Skip to main content

Hi All,

I'm just now looking how can I remove McAfee Agent(**McAfee Endpoint Protection for Mac.app, McAfee ePO Remote Provisioning Tool.app) and decrypt Machine from JSS to client Machine. There is any policy for this.

Typically you can use:
EPM: 

sudo /usr/local/McAfee/uninstall EPM

Agent:

sudo /Library/McAfee/cma/scripts/uninstall.sh

And then pray that your ePO admins don't have a policy running to require a password to run the uninstaller. If so, you can't remotely run the uninstaller, you'll need to tear out the bits and pieces forcefully. There is a script floating around, I forget where though, called RipOffMcafee that will do that.

Remove McAfee version 4 & 5. 

[ -f /usr/local/McAfee/uninstall EPM ] && /usr/local/McAfee/uninstall EPM

[ -f /Library/McAfee/cma/uninstall.sh ] && /Library/McAfee/cma/uninstall.sh

[ -f /Library/McAfee/cma/scripts/uninstall.sh ] && /Library/McAfee/cma/scripts/uninstall.sh

[ -f /Library/McAfee/agent/scripts/uninstall.sh ] && /Library/McAfee/agent/scripts/uninstall.sh

[ -d /Applications/McAfee Endpoint Protection for Mac.app ] && rm -rf /Applications/McAfee Endpoint Protection for Mac.app

[ -d /Applications/McAfee Endpoint Security for Mac.app ] && rm -rf /Applications/McAfee Endpoint Security for Mac.app

[ -d /Library/McAfee ] && rm -rf /Library/McAfee

[ -d /usr/local/McAfee ] && rm -rf /usr/local/McAfee

[ -d /Library/Application Support/McAfee ] && rm -rf /Library/Application Support/McAfee

rm -rf /Library/Preferences/com.mcafee*

launchctl unload /Library/LaunchDaemons/com.mcafee*
rm -rf /Library/LaunchDaemons/com.mcafee*
rm -rf /Library/LaunchAgents/com.mcafee*


killall Menulet
killall McAfee Reporter

FWIW, you can actually send the password required for removing the McAfee EPM components (if required by your EPO admins) in a script, using Jamf script parameters of course.

Here's an example of how with a script we use in a policy

#!/bin/bash

prdVers="$4"
passAV="$5"
avResult=""
avUninstaller1022="/usr/local/McAfee/uninstall"

if [ -e "$avUninstaller1022" ]; then
    echo "McAfee AV 10.2.2 product found. Removing AV..."

    while [ "$avResult" != 0 ]; do
        echo "$passAV" | sudo -S "$avUninstaller1022" "$prdVers"
        removeResult=$?
        if [ $removeResult == 0 ]; then
            echo "McAfee AV 10.2.2 removed."
        fi
    done
else
    echo "McAfee AV product not found. Skipping."
fi

/Library/McAfee/cma/scripts/uninstall.sh

exit 0

You have to pass the product, like "EPM" to $4 and the password to $5.

I believe the one issue with this is that it may end up showing up in the system.log, which you could clear up later if so inclined with a carefully crafted grep/sed command. I will have to go back and check on that, but I know invoking any sudo commands in a script usually end up dropping the entire command that was run after it into the log. It may be the case here as well since it's calling sudo -S

mm2270: The script you provided works great except for the avResult variable. How was that being used to prevent it from running forever?

I found this script called RipOffMcAfee and then modified it to remove some additional extensions and framework for DLP.

McAfee can also cause InTune registration to fail when blocking untrusted certificates.

#!/usr/bin/env bash

## HEADER


## DEFINITIONS


## FUNCTIONS

grabConsoleUserAndHome(){

    # don't assume the home folder is equal to the user's name

    currentUser=""
    homeFolder=""

    currentUser=$(stat -f %Su "/dev/console")
    homeFolder=$(dscl . read "/Users/$currentUser" NFSHomeDirectory | cut -d: -f 2 | sed 's/^ *//'| tr -d '
')

}


removeMcAfee(){

    bolRunARecon=true

    grabConsoleUserAndHome

    ## ARRAYS

    McAfeeKernelExtensions=(
        '/usr/local/McAfee/AntiMalware/Extensions/AVKext.kext'
        '/usr/local/McAfee/AppProtection/Extensions/AppProtection.kext'
        '/usr/local/McAfee/StatefulFirewall/Extensions/SFKext.kext'
        'tocal/McAfee/fmp/Extensions/FMPSysCore.kext'
        '/usr/local/McAfee/fmp/Extensions/FileCore.kext'
        '/usr/local/McAfee/fmp/Extensions/NWCore.kext'
        )

    McAfeeLaunchDaemons=(
        '/Library/LaunchDaemons/com.mcafee.agent.cma.plist'
        '/Library/LaunchDaemons/com.mcafee.ssm.Eupdate.plist'
        '/Library/LaunchDaemons/com.mcafee.ssm.ScanFactory.plist'
        '/Library/LaunchDaemons/com.mcafee.ssm.ScanManager.plist'
        '/Library/LaunchDaemons/com.mcafee.virusscan.fmpd.plist'
        '/Library/LaunchDaemons/com.mcafee.agent.ma.plist'
        '/Library/LaunchDaemons/com.mcafee.agent.macmn.plist'
        '/Library/LaunchDaemons/com.mcafee.agent.macompat.plist'
        )

