Removing Cisco AMP version 1.14.0 or newer

dlondon
Valued Contributor

When I try and remove Cisco AMP version 1.14.0 or newer the way I would with pre 1.14.0 version by running the uninstaller package in /Applications/Cisco AMP (now moved to /Applications/Cisco AMP for Endpoints) the user gets prompted for admin credentials. I've even tried running as root on the command line like I did before:

/usr/sbin/installer -verbose -pkg /Applications/Cisco AMP for Endpoints/Uninstall AMP for Endpoints Connector.pkg -target /

but it still prompts.

I've also looked at the steps listed here https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/216232-manual-uninstall-procedure-... to manually uninstall but again there are some steps which produce the prompts:

/Applications/Cisco AMP for Endpoints/AMP for Endpoints Service.app/Contents/MacOS/AMP for Endpoints Service deactivate endpoint_security Enter password when prompted. For macOS versions 10.15.5 and newer: /Applications/Cisco AMP for Endpoints/AMP for Endpoints Service.app/Contents/MacOS/AMP for Endpoints Service deactivate content_filter Enter password when prompted.

I think it's trying to deactivate some System Extensions

Anyone know how to do that without the prompts as root (i.e. via script run by jamf)?

10 REPLIES 10

geoff_widdowson
Contributor

@dlondon I'm using the following script on version 1.12. It runs without any prompt to user. I use it as we moved to Cortex. As you can see it is manually removing everything rather than use the uninstaller.

killall AMP for Endpoints Connector
sudo dscl .-delete /Users/cisco-amp-scan-svc
sudo dscl . -delete /Groups/cisco-amp-scan-svc
/bin/launchctl unload /Library/LaunchAgents/com.cisco.amp.agent.plist
sudo /bin/launchctl unload /Library/LaunchDaemons/com.cisco.amp.daemon.plist
sudo /bin/launchctl list com.cisco.amp.daemon
sudo /bin/launchctl unload /Library/LaunchDaemons/com.cisco.amp.updater.plist
sudo /bin/launchctl list com.cisco.amp.updater
sudo /sbin/kextunload -b com.cisco.amp.fileop
sudo /sbin/kextunload -b com.cisco.amp.nke
sudo /usr/sbin/kextstat -l | grep com.cisco.amp
sudo rm -rf "/Applications/Cisco AMP"
sudo rm -rf /Library/Extensions/ampfileop.kext
sudo rm -rf /Library/Extensions/ampnetworkflow.kext
sudo rm -rf "/Library/Application Support/Cisco/AMP for Endpoints Connector"
sudo rm -rf /opt/cisco/amp/
sudo rm -f /Library/Logs/Cisco/amp*
sudo rm -f /var/run/ampdaemon.pid
sudo rm -f /Library/LaunchAgents/com.cisco.amp.agent.plist
sudo rm -f /Library/LaunchDaemons/com.cisco.amp.daemon.plist
sudo rm -f /Library/LaunchDaemons/com.cisco.amp.updater.plist
sudo pkgutil --forget com.cisco.amp.agent
sudo pkgutil --forget com.cisco.amp.daemon
sudo pkgutil --forget com.cisco.amp.kextsigned
sudo pkgutil --forget com.cisco.amp.kextunsigned
sudo pkgutil --forget com.cisco.amp.support
sudo pkgutil --forget com.sourcefire.amp.agent
sudo pkgutil --forget com.sourcefire.amp.daemon
sudo pkgutil --forget com.sourcefire.amp.kextsigned
sudo pkgutil --forget com.sourcefire.amp.kextunsigned
sudo pkgutil --forget com.sourcefire.amp.support
rm -f ~/Library/Preferences/SourceFire-Inc.FireAMPMac.plist
rm -f ~/Library/Preferences/Cisco-Inc.AMP-for-EndpointsConnector.plist

dlondon
Valued Contributor

Hi @geoff.widdowson Thanks for the reply but your uninstall routine is for the AMP versions before 1.14.0. Please have a look at the link I put in my initial post. Your method is the manual method they show for pre 1.14.0. I first twigged that there was a bit of a shift when I saw the folder in /Applications had changed name to /Applications/Cisco AMP for Endpoints. The thing that is a big change is the use of System Extensions instead of Kernel Extensions. I think that when their uninstall package is run, the prompt is an extra layer of security - like a "do you really want to delete this file". I tried command line removal of the the two System Extensions using the Mac OS command line tool systemextensionsctl as root

able-004409:~ root# systemextensionsctl uninstall DE8Y96K9QP com.cisco.endpoint.svc.networkextension At this time, this tool cannot be used if System Integrity Protection is enabled. This limitation will be removed in the near future. Please remember to re-enable System Integrity Protection!

