Hi all, we're having a difficult time uninstalling Sophos Endpoint Protection from our Mac endpoints with Jamf. This particular enterprise version of Sophos employs Tamper Protection, which was easy enough for us to disable by creating a policy that deletes the SophosSecure.keychain file that Tamper Protection creates on all the endpoints, but even with Tamper Protection disabled we can't figure out how to remotely uninstall the client itself. So far, we've tried the following approaches, both of these scoped to a test machine with Sophos Endpoint Protection installed and with Tamper Protection disabled:
No luck with either method. If anyone here has successfully removed Sophos Endpoint Protection with a Jamf policy, or if you have any other ideas in general, your feedback would be most appreciated. Sophos support told us that they do not have a batch uninstall feature but I have to believe it's possible with Jamf.
Guess I'm not the only one in the process of removing that nightmare. We disabled tamper protection universally and gave it a little time to update all of the clients. I then deployed the following script for the Macs which seems to be working just fine:
sudo rm -r com.sophos.*
sudo /Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer --force_remove
@ekey Can you give me an idea of how you did this? I attempted to do the same and it did not work. Was it just a matter of dragging the uninstaller.pkg and deploying as-is or did you need to add a post-install script/ any commands? I have a ticket open with Sophos but am very stuck so any help is much appreciated!
If it can help someone in my case I had different path to the uninstaller... I used this script bellow to uninstall Sophos. Before I ran the script, tamper protection has been disabled.
#!/bin/bash if [ -e /Library/Application Support/Sophos/opm/Installer.app ] then /Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer --force_remove fi if [ -e /Library/Sophos Anti-Virus/Remove Sophos Endpoint.app ] then /Library/Sophos Anti-Virus/Remove Sophos Endpoint.app/Contents/MacOS/tools/InstallationDeployer --force_remove fi if [ -e /Library/Application Support/Sophos/opm-sa/Installer.app ] then /Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/tools/InstallationDeployer --force_remove fi
What are you thoughts on just removing all of the Sophos components via script?
#!/bin/sh pkill Sophos rm -rf /Library/Sophos* rm -rf /Library/Application Support/Sophos* rm -rf /Applications/Sophos* rm -rf /Library/Frameworks/Sophos* rm -rf /Library/Frameworks/SAVI* rm -rf /usr/local/bin/SophosUpdate rm -rf /usr/local/bin/sweep launchctl remove /Library/LaunchAgents/com.sophos* rm -rf /Library/LaunchAgents/com.sophos* launchctl remove /Library/LaunchDaemons/com.sophos* rm -rf /Library/LaunchDaemons/com.sophos* rm -rf /Library/Extensions/Sophos* kextcache -prune-staging
With Tamper Protection disabled from the Sophos Central admin console, Dan0's script:
/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer --force_remove
worked for me on my own Mojave machine. I will begin rolling this out gradually through my environment.
From a manual removal situation, I had a machine recently that copied the Sophos application components over to a new machine while using Migration Assistant. Knowing I did not intend to use Sophos Endpoint on this machine, but not thinking that it would copy over, I declined all permission requests from Sophos. However, with no services running, now it did not communicate with Sophos Central so I could not see the machine to disable Tamper Protection, AND when I tried to run Remove Sophos Endpoint.app to uninstall, the app prompted me for a password. Needless to say I had no idea what such a password would be, nor could I find it in my Sophos Central admin panel anywhere. I finally resorted to filing a support ticket with Sophos, and they said for versions above 9.7, to delete /Library/Sophos Anti-Virus/SophosSecure.keychain to disable the Tamper Protection, then run the application. I did this, and then Remove Sophos Endpoint.app ran successfully without any password prompt.
Just got done with a week of fiddling with this. We are looking to switch from Sophos to CrowdStrike and I have been validating the Big Sur part of all that. Have been using a script much like MrRobotos's for years with no issues, but Big Sur is a different story. The Sophos provided uninstaller doesn't remove the System Extensions, so you will have to do it manually or sorta scripted:
FWIW the CrowdStrike agent does do the right thing and tell macOS to remove their System Extension, so maybe someday Sophos will too. For now you need to make sure and have the System Extensions deleted first and then run the script or the removal app in the Sophos folder. My testing was on macOS 11.5.2 using Sophos Endpoint 10.1.4. We use Central and have Jamf MDM with profiles/policies for all the needful. Wanted to give people the heads up, since once Sophos is removed you can't easily get rid of the extensions without installing Sophos again and then manually removing them. This will complicate the CrowdStrike rollout a little, but hey it is so secure!