    McAfeeFiles=(
        '/etc/cma.conf'
        '/Library/LaunchDaemons/com.mcafee.agent.cma.plist'
        '/Library/LaunchDaemons/com.mcafee.ssm.Eupdate.plist'
        '/Library/LaunchDaemons/com.mcafee.ssm.ScanFactory.plist'
        '/Library/LaunchDaemons/com.mcafee.ssm.ScanManager.plist'
        '/Library/LaunchDaemons/com.mcafee.virusscan.fmpd.plist'
        '/Library/LaunchAgents/com.mcafee.menulet.plist'
        '/Library/LaunchAgents/com.mcafee.reporter.plist'
        '/Library/Preferences/.com.mcafee.StatefulFirewall.license'
        '/Library/Preferences/.com.mcafee.antimalware.license'
        '/Library/Preferences/.com.mcafee.appprotection.license'
        '/Library/Preferences/com.mcafee.ssm.StatefulFirewall.plist'
        '/Library/Preferences/com.mcafee.ssm.antimalware.plist'
        '/Library/Preferences/com.mcafee.ssm.appprotection.plist'
        '/var/log/McAfeeSecurity.log'
        '/private/var/db/receipts/com.mcafee.agent.pkg.bom'
        '/private/var/db/receipts/com.mcafee.agent.pkg.plist'
        '/private/var/db/receipts/com.mcafee.epm.pkg.bom'
        '/private/var/db/receipts/com.mcafee.epm.pkg.plist'
        '/private/var/db/receipts/com.mcafee.mscui.bom'
        '/private/var/db/receipts/com.mcafee.mscui.plist'
        '/private/var/db/receipts/com.mcafee.pkg.StatefulFirewall.bom'
        '/private/var/db/receipts/com.mcafee.pkg.StatefulFirewall.plist'
        '/private/var/db/receipts/com.mcafee.ssm.appp.bom'
        '/private/var/db/receipts/com.mcafee.ssm.appp.plist'
        '/private/var/db/receipts/com.mcafee.ssm.fmp.bom'
        '/private/var/db/receipts/com.mcafee.ssm.fmp.plist'
        '/private/var/db/receipts/com.mcafee.virusscan.bom'
        '/private/var/db/receipts/com.mcafee.virusscan.plist'
        '/etc/cma.conf'
        '/Library/Receipts/cma.pkg'
        )

    McAfeeFolders=(

        '/Library/McAfee'
        '/Library/StartupItems/cma'
        '/private/etc/cma.d'
        '/private/etc/ma.d'
        '/Library/Application Support/McAfee'
        '/Applications/McAfee Endpoint Protection for Mac.app'
        '/Applications/McAfee Endpoint Security for Mac.app'
        '/Library/Documentation/Help/McAfeeSecurity_AVOnly.help'
        '/Library/Documentation/Help/McAfeeSecurity_ApplicationProtection.help'
        '/Library/Documentation/Help/McAfeeSecurity_Firewall.help'
        '/usr/local/McAfee'
        '/private/var/McAfee'
        '/Applications/McAfeeSystemExtensions.app'
        )   

    if [[ "$currentUser" != "root" ]]; then

        su - $currentUser -c 'launchctl unload /Library/LaunchAgents/com.mcafee.menulet.plist'
        su - $currentUser -c 'launchctl unload /Library/LaunchAgents/com.mcafee.reporter.plist'
        su - $currentUser -c 'killall "McAfee Endpoint Protection for Mac"'
        su - $currentUser -c 'killall "McAfee Endpoint Security for Mac"'
        sleep 5

    fi

    #Stop StartupItems
    /Library/StartupItems/cma/cmamesh forcestop

    #Unload all LaunchDaemons from array McAfeeLaunchDaemons
    for EachFile in "${McAfeeLaunchDaemons[@]}"; do
        [[ -e "$EachFile" ]] && launchctl unload "$EachFile" && echo "Unloading $EachFile"
    done

    #Unload all Kernel Extensions
    for EachFile in "${McAfeeKernelExtensions[@]}"; do
        [[ -e "$EachFile" ]] && kextunload "$EachFile" > /dev/null 2>&1 && echo "Unloading $EachFile" && sleep 5
    done

    #Delete all files from array McAfeeFiles
    for EachFile in "${McAfeeFiles[@]}"; do
        [[ -e "$EachFile" ]] && rm -f "$EachFile" && echo "Deleting $EachFile"
    done

    #Delete all folders from array McAfeeFolders
    for EachFolder in "${McAfeeFolders[@]}"; do
        [[ -e "$EachFolder" ]] && rm -rf "$EachFolder" && echo "Deleting $EachFolder"
    done

    #Delete all LaunchDaemons from array McAfeeLaunchDaemons
    for EachFile in "${McAfeeLaunchDaemons[@]}"; do
        echo $EachFile 
        [[ -e "$EachFile" ]] && rm -f "$EachFile" && echo "Deleting $EachFile"
    done

    #Unload all Kernel Extensions
    for EachFile in "${McAfeeKernelExtensions[@]}"; do
        [[ -e "$EachFile" ]] && rm -rf "$EachFile" > /dev/null 2>&1 && echo "Deleting $EachFile"
    done

    #If above 10.6 forget package receipt
    pltvrsn=`/usr/bin/sw_vers | grep ProductVersion | cut -d: -f2`
    majvrsn=`echo $pltvrsn | cut -d. -f1`
    minvrsn=`echo $pltvrsn | cut -d. -f2`
    if (($majvrsn>=10 && $minvrsn>=6)); then
        echo "Forgetting McAfee Agent package..."
        /usr/sbin/pkgutil --forget comp.nai.cmamac > /dev/null 2>&1 
    fi

    dscl . -delete /Users/mfe

    dscl . -delete /Groups/mfe

    dscl . -delete /Groups/Virex

    killall -c Menulet

}


## BODY

removeMcAfee

#jamf policy -event <Your event name to install new goes here>


## FOOTER
exit 0

love this.