That led me as it quite often does to Rich Trouton (thanks @rtrouton ) and his post here: https://derflounder.wordpress.com/2020/09/01/uninstalling-macos-system-extensions/

It looks like this has been known about since the beginning of September.

My test machine is on Mac OS 10.15.7 - fully patched including the supplementary patch.

gkempenich
New Contributor

Came here to say I'm having the same issue on and 11.1 machine.

hodgesji
Contributor

I'm running into the same issue today. I hope someone finds a solution!

krichar1
New Contributor

I'm interested in this same process. Following.

ajc196
New Contributor II

Tossing my hat in the ring as another AMP customer that wants to silently uninstall. (So I can then turn around and reinstall with another Jamf policy) Pushing the uninstaller .pkg used to work like a charm, not anymore. Both it & scripted removal trigger end user authentication prompts.

If I can't do this to clear faulted clients anymore, my guys that support our users are going to be not very happy.

iJake
Valued Contributor

This is an Apple issue as they require user authentication to remove a System Extension. Raise this with Apple.

Sachin_Parmar
Contributor

So we've just done this painfully but managed to do it...(I'll post the theory)

  1. Any machines below macOS 10.15 can automatically uninstall AMP by invoking the Uninstaller via script (no sys extension) - Silent no additional helpers etc required

  2. Any machines above 10.15 (sys extensions) will require an additional jamfHelper to alerts the User they need to remove AMP.

When they click OK it launches the uninstaller and then the user completes the removal themselves.

The script that contains the helper also contains another script that makes the user a temporary admin (which gives them the rights to remove AMP from the machine) at the end of the script run if they weren't a admin before it'll return them back to a Standard user.

user-NTKbCXOtlH
New Contributor

@Sachin_Parmar Any chance you will share the script with us? Our entire org is on Big Sur and our small group of Jamf admins are at (myself included) are stuck at the moment. Doesn't help that no one has Mac admin experience so we have been learning in a trail by fire method and its brutal.

Sachin_Parmar
Contributor

@dlondon @user-NTKbCXOtlH

  • Devices running AMP 1.14 on lower than macOS 10.15 (not less than or equal)
#!/bin/sh
#Remove Cisco AMP
sudo installer -pkg /Applications/Cisco AMP/Uninstall AMP for Endpoints Connector.pkg -target /

- Devices running AMP 1.14 on macOS 10.15 or Higher
Uses this as a pre-req - https://github.com/kc9wwh/MakeMeAdminPy/blob/master/grantTempAdmin.py

#!/bin/bash
sudo /usr/local/bin/jamf policy -event temporaryAdmin #elevate user if they're not admin users temporarily

jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" 
messageToDisplay="We've detected that you're running Cisco AMP for Endpoints on your machine. 
Due to a current Apple macOS limitation we're unable to proactively and automatically remove Cisco AMP for Endpoints from your machine, which means this needs to be removed manually by yourself.

Clicking OK, will launch the uninstaller for Cisco AMP for Endpoints.
During this process you'll be prompted to provide your mac username and password a couple of times.

If you have any questions please message [Slack channel #XXXXXXXXX]" #AMEND NOTIFICATION WHERE NEEDED

result=$("$jamfHelper" -windowType utility -description "$messageToDisplay" -button1 "OK" -icon '/tmp/CAMPLogo.png')
count=$((count))

    if [[ $result == 0 ]]; then
        open "/Applications/Cisco AMP for Endpoints/Uninstall AMP for Endpoints Connector.pkg"
    fi

    rm '/tmp/CAMPLogo.png'

    until [ ! -f "/Applications/Cisco AMP for Endpoints/acknowledgement.txt" ]
    do
        sleep 2
        ((count=count+1))
        echo "Sleeping"
        echo $count
        if [ $count == 180 ]; then
            exit 1
        fi
    done

exit 0

Credit - @brenden.rea & @david.anderson

The counter below is to give the user enough time to do the uninstall if they do it in the time frame then we return exit 0 or if they completely ignore it we return a exit 1 (fail) and have 4 x retries on jamf policy. We also have a seperate PKG which just puts the logo in /tmp/.

I would caveat this entire process and say it's also worth throughly communicating this properly with the business to make them aware it was coming so when the pop up did appear they weren't caught off guard.