Remove McAfee Agent saliently push to client form JSS

sidharth_bhalla
New Contributor II

Hi All,

I'm just now looking how can I remove McAfee Agent(**McAfee Endpoint Protection for Mac.app, McAfee ePO Remote Provisioning Tool.app) and decrypt Machine from JSS to client Machine. There is any policy for this.

12 REPLIES 12

dpertschi
Valued Contributor

Typically you can use:
EPM:

sudo /usr/local/McAfee/uninstall EPM

Agent:

sudo /Library/McAfee/cma/scripts/uninstall.sh

And then pray that your ePO admins don't have a policy running to require a password to run the uninstaller. If so, you can't remotely run the uninstaller, you'll need to tear out the bits and pieces forcefully. There is a script floating around, I forget where though, called RipOffMcafee that will do that.

thoule
Valued Contributor II

Remove McAfee version 4 & 5.

[ -f /usr/local/McAfee/uninstall EPM ] && /usr/local/McAfee/uninstall EPM

[ -f /Library/McAfee/cma/uninstall.sh ] && /Library/McAfee/cma/uninstall.sh

[ -f /Library/McAfee/cma/scripts/uninstall.sh ] && /Library/McAfee/cma/scripts/uninstall.sh

[ -f /Library/McAfee/agent/scripts/uninstall.sh ] && /Library/McAfee/agent/scripts/uninstall.sh

[ -d /Applications/McAfee Endpoint Protection for Mac.app ] && rm -rf /Applications/McAfee Endpoint Protection for Mac.app

[ -d /Applications/McAfee Endpoint Security for Mac.app ] && rm -rf /Applications/McAfee Endpoint Security for Mac.app

[ -d /Library/McAfee ] && rm -rf /Library/McAfee

[ -d /usr/local/McAfee ] && rm -rf /usr/local/McAfee

[ -d /Library/Application Support/McAfee ] && rm -rf /Library/Application Support/McAfee

rm -rf /Library/Preferences/com.mcafee*

launchctl unload /Library/LaunchDaemons/com.mcafee*
rm -rf /Library/LaunchDaemons/com.mcafee*
rm -rf /Library/LaunchAgents/com.mcafee*


killall Menulet
killall McAfee Reporter

mm2270
Legendary Contributor III

FWIW, you can actually send the password required for removing the McAfee EPM components (if required by your EPO admins) in a script, using Jamf script parameters of course.

Here's an example of how with a script we use in a policy

#!/bin/bash

prdVers="$4"
passAV="$5"
avResult=""
avUninstaller1022="/usr/local/McAfee/uninstall"

if [ -e "$avUninstaller1022" ]; then
    echo "McAfee AV 10.2.2 product found. Removing AV..."

    while [ "$avResult" != 0 ]; do
        echo "$passAV" | sudo -S "$avUninstaller1022" "$prdVers"
        removeResult=$?
        if [ $removeResult == 0 ]; then
            echo "McAfee AV 10.2.2 removed."
        fi
    done
else
    echo "McAfee AV product not found. Skipping."
fi

/Library/McAfee/cma/scripts/uninstall.sh

exit 0

You have to pass the product, like "EPM" to $4 and the password to $5.

I believe the one issue with this is that it may end up showing up in the system.log, which you could clear up later if so inclined with a carefully crafted grep/sed command. I will have to go back and check on that, but I know invoking any sudo commands in a script usually end up dropping the entire command that was run after it into the log. It may be the case here as well since it's calling sudo -S

ReuvenCohen
New Contributor

mm2270: The script you provided works great except for the avResult variable. How was that being used to prevent it from running forever?

mjbenn
New Contributor

I found this script called RipOffMcAfee and then modified it to remove some additional extensions and framework for DLP.

McAfee can also cause InTune registration to fail when blocking untrusted certificates.