You'll find the latest RipOffMcAfee script pinned in the #mcafee channel of the MacAdmins Slack. The script posted above looks like it was based on an older version, so here's the current one (v2.2):

#!/bin/sh
## RipOff-McAfee.sh
## version 2.0
## 
## Author: Adam Scheblein, McAfee IT
## E-Mail: adam_scheblein@mcafee.com
##
## version 2.1 mods by Steve Dagley <@sdagley Jamf Nation/Twitter/MacAdmins Slack>
##  Updated launchctl calls to use bootout instead of unload
##  Remove Privileged HelperTool added with ENS 10.7.1
##  Kill McAfee Agent Status Monitor when unloading launch items
##
## version 2.2 mods by Adam Scheblein
##  Removes system extension 
##  Kill McAfee Reporter when unloading launch items
##
# This script has been verified to work on McAfee Endpoint Security 10 for Mac.
# It supports uninstalls through ENSM 10.7.5, and removes all McProducts.
#get current user name and ID
userName=$(/bin/echo 'show State:/Users/ConsoleUser' | /usr/sbin/scutil | /usr/bin/awk '/Name / { print $3 }')
currentUserID=$(/usr/bin/id -u "$userName")
# stop running processes
echo "stopping running processes"
/usr/local/McAfee/DlpAgent/bin/DlpAgentControl.sh mastop
/usr/local/McAfee/AntiMalware/VSControl mastop
/usr/local/McAfee/StatefulFirewall/bin/StatefullFirewallControl mastop
/usr/local/McAfee/WebProtection/bin/WPControl mastop
/usr/local/McAfee/atp/bin/ATPControl mastop
/usr/local/McAfee/FRP/bin/FRPControl mastop
/usr/local/McAfee/Mar/MarControl stop
/usr/local/McAfee/mvedr/MVEDRControl stop
/usr/local/McAfee/Mcp/bin/mcpcontrol.sh mastop
/usr/local/McAfee/MNE/bin/MNEControl mastop
/usr/local/McAfee/fmp/bin/fmp stop
/opt/McAfee/dx/bin/dxlservice stop
/Library/McAfee/agent/bin/maconfig -stop
echo ""
# unload kexts
echo "unloading kexts"
/sbin/kextunload /Library/Application Support/McAfee/AntiMalware/AVKext.kext
/sbin/kextunload /Library/Application Support/McAfee/FMP/mfeaac.kext
/sbin/kextunload /Library/Application Support/McAfee/FMP/FileCore.kext
/sbin/kextunload /Library/Application Support/McAfee/FMP/FMPSysCore.kext
/sbin/kextunload /Library/Application Support/McAfee/StatefulFirewall/SFKext.kext
/sbin/kextunload /usr/local/McAfee/AntiMalware/Extensions/AVKext.kext
/sbin/kextunload /usr/local/McAfee/StatefulFirewall/Extensions/SFKext.kext
/sbin/kextunload /usr/local/McAfee/Mcp/MCPDriver.kext
/sbin/kextunload /usr/local/McAfee/DlpAgent/Extensions/DLPKext.kext
/sbin/kextunload /usr/local/McAfee/DlpAgent/Extensions/DlpUSB.kext
/sbin/kextunload /usr/local/McAfee/fmp/Extensions/FileCore.kext
/sbin/kextunload /usr/local/McAfee/fmp/Extensions/NWCore.kext
/sbin/kextunload /usr/local/McAfee/fmp/Extensions/FMPSysCore.kext
echo ""
echo "uninstalling system extensions"
if [ -e /Applications/McAfeeSystemExtensions.app ] ; then
    /usr/bin/sudo -u $userName /usr/local/McAfee/fmp/AAC/bin/deactivatesystemextension com.mcafee.CMF.networkextension
fi
# unload launch items
echo "unloading launch items"
/bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.McAfeeSafariHost.plist
/bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.menulet.plist
/bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.reporter.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.aac.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.ma.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.macmn.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.macompat.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.dxl.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.Eupdate.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.ScanFactory.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.ScanManager.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.virusscan.fmpcd.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.virusscan.fmpd.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agentMonitor.helper.plist
