Removing applications on computers with Self Service through Jamf

jyespicer
New Contributor

I'm wanting to be able to remove the VPN programs when installed through JAMF/Self Service.
I have a script that runs currently and it works alright.
I'm wanting to know if there is a better way of doing it?


Thanks.

4 REPLIES

sdagley
Esteemed Contributor II

@jyespicer Are you intending for your users to manually remove those programs, or are you intending that your users would be prevented from using them? If the latter, a Restricted Software Record for each of these programs with the Delete application option set should do what you want. If you're looking for a tool you can invoke from a Self Service policy, that script should do it.

c0n0r
Contributor

While this removes the applications, it doesn't remove any of the various support files. It would be better to look for uninstall scripts (possibly by the vendors) that include a full list of everything installed. Barring that, you could rip apart their package to determine that information, or in a worst case, use Composer to snapshot the changes that occur on a system as they are installed.

Again, I would personally advocate the Restricted Software method, as it provides for continual enforcement (your script won't stop the software from being installed or run in between executions of the script, Restricted Software blocks them at all times).

Lastly, if you are setting the script to be executed by policy, you likely don't need "sudo", as JAMF will execute the script as root. Additionally, rather than build the recon into the script, there is a separate maintenance option in the policy where you can set an inventory update to occur at the end of all other operations.

c0n0r
Contributor

If you were to go forward with the script-based delete-just-the-app method, this is the script I would use... primarily because it allows for greater flexibility in modification in the future. It also only attempts action when needed (looks for the file first), and logs any action taken (though the community is somewhat divided on best practices on logging, I used my personal habits here, you can adjust as needed). It also looks in both the global applications folder, and the user's home folder (a find command would be even better, but takes up more resources, and CPU cycles).

Pro-tip, you could even include positional variables $4-$9 in the array at the top, and then define those in the policy. While there are more titles listed here than are supported, you could either clone the script with different variable definitions as a second policy, or you could hybrid the array, with a few hard-coded entries of the more common offenders, and then use positional variables for titles that rotate on or off the list more frequently.

#!/usr/bin/env bash
productTitle='removeVPN'
companyName='yourCompany'
logFolder="/Library/Logs/"
logFile="${logFolder}/${companyName}-${productTitle}.log"
# Short name of the user at the console (empty at the login window).
# Note: /usr/bin/python was removed in macOS 12.3.
consoleUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
appBlacklist=(
    'Hotspot Shield.app'
    'Betternet.app'
    'Star VPN.app'
    'VPN Unlimited.app'
    'GoVPN.app'
    'Hotspot VPN.app'
    'SurfPro VPN.app'
    'ThunderbirdVPN.app'
    'Unlimited VPN - Best VPN Proxy & VPN Security.app'
    'VPNFlybird VPN.app'
    'SaferVPN.app'
    'HideMe Mac VPN.app'
    'FlowVPN.app'
    'CyberGhost 5.app'
)
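# Quote the array expansion so titles containing spaces stay in one piece.
for eachApplication in "${appBlacklist[@]}"; do
    [[ -e "/Applications/$eachApplication" ]] && rm -rfv "/Applications/$eachApplication" >> "$logFile"
    # consoleUser is a short name, so the per-user folder lives under /Users/<name>.
    [[ -n "$consoleUser" && -e "/Users/${consoleUser}/Applications/$eachApplication" ]] && rm -rfv "/Users/${consoleUser}/Applications/$eachApplication" >> "$logFile"
done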
done
exit 0
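
The hybrid list from the pro-tip above (a few hard-coded titles plus policy parameters $4-$9), as an added example that is not part of any post in this thread. The function names, the `LOG_FILE` variable and the `/Users/<name>` home location are assumptions of this sketch; the point it adds is that each title is validated before it reaches a root-level `rm -rf`, since an empty or mistyped policy parameter would otherwise resolve to the Applications folder itself or to a path outside it.

```shell
#!/bin/sh
# Added example, not from the thread. Hybrid blocklist: hard-coded titles plus
# Jamf policy parameters $4-$9, each validated before a root-level rm -rf.
LOG_FILE=${LOG_FILE:-/Library/Logs/yourCompany-removeVPN.log}

# Accept only a bare bundle name: non-empty, no leading dot, no path
# separator, ending in .app. An empty or mistyped parameter never reaches rm.
is_safe_bundle_name() {
    case "$1" in
        ''|.*|*/*) return 1 ;;
        *.app)     return 0 ;;
        *)         return 1 ;;
    esac
}

# Delete bundle $2 from directory $1 if it is a real directory (not a symlink).
# Prints the removed path; returns 1 when nothing was removed.
remove_bundle() {
    is_safe_bundle_name "$2" || return 1
    [ -d "$1/$2" ] && [ ! -L "$1/$2" ] || return 1
    rm -rf -- "$1/$2" && printf '%s\n' "$1/$2"
}

# sweep_dir <appdir> <title>...: try every title, log removals, print the count.
sweep_dir() {
    appdir=$1; shift
    removed=0
    for title in "$@"; do
        if gone=$(remove_bundle "$appdir" "$title"); then
            printf '%s removed %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$gone" >> "$LOG_FILE"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Jamf passes $3 = logged-in user and $4-$9 = policy parameters, so the sweep
# runs only in that context. /Users/<name> as the home folder is an assumption.
if [ "$#" -ge 3 ]; then
    user=$3
    set -- 'Hotspot Shield.app' 'Betternet.app' 'Star VPN.app' \
        "${4:-}" "${5:-}" "${6:-}" "${7:-}" "${8:-}" "${9:-}"
    sweep_dir /Applications "$@" >/dev/null
    case "$user" in
        ''|.*|*/*) ;;
        *) sweep_dir "/Users/$user/Applications" "$@" >/dev/null ;;
    esac
fi
```

Unused parameters can stay blank in the policy: blank titles are rejected by the name check rather than expanded into a path.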

sdagley
Esteemed Contributor II

@jyespicer It looks like those are VPN apps from Apple's App Store, so did you mean these programs installed via the App Store rather than via Self Service? If that's the case, definitely go with the Restricted Software Record to block/delete the apps.