#!/usr/bin/env bash

## HEADER


## DEFINITIONS


## FUNCTIONS

grabConsoleUserAndHome(){

    # don't assume the home folder is equal to the user's name

    currentUser=""
    homeFolder=""

    currentUser=$(stat -f %Su "/dev/console")
    homeFolder=$(dscl . read "/Users/$currentUser" NFSHomeDirectory | cut -d: -f 2 | sed 's/^ *//'| tr -d '
')

}


removeMcAfee(){

    bolRunARecon=true

    grabConsoleUserAndHome

    ## ARRAYS

    McAfeeKernelExtensions=(
        '/usr/local/McAfee/AntiMalware/Extensions/AVKext.kext'
        '/usr/local/McAfee/AppProtection/Extensions/AppProtection.kext'
        '/usr/local/McAfee/StatefulFirewall/Extensions/SFKext.kext'
        'tocal/McAfee/fmp/Extensions/FMPSysCore.kext'
        '/usr/local/McAfee/fmp/Extensions/FileCore.kext'
        '/usr/local/McAfee/fmp/Extensions/NWCore.kext'
        )

    McAfeeLaunchDaemons=(
        '/Library/LaunchDaemons/com.mcafee.agent.cma.plist'
        '/Library/LaunchDaemons/com.mcafee.ssm.Eupdate.plist'
        '/Library/LaunchDaemons/com.mcafee.ssm.ScanFactory.plist'
        '/Library/LaunchDaemons/com.mcafee.ssm.ScanManager.plist'
        '/Library/LaunchDaemons/com.mcafee.virusscan.fmpd.plist'
        '/Library/LaunchDaemons/com.mcafee.agent.ma.plist'
        '/Library/LaunchDaemons/com.mcafee.agent.macmn.plist'
        '/Library/LaunchDaemons/com.mcafee.agent.macompat.plist'
        )

    McAfeeFiles=(
        '/etc/cma.conf'
        '/Library/LaunchDaemons/com.mcafee.agent.cma.plist'
        '/Library/LaunchDaemons/com.mcafee.ssm.Eupdate.plist'
        '/Library/LaunchDaemons/com.mcafee.ssm.ScanFactory.plist'
        '/Library/LaunchDaemons/com.mcafee.ssm.ScanManager.plist'
        '/Library/LaunchDaemons/com.mcafee.virusscan.fmpd.plist'
        '/Library/LaunchAgents/com.mcafee.menulet.plist'
        '/Library/LaunchAgents/com.mcafee.reporter.plist'
        '/Library/Preferences/.com.mcafee.StatefulFirewall.license'
        '/Library/Preferences/.com.mcafee.antimalware.license'
        '/Library/Preferences/.com.mcafee.appprotection.license'
        '/Library/Preferences/com.mcafee.ssm.StatefulFirewall.plist'
        '/Library/Preferences/com.mcafee.ssm.antimalware.plist'
        '/Library/Preferences/com.mcafee.ssm.appprotection.plist'
        '/var/log/McAfeeSecurity.log'
        '/private/var/db/receipts/com.mcafee.agent.pkg.bom'
        '/private/var/db/receipts/com.mcafee.agent.pkg.plist'
        '/private/var/db/receipts/com.mcafee.epm.pkg.bom'
        '/private/var/db/receipts/com.mcafee.epm.pkg.plist'
        '/private/var/db/receipts/com.mcafee.mscui.bom'
        '/private/var/db/receipts/com.mcafee.mscui.plist'
        '/private/var/db/receipts/com.mcafee.pkg.StatefulFirewall.bom'
        '/private/var/db/receipts/com.mcafee.pkg.StatefulFirewall.plist'
        '/private/var/db/receipts/com.mcafee.ssm.appp.bom'
        '/private/var/db/receipts/com.mcafee.ssm.appp.plist'
        '/private/var/db/receipts/com.mcafee.ssm.fmp.bom'
        '/private/var/db/receipts/com.mcafee.ssm.fmp.plist'
        '/private/var/db/receipts/com.mcafee.virusscan.bom'
        '/private/var/db/receipts/com.mcafee.virusscan.plist'
        '/etc/cma.conf'
        '/Library/Receipts/cma.pkg'
        )