/usr/bin/killall -c Menulet
/usr/bin/killall -c "McAfee Agent Status Monitor"
/usr/bin/killall -c McAfee Reporter
echo ""
# rm program dirs
echo "removing program dirs"
/bin/rm -rf /usr/local/McAfee/
/bin/rm -rf /opt/McAfee/
/bin/rm -rf /Applications/DataLossPrevention.app/
/bin/rm -rf /Applications/McAfee Endpoint Security for Mac.app/
/bin/rm -rf /Applications/McAfee Endpoint Protection for Mac.app/
/bin/rm -rf /Applications/McAfeeSystemExtensions.app/
/bin/rm -rf /Applications/Utilities/McAfee ePO Remote Provisioning Tool.app/
echo ""
# rm support dirs
echo "removing support dirs"
/bin/rm -rf /Users/Shared/.mcafee
/bin/rm -rf /Library/Application Support/McAfee/
/bin/rm -rf /Library/Documentation/Help/McAfeeSecurity*
/bin/rm -rf /Library/Frameworks/AVEngine.framework/
/bin/rm -rf /Library/Frameworks/VirusScanPreferences.framework/
/bin/rm -rf /Library/Internet Plug-Ins/Web Control.plugin/
/bin/rm -rf /Library/McAfee/
/bin/rm -rf /Quarantine/
echo ""
# rm prefs/launch items
echo "removing prefs and launch items"
/bin/rm -f /Library/Preferences/com.mcafee*
/bin/rm -f /Library/Preferences/.com.mcafee*
/bin/rm -f /Library/LaunchDaemons/com.mcafee*
/bin/rm -f /Library/LaunchAgents/com.mcafee*
/bin/rm -rf /Library/StartupItems/cma/
/bin/rm -f /private/etc/cma.conf
/bin/rm -rf /private/etc/cma.d/
/bin/rm -rf /private/etc/ma.d/
/bin/rm -f /private/etc/init.d/dx
/bin/rm -rf /private/var/McAfee/
/bin/rm -rf /private/var/tmp/.msgbus/
/bin/rm -rf /Users/$userName/Library/Containers/com.McAfee*
/bin/rm -rf /Users/$userName/Library/Application Scripts/com.McAfee*
/bin/rm -rf /Users/$userName/Library/Group Containers/group.com.Mcafee*
/bin/rm -rf /Users/$userName/Library/Preferences/com.mcafee*
/bin/rm -f /Library/Google/Chrome/NativeMessagingHosts/siteadvisor.mcafee.chrome.extension.json
/bin/rm -f /Library/PrivilegedHelperTools/com.mcafee.agentMonitor.helper
echo ""
# rm logs
echo "removing logs"
/bin/rm -f /Library/Logs/Native Encryption.log
/bin/rm -f /Library/Logs/FRP.log
/bin/rm -f /private/var/log/McAfeeSecurity.log*
/bin/rm -f /private/var/log/mcupdater*
/bin/rm -f /private/var/log/MFEdx*
echo ""
# forget receipts
echo "forgetting receipts"
/usr/sbin/pkgutil --forget com.mcafee.dxl
/usr/sbin/pkgutil --forget com.mcafee.mscui
/usr/sbin/pkgutil --forget com.mcafee.mar
/usr/sbin/pkgutil --forget com.mcafee.mvedr
/usr/sbin/pkgutil --forget com.mcafee.pkg.FRP
/usr/sbin/pkgutil --forget com.mcafee.pkg.MNE
/usr/sbin/pkgutil --forget com.mcafee.pkg.StatefulFirewall
/usr/sbin/pkgutil --forget com.mcafee.pkg.utility
/usr/sbin/pkgutil --forget com.mcafee.pkg.WebProtection
/usr/sbin/pkgutil --forget com.mcafee.ssm.atp
/usr/sbin/pkgutil --forget com.mcafee.ssm.fmp
/usr/sbin/pkgutil --forget com.mcafee.ssm.mcp
/usr/sbin/pkgutil --forget com.mcafee.ssm.dlp
/usr/sbin/pkgutil --forget com.mcafee.virusscan
/usr/sbin/pkgutil --forget comp.nai.cmamac
echo ""
# remove users/groups
echo "removing user and groups"
/usr/bin/dscl . delete /Users/mfe
/usr/bin/dscl . delete /Groups/mfe
/usr/bin/dscl . delete /Groups/Virex
echo ""
##mcafee support article: KB88461
#cd  /usr/local/
#rm –rf McAfee/
#cd /Library/Application Support/
#rm –rf McAfee/
#cd /Library/LaunchDaemons/
#rm –rf com.mcafee.*
#cd /Library/LaunchAgents/
#rm –rf com.mcafee.*
#cd /Library/Preferences/
#rm –rf com.mcafee.*
exit 0

