Posted on 11-18-2021 10:37 AM
Sadly Apple continue to make life harder for us Mac admins. 😢
I currently need to uninstall Sophos Anti-Virus from every Mac so I can then replace it with an alternative. (This is because Sophos still have not released a fully native Apple Silicon version.)
It would be easy to use a script to run the Sophos uninstall command, and bypassing the anti-tamper measures of Sophos is also easy. The problem is an Apple one.
Sophos correctly uses System Extensions. For macOS Big Sur there seem to be only two working approaches that let you uninstall System Extensions. Either you can turn off SIP and do whatever you want, or the only other method, and clearly the one Apple want you to use, is to drag the application that contains the System Extensions to the Bin. This then triggers an OS dialog asking for user approval to remove the contained System Extensions. If you otherwise uninstall Sophos, or drag the wrong thing, or use a script to delete items, the System Extensions do not get uninstalled and will remain forevermore.
As mentioned, this is not Sophos' fault and affects any other software using System Extensions. For one example article on this topic, see https://grahamrpugh.com/2021/04/06/delete-system-extension-command-line.html
In theory the systemextensionsctl tool has an uninstall option, and this did indeed work in Catalina, but it does not if SIP is enabled on macOS Big Sur.
So, what I am trying to do is write a shell script that uses osascript to 'tell' the Finder to move the required applications to the Bin. In fact before I get that far I wisely decided to do a much simpler and safer test which was to have a shell script which uses osascript and tells the Finder to open a new Finder window.
#!/bin/sh
osascript <<EOF
tell application "Finder"
activate
make new Finder window
end tell
EOF
This script itself seems fine but I am hitting a problem with it resulting in
Running script Test osascript...
Script exit code: 1
Script result: 37:59: execution error: Not authorised to send Apple events to Finder. (-1743)
I have created a PPPC profile in Jamf Pro to allow Jamf itself as per https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles and /usr/bin/osascript and Terminal.app permissions to send Apple Events to the Finder. Attached is an example of this PPPC.
So why is this still failing?
Note: The intent is that the final script tells the Finder to move the offending files to the Bin, which will trigger the Apple dialogs asking the user to approve this; this uninstalls the System Extensions, and I will then in the same script complete the rest of uninstalling Sophos and then trigger a reboot. After the reboot the replacement Anti-Virus tool will be installed.
Posted on 11-18-2021 01:37 PM
@jelockwood Scripts running from the Jamf binary run as root, and you need to run an AppleScript as the user. A good article on how to do that is Running a Command as another User
As an alternative to your AppleScript, it turns out it _is_ possible to remove a System Extension on Mac without prompting the user. @rtrouton documented it in this blog post: https://derflounder.wordpress.com/2021/10/26/silently-uninstalling-system-extensions-on-macos-monter...
Posted on 11-19-2021 03:11 AM
Hi, your information all makes sense. I am first trying the simple Finder control script, this time running 'as user'. Unfortunately I am still getting the same error
35:57: execution error: Not authorised to send Apple events to Finder. (-1743)
Here is the current code in the script
export PATH=/usr/bin:/bin:/usr/sbin:/sbin
# get the currently logged in user
currentUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ { print $3 }' )
# global check if there is a user logged in
if [ -z "$currentUser" -o "$currentUser" = "loginwindow" ]; then
echo "no user logged in, cannot proceed"
exit 1
fi
# now we know a user is logged in
# get the current user's UID
uid=$(id -u "$currentUser")
# main code starts here
# run script as user
if [ "$currentUser" != "loginwindow" ]; then
launchctl asuser "$uid" sudo -u "$currentUser" /usr/bin/osascript <<-EOF
tell application "Finder"
activate
make new Finder window
end tell
EOF
else
echo "no user logged in"
# uncomment the exit command
# to make the function exit with an error when no user is logged in
# exit 1
fi
I tried the same script on a Mac running a much older version of macOS and it works. It is failing under macOS 11.6.1 Big Sur.
I do have the following two profiles deployed to the test Big Sur Mac. In theory these should allow Jamf and Terminal and OSAScript to send Apple Events.
https://drive.google.com/file/d/1Kb2r7ZQyYEHJqdzredHD-isrsozrvfBy/view?usp=sharing
https://drive.google.com/file/d/15h4E9BN1n_lJpUYFsxUIH4h7-hxc0Jxo/view?usp=sharing
11-19-2021 05:06 AM - edited 11-19-2021 05:08 AM
@jelockwood The sudo -u is redundant if you're using launchctl asuser
Posted on 11-19-2021 07:52 AM
@sda
True, but the article you pointed me to suggested using both as a way to bulletproof the command. (For the benefit of others, sudo -u runs as a specified user.)
This also does not answer the issue of not being able to get it to have permission to send an Apple event. 😥
11-18-2021 01:39 PM - edited 11-18-2021 01:40 PM
This did it for me.
#!/bin/bash
rm -R "/Library/Sophos Anti-Virus/product-info.plist"
"/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer" --force_remove
Posted on 11-18-2021 03:26 PM
@sdagley Thank you for the pointer to Richard's article. I had seen and read an earlier article by him on this topic but I had not seen this much newer one. I will look into it further and do more testing.
@Hugonaut Yes, I had found this command here in the Jamf Community and already tried it. My admittedly brief testing suggests it does uninstall Sophos but leaves the System Extensions installed and running. This would be consistent with the article by Graham Pugh I linked to in my original message. Again I shall be doing more testing.
Based on the miserable failure still of Sophos to provide a native Apple Silicon version, I don't hold out a lot of hope that Sophos have added the official mechanism for removing System Extensions as per the newer Richard Trouton article linked to by @sdagley. It is however good news that Microsoft apparently have. I am actually moving to Microsoft Defender and we are going to try it for a month or so, which their licensing terms make possible as it is a monthly subscription linked to our existing Office365 subscription.
Posted on 05-20-2022 01:46 AM
Have you tried calling Finder by id instead of by name in your script?
So
tell application id "com.apple.finder"
... instead of ...
tell application "Finder"
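Added example, not part of any post in this thread: a root-context script in the shape discussed above that runs the Finder test as the console user, addresses Finder by bundle id as the last reply suggests, and classifies the AppleEvent error code that osascript reports. The function names are hypothetical, and the meanings given for -1743, -1744 and -600 are the standard AppleEvent constants rather than anything stated in the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Read `scutil` ConsoleUser output on stdin and print the short user name.
# Prints nothing when the login window owns the console.
console_user_from_scutil() {
    awk '/Name :/ && $3 != "loginwindow" { print $3 }'
}

# Print the trailing AppleEvent error number, e.g. -1743, from an osascript
# error line; print nothing when the text carries no such code.
ae_error_code() {
    printf '%s\n' "$1" | sed -n 's/.*(\(-[0-9][0-9]*\))[[:space:]]*$/\1/p'
}

# Map the standard AppleEvent codes relevant here to a short diagnosis.
diagnose_ae_error() {
    case "$1" in
        -1743) echo "TCC denied the event: check the AppleEvents PPPC entry for the sender" ;;
        -1744) echo "event would require user consent: no stored TCC decision" ;;
        -600)  echo "target application is not running (procNotFound)" ;;
        "")    echo "no AppleEvent error code found" ;;
        *)     echo "unclassified AppleEvent error $1" ;;
    esac
}

# Run the thread's Finder test as the console user and report the outcome.
run_finder_test() {
    user=$(echo "show State:/Users/ConsoleUser" | scutil | console_user_from_scutil)
    [ -n "$user" ] || { echo "no user logged in, cannot proceed"; return 1; }
    uid=$(id -u "$user")
    # Finder is addressed by bundle id; stderr is captured for classification.
    if out=$(launchctl asuser "$uid" sudo -u "$user" /usr/bin/osascript \
            -e 'tell application id "com.apple.finder" to make new Finder window' 2>&1)
    then
        echo "Finder accepted the event"
    else
        echo "osascript failed: $out"
        echo "diagnosis: $(diagnose_ae_error "$(ae_error_code "$out")")"
        return 1
    fi
}

# Act only on macOS as root, the context a Jamf policy script runs in.
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    run_finder_test
fi
```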