How to SILENTLY uninstall Global Protect?

AlexQualtrics
New Contributor

I have worked through Palo Alto's official support document, which explains how to create a Jamf policy to uninstall Global Protect. It says that the script will run with "superuser authority". However, it still prompts the user to authenticate for the removal of the extension. Is there any way to get around this prompt on the user side?

3 REPLIES

sdagley
Esteemed Contributor II

@AlexQualtrics Here is a script that can be run via Jamf Pro which uses a technique documented by @rtrouton to authorize removal of a System Extension without prompting the user, and it has been tested up to macOS Ventura 13.4:

#!/bin/bash
#
# Wrapper for GlobalProtect uninstaller script that uses method documented by @rtrouton
# to remove a System Extension without triggering a prompt for user authentication
# 	https://derflounder.wordpress.com/2021/10/26/silently-uninstalling-system-extensions-on-macos-monterey-and-earlier/

GPUninstaller="/Applications/GlobalProtect.app/Contents/Resources/uninstall_gp.sh"

if [ ! -e "$GPUninstaller" ]; then
	echo "GlobalProtect uninstaller not found, exiting uninstall script"
	exit 1
fi

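# Temp plist files used for import and export from authorization database.
# They live in a private directory from mktemp -d (mode 0700) instead of
# appending .plist to a mktemp file name, which left the .plist path uncreated.
temp_dir="$(mktemp -d)"
management_db_original_setting="$temp_dir/original.plist"
management_db_edited_setting="$temp_dir/edited.plist"
management_db_check_setting="$temp_dir/check.plist"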

# Expected settings from management database for com.apple.system-extensions.admin
original_setting="authenticate-admin-nonshared"
updated_setting="allow"

ManagementDatabaseUpdatePreparation() {
# Create temp plist files
touch "$management_db_original_setting"
touch "$management_db_edited_setting"
touch "$management_db_check_setting"

# Create backup of the original com.apple.system-extensions.admin settings from the management database
/usr/bin/security authorizationdb read com.apple.system-extensions.admin > "$management_db_original_setting"

# Create copy of the original com.apple.system-extensions.admin settings from the management database for editing.
/usr/bin/security authorizationdb read com.apple.system-extensions.admin > "$management_db_edited_setting"
}

UpdateManagementDatabase() {
if [[ -r "$management_db_edited_setting" ]] && [[ $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_edited_setting") = "$original_setting" ]]; then
   /usr/libexec/PlistBuddy -c "Set rule:0 $updated_setting" "$management_db_edited_setting"
   if [[ $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_edited_setting" ) = "$updated_setting" ]]; then
      echo "Edited $management_db_edited_setting is set to allow system extensions to be uninstalled without password prompt."
      echo "Now importing setting into authorization database."
      /usr/bin/security authorizationdb write com.apple.system-extensions.admin < "$management_db_edited_setting"
      if [[ $? -eq 0 ]]; then
         echo "Updated setting successfully imported."
         UpdatedAuthorizationSettingInstalled="true"
      fi
    else
      echo "Failed to update $management_db_edited_setting file with the correct setting to allow system extension uninstallation without prompting for admin credentials."
    fi
fi
}

RestoreManagementDatabase() {
/usr/bin/security authorizationdb read com.apple.system-extensions.admin > "$management_db_check_setting"
if [[ ! $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_check_setting") = "$original_setting" ]]; then
   if [[ -r "$management_db_original_setting" ]] && [[ $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_original_setting") = "$original_setting" ]]; then
      echo "Restoring original settings to allow system extension uninstallation only after prompting for admin credentials."
      echo "Now importing setting into authorization database."
      /usr/bin/security authorizationdb write com.apple.system-extensions.admin < "$management_db_original_setting"
      if [[ $? -eq 0 ]]; then
         echo "Original setting successfully imported."
         OriginalAuthorizationSettingInstalled=1
      fi
    else
      echo "Failed to update the authorization database with the correct setting to allow system extension uninstallation only after prompting for admin credentials."
    fi
fi
}

# Prepare to update authorization database to allow system extensions to be uninstalled without password prompt.
ManagementDatabaseUpdatePreparation

# Update authorization database with new settings.
UpdateManagementDatabase

# Run the GlobalProtect uninstaller
"$GPUninstaller"
uninstallResult=$?

# Once the system extensions are uninstalled, the relevant settings for the authorization database will be restored from backup to their prior state.
if [[ -n "$UpdatedAuthorizationSettingInstalled" ]]; then 
	RestoreManagementDatabase

	if [[ -n "$OriginalAuthorizationSettingInstalled" ]]; then
		echo "com.apple.system-extensions.admin settings in the authorization database successfully restored to $original_setting."
		rm -rf "$management_db_original_setting"
		rm -rf "$management_db_edited_setting"
		rm -rf "$management_db_check_setting"
	fi

fi

exit $uninstallResult
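
The wrapper above leaves com.apple.system-extensions.admin at "allow" if the restore step fails or the run is interrupted, so a follow-up check that the right is back at authenticate-admin-nonshared is worth running after the policy. This is an added example, not part of the original post or of Palo Alto's or Jamf's tooling; the function names, the --live switch and the sample plist are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the thread): confirm the right the wrapper flips to
# "allow" is restored. Function names and --live are assumptions.

# Print the first <string> in the plist's "rule" array (plist XML on stdin).
first_rule() {
  awk '
    /<key>rule<\/key>/ { in_rule = 1; next }
    in_rule && /<string>/ {
      sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
    }
    in_rule && /<\/array>/ { exit }
  '
}

# Print a verdict for the plist on stdin; succeed only when the prompt is enforced.
audit_sysext_right() (
  rule="$(first_rule)"
  case "$rule" in
    authenticate-admin-nonshared) status="ok" ;;
    allow)                        status="weakened" ;;
    "")                           status="unreadable" ;;
    *)                            status="unexpected:$rule" ;;
  esac
  echo "$status"
  [ "$status" = "ok" ]
)

# Constructed sample shaped like `security authorizationdb read` output.
sample_plist() {
  cat <<EOF
<plist version="1.0">
<dict>
  <key>class</key>
  <string>rule</string>
  <key>rule</key>
  <array>
    <string>$1</string>
  </array>
</dict>
</plist>
EOF
}

# On a Mac, run this script with --live to audit the real authorization database.
if [ "${1:-}" = "--live" ]; then
  /usr/bin/security authorizationdb read com.apple.system-extensions.admin 2>/dev/null | audit_sysext_right
  exit $?
fi
```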

Great find. Thanks!
Alex Hass

daniel_behan
Contributor III

You can mark Palo Alto as a Removable System Extension as outlined below.  Then running this command should be silent.

/Applications/GlobalProtect.app/Contents/Resources/uninstall_gp.sh

 

[Image: Screenshot 2023-05-25 at 9.52.22 AM.png]