Cisco Umbrella uninstaller

rhooper
Contributor III

Hey guys,
Something is really messed up for us with our Cisco instance.
I have attempted to find anything and everything I can on this in JAMF Nation, but no luck so far.
I pushed a Cisco Umbrella / Open DNS to all our MacBook Airs with 10.15.7, then created a "restricted software" policy to block the uninstaller. The SCG was added to exclude certain vintage devices. Well, it did not exclude those devices. The SCG does have all of them listed, so we are really stumped by this one.
I did go in and disable the blocking policy, but it still does not allow the uninstaller app to run even after sitting all day. I have run policy and also recon, but that did not seem to help either.
If I run the uninstaller as root does it bypass the restricted software policy?
A policy was created that installs the app, but it is still blocked and it does not run the app, just installs the app.
Is there a method to run the un-installer in a script?

Still this leaves me wondering why I cannot disable the uninstaller app block and allow it to run. Are blocks persistent?

As always any help is appreciated.

11 REPLIES 11

walt
Contributor III

Do you have the Umbrella module on your Mac?

If so, open /opt/cisco/anyconnect/bin/ and locate the umbrella_uninstall.sh file. Open it in something like BBEdit, create a new script in Jamf and copy/paste the contents of umbrella_uninstall.sh into the Jamf script. Assign it to the devices you want and that should uninstall Umbrella.

I suggested this method as trying to call out the local uninstall script may prompt for user permissions and you can see a bit more data through the policy.

dmote
New Contributor II

Hi Walt,

I tried your method. Created a new script from copy/paste of the umbrella_uninstall.sh file, created new policy with it and scoped it to my one test mac. Ran the policy. Details shows it ran, has "exit code 0", but says "Script result: Uninstalling Cisco AnyConnect Umbrella Roaming Security Module...
Successfully removed Cisco AnyConnect Umbrella Roaming Security Module from the system."

The mac still has the OpenDNS Roaming Client folder, the menu bar icon, and is still blocking sites in a browser.

Thoughts?

Maybe I did something wrong?

rhooper
Contributor III

Thanks @walt , I found that by running

!/bin/bash - (the lb sign not showing up in this)

/Applications/OpenDNS Roaming Client/rcuninstall

We are able to run the script as root and it does in fact remove the applications for Cisco Umbrella Roaming Client.
Now to figure out why the applications went to the devices on the exclusions list and figure out why. And when a restricted software title is lifted, does it not allow it to run?

Any help in figuring this out would be awesome.

dmote
New Contributor II

Hi rhooper,

I'm pretty new to all this so not sure how to understand what your script is intended to be. Any way you can re-enter it? Or is the site messing up the formatting?

Thanks!

rhooper
Contributor III

Sorry @dmote,
I thought the script was there.
The uninstaller is based on the premise that the rcuninstaller (Umbrella Uninstaller) is on the system. If it is, running this in a script works great:

/Applications/OpenDNS\ Roaming\ Client/rcuninstall

After that script has been run a Reset DNS script is run.

#!/bin/bash
# Clear manually set DNS servers on the Wi-Fi, Ethernet and LAN services.

# Names of all network services known to this Mac
NetworkServices=$(networksetup -listallnetworkservices)

if [[ $NetworkServices =~ "Wi-Fi" ]]; then
    networksetup -setdnsservers Wi-Fi empty
    echo "Reset DNS Servers for Wi-Fi"
fi

# First service whose name contains "Ethernet"
if [[ $NetworkServices =~ "Ethernet" ]]; then
    serviceName=$(networksetup -listallnetworkservices | grep -m 1 "Ethernet")
    networksetup -setdnsservers "$serviceName" empty
    echo "Reset DNS Servers for $serviceName"
fi

# First service whose name contains "LAN"
if [[ $NetworkServices =~ "LAN" ]]; then
    serviceName=$(networksetup -listallnetworkservices | grep -m 1 "LAN")
    networksetup -setdnsservers "$serviceName" empty
    echo "Reset DNS Servers for $serviceName"
fi

 

If the uninstaller is not there, then a script to reinstall the entire OpenDNS package needs to be run again. Which is as simple as creating a smart group that parses Applications for the Roaming Client uninstalled.app (name may vary), then having the package reinstall on the devices it is not present on.

 

I hope this helps.

dmote
New Contributor II

Thanks!

So do I add the /Applications/OpenDNS\ Roaming\ Client/rcuninstall part to a Files & Processes Payload?

The Reset DNS script part, would I create that as a new script, add it as a Script Payload, and make sure it's set to "After"?

dmote
New Contributor II

So I made the policy, put the /Applications/OpenDNS\ Roaming\ Client/rcuninstall part to a Files & Processes Payload, created a script for the Reset DNS and added it from the Scripts Payload and set it to After.

Not sure it is 100% correct but it worked!

Thanks!

rhooper
Contributor III

The script works well BUT there needs to be some sort of parser to see if the app is actually installed or not. If not then the script should end without throwing an error.
How can this be done? Can it be done?

mojo21221
Contributor II

We use Umbrella and have had a pretty good experience with it. Side note: are you domain joined using mobile accounts? Or Enterprise Connect? Anyway... We use an Extension Attribute to determine if the app is installed.

#!/bin/bash
umb="/Applications/OpenDNS Roaming Client/UmbrellaMenu.app"
if [ -d "$umb" ]; then
    echo "<result>Yes</result>"
else
    echo "<result>No</result>"
fi

That said, you can scope around that. If you are concerned about your users running the uninstaller, one thing you can do is move it to a hidden protected folder after the app is installed. Then call the uninstaller as a one-liner from a Jamf policy. Also, we prefer to utilize Self Service for the uninstall and re-install. Make sure you run a recon, and it wouldn't hurt to have the machine restart at completion of the uninstall.

As for the restricted software feature of Jamf, it has always been buggy. Perhaps look into something like https://github.com/erikberglund/AppBlocker
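
A guarded removal script of the kind asked about above, as an added example that is not part of the original thread or anyone's production script: it exits cleanly when the Roaming Client is not installed, runs rcuninstall when it is, confirms the uninstaller is actually gone rather than trusting exit code 0, and then resets DNS. The UNINSTALLER and NETWORKSETUP override variables are hypothetical, and the check assumes a successful rcuninstall removes itself along with the client.

```shell
#!/bin/bash
# Added example (not from the thread): guarded Roaming Client removal for a Jamf policy.
# Default path is the one quoted in the thread; both variables are hypothetical
# overrides so the logic can be exercised off a managed Mac.
UNINSTALLER="${UNINSTALLER:-/Applications/OpenDNS Roaming Client/rcuninstall}"
NETWORKSETUP="${NETWORKSETUP:-/usr/sbin/networksetup}"

# Clear manually set DNS servers on every enabled Wi-Fi, Ethernet and LAN service.
reset_dns() {
    "$NETWORKSETUP" -listallnetworkservices | while IFS= read -r svc; do
        case "$svc" in
            "An asterisk"*|"*"*|"") ;;   # header line, disabled service, blank line
            *Wi-Fi*|*Ethernet*|*LAN*)
                "$NETWORKSETUP" -setdnsservers "$svc" empty &&
                    echo "Reset DNS Servers for $svc" ;;
        esac
    done
}

# Returns 0 when nothing is installed or removal succeeded,
# 1 when the uninstaller failed or left the client behind.
remove_umbrella() {
    if [ ! -x "$UNINSTALLER" ]; then
        echo "Roaming Client uninstaller not found; nothing to do"
        return 0
    fi
    if ! "$UNINSTALLER"; then
        echo "rcuninstall exited with an error" >&2
        return 1
    fi
    # Assumption: a successful uninstall deletes rcuninstall itself, so its
    # continued presence means the client is still on the machine.
    if [ -e "$UNINSTALLER" ]; then
        echo "rcuninstall ran but the client is still present" >&2
        return 1
    fi
    reset_dns
    echo "Roaming Client removed"
}

remove_umbrella
```

A non-zero return here surfaces in the Jamf policy log as a failed script, which catches the "exit code 0 but still installed" situation reported earlier in the thread.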

sdagley
Honored Contributor III

@mojo21221 The biggest issue I've seen with Jamf Pro's Restricted Software configurations is the chance of their being applied seems to depend on if there are African or European swallows migrating in your vicinity. Having a Launch Daemon that does a periodic jamf manage helps ensure that the latest restrictions are applied.

mojo21221
Contributor II

@sdagley Ahhh... It would grip it by the husk...