Posted on 02-19-2020 10:44 AM
Hi all, we're having a difficult time uninstalling Sophos Endpoint Protection from our Mac endpoints with Jamf. This particular enterprise version of Sophos employs Tamper Protection, which was easy enough for us to disable by creating a policy that deletes the SophosSecure.keychain file that Tamper Protection creates on all the endpoints, but even with Tamper Protection disabled we can't figure out how to remotely uninstall the client itself. So far, we've tried the following approaches, both of these scoped to a test machine with Sophos Endpoint Protection installed and with Tamper Protection disabled:
No luck with either method. If anyone here has successfully removed Sophos Endpoint Protection with a Jamf policy, or if you have any other ideas in general, your feedback would be most appreciated. Sophos support told us that they do not have a batch uninstall feature but I have to believe it's possible with Jamf.
Posted on 02-21-2020 01:55 AM
I have a policy which runs a script that in essence runs this command, which works in 99% of cases:
"/Applications/Remove Sophos Endpoint.app/Contents/MacOS/tools/InstallationDeployer" --force_remove --tamper_password <password>
Posted on 02-21-2020 04:58 AM
Guess I'm not the only one in the process of removing that nightmare. We disabled tamper protection universally and gave it a little time to update all of the clients. I then deployed the following script for the Macs which seems to be working just fine:
cd /Library/Preferences
sudo rm -r com.sophos.*
sudo "/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer" --force_remove
Posted on 02-21-2020 09:39 AM
That worked! Thank you so much!
Posted on 07-09-2020 07:13 AM
I was able to push the uninstaller.pkg via policy and that worked for me.
Posted on 07-20-2020 08:34 AM
@ekey Can you give me an idea of how you did this? I attempted to do the same and it did not work. Was it just a matter of dragging the uninstaller.pkg and deploying as-is or did you need to add a post-install script/ any commands? I have a ticket open with Sophos but am very stuck so any help is much appreciated!
Posted on 07-20-2020 10:36 PM
Hi Guys,
If it can help someone, in my case I had a different path to the uninstaller... I used the script below to uninstall Sophos. Before I ran the script, tamper protection had been disabled.
#!/bin/bash
# Run whichever Sophos uninstaller is present; paths contain spaces, so they are quoted.
if [ -e "/Library/Application Support/Sophos/opm/Installer.app" ]
then
"/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer" --force_remove
fi
if [ -e "/Library/Sophos Anti-Virus/Remove Sophos Endpoint.app" ]
then
"/Library/Sophos Anti-Virus/Remove Sophos Endpoint.app/Contents/MacOS/tools/InstallationDeployer" --force_remove
fi
if [ -e "/Library/Application Support/Sophos/opm-sa/Installer.app" ]
then
"/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/tools/InstallationDeployer" --force_remove
fi
Posted on 02-09-2021 09:39 AM
This works:
rm -R "/Library/Sophos Anti-Virus/product-info.plist"
"/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer" --force_remove
Note: The first command removes tamper protection. The second command uninstalls Sophos.
Posted on 03-18-2021 06:34 AM
Hi @dan0 Your fix is for Sophos antivirus product, the post is about endpoint (a different product) to avoid confusion. The path for your product will not be the same.
Posted on 03-18-2021 10:23 AM
Posted on 04-20-2021 07:11 AM
I'm trying to remove it from our computers, so far no luck. Every script I try runs, but none of them actually seem to remove the app (based on JAMF's reporting). I can't figure out what I'm doing wrong. Does anyone have any thoughts?
Posted on 04-20-2021 10:45 AM
If you remove the SecureKeychain from the "/Library/Sophos Anti-Virus" folder you can remove at will without a tamper proof key. I have an automator action and a script that does this and kicks off the removal tool, which when run from an admin account works out awesome.
Posted on 04-22-2021 09:55 AM
What are your thoughts on just removing all of the Sophos components via script?
#!/bin/sh
# Stop running Sophos processes
pkill Sophos
# Remove application files (paths with spaces are quoted, globs left outside the quotes)
rm -rf /Library/Sophos*
rm -rf "/Library/Application Support"/Sophos*
rm -rf /Applications/Sophos*
rm -rf /Library/Frameworks/Sophos*
rm -rf /Library/Frameworks/SAVI*
rm -rf /usr/local/bin/SophosUpdate
rm -rf /usr/local/bin/sweep
# Unload the launchd jobs by plist path (launchctl remove expects a job label), then delete the plists
launchctl unload /Library/LaunchAgents/com.sophos*
rm -rf /Library/LaunchAgents/com.sophos*
launchctl unload /Library/LaunchDaemons/com.sophos*
rm -rf /Library/LaunchDaemons/com.sophos*
# Remove the kernel extensions and prune the staging area
rm -rf /Library/Extensions/Sophos*
kextcache -prune-staging
Posted on 11-24-2022 03:39 PM
This has worked like a charm for me. Thank you!
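A post-removal check, added here as an example and not part of any poster's script: it looks for the files the scripts in this thread touch and for Sophos entries in `systemextensionsctl list`, and prints the outcome in Jamf extension-attribute format. The function names and the optional root-prefix argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: report what a Sophos removal left behind.

# List remnants under an optional root prefix (assumption: the prefix exists
# only so the check can be exercised against a test directory).
sophos_remnants() {
    root="${1:-}"
    # Locations are the ones the scripts in this thread touch.
    for path in \
        "$root"/Library/Sophos* \
        "$root/Library/Application Support"/Sophos* \
        "$root"/Library/Preferences/com.sophos.* \
        "$root"/Applications/Sophos* \
        "$root/Applications/Remove Sophos Endpoint.app" \
        "$root"/Library/Frameworks/Sophos* \
        "$root"/Library/Frameworks/SAVI* \
        "$root"/usr/local/bin/SophosUpdate \
        "$root"/usr/local/bin/sweep \
        "$root"/Library/LaunchAgents/com.sophos* \
        "$root"/Library/LaunchDaemons/com.sophos* \
        "$root"/Library/Extensions/Sophos*
    do
        # An unmatched glob stays literal, so test before reporting.
        [ -e "$path" ] || continue
        printf '%s\n' "${path#"$root"}"
    done
}

# Filter `systemextensionsctl list` output (read from stdin) for Sophos entries.
sophos_sysext() {
    grep -i 'sophos' || true
}

# Build the extension-attribute value: "Clean" or a list of leftovers.
sophos_report() {
    files=$(sophos_remnants "${1:-}")
    exts=""
    if command -v systemextensionsctl >/dev/null 2>&1; then
        exts=$(systemextensionsctl list 2>/dev/null | sophos_sysext)
    fi
    if [ -z "$files$exts" ]; then
        echo "<result>Clean</result>"
    else
        printf '<result>Remnants:\n%s\n%s</result>\n' "$files" "$exts"
    fi
}

sophos_report "${1:-}"
```

Scoping a smart group to any value other than `Clean` shows which machines still need the removal policy or the manual System Extension cleanup.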
Posted on 06-14-2021 10:07 AM
With Tamper Protection disabled from the Sophos Central admin console, Dan0's script:
"/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer" --force_remove
worked for me on my own Mojave machine. I will begin rolling this out gradually through my environment.
From a manual removal situation, I had a machine recently that copied the Sophos application components over to a new machine while using Migration Assistant. Knowing I did not intend to use Sophos Endpoint on this machine, but not thinking that it would copy over, I declined all permission requests from Sophos. However, with no services running, now it did not communicate with Sophos Central so I could not see the machine to disable Tamper Protection, AND when I tried to run Remove Sophos Endpoint.app to uninstall, the app prompted me for a password. Needless to say I had no idea what such a password would be, nor could I find it in my Sophos Central admin panel anywhere. I finally resorted to filing a support ticket with Sophos, and they said for versions above 9.7, to delete /Library/Sophos Anti-Virus/SophosSecure.keychain to disable the Tamper Protection, then run the application. I did this, and then Remove Sophos Endpoint.app ran successfully without any password prompt.
08-02-2021 12:31 PM - edited 08-02-2021 12:59 PM
Has anyone tried this on Big Sur? Seems like these scripts work up to Catalina, but we have not seen any work due to the new format; Big Sur is 11.x.
Update: MrRoboto's script looks to work fine on Big Sur! Pushing it out now and it's working great!
Posted on 09-03-2021 12:24 PM
Just got done with a week of fiddling with this. We are looking to switch from Sophos to CrowdStrike and I have been validating the Big Sur part of all that. Have been using a script much like MrRoboto's for years with no issues, but Big Sur is a different story. The Sophos-provided uninstaller doesn't remove the System Extensions, so you will have to do it manually or sorta scripted:
https://community.sophos.com/intercept-x-endpoint/big-sur-eap/f/recommended-reads/124391/how-to-remo...
https://grahamrpugh.com/2021/04/06/delete-system-extension-command-line.html
FWIW the CrowdStrike agent does do the right thing and tell macOS to remove their System Extension, so maybe someday Sophos will too. For now you need to make sure and have the System Extensions deleted first and then run the script or the removal app in the Sophos folder. My testing was on macOS 11.5.2 using Sophos Endpoint 10.1.4. We use Central and have Jamf MDM with profiles/policies for all the needful. Wanted to give people the heads up, since once Sophos is removed you can't easily get rid of the extensions without installing Sophos again and then manually removing them. This will complicate the CrowdStrike rollout a little, but hey it is so secure!
12-22-2022 12:13 PM - edited 12-23-2022 06:55 AM
This script is for Sophos Endpoint. It will disable tamper protection and uninstall.
#!/bin/bash
#Delete Sophos Keychain
sudo rm /Library/Sophos\ Anti-Virus/SophosSecure.keychain
#Disable Sophos' tamper protection
sudo defaults write /Library/Preferences/com.sophos.sav TamperProtectionEnabled -bool false
#Changes Directory
cd /Library/Application\ Support/Sophos/saas/Installer.app/Contents/MacOS/tools/
#Execute Sophos uninstaller
sudo ./InstallationDeployer --remove
Posted on 06-24-2024 06:05 AM
Is this still an option as it seems that Apple requires the User to click all to uninstall Sophos?