Removing Microsoft Defender installed from Office Suite Shim

easyedc
Valued Contributor II

Microsoft has a nice post here about the adding of Defender to the Office installer that many have used in the past. I didn't catch the change in time to block the install with a profile, and about a dozen Macs picked up the Defender component with an Office suite install. I've fixed the go-forward issue, but cleaning up the Macs that got Defender doesn't seem as straightforward as the mentioned

rm -rf /Applications/Microsoft\ Defender.app

from the article. There's an uninstall that is laid down with the installer that appears to remove more than just the .app itself. There's a bit of crud left behind that gets cleaned up with Defender's baked-in uninstaller mentioned here

sudo '/Library/Application Support/Microsoft/Defender/uninstall/uninstall'

But I can't seem to run that remotely. I'd rather run the uninstaller, and let it catch things like LaunchAgents/Daemons/other crud that were installed with the installer but would be left behind by just dragging the .app to the trash. Has anyone had any success with a policy running the uninstall string as a command? It works without issue when run in a local session, just not remotely via Jamf. Or am I just left to write a script looking for everything that I've found?

15 REPLIES

mm2270
Legendary Contributor III

Thanks for this. I was wondering why I haven't seen the Defender shim installed on any of our Macs, since it seems like we would be getting this as well, and after reading the linked article, this line explains why.

"Alternatively, you can use the Standard Suite Installer. This option installs Word, Excel, PowerPoint, Outlook, OneNote, OneDrive, and Microsoft AutoUpdate. It does not include Teams nor the Defender shim."

I'm only using the Standard Suite installer when I push out Office 365, as we like to install Teams separately. So it seems like I dodged this issue, just by luck!

mm2270
Legendary Contributor III

To make my post a little more useful, I'm wondering if the uninstall needs to be run as the logged in user and not as root? I mean, that wouldn't really make sense since my assumption is to remove Defender you'd need to be running as an admin, right? That can't really be it I suppose.

Another thought. I don't have it installed anywhere so I can't check this, but is that "uninstall" a script of some sort, or is it an executable? If it's a script, can you open it and examine what it's doing? Maybe you can extract the pieces from it you need and drop it into a separate script in Jamf. Just a thought.

easyedc
Valued Contributor II

You're in the same mind-set I was, thinking I could pop it open and just run its contents as a script, but it's an executable. When I ran it locally on a test box, it popped up a window asking for credentials to remove the 2 system extensions that are installed during the install - hence my interest in more than just "Dragging to trash..." We WERE relying on the Teams component of it, which is why I had chosen that particular installer. What really throws me is that it's not that it fails, it just acts like there's no uninstaller present:

Executing Policy Uninstall Microsoft Defender
Running command '/Library/Application Support/Microsoft/Defender/uninstall/uninstall'...
Result of command:
/bin/sh: /Library/Application Support/Microsoft/Defender/uninstall/uninstall: No such file or directory

The error implies maybe it needed a "/bin/sh" command in front of it, but that doesn't work either. I am tempted to open a case with MSFT but I figure the collective brain power of the Mac folks can defeat Redmond.

mm2270
Legendary Contributor III

Silly question, but did you try it with double quotes around the path instead of singles? The "No such file or directory" error makes me think it's not handling the space correctly in /Library/Application Support.

easyedc
Valued Contributor II

That's the one thing I didn't try - but will now. I tried it with the single quote and absolute path and neither worked.

easyedc
Valued Contributor II

So same result. Maybe one of the folks from the Microsoft world that lurk in the Apple shadows can weigh in...?

Running command "/Library/Application Support/Microsoft/Defender/uninstall/uninstall"...
Result of command:
/bin/sh: /Library/Application Support/Microsoft/Defender/uninstall/uninstall: No such file or directory

mm2270
Legendary Contributor III

Ok, interesting. If I had to guess, I suspect that this binary is something that has to be run directly within a shell environment, rather than called in a GUI-less way the way a Jamf Pro policy would. If so, that's very shortsighted on the part of Microsoft. The Mac team there has done a pretty good job of making sure their tools are executable from MDMs like Jamf. I'm not sure why this one doesn't work.

I wish I could test it out, but I don't have a machine right now with Defender installed on it. I may choose to let it install on a test Mac just to see what's what. If only because while we've escaped this so far, it's not impossible it may end up installed on some machines at some point, and I'll need to figure out some way to remove it without involving users.

I did note that on the learn.microsoft.com page you linked to above, it does say this for the uninstall steps:

  1. Go to Finder > Applications.

  2. Right click on Microsoft Defender for Business, and then choose Move to Trash.

But it sounds like this leaves behind some cruft, so it's curious that would be their first recommendation.

daniel_behan
Contributor III

I posted last week with a smart group and script used to resolve shim installs:

https://community.jamf.com/t5/jamf-pro/configuration-profile-to-block-quot-defender-shim-quot/m-p/30...

mm2270
Legendary Contributor III

Hi @daniel_behan Maybe I'm missing it, but looking over what you posted, it looks like for the uninstall/removal, you're just doing a rm -rf /Applications/Microsoft\ Defender.app type of command in your script. Is that right? If so, as @easyedc mentioned above, this may not completely remove everything that gets installed by the Defender shim, hence why they were trying to run the uninstall command, which does seem to remove all the installed components.

daniel_behan
Contributor III

In my experience, the shim only installs the .app.  There is no uninstaller in /Library/Application Support to invoke.  I didn't see any supplemental LaunchAgents or Daemons, so simply removing the app seems to work for me.

mm2270
Legendary Contributor III

OK, well that's good to know. @easyedc I wonder if the reason you're getting the 'No such file or directory' error is that the 'uninstall' is not actually present on the device?

easyedc
Valued Contributor II

I'm trying to remember if I'd ever launched the Defender App before trying to run through the removal process. I'd already planned to wipe my test box and re-run the installer with the shim and re-capture what is laid down via Composer to make sure.

merlin
New Contributor III

I've tested this today; removing the app is more than enough. I think the Library folder and the corresponding uninstall file are created only if someone runs the app and actually installs the full version.

mm2270
Legendary Contributor III

Thanks for that confirmation @merlin 

I'm guessing then that the no such file or directory error is because it's running on devices where that doesn't exist, i.e. the app was never run by a user to do a full install.

@easyedc you might want to consider using a more fleshed out script for the removal then. Something to detect if the "uninstall" binary exists if Microsoft Defender.app is in Applications.

#!/bin/zsh

if [ -d "/Applications/Microsoft Defender.app" ]; then
    if [ -e "/Library/Application Support/Microsoft/Defender/uninstall/uninstall" ]; then
        /bin/echo "Using the uninstall option to remove Defender and any support files..."
        "/Library/Application Support/Microsoft/Defender/uninstall/uninstall"
    else
        /bin/echo "Deleting the Microsoft Defender shim from Applications..."
        /bin/rm -Rfd "/Applications/Microsoft Defender.app"
    fi
else
    /bin/echo "Microsoft Defender shim is not installed on this Mac."
fi

easyedc
Valued Contributor II

Though I don't remember doing it, at some point I must have launched the Defender.app. I did a wipe/rebuild of a test box, installed the Business Pro suite and there isn't a Defender path in the Application Support directory or any of the other stuff I'd found. I do have the start of a script digging out all the stuff, so I'll probably finish it out, but it does look like just the rm -Rf of the /Applications/Microsoft Defender.app path will do the trick.

I do like where @mm2270's thought process was of checking if that uninstall path is there, and if not, just doing the removal of the app.
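
The check this thread settles on, as an added example that is not part of any post: it classifies a Mac as absent, shim_only or full_install from the two paths named above, deletes only a bare shim, and confirms the result afterwards. The function names and the root-prefix argument are assumptions added so the logic can be exercised against a scratch directory, and classifying by the uninstaller alone goes slightly beyond the posted script.

```shell
#!/bin/sh
# Added example, not from the thread. The two paths are the ones in the posts.
# The optional root prefix (hypothetical) lets the logic run in a scratch dir.
APP_REL="Applications/Microsoft Defender.app"
UNINSTALL_REL="Library/Application Support/Microsoft/Defender/uninstall/uninstall"

# Print one of: absent | shim_only | full_install
defender_state() {
    root="${1:-}"
    if [ -x "$root/$UNINSTALL_REL" ]; then
        # Uninstaller exists: the app was launched and did a full install
        echo "full_install"
    elif [ -d "$root/$APP_REL" ]; then
        echo "shim_only"
    else
        echo "absent"
    fi
}

# Delete a bare shim only; a full install is left for the vendor uninstaller.
# Returns 0 on success or nothing to do, 1 on failure, 2 when skipped.
remove_shim() {
    root="${1:-}"
    case "$(defender_state "$root")" in
        shim_only)
            rm -rf "$root/$APP_REL" || return 1
            # Re-check the state rather than trusting rm's exit status alone
            [ "$(defender_state "$root")" = "absent" ] || return 1
            echo "removed" ;;
        full_install)
            echo "skipped: uninstaller present, run it instead"
            return 2 ;;
        *)
            echo "nothing to do" ;;
    esac
}

# Jamf extension attributes report through a <result> tag; opt in with --ea
if [ "${1:-}" = "--ea" ]; then
    echo "<result>$(defender_state)</result>"
fi
```

Run with `--ea` as an extension attribute to scope a smart group on `shim_only`, then call `remove_shim` from the policy script; the non-zero return codes make a skipped or failed removal show up in the policy log.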