    McAfeeFolders=(

        '/Library/McAfee'
        '/Library/StartupItems/cma'
        '/private/etc/cma.d'
        '/private/etc/ma.d'
        '/Library/Application Support/McAfee'
        '/Applications/McAfee Endpoint Protection for Mac.app'
        '/Applications/McAfee Endpoint Security for Mac.app'
        '/Library/Documentation/Help/McAfeeSecurity_AVOnly.help'
        '/Library/Documentation/Help/McAfeeSecurity_ApplicationProtection.help'
        '/Library/Documentation/Help/McAfeeSecurity_Firewall.help'
        '/usr/local/McAfee'
        '/private/var/McAfee'
        '/Applications/McAfeeSystemExtensions.app'
        )   

    if [[ "$currentUser" != "root" ]]; then

        su - $currentUser -c 'launchctl unload /Library/LaunchAgents/com.mcafee.menulet.plist'
        su - $currentUser -c 'launchctl unload /Library/LaunchAgents/com.mcafee.reporter.plist'
        su - $currentUser -c 'killall "McAfee Endpoint Protection for Mac"'
        su - $currentUser -c 'killall "McAfee Endpoint Security for Mac"'
        sleep 5

    fi

    #Stop StartupItems
    /Library/StartupItems/cma/cmamesh forcestop

    #Unload all LaunchDaemons from array McAfeeLaunchDaemons
    for EachFile in "${McAfeeLaunchDaemons[@]}"; do
        [[ -e "$EachFile" ]] && launchctl unload "$EachFile" && echo "Unloading $EachFile"
    done

    #Unload all Kernel Extensions
    for EachFile in "${McAfeeKernelExtensions[@]}"; do
        [[ -e "$EachFile" ]] && kextunload "$EachFile" > /dev/null 2>&1 && echo "Unloading $EachFile" && sleep 5
    done

    #Delete all files from array McAfeeFiles
    for EachFile in "${McAfeeFiles[@]}"; do
        [[ -e "$EachFile" ]] && rm -f "$EachFile" && echo "Deleting $EachFile"
    done

    #Delete all folders from array McAfeeFolders
    for EachFolder in "${McAfeeFolders[@]}"; do
        [[ -e "$EachFolder" ]] && rm -rf "$EachFolder" && echo "Deleting $EachFolder"
    done

    #Delete all LaunchDaemons from array McAfeeLaunchDaemons
    for EachFile in "${McAfeeLaunchDaemons[@]}"; do
        echo $EachFile 
        [[ -e "$EachFile" ]] && rm -f "$EachFile" && echo "Deleting $EachFile"
    done

    #Unload all Kernel Extensions
    for EachFile in "${McAfeeKernelExtensions[@]}"; do
        [[ -e "$EachFile" ]] && rm -rf "$EachFile" > /dev/null 2>&1 && echo "Deleting $EachFile"
    done

    #If above 10.6 forget package receipt
    pltvrsn=`/usr/bin/sw_vers | grep ProductVersion | cut -d: -f2`
    majvrsn=`echo $pltvrsn | cut -d. -f1`
    minvrsn=`echo $pltvrsn | cut -d. -f2`
    if (($majvrsn>=10 && $minvrsn>=6)); then
        echo "Forgetting McAfee Agent package..."
        /usr/sbin/pkgutil --forget comp.nai.cmamac > /dev/null 2>&1 
    fi

    dscl . -delete /Users/mfe

    dscl . -delete /Groups/mfe

    dscl . -delete /Groups/Virex

    killall -c Menulet

}


## BODY

removeMcAfee

#jamf policy -event <Your event name to install new goes here>


## FOOTER
exit 0

CommandShiftK
New Contributor III

love this.

sdagley
Esteemed Contributor II

You'll find the latest RipOffMcAfee script pinned in the #mcafee channel of the MacAdmins Slack. The script posted above looks like it was based on an older version, so here's the current one (v2.2):