sweet! thanks for this

The RipOff-McAfee script has been updated to use the method @rich.trouton documented for suppressing the user authorization prompt when removing a System Extension on macOS Catalina, Big Sur, and Monterey:

 

#!/bin/bash ## RipOff-McAfee.sh ## version 2.3 ## ## Author: Adam Scheblein, McAfee IT ## E-Mail: adam_scheblein@mcafee.com ## ## version 2.1 mods by Steve Dagley <@sdagley Jamf Nation/Twitter/MacAdmins Slack> ## Updated launchctl calls to use bootout instead of unload ## Remove Privileged HelperTool added with ENS 10.7.1 ## Kill McAfee Agent Status Monitor when unloading launch items ## ## version 2.2 mods by Adam Scheblein ## Removes system extension ## Kill McAfee Reporter when unloading launch items ## ## version 2.3 mods by Steve Dagley <@sdagley Jamf Nation/Twitter/MacAdmins Slack> ## If McAfee Network Extension is loaded remove it without prompting for user approval ## Uses method documented by @rtrouten's post: ## https://derflounder.wordpress.com/2021/10/26/silently-uninstalling-system-extensions-on-macos-monterey-and-earlier/ # Temp plist files used for import and export from authorization database. management_db_original_setting="$(mktemp).plist" management_db_edited_setting="$(mktemp).plist" management_db_check_setting="$(mktemp).plist" # Expected settings from management database for com.apple.system-extensions.admin original_setting="authenticate-admin-nonshared" updated_setting="allow" ManagementDatabaseUpdatePreparation() { # Create temp plist files touch "$management_db_original_setting" touch "$management_db_edited_setting" touch "$management_db_check_setting" # Create backup of the original com.apple.system-extensions.admin settings from the management database /usr/bin/security authorizationdb read com.apple.system-extensions.admin > "$management_db_original_setting" # Create copy of the original com.apple.system-extensions.admin settings from the management database for editing. /usr/bin/security authorizationdb read com.apple.system-extensions.admin > "$management_db_edited_setting" } UpdateManagementDatabase() { if [[ -r "$management_db_edited_setting" ]] && [[ $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_edited_setting") = "$original_setting" ]]; then /usr/libexec/PlistBuddy -c "Set rule:0 $updated_setting" "$management_db_edited_setting" if [[ $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_edited_setting" ) = "$updated_setting" ]]; then echo "Edited $management_db_edited_setting is set to allow system extensions to be uninstalled without password prompt." echo "Now importing setting into authorization database." /usr/bin/security authorizationdb write com.apple.system-extensions.admin < "$management_db_edited_setting" if [[ $? -eq 0 ]]; then echo "Updated setting successfully imported." UpdatedAuthorizationSettingInstalled="true" fi else echo "Failed to update $management_db_edited_setting file with the correct setting to allow system extension uninstallation without prompting for admin credentials." fi fi } RestoreManagementDatabase() { /usr/bin/security authorizationdb read com.apple.system-extensions.admin > "$management_db_check_setting" if [[ ! $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_check_setting") = "$original_setting" ]]; then if [[ -r "$management_db_original_setting" ]] && [[ $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_original_setting") = "$original_setting" ]]; then echo "Restoring original settings to allow system extension uninstallation only after prompting for admin credentials." echo "Now importing setting into authorization database." /usr/bin/security authorizationdb write com.apple.system-extensions.admin < "$management_db_original_setting" if [[ $? -eq 0 ]]; then echo "Original setting successfully imported." OriginalAuthorizationSettingInstalled=1 fi else echo "Failed to update the authorization database with the correct setting to allow system extension uninstallation only after prompting for admin credentials." fi fi } # This script has been verified to work on McAfee Endpoint Security 10 for Mac. # It supports uninstalls through ENSM 10.7.5, and removes all McProducts. #get current user name and ID userName=$(/bin/echo 'show State:/Users/ConsoleUser' | /usr/sbin/scutil | /usr/bin/awk '/Name / { print $3 }') # stop running processes echo "stopping running processes" /usr/local/McAfee/DlpAgent/bin/DlpAgentControl.sh mastop /usr/local/McAfee/AntiMalware/VSControl mastop /usr/local/McAfee/StatefulFirewall/bin/StatefullFirewallControl mastop /usr/local/McAfee/WebProtection/bin/WPControl mastop /usr/local/McAfee/atp/bin/ATPControl mastop /usr/local/McAfee/FRP/bin/FRPControl mastop /usr/local/McAfee/Mar/MarControl stop /usr/local/McAfee/mvedr/MVEDRControl stop /usr/local/McAfee/Mcp/bin/mcpcontrol.sh mastop /usr/local/McAfee/MNE/bin/MNEControl mastop /usr/local/McAfee/fmp/bin/fmp stop /opt/McAfee/dx/bin/dxlservice stop /Library/McAfee/agent/bin/maconfig -stop echo "" # unload kexts echo "unloading kexts" /sbin/kextunload /Library/Application\\ Support/McAfee/AntiMalware/AVKext.kext /sbin/kextunload /Library/Application\\ Support/McAfee/FMP/mfeaac.kext /sbin/kextunload /Library/Application\\ Support/McAfee/FMP/FileCore.kext /sbin/kextunload /Library/Application\\ Support/McAfee/FMP/FMPSysCore.kext /sbin/kextunload /Library/Application\\ Support/McAfee/StatefulFirewall/SFKext.kext /sbin/kextunload /usr/local/McAfee/AntiMalware/Extensions/AVKext.kext /sbin/kextunload /usr/local/McAfee/StatefulFirewall/Extensions/SFKext.kext /sbin/kextunload /usr/local/McAfee/Mcp/MCPDriver.kext /sbin/kextunload /usr/local/McAfee/DlpAgent/Extensions/DLPKext.kext /sbin/kextunload /usr/local/McAfee/DlpAgent/Extensions/DlpUSB.kext /sbin/kextunload /usr/local/McAfee/fmp/Extensions/FileCore.kext /sbin/kextunload /usr/local/McAfee/fmp/Extensions/NWCore.kext /sbin/kextunload /usr/local/McAfee/fmp/Extensions/FMPSysCore.kext echo "" echo "uninstalling system extensions" if [ -e /Applications/McAfeeSystemExtensions.app ] ; then McAfeeNetworkExtensionLoaded=$(/usr/bin/systemextensionsctl list | /usr/bin/grep "McAfee Network Extension") if [[ -n "$McAfeeNetworkExtensionLoaded" ]]; then # Prepare to update authorization database to allow system extensions to be uninstalled without password prompt. ManagementDatabaseUpdatePreparation # Update authorization database with new settings. UpdateManagementDatabase # Uninstall the System Extension /usr/bin/sudo -u $userName /usr/local/McAfee/fmp/AAC/bin/deactivatesystemextension com.mcafee.CMF.networkextension # Once the system extensions are uninstalled, the relevant settings for the authorization database will be restored from backup to their prior state. if [[ -n "$UpdatedAuthorizationSettingInstalled" ]]; then RestoreManagementDatabase if [[ -n "$OriginalAuthorizationSettingInstalled" ]]; then echo "com.apple.system-extensions.admin settings in the authorization database successfully restored to $original_setting." rm -rf "$management_db_original_setting" rm -rf "$management_db_edited_setting" rm -rf "$management_db_check_setting" fi fi fi fi echo "" # unload launch items echo "unloading launch items" /bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.McAfeeSafariHost.plist /bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.menulet.plist /bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.reporter.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.aac.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.ma.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.macmn.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.macompat.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.dxl.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.Eupdate.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.ScanFactory.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.ScanManager.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.virusscan.fmpcd.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.virusscan.fmpd.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agentMonitor.helper.plist /usr/bin/killall -c Menulet /usr/bin/killall -c "McAfee Agent Status Monitor" /usr/bin/killall -c McAfee\\ Reporter echo "" # rm program dirs echo "removing program dirs" /bin/rm -rf /usr/local/McAfee/ /bin/rm -rf /opt/McAfee/ /bin/rm -rf /Applications/DataLossPrevention.app/ /bin/rm -rf /Applications/McAfee\\ Endpoint\\ Security\\ for\\ Mac.app/ /bin/rm -rf /Applications/McAfee\\ Endpoint\\ Protection\\ for\\ Mac.app/ /bin/rm -rf /Applications/McAfeeSystemExtensions.app/ /bin/rm -rf /Applications/Utilities/McAfee\\ ePO\\ Remote\\ Provisioning\\ Tool.app/ echo "" # rm support dirs echo "removing support dirs" /bin/rm -rf /Users/Shared/.mcafee /bin/rm -rf /Library/Application\\ Support/McAfee/ /bin/rm -rf /Library/Documentation/Help/McAfeeSecurity* /bin/rm -rf /Library/Frameworks/AVEngine.framework/ /bin/rm -rf /Library/Frameworks/VirusScanPreferences.framework/ /bin/rm -rf /Library/Internet\\ Plug-Ins/Web\\ Control.plugin/ /bin/rm -rf /Library/McAfee/ /bin/rm -rf /Quarantine/ echo "" # rm prefs/launch items echo "removing prefs and launch items" /bin/rm -f /Library/Preferences/com.mcafee* /bin/rm -f /Library/Preferences/.com.mcafee* /bin/rm -f /Library/LaunchDaemons/com.mcafee* /bin/rm -f /Library/LaunchAgents/com.mcafee* /bin/rm -rf /Library/StartupItems/cma/ /bin/rm -f /private/etc/cma.conf /bin/rm -rf /private/etc/cma.d/ /bin/rm -rf /private/etc/ma.d/ /bin/rm -f /private/etc/init.d/dx /bin/rm -rf /private/var/McAfee/ /bin/rm -rf /private/var/tmp/.msgbus/ /bin/rm -rf /Users/$userName/Library/Containers/com.McAfee* /bin/rm -rf /Users/$userName/Library/Application\\ Scripts/com.McAfee* /bin/rm -rf /Users/$userName/Library/Group\\ Containers/group.com.Mcafee* /bin/rm -rf /Users/$userName/Library/Preferences/com.mcafee* /bin/rm -f /Library/Google/Chrome/NativeMessagingHosts/siteadvisor.mcafee.chrome.extension.json /bin/rm -f /Library/PrivilegedHelperTools/com.mcafee.agentMonitor.helper echo "" # rm logs echo "removing logs" /bin/rm -f /Library/Logs/Native\\ Encryption.log /bin/rm -f /Library/Logs/FRP.log /bin/rm -f /private/var/log/McAfeeSecurity.log* /bin/rm -f /private/var/log/mcupdater* /bin/rm -f /private/var/log/MFEdx* echo "" # forget receipts echo "forgetting receipts" /usr/sbin/pkgutil --forget com.mcafee.dxl /usr/sbin/pkgutil --forget com.mcafee.mscui /usr/sbin/pkgutil --forget com.mcafee.mar /usr/sbin/pkgutil --forget com.mcafee.mvedr /usr/sbin/pkgutil --forget com.mcafee.pkg.FRP /usr/sbin/pkgutil --forget com.mcafee.pkg.MNE /usr/sbin/pkgutil --forget com.mcafee.pkg.StatefulFirewall /usr/sbin/pkgutil --forget com.mcafee.pkg.utility /usr/sbin/pkgutil --forget com.mcafee.pkg.WebProtection /usr/sbin/pkgutil --forget com.mcafee.ssm.atp /usr/sbin/pkgutil --forget com.mcafee.ssm.fmp /usr/sbin/pkgutil --forget com.mcafee.ssm.mcp /usr/sbin/pkgutil --forget com.mcafee.ssm.dlp /usr/sbin/pkgutil --forget com.mcafee.virusscan /usr/sbin/pkgutil --forget comp.nai.cmamac echo "" # remove users/groups echo "removing user and groups" /usr/bin/dscl . delete /Users/mfe /usr/bin/dscl . delete /Groups/mfe /usr/bin/dscl . delete /Groups/Virex echo "" ##mcafee support article: KB88461 #cd /usr/local/ #rm –rf McAfee/ #cd /Library/Application\\ Support/ #rm –rf McAfee/ #cd /Library/LaunchDaemons/ #rm –rf com.mcafee.* #cd /Library/LaunchAgents/ #rm –rf com.mcafee.* #cd /Library/Preferences/ #rm –rf com.mcafee.* exit 0

