Jamf Nation Community

SureExclamation · ‎05-11-2020

I started leveraging JAMF to patch Zoom.us which is working great so far. It installs in /Applications, but I am finding many users have it installed in their ~/Applications folder, leaving the older version in place.

I need to remove it from their ~/Applications, but running into challenges.

I am new at bash, but I tried running the script rm -rf ~/Applications/zoom.us.app , but it's not pulling it from logged in user's directory.

I tried, sudo -u $(ls -l /dev/console | awk '{print $3}') rm -rf ~/Applications/zoom.us.app , but these are standard users and getting permission denied messages.

Our mac's are not shared so doing it in currently logged in or all users' ~/Applications directories are fine.

Any help is appreciated, thanks.

shaquir · ‎05-11-2020

Hi @markl ,
Building of the thread Zoom Exploit, I added:

#!/bin/sh
#Removes user downloaded Zoom
if [ -e /Users/*/Applications/zoom.us.app ]; then
rm -rf /Users/*/Applications/zoom.us.app
fi

#Remove .zoomus for all users

if [ -e /Users/*/.zoomus ]; then
rm -rf /Users/*/.zoomus
fi

The final script that I used in my environment was:

#!/bin/sh
# Disable auto-video on Zoom
# For just your local account
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
currentUserHome=$( dscl . read /Users/"$currentUser" NFSHomeDirectory | awk '{print $2}')
prefPath="/Library/Preferences/us.zoom.config.plist"
zoomAppSupportPath="$currentUserHome/Application Support/zoom.us"

#Clear Out existing App Support DB
if [ -e "$zoomAppSupportPath" ]; then
    rm -rf "$zoomAppSupportPath"
fi

# Apply to all users on the machine
# Clear any existing preferences
if [ -e "$prefPath"  ]; then
    rm -rf "$prefPath"
fi

# Apply for all users
defaults write "$prefPath" ZDisableVideo 1
defaults write "$prefPath" MuteVoipWhenJoin 1
chown root:wheel "$prefPath"

# Delete webserver
zoompid=`lsof -ti :19421`
echo "$zoompid"
if [ -z "$zoompid" ] ; then
    echo "zoompid not found"
else
    kill -9 "$zoompid"
fi

if [ -e /Users/*/Applications/zoom.us.app ]; then
rm -rf /Users/*/Applications/zoom.us.app
fi

if [ -e /Applications/zoom.us.app ]; then
rm -rf /Applications/zoom.us.app
fi

if [ -e /Users/*/.zoomus ]; then
rm -rf /Users/*/.zoomus
fi

touch "$currentUserHome/.zoomus"

exit 0

You should also add Zoom to your Restricted Software list.

View solution in original post

shaquir · ‎05-11-2020

Hi @markl ,
Building of the thread Zoom Exploit, I added:

#!/bin/sh
#Removes user downloaded Zoom
if [ -e /Users/*/Applications/zoom.us.app ]; then
rm -rf /Users/*/Applications/zoom.us.app
fi

#Remove .zoomus for all users

if [ -e /Users/*/.zoomus ]; then
rm -rf /Users/*/.zoomus
fi

The final script that I used in my environment was:

#!/bin/sh
# Disable auto-video on Zoom
# For just your local account
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
currentUserHome=$( dscl . read /Users/"$currentUser" NFSHomeDirectory | awk '{print $2}')
prefPath="/Library/Preferences/us.zoom.config.plist"
zoomAppSupportPath="$currentUserHome/Application Support/zoom.us"

#Clear Out existing App Support DB
if [ -e "$zoomAppSupportPath" ]; then
    rm -rf "$zoomAppSupportPath"
fi

# Apply to all users on the machine
# Clear any existing preferences
if [ -e "$prefPath"  ]; then
    rm -rf "$prefPath"
fi

# Apply for all users
defaults write "$prefPath" ZDisableVideo 1
defaults write "$prefPath" MuteVoipWhenJoin 1
chown root:wheel "$prefPath"

# Delete webserver
zoompid=`lsof -ti :19421`
echo "$zoompid"
if [ -z "$zoompid" ] ; then
    echo "zoompid not found"
else
    kill -9 "$zoompid"
fi

if [ -e /Users/*/Applications/zoom.us.app ]; then
rm -rf /Users/*/Applications/zoom.us.app
fi

if [ -e /Applications/zoom.us.app ]; then
rm -rf /Applications/zoom.us.app
fi

if [ -e /Users/*/.zoomus ]; then
rm -rf /Users/*/.zoomus
fi

touch "$currentUserHome/.zoomus"

exit 0

You should also add Zoom to your Restricted Software list.

SureExclamation · ‎05-11-2020

Thanks, I finally figured out rm -rf /Users/*/Applications/zoom.us.app just a few mins ago. Will look over your stuff to build off of of. Thanks again.

PatrickD · ‎05-11-2020

Hey @markl,

You could try the following script deployed via a Jamf Policy.

#!/bin/sh
currentUser=`ls -l /dev/console | awk '{print $3}'`

rm -rf /Users/"$currentUser"/Applications/zoom.us.app

exit

When executing scripts from Jamf " ~ " will refer to the user running the script, which in the case of Jamf is "root".

If you find that there are multiple zoom.us installs in the 1 directory, they will likely be zoom.us, zoom.us1, zoom.us2 and so on. If that is the case, just use the following command in your script.

rm -rf /Users/"$currentUser"/Applications/zoom.us*

Pat

donmontalvo · ‎05-11-2020

We've been using mdfind to find apps that may exist in non-default paths, then going through the search result to remove the ones that are not in the default path.

#!/bin/bash

GOOD_PATH="/Applications/zoom.us.app"
BUNDLE_ID="us.zoom.xos"
SEARCH_FILE="/private/tmp/SearchResults.txt"

function searchCommand()
{
    mdfind kMDItemCFBundleIdentifier="$BUNDLE_ID" | grep -v "$GOOD_PATH" > "$SEARCH_FILE"
}

function removeBad()
{
    xargs -I{} rm -r {} < "$SEARCH_FILE"
}

searchCommand
removeBad

--
https://donmontalvo.com

dan-snelson · ‎05-12-2020

You inspire me, @donmontalvo.

shaquir · ‎05-12-2020

This Remove App From Unapproved Locations.sh is awesome @dan-snelson! Clean workflow @donmontalvo! I'll definitely be utilizing this in the future.

donmontalvo · ‎05-12-2020

@dan-snelson I like it! May I steal it? :):):)

@shaquir wait until @mm2270 chimes in!

@tlarkin also posted similar stuff.

--
https://donmontalvo.com

Jamf Nation Community

Need to remove an .app from users' ~/Applications folder