#!/bin/sh
## RipOff-McAfee.sh
## version 2.0
## 
## Author: Adam Scheblein, McAfee IT
## E-Mail: adam_scheblein@mcafee.com
##
## version 2.1 mods by Steve Dagley <@sdagley Jamf Nation/Twitter/MacAdmins Slack>
##  Updated launchctl calls to use bootout instead of unload
##  Remove Privileged HelperTool added with ENS 10.7.1
##  Kill McAfee Agent Status Monitor when unloading launch items
##
## version 2.2 mods by Adam Scheblein
##  Removes system extension 
##  Kill McAfee Reporter when unloading launch items
##
# This script has been verified to work on McAfee Endpoint Security 10 for Mac.
# It supports uninstalls through ENSM 10.7.5, and removes all McProducts.
#get current user name and ID
userName=$(/bin/echo 'show State:/Users/ConsoleUser' | /usr/sbin/scutil | /usr/bin/awk '/Name / { print $3 }')
currentUserID=$(/usr/bin/id -u "$userName")
# stop running processes
echo "stopping running processes"
/usr/local/McAfee/DlpAgent/bin/DlpAgentControl.sh mastop
/usr/local/McAfee/AntiMalware/VSControl mastop
/usr/local/McAfee/StatefulFirewall/bin/StatefullFirewallControl mastop
/usr/local/McAfee/WebProtection/bin/WPControl mastop
/usr/local/McAfee/atp/bin/ATPControl mastop
/usr/local/McAfee/FRP/bin/FRPControl mastop
/usr/local/McAfee/Mar/MarControl stop
/usr/local/McAfee/mvedr/MVEDRControl stop
/usr/local/McAfee/Mcp/bin/mcpcontrol.sh mastop
/usr/local/McAfee/MNE/bin/MNEControl mastop
/usr/local/McAfee/fmp/bin/fmp stop
/opt/McAfee/dx/bin/dxlservice stop
/Library/McAfee/agent/bin/maconfig -stop
echo ""
# unload kexts
echo "unloading kexts"
/sbin/kextunload /Library/Application Support/McAfee/AntiMalware/AVKext.kext
/sbin/kextunload /Library/Application Support/McAfee/FMP/mfeaac.kext
/sbin/kextunload /Library/Application Support/McAfee/FMP/FileCore.kext
/sbin/kextunload /Library/Application Support/McAfee/FMP/FMPSysCore.kext
/sbin/kextunload /Library/Application Support/McAfee/StatefulFirewall/SFKext.kext
/sbin/kextunload /usr/local/McAfee/AntiMalware/Extensions/AVKext.kext
/sbin/kextunload /usr/local/McAfee/StatefulFirewall/Extensions/SFKext.kext
/sbin/kextunload /usr/local/McAfee/Mcp/MCPDriver.kext
/sbin/kextunload /usr/local/McAfee/DlpAgent/Extensions/DLPKext.kext
/sbin/kextunload /usr/local/McAfee/DlpAgent/Extensions/DlpUSB.kext
/sbin/kextunload /usr/local/McAfee/fmp/Extensions/FileCore.kext
/sbin/kextunload /usr/local/McAfee/fmp/Extensions/NWCore.kext
/sbin/kextunload /usr/local/McAfee/fmp/Extensions/FMPSysCore.kext
echo ""
echo "uninstalling system extensions"
if [ -e /Applications/McAfeeSystemExtensions.app ] ; then
    /usr/bin/sudo -u $userName /usr/local/McAfee/fmp/AAC/bin/deactivatesystemextension com.mcafee.CMF.networkextension
fi
# unload launch items
echo "unloading launch items"
/bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.McAfeeSafariHost.plist
/bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.menulet.plist
/bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.reporter.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.aac.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.ma.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.macmn.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.macompat.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.dxl.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.Eupdate.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.ScanFactory.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.ScanManager.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.virusscan.fmpcd.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.virusscan.fmpd.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agentMonitor.helper.plist
/usr/bin/killall -c Menulet
/usr/bin/killall -c "McAfee Agent Status Monitor"
/usr/bin/killall -c McAfee Reporter
echo ""
# rm program dirs
echo "removing program dirs"
/bin/rm -rf /usr/local/McAfee/
/bin/rm -rf /opt/McAfee/
/bin/rm -rf /Applications/DataLossPrevention.app/
/bin/rm -rf /Applications/McAfee Endpoint Security for Mac.app/
/bin/rm -rf /Applications/McAfee Endpoint Protection for Mac.app/
/bin/rm -rf /Applications/McAfeeSystemExtensions.app/
/bin/rm -rf /Applications/Utilities/McAfee ePO Remote Provisioning Tool.app/
echo ""
# rm support dirs
echo "removing support dirs"
/bin/rm -rf /Users/Shared/.mcafee
/bin/rm -rf /Library/Application Support/McAfee/
/bin/rm -rf /Library/Documentation/Help/McAfeeSecurity*
/bin/rm -rf /Library/Frameworks/AVEngine.framework/
/bin/rm -rf /Library/Frameworks/VirusScanPreferences.framework/
/bin/rm -rf /Library/Internet Plug-Ins/Web Control.plugin/
/bin/rm -rf /Library/McAfee/
/bin/rm -rf /Quarantine/
echo ""
# rm prefs/launch items
echo "removing prefs and launch items"
/bin/rm -f /Library/Preferences/com.mcafee*
/bin/rm -f /Library/Preferences/.com.mcafee*
/bin/rm -f /Library/LaunchDaemons/com.mcafee*
/bin/rm -f /Library/LaunchAgents/com.mcafee*
/bin/rm -rf /Library/StartupItems/cma/
/bin/rm -f /private/etc/cma.conf
/bin/rm -rf /private/etc/cma.d/
/bin/rm -rf /private/etc/ma.d/
/bin/rm -f /private/etc/init.d/dx
/bin/rm -rf /private/var/McAfee/
/bin/rm -rf /private/var/tmp/.msgbus/
/bin/rm -rf /Users/$userName/Library/Containers/com.McAfee*
/bin/rm -rf /Users/$userName/Library/Application Scripts/com.McAfee*
/bin/rm -rf /Users/$userName/Library/Group Containers/group.com.Mcafee*
/bin/rm -rf /Users/$userName/Library/Preferences/com.mcafee*
/bin/rm -f /Library/Google/Chrome/NativeMessagingHosts/siteadvisor.mcafee.chrome.extension.json
/bin/rm -f /Library/PrivilegedHelperTools/com.mcafee.agentMonitor.helper
echo ""
# rm logs
echo "removing logs"
/bin/rm -f /Library/Logs/Native Encryption.log
/bin/rm -f /Library/Logs/FRP.log
/bin/rm -f /private/var/log/McAfeeSecurity.log*
/bin/rm -f /private/var/log/mcupdater*
/bin/rm -f /private/var/log/MFEdx*
echo ""
# forget receipts
echo "forgetting receipts"
/usr/sbin/pkgutil --forget com.mcafee.dxl
/usr/sbin/pkgutil --forget com.mcafee.mscui
/usr/sbin/pkgutil --forget com.mcafee.mar
/usr/sbin/pkgutil --forget com.mcafee.mvedr
/usr/sbin/pkgutil --forget com.mcafee.pkg.FRP
/usr/sbin/pkgutil --forget com.mcafee.pkg.MNE
/usr/sbin/pkgutil --forget com.mcafee.pkg.StatefulFirewall
/usr/sbin/pkgutil --forget com.mcafee.pkg.utility
/usr/sbin/pkgutil --forget com.mcafee.pkg.WebProtection
/usr/sbin/pkgutil --forget com.mcafee.ssm.atp
/usr/sbin/pkgutil --forget com.mcafee.ssm.fmp
/usr/sbin/pkgutil --forget com.mcafee.ssm.mcp
/usr/sbin/pkgutil --forget com.mcafee.ssm.dlp
/usr/sbin/pkgutil --forget com.mcafee.virusscan
/usr/sbin/pkgutil --forget comp.nai.cmamac
echo ""
# remove users/groups
echo "removing user and groups"
/usr/bin/dscl . delete /Users/mfe
/usr/bin/dscl . delete /Groups/mfe
/usr/bin/dscl . delete /Groups/Virex
echo ""
##mcafee support article: KB88461
#cd  /usr/local/
#rm –rf McAfee/
#cd /Library/Application Support/
#rm –rf McAfee/
#cd /Library/LaunchDaemons/
#rm –rf com.mcafee.*
#cd /Library/LaunchAgents/
#rm –rf com.mcafee.*
#cd /Library/Preferences/
#rm –rf com.mcafee.*
exit 0