The RipOff-McAfee script has been updated to use the method @rich.trouton documented for suppressing the user authorization prompt when removing a System Extension on macOS Catalina, Big Sur, and Monterey:

 

#!/bin/bash ## RipOff-McAfee.sh ## version 2.3 ## ## Author: Adam Scheblein, McAfee IT ## E-Mail: adam_scheblein@mcafee.com ## ## version 2.1 mods by Steve Dagley <@sdagley Jamf Nation/Twitter/MacAdmins Slack> ## Updated launchctl calls to use bootout instead of unload ## Remove Privileged HelperTool added with ENS 10.7.1 ## Kill McAfee Agent Status Monitor when unloading launch items ## ## version 2.2 mods by Adam Scheblein ## Removes system extension ## Kill McAfee Reporter when unloading launch items ## ## version 2.3 mods by Steve Dagley <@sdagley Jamf Nation/Twitter/MacAdmins Slack> ## If McAfee Network Extension is loaded remove it without prompting for user approval ## Uses method documented by @rtrouten's post: ## https://derflounder.wordpress.com/2021/10/26/silently-uninstalling-system-extensions-on-macos-monterey-and-earlier/ # Temp plist files used for import and export from authorization database. management_db_original_setting="$(mktemp).plist" management_db_edited_setting="$(mktemp).plist" management_db_check_setting="$(mktemp).plist" # Expected settings from management database for com.apple.system-extensions.admin original_setting="authenticate-admin-nonshared" updated_setting="allow" ManagementDatabaseUpdatePreparation() { # Create temp plist files touch "$management_db_original_setting" touch "$management_db_edited_setting" touch "$management_db_check_setting" # Create backup of the original com.apple.system-extensions.admin settings from the management database /usr/bin/security authorizationdb read com.apple.system-extensions.admin > "$management_db_original_setting" # Create copy of the original com.apple.system-extensions.admin settings from the management database for editing. /usr/bin/security authorizationdb read com.apple.system-extensions.admin > "$management_db_edited_setting" } UpdateManagementDatabase() { if [[ -r "$management_db_edited_setting" ]] && [[ $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_edited_setting") = "$original_setting" ]]; then /usr/libexec/PlistBuddy -c "Set rule:0 $updated_setting" "$management_db_edited_setting" if [[ $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_edited_setting" ) = "$updated_setting" ]]; then echo "Edited $management_db_edited_setting is set to allow system extensions to be uninstalled without password prompt." echo "Now importing setting into authorization database." /usr/bin/security authorizationdb write com.apple.system-extensions.admin < "$management_db_edited_setting" if [[ $? -eq 0 ]]; then echo "Updated setting successfully imported." UpdatedAuthorizationSettingInstalled="true" fi else echo "Failed to update $management_db_edited_setting file with the correct setting to allow system extension uninstallation without prompting for admin credentials." fi fi } RestoreManagementDatabase() { /usr/bin/security authorizationdb read com.apple.system-extensions.admin > "$management_db_check_setting" if [[ ! $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_check_setting") = "$original_setting" ]]; then if [[ -r "$management_db_original_setting" ]] && [[ $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_original_setting") = "$original_setting" ]]; then echo "Restoring original settings to allow system extension uninstallation only after prompting for admin credentials." echo "Now importing setting into authorization database." /usr/bin/security authorizationdb write com.apple.system-extensions.admin < "$management_db_original_setting" if [[ $? -eq 0 ]]; then echo "Original setting successfully imported." OriginalAuthorizationSettingInstalled=1 fi else echo "Failed to update the authorization database with the correct setting to allow system extension uninstallation only after prompting for admin credentials." fi fi } # This script has been verified to work on McAfee Endpoint Security 10 for Mac. # It supports uninstalls through ENSM 10.7.5, and removes all McProducts. #get current user name and ID userName=$(/bin/echo 'show State:/Users/ConsoleUser' | /usr/sbin/scutil | /usr/bin/awk '/Name / { print $3 }') # stop running processes echo "stopping running processes" /usr/local/McAfee/DlpAgent/bin/DlpAgentControl.sh mastop /usr/local/McAfee/AntiMalware/VSControl mastop /usr/local/McAfee/StatefulFirewall/bin/StatefullFirewallControl mastop /usr/local/McAfee/WebProtection/bin/WPControl mastop /usr/local/McAfee/atp/bin/ATPControl mastop /usr/local/McAfee/FRP/bin/FRPControl mastop /usr/local/McAfee/Mar/MarControl stop /usr/local/McAfee/mvedr/MVEDRControl stop /usr/local/McAfee/Mcp/bin/mcpcontrol.sh mastop /usr/local/McAfee/MNE/bin/MNEControl mastop /usr/local/McAfee/fmp/bin/fmp stop /opt/McAfee/dx/bin/dxlservice stop /Library/McAfee/agent/bin/maconfig -stop echo "" # unload kexts echo "unloading kexts" /sbin/kextunload /Library/Application\\ Support/McAfee/AntiMalware/AVKext.kext /sbin/kextunload /Library/Application\\ Support/McAfee/FMP/mfeaac.kext /sbin/kextunload /Library/Application\\ Support/McAfee/FMP/FileCore.kext /sbin/kextunload /Library/Application\\ Support/McAfee/FMP/FMPSysCore.kext /sbin/kextunload /Library/Application\\ Support/McAfee/StatefulFirewall/SFKext.kext /sbin/kextunload /usr/local/McAfee/AntiMalware/Extensions/AVKext.kext /sbin/kextunload /usr/local/McAfee/StatefulFirewall/Extensions/SFKext.kext /sbin/kextunload /usr/local/McAfee/Mcp/MCPDriver.kext /sbin/kextunload /usr/local/McAfee/DlpAgent/Extensions/DLPKext.kext /sbin/kextunload /usr/local/McAfee/DlpAgent/Extensions/DlpUSB.kext /sbin/kextunload /usr/local/McAfee/fmp/Extensions/FileCore.kext /sbin/kextunload /usr/local/McAfee/fmp/Extensions/NWCore.kext /sbin/kextunload /usr/local/McAfee/fmp/Extensions/FMPSysCore.kext