewall"
/sbin/kextunload ${EPC_CPFW_KEXT}
if [ -e "/System/Library/Extensions/cpfw.kext" ] ; then
#removing kext from previous location if exists
$RM -R /System/Library/Extensions/cpfw.kext
fi

if [ -e "/Library/Extensions/cpfw.kext" ] ; then
$ECHO "removing kext from extension"
$RM -Rf /Library/Extensions/cpfw.kext
fi
$RM -Rf /Applications/Check\ Point\ Firewall.app
$RM /Library/LaunchAgents/com.checkpoint.eps.upgrader.plist
$RM -Rf /Library/Application\ Support/Checkpoint/Endpoint\ Connect/Check\ Point\ Firewall.app
$RM $FW_APP_PLIST
Reply

Uniarts_SE
New Contributor II
In response to Macweazle

Posted on ‎03-30-2022 04:44 AM

Thank you Macweazle that was just what i needed to solve this issue.

0 Kudos
Reply

StefanT
New Contributor III
In response to Macweazle

Posted on ‎03-31-2022 11:12 AM

Thank you, that works like a charm.

0 Kudos
Reply

PiyushVerma
New Contributor III
In response to Macweazle

Posted on ‎04-26-2023 11:12 PM

Hi @Macweazle ,

 

I have used this script and it worked flawlessly, great script. But somehow checkpoint agent is not taking the configurations deployed through Jamf Pro i.e., IP/Hostname it needs to connect. Any suggestion pl? 

Technical Architect
0 Kudos
Reply

Macweazle
New Contributor III
In response to PiyushVerma

Posted on ‎04-27-2023 06:32 AM

Those settings are for the much more versatile Harmony Client (and boy do you have to add config profiles for that one - I think it was 5) . The basic CheckPoint Endpoint VPN is exactly that — basic. It relies on a baby-version of a Windows registry to store its parameters. I certainly haven't found a way, sorry. 

0 Kudos
Reply

Macweazle
New Contributor III

Posted on ‎03-30-2022 09:25 AM

Another way to not install the firewall: just copying the pkg & a choices.xml to the machines in question (maybe into /tmp ) and run the installer separately with an appropriate choices.xml file:

 

#!/bin/sh

/usr/sbin/installer -applyChoiceChangesXML /tmp/Endpoint_choices.xml -pkg /tmp/Endpoint_Security_VPN.pkg -target /

 

 where Endpoint_choices.xml is

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
	<key>attributeSetting</key>
	<integer>0</integer>
	<key>choiceAttribute</key>
	<string>selected</string>
	<key>choiceIdentifier</key>
	<string>com.checkpoint.pkg.epc.fw</string>
</dict>
</array>
</plist>

 

That won't work on older version of Endpoint_VPN, though.

Reply

PiyushVerma
New Contributor III

Posted on ‎04-26-2023 11:14 PM

Hi @JminD ,

 

I wonder if you have the package and config profile created using the above link?

Technical Architect
0 Kudos
Reply

Keith_L
New Contributor III

Posted on ‎08-13-2023 08:42 PM

Hi @Macweazle 

 

How can i add a Site into a xml so that the VPN Client will populate this site as default after it is installed?

Appreciate any help or advice. Thanks much!

0 Kudos
Reply