CommandShiftK
New Contributor III

sweet! thanks for this

sdagley
Esteemed Contributor II

The RipOff-McAfee script has been updated to use the method @rtrouton documented for suppressing the user authorization prompt when removing a System Extension on macOS Catalina, Big Sur, and Monterey:

 

#!/bin/bash
## RipOff-McAfee.sh
## version 2.3
## 
## Author: Adam Scheblein, McAfee IT
## E-Mail: adam_scheblein@mcafee.com
##
## version 2.1 mods by Steve Dagley <@sdagley Jamf Nation/Twitter/MacAdmins Slack>
## 	Updated launchctl calls to use bootout instead of unload
##	Remove Privileged HelperTool added with ENS 10.7.1
##	Kill McAfee Agent Status Monitor when unloading launch items
##
## version 2.2 mods by Adam Scheblein
##  Removes system extension 
##  Kill McAfee Reporter when unloading launch items
##
## version 2.3 mods by Steve Dagley <@sdagley Jamf Nation/Twitter/MacAdmins Slack>
##	If McAfee Network Extension is loaded remove it without prompting for user approval
##		Uses method documented by @rtrouten's post:
##		https://derflounder.wordpress.com/2021/10/26/silently-uninstalling-system-extensions-on-macos-monterey-and-earlier/