echo "" echo "uninstalling system extensions" if [ -e /Applications/McAfeeSystemExtensions.app ] ; then McAfeeNetworkExtensionLoaded=$(/usr/bin/systemextensionsctl list | /usr/bin/grep "McAfee Network Extension") if [[ -n "$McAfeeNetworkExtensionLoaded" ]]; then # Prepare to update authorization database to allow system extensions to be uninstalled without password prompt. ManagementDatabaseUpdatePreparation # Update authorization database with new settings. UpdateManagementDatabase # Uninstall the System Extension /usr/bin/sudo -u $userName /usr/local/McAfee/fmp/AAC/bin/deactivatesystemextension com.mcafee.CMF.networkextension # Once the system extensions are uninstalled, the relevant settings for the authorization database will be restored from backup to their prior state. if [[ -n "$UpdatedAuthorizationSettingInstalled" ]]; then RestoreManagementDatabase if [[ -n "$OriginalAuthorizationSettingInstalled" ]]; then echo "com.apple.system-extensions.admin settings in the authorization database successfully restored to $original_setting." rm -rf "$management_db_original_setting" rm -rf "$management_db_edited_setting" rm -rf "$management_db_check_setting" fi fi fi fi echo "" # unload launch items echo "unloading launch items" /bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.McAfeeSafariHost.plist /bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.menulet.plist /bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.reporter.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.aac.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.ma.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.macmn.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.macompat.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.dxl.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.Eupdate.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.ScanFactory.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.ScanManager.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.virusscan.fmpcd.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.virusscan.fmpd.plist /bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agentMonitor.helper.plist /usr/bin/killall -c Menulet /usr/bin/killall -c "McAfee Agent Status Monitor" /usr/bin/killall -c McAfee\\ Reporter echo "" # rm program dirs echo "removing program dirs" /bin/rm -rf /usr/local/McAfee/ /bin/rm -rf /opt/McAfee/ /bin/rm -rf /Applications/DataLossPrevention.app/ /bin/rm -rf /Applications/McAfee\\ Endpoint\\ Security\\ for\\ Mac.app/ /bin/rm -rf /Applications/McAfee\\ Endpoint\\ Protection\\ for\\ Mac.app/ /bin/rm -rf /Applications/McAfeeSystemExtensions.app/ /bin/rm -rf /Applications/Utilities/McAfee\\ ePO\\ Remote\\ Provisioning\\ Tool.app/ echo "" # rm support dirs echo "removing support dirs" /bin/rm -rf /Users/Shared/.mcafee /bin/rm -rf /Library/Application\\ Support/McAfee/ /bin/rm -rf /Library/Documentation/Help/McAfeeSecurity* /bin/rm -rf /Library/Frameworks/AVEngine.framework/ /bin/rm -rf /Library/Frameworks/VirusScanPreferences.framework/ /bin/rm -rf /Library/Internet\\ Plug-Ins/Web\\ Control.plugin/ /bin/rm -rf /Library/McAfee/ /bin/rm -rf /Quarantine/ echo "" # rm prefs/launch items echo "removing prefs and launch items" /bin/rm -f /Library/Preferences/com.mcafee* /bin/rm -f /Library/Preferences/.com.mcafee* /bin/rm -f /Library/LaunchDaemons/com.mcafee* /bin/rm -f /Library/LaunchAgents/com.mcafee* /bin/rm -rf /Library/StartupItems/cma/ /bin/rm -f /private/etc/cma.conf /bin/rm -rf /private/etc/cma.d/ /bin/rm -rf /private/etc/ma.d/ /bin/rm -f /private/etc/init.d/dx /bin/rm -rf /private/var/McAfee/ /bin/rm -rf /private/var/tmp/.msgbus/ /bin/rm -rf /Users/$userName/Library/Containers/com.McAfee* /bin/rm -rf /Users/$userName/Library/Application\\ Scripts/com.McAfee* /bin/rm -rf /Users/$userName/Library/Group\\ Containers/group.com.Mcafee* /bin/rm -rf /Users/$userName/Library/Preferences/com.mcafee* /bin/rm -f /Library/Google/Chrome/NativeMessagingHosts/siteadvisor.mcafee.chrome.extension.json /bin/rm -f /Library/PrivilegedHelperTools/com.mcafee.agentMonitor.helper echo "" # rm logs echo "removing logs" /bin/rm -f /Library/Logs/Native\\ Encryption.log /bin/rm -f /Library/Logs/FRP.log /bin/rm -f /private/var/log/McAfeeSecurity.log* /bin/rm -f /private/var/log/mcupdater* /bin/rm -f /private/var/log/MFEdx* echo "" # forget receipts echo "forgetting receipts" /usr/sbin/pkgutil --forget com.mcafee.dxl /usr/sbin/pkgutil --forget com.mcafee.mscui /usr/sbin/pkgutil --forget com.mcafee.mar /usr/sbin/pkgutil --forget com.mcafee.mvedr /usr/sbin/pkgutil --forget com.mcafee.pkg.FRP /usr/sbin/pkgutil --forget com.mcafee.pkg.MNE /usr/sbin/pkgutil --forget com.mcafee.pkg.StatefulFirewall /usr/sbin/pkgutil --forget com.mcafee.pkg.utility /usr/sbin/pkgutil --forget com.mcafee.pkg.WebProtection /usr/sbin/pkgutil --forget com.mcafee.ssm.atp /usr/sbin/pkgutil --forget com.mcafee.ssm.fmp /usr/sbin/pkgutil --forget com.mcafee.ssm.mcp /usr/sbin/pkgutil --forget com.mcafee.ssm.dlp /usr/sbin/pkgutil --forget com.mcafee.virusscan /usr/sbin/pkgutil --forget comp.nai.cmamac echo "" # remove users/groups echo "removing user and groups" /usr/bin/dscl . delete /Users/mfe /usr/bin/dscl . delete /Groups/mfe /usr/bin/dscl . delete /Groups/Virex echo "" ##mcafee support article: KB88461 #cd /usr/local/ #rm –rf McAfee/ #cd /Library/Application\\ Support/ #rm –rf McAfee/ #cd /Library/LaunchDaemons/ #rm –rf com.mcafee.* #cd /Library/LaunchAgents/ #rm –rf com.mcafee.* #cd /Library/Preferences/ #rm –rf com.mcafee.* exit 0

Hi @sdagley 

Thanks for the script. Is this script still valid or any changes required.

Looking forward for your replay.

Hi @sdagley 

Thanks for the script. Is this script still valid or any changes required.

Looking forward for your replay.


@smkarthickraja Yes, it's still working.

Thanks :)

Terms & ConditionsCookie settingsAccessibility statement