Posted on 12-21-2020 02:28 PM
Hey guys,
Something is really messed up for us with our Cisco instance.
I have attempted to find anything and everything I can on this in JAMF Nation, but no luck so far.
I pushed a Cisco Umbrella / Open DNS to all our MacBook Airs with 10.15.7, then created a "restricted software" policy to block the uninstaller; the SCG was added to exclude certain vintage devices. Well, it did not exclude those devices. The SCG does have all of them listed so we are really stumped by this one.
I did go in and disabled the blocking policy, but it still does not allow the uninstaller app to run even after sitting all day. I have run policy and also recon, but that did not seem to help either.
If I run the uninstaller as root does it bypass the restricted software policy?
A policy was created that installs the app, but it is still blocked and it does not run the app, just installs the app.
Is there a method to run the un-installer in a script?
Still this leaves me wondering why I cannot disable the uninstaller app block and allow it to run. Are blocks persistent?
As always any help is appreciated.
Posted on 12-21-2020 08:21 PM
Do you have the Umbrella module on your Mac?
If so, open /opt/cisco/anyconnect/bin/ and locate the umbrella_uninstall.sh file, open it in something like BBEdit, create a new script in Jamf and copy/paste the contents of the umbrella_uninstall.sh script into the Jamf script. Assign it to the devices you want and that should uninstall Umbrella.
I suggested this method as trying to call out the local uninstall script may prompt for user permissions and you can see a bit more data through the policy.
Posted on 06-09-2022 10:59 AM
Hi Walt,
I tried your method. Created a new script from copy/paste of the umbrella_uninstall.sh file, created new policy with it and scoped it to my one test mac. Ran the policy. Details shows it ran, has "exit code 0", but says "Script result: Uninstalling Cisco AnyConnect Umbrella Roaming Security Module...
Successfully removed Cisco AnyConnect Umbrella Roaming Security Module from the system."
The mac still has the OpenDNS Roaming Client folder, the menu bar icon, and is still blocking sites in a browser.
Thoughts?
Maybe I did something wrong?
Posted on 01-23-2024 11:50 PM
This worked absolutely perfectly for us and we've also since moved the vpn_uninstall and anyconnect_uninstall into this workflow method.
Posted on 12-22-2020 08:10 AM
Thanks @walt, I found that by running
"/Applications/OpenDNS Roaming Client/rcuninstall"
we are able to run the script as root and it does in fact remove the applications for Cisco Umbrella Roaming Client.
Now to figure out why the applications went to the devices on the exclusions list and figure out why. And when a restricted software title is lifted, does it not allow it to run?
Any help in figuring this out would be awesome.
Posted on 06-09-2022 08:25 AM
Hi rhooper,
I'm pretty new to all this so not sure how to understand what your script is intended to be. Any way you can re-enter it? Or is the site messing up the formatting?
Thanks!
Posted on 06-09-2022 09:44 AM
Sorry @dmote
I thought the script was there.
The uninstaller is based on the premise that the rcuninstaller (Umbrella Uninstaller) is on the system. If it is, running this in a script works great:
/Applications/OpenDNS\ Roaming\ Client/rcuninstall
After that script has been run, a Reset DNS script is run.
#!/bin/bash
NetworkServices=`networksetup -listallnetworkservices`
if [[ $NetworkServices =~ "Wi-Fi" ]];then
    networksetup -setdnsservers Wi-Fi empty
    echo "Reset DNS Servers for Wi-Fi"
fi
if [[ $NetworkServices =~ "Ethernet" ]];then
    serviceName=`networksetup -listallnetworkservices | grep "Ethernet" -m 1`
    networksetup -setdnsservers "$serviceName" empty
    echo "Reset DNS Servers for $serviceName"
fi
if [[ $NetworkServices =~ "LAN" ]];then
    serviceName=`networksetup -listallnetworkservices | grep "LAN" -m 1`
    networksetup -setdnsservers "$serviceName" empty
    echo "Reset DNS Servers for $serviceName"
fi
If the uninstaller is not there then a script to reinstall the entire OpenDNS package needs to be run again. Which is as simple as creating a smart group that parses Applications for the Roaming Client uninstalled.app (name may vary), then having the package reinstall on the devices it is not present on.
I hope this helps.
Posted on 06-09-2022 11:10 AM
Thanks!
So do I add the /Applications/OpenDNS\ Roaming\ Client/rcuninstall part to a Files & Processes Payload?
The Reset DNS script part, would I create that as a new script, add it as a Script Payload, and make sure it's set to "After"?
Posted on 06-09-2022 12:37 PM
So I made the policy, put the /Applications/OpenDNS\ Roaming\ Client/rcuninstall part to a Files & Processes Payload, created a script for the Reset DNS and added it from the Scripts Payload and set it to After.
Not sure it is 100% correct but it worked!
Thanks!
Posted on 08-26-2024 01:02 PM
I just stumbled onto this. Thanks. I'm preparing to remove Umbrella in favor of another product (and it's been deprecated etc).
In my (early) testing, all I needed to do was run the Cisco rcuninstall binary from Jamf in a script payload or a Files and Processes payload, and it appears to work - without the need to run additional DNS reset scripts. Any comments on the need to run additional scripts?
Posted on 12-22-2020 10:56 AM
The script works well BUT there needs to be some sort of parser to see if the app is actually installed or not.
If not then the script should end without throwing an error.
How can this be done? Can it be done?
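One way to do the check asked about above, combined with the uninstall and DNS reset steps from elsewhere in this thread (an added example, not a script posted by any participant). It generalizes the DNS reset to every enabled service matching the thread's Wi-Fi/Ethernet/LAN patterns, and assumes the uninstaller path may optionally be supplied as Jamf script parameter 4.

```shell
#!/bin/bash
# Added example: guarded Umbrella Roaming Client removal for a Jamf policy.
# Assumption: custom Jamf script parameters start at $4; the default path
# below is the one quoted in this thread.
DEFAULT_UNINSTALLER="/Applications/OpenDNS Roaming Client/rcuninstall"

# List enabled network services matching the patterns used in the thread.
# The first line of networksetup output is an explanatory note, and
# disabled services are prefixed with "*"; both are skipped.
matching_services() {
    networksetup -listallnetworkservices \
        | tail -n +2 \
        | grep -v '^\*' \
        | grep -E 'Wi-Fi|Ethernet|LAN'
}

# Clear manually set DNS servers on each matching service.
reset_dns() {
    matching_services | while IFS= read -r svc; do
        networksetup -setdnsservers "$svc" empty \
            && echo "Reset DNS Servers for $svc"
    done
}

# Run the uninstaller only if it is present and executable.
# Returns 0 when there is nothing to remove, so the policy does not
# log a failure on machines that never had the client.
remove_umbrella() {
    uninstaller="$1"
    if [ ! -x "$uninstaller" ]; then
        echo "Umbrella uninstaller not found at $uninstaller; nothing to do"
        return 0
    fi
    if ! "$uninstaller"; then
        echo "Uninstaller failed; leaving DNS settings untouched" >&2
        return 1
    fi
    reset_dns
}

# The status of this last command becomes the script's exit code in the
# policy log.
remove_umbrella "${4:-$DEFAULT_UNINSTALLER}"
```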
Posted on 12-22-2020 12:14 PM
We use Umbrella and have had a pretty good experience with it. Side note: are you domain joined using mobile accounts? Or Enterprise Connect? Anyway... We use an Extension Attribute to determine if the app is installed.
#!/bin/bash
umb="/Applications/OpenDNS Roaming Client/UmbrellaMenu.app"
if [ -d "$umb" ]; then
    echo "<result>Yes</result>"
else
    echo "<result>No</result>"
fi
That said, you can scope around that. If you are concerned about your users running the uninstaller, one thing you can do is move it to a hidden protected folder after the app is installed. Then call the uninstaller as a one liner from a Jamf policy. Also we prefer to utilize Self Service for the uninstall and re-install. Make sure you run a recon, and it wouldn't hurt to have the machine restart at completion of the uninstall.
As for the restricted software feature of jamf. It has always been buggy. Perhaps look into something like https://github.com/erikberglund/AppBlocker
Posted on 12-22-2020 12:36 PM
@mojo21221 The biggest issue I've seen with Jamf Pro's Restricted Software configurations is the chance of their being applied seems to depend on if there are African or European swallows migrating in your vicinity. Having a Launch Daemon that does a periodic jamf manage helps ensure that the latest restrictions are applied.
Posted on 12-23-2020 07:19 AM
@sdagley Ahhh... It would grip it by the husk...