# Temp plist files used for import and export from authorization database.
management_db_original_setting="$(mktemp).plist"
management_db_edited_setting="$(mktemp).plist"
management_db_check_setting="$(mktemp).plist"

# Expected settings from management database for com.apple.system-extensions.admin
original_setting="authenticate-admin-nonshared"
updated_setting="allow"

ManagementDatabaseUpdatePreparation() {
# Create temp plist files
touch "$management_db_original_setting"
touch "$management_db_edited_setting"
touch "$management_db_check_setting"

# Create backup of the original com.apple.system-extensions.admin settings from the management database
/usr/bin/security authorizationdb read com.apple.system-extensions.admin > "$management_db_original_setting"

# Create copy of the original com.apple.system-extensions.admin settings from the management database for editing.
/usr/bin/security authorizationdb read com.apple.system-extensions.admin > "$management_db_edited_setting"
}

UpdateManagementDatabase() {
if [[ -r "$management_db_edited_setting" ]] && [[ $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_edited_setting") = "$original_setting" ]]; then
   /usr/libexec/PlistBuddy -c "Set rule:0 $updated_setting" "$management_db_edited_setting"
   if [[ $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_edited_setting" ) = "$updated_setting" ]]; then
      echo "Edited $management_db_edited_setting is set to allow system extensions to be uninstalled without password prompt."
      echo "Now importing setting into authorization database."
      /usr/bin/security authorizationdb write com.apple.system-extensions.admin < "$management_db_edited_setting"
      if [[ $? -eq 0 ]]; then
         echo "Updated setting successfully imported."
         UpdatedAuthorizationSettingInstalled="true"
      fi
    else
      echo "Failed to update $management_db_edited_setting file with the correct setting to allow system extension uninstallation without prompting for admin credentials."
    fi
fi
}

RestoreManagementDatabase() {
/usr/bin/security authorizationdb read com.apple.system-extensions.admin > "$management_db_check_setting"
if [[ ! $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_check_setting") = "$original_setting" ]]; then
   if [[ -r "$management_db_original_setting" ]] && [[ $(/usr/libexec/PlistBuddy -c "Print rule:0" "$management_db_original_setting") = "$original_setting" ]]; then
      echo "Restoring original settings to allow system extension uninstallation only after prompting for admin credentials."
      echo "Now importing setting into authorization database."
      /usr/bin/security authorizationdb write com.apple.system-extensions.admin < "$management_db_original_setting"
            if [[ $? -eq 0 ]]; then
         echo "Original setting successfully imported."
         OriginalAuthorizationSettingInstalled=1
      fi

    else
      echo "Failed to update the authorization database with the correct setting to allow system extension uninstallation only after prompting for admin credentials."
    fi
fi
}

# This script has been verified to work on McAfee Endpoint Security 10 for Mac.
# It supports uninstalls through ENSM 10.7.5, and removes all McProducts.
#get current user name and ID
userName=$(/bin/echo 'show State:/Users/ConsoleUser' | /usr/sbin/scutil | /usr/bin/awk '/Name / { print $3 }')

# stop running processes
echo "stopping running processes"
/usr/local/McAfee/DlpAgent/bin/DlpAgentControl.sh mastop
/usr/local/McAfee/AntiMalware/VSControl mastop
/usr/local/McAfee/StatefulFirewall/bin/StatefullFirewallControl mastop
/usr/local/McAfee/WebProtection/bin/WPControl mastop
/usr/local/McAfee/atp/bin/ATPControl mastop
/usr/local/McAfee/FRP/bin/FRPControl mastop
/usr/local/McAfee/Mar/MarControl stop
/usr/local/McAfee/mvedr/MVEDRControl stop
/usr/local/McAfee/Mcp/bin/mcpcontrol.sh mastop
/usr/local/McAfee/MNE/bin/MNEControl mastop
/usr/local/McAfee/fmp/bin/fmp stop
/opt/McAfee/dx/bin/dxlservice stop
/Library/McAfee/agent/bin/maconfig -stop
echo ""

