Uninstall Cortex XDR

Alvaro1337
New Contributor III

Hey Jamf Nation,

I'm currently trying to uninstall Cortex XDR from company devices, but I'm encountering an error that says "Uninstaller not found." The uninstaller is located in the folder '/Library/Application Support/PaloAltoNetworks/Traps/bin/'.

Do you have any recommendations or suggestions? Here is my script for the uninstallation:

#!/bin/bash

# Set your master key here
MASTER_KEY="master-key-here"

# Path to the uninstaller app
UNINSTALLER_APP="/Library/Application\ Support/PaloAltoNetworks/Traps/bin"

# Check if the uninstaller exists
if [ ! -d "$UNINSTALLER_APP" ]; then
  echo "Uninstaller not found at $UNINSTALLER_APP"
  exit 1
fi

# Launch the uninstaller and enter the tamper protection key
osascript <<EOF
tell application "$UNINSTALLER_APP"
  activate
end tell

delay 2

tell application "System Events"
  tell process "Cortex XDR Uninstaller"
    repeat until exists window 1
      delay 1
    end repeat

    set frontmost to true

    # Enter the tamper protection key
    set value of text field 1 of window 1 to "$MASTER_KEY"
    click button "Uninstall" of window 1
  end tell
end tell
EOF

Alvaro Ortiz

john_sherrod
Contributor II

One thing I noticed was that here:

# Path to the uninstaller app
UNINSTALLER_APP="/Library/Application\ Support/PaloAltoNetworks/Traps/bin"

It might need to be this instead, since you’ve got the path in quotes:

# Path to the uninstaller app
UNINSTALLER_APP="/Library/Application Support/PaloAltoNetworks/Traps/bin"

MemnochTheRed
New Contributor

You could just Composer your own uninstaller by packaging the binary to put it where it is supposed to be or some type of landing zone like /tmp. Then use your post install script to call the binary from the landing zone location. Make a check-in policy in Jamf and deploy.

easyedc
Valued Contributor II

Cortex has a K-Base article on their uninstaller workflow - https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/8.6/Cortex-XDR-Agent-Administrator-Guide/Unins...

I took that info and wrote a script based on the steps.

#!/bin/sh

#  Cortex XDR Uninstaller with variable password.sh
#
#  Created by Ed C. on 1/24/25.
#
#####################
#   Pulling from the KBase here
#   https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/8.6/Cortex-XDR-Agent-Administrator-Guide/Uninstall-the-Cortex-XDR-Agent-for-Mac
#####################
#   Using the command here
#   /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cortex_xdr_uninstaller_tool --help
#   Usage:
#   Get password from stdin: cortex_xdr_uninstaller_tool
#   Get password from command line: cortex_xdr_uninstaller_tool <password>
#   Will pass the password as a Jamf parameter for $4
#####################

#####################
#   Begin work
#####################

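# Quote the Jamf parameter so a password containing spaces or shell
# metacharacters reaches the tool as a single argument.
XDR_Token="$4"
/Library/Application\ Support/PaloAltoNetworks/Traps/bin/cortex_xdr_uninstaller_tool "$XDR_Token"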

# Check if the directory is empty and remove it if it is
if [ -d "/Library/Application Support/PaloAltoNetworks" ]; then
    if [ -z "$(ls -A "/Library/Application Support/PaloAltoNetworks")" ]; then
        echo "Directory /Library/Application Support/PaloAltoNetworks is empty. Removing it now..."
        rmdir "/Library/Application Support/PaloAltoNetworks"
        echo "Directory /Library/Application Support/PaloAltoNetworks has been removed."
        exit 0
    else
        echo "Directory /Library/Application Support/PaloAltoNetworks is not empty. Exiting with error."
        exit 1
    fi
else
    echo "Directory /Library/Application Support/PaloAltoNetworks does not exist."
    exit 0
fi

exit 0
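
Added example, not part of any post in this thread: a policy-script sketch that combines the quoting fix with the stdin mode listed in the tool's --help output, so the password is not placed on the uninstaller's command line. The function name `run_uninstaller`, the `XDR_BIN_DIR` override and the return codes 2 and 3 are assumptions made for this example, as is the tool accepting the password from a pipe.

```bash
#!/bin/bash
# Added example, not the vendor's or any poster's script.
# Assumption: cortex_xdr_uninstaller_tool reads the password from a pipe,
# based on the "Get password from stdin" line of its --help text.

# Inside double quotes a backslash before a space stays literal,
# so the path is written with a plain space and no "\ ".
XDR_BIN_DIR="${XDR_BIN_DIR:-/Library/Application Support/PaloAltoNetworks/Traps/bin}"
XDR_TOOL_NAME="cortex_xdr_uninstaller_tool"

# run_uninstaller BIN_DIR PASSWORD
# Returns 2 if no password was given, 3 if the tool is missing or not
# executable, otherwise the uninstaller's own exit status.
run_uninstaller() {
    xdr_tool="$1/$XDR_TOOL_NAME"

    if [ -z "$2" ]; then
        echo "No uninstall password supplied" >&2
        return 2
    fi

    # Test the binary itself (-x), not only its parent directory (-d).
    if [ ! -x "$xdr_tool" ]; then
        echo "Uninstaller not found or not executable: $xdr_tool" >&2
        return 3
    fi

    # printf is a shell builtin, so the password is written to the pipe
    # and stays out of the uninstaller's argument list.
    printf '%s\n' "$2" | "$xdr_tool"
}

# Jamf always passes at least $1-$3 to a policy script; $4 is the first
# custom parameter. With no arguments the file only defines the function.
if [ "$#" -gt 0 ]; then
    run_uninstaller "$XDR_BIN_DIR" "$4"
    exit $?
fi
```

The password still reaches the script itself as a Jamf parameter, so this only keeps it off the uninstaller's command line.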