I need help writing a script that will input a management token when prompted.

howie_isaacks
Valued Contributor II

I need to script the uninstall of CrowdStrike on Macs. While deploying CrowdStrike this past week, I realized that we may need to push out a policy or make one available in Self Service to uninstall the software. The uninstall command to do this is: 

sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall --MANAGMENT TOKEN

This command would work perfectly in a script. The issue we have run into is that using this command sometimes fails. We have not yet gotten a solution from CrowdStrike. The other command that will uninstall the software is:

sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall -t

Upon entering that command, we are prompted to enter the management token. The prompt is:

Falcon Management Token:

I remember several years ago working with some scripts that would respond to password prompts and enter the password needed. Unfortunately, I didn't write those scripts and I don't have them on hand to modify. Does anyone know how to script this so that the management token can be entered by the script when prompted? I'm going to try a few things today but I wanted to post this here to find out if anyone can point me in the right direction. If the first command that includes the token would work reliably, this would be easy to write. The most reliable command is the second one that results in us being prompted to enter the management token.

11 REPLIES

talkingmoose
Moderator

I think you're wanting something like an expect script. Here's something that may point you in the right direction.

https://stackoverflow.com/questions/48385156/trying-to-use-expect-in-mac-script

Thanks! I read about using expect but I didn't find a good example of it.

sdagley
Esteemed Contributor II

@howie_isaacks You can set the sensor to maintenance mode in your CrowdStrike console to allow the uninstall command to run without requiring a token.

howie_isaacks
Valued Contributor II

Interesting. I wonder why our CrowdStrike rep didn't mention this when we told him about the uninstall command being inconsistent and not working reliably.

AVmcclint
Honored Contributor

Take a look at this thread: https://community.jamf.com/t5/jamf-pro/crowdstrike-uninstall-script/m-p/233560

I put a script in there that has worked for me a few times. The reason for the failures had nothing to do with the script - the CrowdStrike installation on the Macs was so fubar'd that nothing could uninstall it.

sdagley
Esteemed Contributor II

I should have mentioned this in my previous post, but since I can no longer edit it here's a new post...

If you're deploying CrowdStrike in your environment and haven't already seen @franton's https://richard-purves.com/2022/05/03/downloading-crowdstrike-via-api-for-fun-and-profit/ blog post, do yourself a favor and go take a look at it.

He also has a GitHub repo of scripts that utilize the CrowdStrike API (https://github.com/franton/Crowdstrike-API-Scripts), including one that uses the API to automatically get a maintenance token from the CrowdStrike console to remove the agent from a Mac: uninstall-csf.sh (your API access account will require appropriate permissions).

howie_isaacks
Valued Contributor II

Thanks! I will look at this. I lost focus on this all week because I'm not trying to make sense out of an Xcode project built by the person who previously had my job.

franton
Valued Contributor III

Flattery will get you everywhere sir, but yes I have this in our IT self service and it's totally automatic.

howie_isaacks
Valued Contributor II

After a quick look at your script, it actually answered my initial question. I had found some script examples that use expect but I couldn't find any that fit a use case that I would normally have. Great stuff! Thanks!

mojo21221
Contributor II

I have had success with unscoping the Config profiles that are associated with Crowdstrike then running the uninstall.sh script. We are very new to testing, but it seems like it was easier than getting a mgmt token...
Full process: create a static group (Crowdstrike Removal)
Scope said group to the exclusions for the 3-4 Config profiles
Create a policy that runs the uninstall.sh then restarts the Mac. Make it available in Self Service. (Scoped it to Crowdstrike Removal)

Usage:

Add machine to static group.

Instruct user to run removal policy from SS.

techdawg
New Contributor

I am late to the party, but I was googling around to figure out what can be done to a similar issue we are having and stumbled on this post. I may have what you are asking for.

We require maintenance tokens for uninstalls as we do not want to disable BIOS Visibility on Crowdstrike to enable Bulk Maintenance Token which would make uninstalls on Macs easier. With that said, we needed something that would prompt the user to enter the maintenance token that’s provided by the IT team and then uninstall CS from the machine. We managed to put together this little Jamf Script. So far it’s working, but we have not done any extensive testing as of yet. Hopefully it may help whoever needs it or at least gets them pointed in the right direction.

 

 

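#!/bin/bash

## prompts user to enter maintenance token

MAINTOKEN=$(/usr/bin/osascript <<'EOT'
tell application "System Events"
activate
set MAINTOKEN to text returned of (display dialog "MAINTENANCE TOKEN" default answer "")
end tell
EOT
)

## stops if no token was entered (for example the dialog was cancelled)
## the token itself is not echoed, so it stays out of the policy log

if [ -z "$MAINTOKEN" ]; then
echo "No maintenance token entered" >&2
exit 1
fi

## uninstalls CS from machine
## the token is passed through the environment and read as $env(MAINTOKEN), so quotes,
## $ or [ typed into the dialog are sent as typed and never interpreted by expect

export MAINTOKEN
expect <<'DONE'
spawn /Applications/Falcon.app/Contents/Resources/falconctl uninstall -t
expect "Falcon Maintenance Token:"
send -- "$env(MAINTOKEN)\r"
expect eof
DONE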

## kills any CS running processes if any remains

killall -m 'falcon*'
killall -m 'Falcon*'
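
A stricter version of the prompt-answering approach discussed in this thread, as an added example that is not from any poster or from CrowdStrike: it fails on a missing prompt or a timeout and returns falconctl's exit status so the policy reports a failed uninstall. The function names, the CS_TOKEN, FALCONCTL and STUB_EXPECTED variables, the 30-second timeout and the stub are assumptions; it matches on "Token:" because the thread quotes the prompt both as "Falcon Management Token:" and as "Falcon Maintenance Token:".

```shell
#!/bin/bash
# Added example, not code from the thread. Function names are hypothetical.

# uninstall_with_token <token> [path to falconctl]
# Returns falconctl's exit status, or 3-6 when the prompt exchange itself fails.
uninstall_with_token() {
    local token=$1
    local falconctl=${2:-/Applications/Falcon.app/Contents/Resources/falconctl}
    [ -n "$token" ] || { echo "no token supplied" >&2; return 2; }
    # Token and path go through the environment and are read as $env(...),
    # so quotes, $ or [ in them are never parsed as expect/Tcl syntax.
    CS_TOKEN=$token FALCONCTL=$falconctl expect <<'EOF'
set timeout 30
log_user 0   ;# keep the tty echo of the token out of the policy log
spawn $env(FALCONCTL) uninstall -t
expect {
    "Token:" { send -- "$env(CS_TOKEN)\r" }
    timeout  { puts stderr "no token prompt within ${timeout}s"; exit 3 }
    eof      { puts stderr "falconctl exited before prompting"; exit 4 }
}
expect {
    timeout { puts stderr "uninstall did not finish within ${timeout}s"; exit 5 }
    eof     { }
}
# Pass falconctl's exit status on so the policy fails when the uninstall fails.
set result [wait]
if {[lindex $result 2] != 0} { exit 6 }
exit [lindex $result 3]
EOF
}

# Constructed stand-in for falconctl, for offline testing only: prints the
# prompt and succeeds only if the line it reads equals $STUB_EXPECTED.
make_stub_falconctl() {
    local stub
    stub=$(mktemp "${TMPDIR:-/tmp}/falconctl-stub.XXXXXX") || return 1
    cat > "$stub" <<'STUB'
#!/bin/sh
printf 'Falcon Maintenance Token: '
IFS= read -r got
[ "$got" = "$STUB_EXPECTED" ]
STUB
    chmod +x "$stub"
    echo "$stub"
}
```

In a policy script the call would be `uninstall_with_token "$MAINTOKEN" || exit 1`, with the token obtained however the site already supplies it.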