# unload kexts
echo "unloading kexts"
/sbin/kextunload /Library/Application\ Support/McAfee/AntiMalware/AVKext.kext
/sbin/kextunload /Library/Application\ Support/McAfee/FMP/mfeaac.kext
/sbin/kextunload /Library/Application\ Support/McAfee/FMP/FileCore.kext
/sbin/kextunload /Library/Application\ Support/McAfee/FMP/FMPSysCore.kext
/sbin/kextunload /Library/Application\ Support/McAfee/StatefulFirewall/SFKext.kext
/sbin/kextunload /usr/local/McAfee/AntiMalware/Extensions/AVKext.kext
/sbin/kextunload /usr/local/McAfee/StatefulFirewall/Extensions/SFKext.kext
/sbin/kextunload /usr/local/McAfee/Mcp/MCPDriver.kext
/sbin/kextunload /usr/local/McAfee/DlpAgent/Extensions/DLPKext.kext
/sbin/kextunload /usr/local/McAfee/DlpAgent/Extensions/DlpUSB.kext
/sbin/kextunload /usr/local/McAfee/fmp/Extensions/FileCore.kext
/sbin/kextunload /usr/local/McAfee/fmp/Extensions/NWCore.kext
/sbin/kextunload /usr/local/McAfee/fmp/Extensions/FMPSysCore.kext
echo ""

echo "uninstalling system extensions"
if [ -e /Applications/McAfeeSystemExtensions.app ] ; then
	McAfeeNetworkExtensionLoaded=$(/usr/bin/systemextensionsctl list | /usr/bin/grep "McAfee Network Extension")
	
	if [[ -n "$McAfeeNetworkExtensionLoaded" ]]; then

		# Prepare to update authorization database to allow system extensions to be uninstalled without password prompt.
		ManagementDatabaseUpdatePreparation
	
		# Update authorization database with new settings.
		UpdateManagementDatabase
		
		# Uninstall the System Extension
		/usr/bin/sudo -u $userName /usr/local/McAfee/fmp/AAC/bin/deactivatesystemextension com.mcafee.CMF.networkextension
		
		# Once the system extensions are uninstalled, the relevant settings for the authorization database will be restored from backup to their prior state.
		if [[ -n "$UpdatedAuthorizationSettingInstalled" ]]; then 
			RestoreManagementDatabase
	
			if [[ -n "$OriginalAuthorizationSettingInstalled" ]]; then
				echo "com.apple.system-extensions.admin settings in the authorization database successfully restored to $original_setting."
				rm -rf "$management_db_original_setting"
				rm -rf "$management_db_edited_setting"
				rm -rf "$management_db_check_setting"
			fi
	
		fi
	fi
fi
echo ""

# unload launch items
echo "unloading launch items"
/bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.McAfeeSafariHost.plist
/bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.menulet.plist
/bin/launchctl bootout system /Library/LaunchAgents/com.mcafee.reporter.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.aac.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.ma.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.macmn.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agent.macompat.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.dxl.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.Eupdate.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.ScanFactory.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.ssm.ScanManager.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.virusscan.fmpcd.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.virusscan.fmpd.plist
/bin/launchctl bootout system /Library/LaunchDaemons/com.mcafee.agentMonitor.helper.plist
/usr/bin/killall -c Menulet
/usr/bin/killall -c "McAfee Agent Status Monitor"
/usr/bin/killall -c McAfee\ Reporter
echo ""

# rm program dirs
echo "removing program dirs"
/bin/rm -rf /usr/local/McAfee/
/bin/rm -rf /opt/McAfee/
/bin/rm -rf /Applications/DataLossPrevention.app/
/bin/rm -rf /Applications/McAfee\ Endpoint\ Security\ for\ Mac.app/
/bin/rm -rf /Applications/McAfee\ Endpoint\ Protection\ for\ Mac.app/
/bin/rm -rf /Applications/McAfeeSystemExtensions.app/
/bin/rm -rf /Applications/Utilities/McAfee\ ePO\ Remote\ Provisioning\ Tool.app/
echo ""

# rm support dirs
echo "removing support dirs"
/bin/rm -rf /Users/Shared/.mcafee
/bin/rm -rf /Library/Application\ Support/McAfee/
/bin/rm -rf /Library/Documentation/Help/McAfeeSecurity*
/bin/rm -rf /Library/Frameworks/AVEngine.framework/
/bin/rm -rf /Library/Frameworks/VirusScanPreferences.framework/
/bin/rm -rf /Library/Internet\ Plug-Ins/Web\ Control.plugin/
/bin/rm -rf /Library/McAfee/
/bin/rm -rf /Quarantine/
echo ""

# rm prefs/launch items
echo "removing prefs and launch items"
/bin/rm -f /Library/Preferences/com.mcafee*
/bin/rm -f /Library/Preferences/.com.mcafee*
/bin/rm -f /Library/LaunchDaemons/com.mcafee*
/bin/rm -f /Library/LaunchAgents/com.mcafee*
/bin/rm -rf /Library/StartupItems/cma/
/bin/rm -f /private/etc/cma.conf
/bin/rm -rf /private/etc/cma.d/
/bin/rm -rf /private/etc/ma.d/
/bin/rm -f /private/etc/init.d/dx
/bin/rm -rf /private/var/McAfee/
/bin/rm -rf /private/var/tmp/.msgbus/
/bin/rm -rf /Users/$userName/Library/Containers/com.McAfee*
/bin/rm -rf /Users/$userName/Library/Application\ Scripts/com.McAfee*
/bin/rm -rf /Users/$userName/Library/Group\ Containers/group.com.Mcafee*
/bin/rm -rf /Users/$userName/Library/Preferences/com.mcafee*
/bin/rm -f /Library/Google/Chrome/NativeMessagingHosts/siteadvisor.mcafee.chrome.extension.json
/bin/rm -f /Library/PrivilegedHelperTools/com.mcafee.agentMonitor.helper
echo ""

# rm logs
echo "removing logs"
/bin/rm -f /Library/Logs/Native\ Encryption.log
/bin/rm -f /Library/Logs/FRP.log
/bin/rm -f /private/var/log/McAfeeSecurity.log*
/bin/rm -f /private/var/log/mcupdater*
/bin/rm -f /private/var/log/MFEdx*
echo ""

# forget receipts
echo "forgetting receipts"
/usr/sbin/pkgutil --forget com.mcafee.dxl
/usr/sbin/pkgutil --forget com.mcafee.mscui
/usr/sbin/pkgutil --forget com.mcafee.mar
/usr/sbin/pkgutil --forget com.mcafee.mvedr
/usr/sbin/pkgutil --forget com.mcafee.pkg.FRP
/usr/sbin/pkgutil --forget com.mcafee.pkg.MNE
/usr/sbin/pkgutil --forget com.mcafee.pkg.StatefulFirewall
/usr/sbin/pkgutil --forget com.mcafee.pkg.utility
/usr/sbin/pkgutil --forget com.mcafee.pkg.WebProtection
/usr/sbin/pkgutil --forget com.mcafee.ssm.atp
/usr/sbin/pkgutil --forget com.mcafee.ssm.fmp
/usr/sbin/pkgutil --forget com.mcafee.ssm.mcp
/usr/sbin/pkgutil --forget com.mcafee.ssm.dlp
/usr/sbin/pkgutil --forget com.mcafee.virusscan
/usr/sbin/pkgutil --forget comp.nai.cmamac
echo ""

# remove users/groups
echo "removing user and groups"
/usr/bin/dscl . delete /Users/mfe
/usr/bin/dscl . delete /Groups/mfe
/usr/bin/dscl . delete /Groups/Virex
echo ""

##mcafee support article: KB88461
#cd  /usr/local/
#rm –rf McAfee/
#cd /Library/Application\ Support/
#rm –rf McAfee/
#cd /Library/LaunchDaemons/
#rm –rf com.mcafee.*
#cd /Library/LaunchAgents/
#rm –rf com.mcafee.*
#cd /Library/Preferences/
#rm –rf com.mcafee.*

exit 0

Hi @sdagley 

Thanks for the script. Is this script still valid or any changes required.

Looking forward for your replay.

sdagley
Esteemed Contributor II

@smkarthickraja Yes, it's still working.

smkarthickraja
New Contributor II

Thanks :)