4880 Views | 10 Helpful | 6 Replies

macOS Security Changes = Can No Longer Silently Uninstall AMP Endpoint Client

ac513
Level 1

We pre-approve disk access and extensions with Jamf config profiles for silent AMP endpoint client installations on our macOS devices. Inevitably, due to bugs or interruptions or whatever quirk of the day, we wind up with some small number of devices with faults due to "lacking" disk access or extensions, or extensions not being loaded. Uninstalling/reinstalling typically clears these up quickly, as these items they're supposedly faulting for are approved with our aforementioned Jamf profiles. They don't apply retroactively, but they're ready to go & work fine with a full reinstallation of AMP.

So in years past, I could accomplish this fault-clearing process silently & without my desktop support guys visiting machines simply by running and/or pushing the AMP uninstaller .pkg that's included in AMP's application folder, or manually removing it via Cisco's documentation. Then I'd circle back with another Jamf policy to force install AMP, and the machine would be back in working order with zero faults.

However, in past months, it now seems that due to security changes in macOS, we can no longer silently uninstall the AMP client.  Whether you run the uninstaller .pkg as root, or manually uninstall via the aforementioned script, the end user is always faced with an authentication prompt from macOS to elevate & approve the uninstallation process. (I'm guessing it's unloading/removing extensions?) If the user ignores or cancels this prompt, it leaves AMP in a half-uninstalled, borked state. Several others over at Jamf Nation have noted the same behavior:

https://www.jamf.com/jamf-nation/discussions/37354/removing-cisco-amp-version-1-14-0-or-newer

The end result now is that when I find faulted AMP Mac clients, I can't just fix them with a sequence of Jamf policies.  Someone has to physically touch the machine and reinstall AMP. In a big education environment, this does not scale well. I don't see Apple reversing security changes they've made, but I also understand Cisco has to work within the framework Apple gives them... so I don't know whose court this ball lies in at the moment.

Thoughts on this? Am I missing any obvious solution?  I'd hate to think that from now on, I have no more non-interactive maintenance methods for AMP.

Accepted Solution

antc
Cisco Employee

It's currently not possible to silently uninstall AMP in macOS Big Sur due to an operating system constraint. You guessed correctly, removing a system extension requires user approval.

The situation should improve in macOS 12 Monterey which introduces Removable System Extensions.


6 Replies

stealthmode
Cisco Employee

Would it be possible for you to try the automated script when the Mac is booted in safe mode? 

That would require physically touching the machine, right? We can remove AMP from a macOS client hands-on all day long, that's not the problem. The problem is not being able to fully automate the removal with zero input on the endpoint (e.g. scripts or pushing uninstaller via Jamf for me specifically), which we could do prior to these security changes where Apple needs authorization on the endpoint for the uninstall process. Thus this post, I'm curious if this is something that we will just no longer be able to do "because Apple", or if there's something Cisco can do with future releases to account for silent uninstalls again.

I understand your concern and well, you could still script booting into safe mode https://www.isunshare.com/mac/how-to-start-mac-in-safe-mode.html

bharathganesan
Level 1

Just to update here, we got help from one of our vendors (ManageEngine-Endpoint Central), who managed to prepare a script for silent uninstallation of Cisco AMP on any of the latest macOS versions; it simply works like a charm. Hope this helps you as well.

#!/bin/bash
uninstallCiscoAMP() {
    #The uninstall procedure for Mac connector versions 1.18.0 and newer varies depending on the version of macOS being used.

    #To manually uninstall Mac connector, run the following commands:

    #/bin/launchctl unload /Library/LaunchAgents/com.cisco.amp.agent.plist
    #If this does not stop the menulet, click on it and select Quit Secure Endpoint connector.
    #Unload the agent inside the console user's own launchd session, not root's.
    currentUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ { print $3 }' )
    uid=$(id -u "$currentUser")
    /bin/launchctl asuser "$uid" sudo -u "$currentUser" /bin/launchctl unload /Library/LaunchAgents/com.cisco.amp.agent.plist


    sudo /bin/launchctl unload /Library/LaunchDaemons/com.cisco.amp.daemon.plist
    sudo /bin/launchctl list com.cisco.amp.daemon
    #This should yield the message: Could not find service.
    sudo /bin/launchctl unload /Library/LaunchDaemons/com.cisco.amp.updater.plist
    sudo /bin/launchctl list com.cisco.amp.updater
    #This should yield the message: Could not find service "com.cisco.amp.updater" in domain for system.
    #For macOS versions 10.15 and older:
    sudo /sbin/kextunload -b com.cisco.amp.fileop
    #For macOS versions 10.15 and older:
    sudo /sbin/kextunload -b com.cisco.amp.nke
    #For macOS versions 10.15 and older:
    sudo /usr/sbin/kextstat -l | grep com.cisco.amp
    #This should yield an empty list.
    #For macOS versions 11 and newer:

    /Applications/Cisco\ Secure\ Endpoint/Secure\ Endpoint\ Service.app/Contents/MacOS/Secure\ Endpoint\ Service deactivate endpoint_security
    #Enter password when prompted. Note that this step cannot be executed remotely as the local user is required to enter the password.
    #(With the authorization right rewritten by doNotPromptForSysExt below, no prompt appears.)
    #For macOS versions 11 and newer:

    /Applications/Cisco\ Secure\ Endpoint/Secure\ Endpoint\ Service.app/Contents/MacOS/Secure\ Endpoint\ Service deactivate content_filter
    #Enter password when prompted. Note that this step cannot be executed remotely as the local user is required to enter the password.
    #For macOS versions 11 and newer:
    systemextensionsctl list | grep com.cisco.endpoint.svc
    #All system extensions for com.cisco.endpoint.svc.networkextension and com.cisco.endpoint.svc.securityextension should be listed with "[terminated waiting to uninstall on reboot]."
    #For macOS versions 10.15 and older:
    sudo rm -rf "/Applications/Cisco Secure Endpoint"
    #For macOS versions 10.15 and older:
    sudo rm -rf /Library/Extensions/ampfileop.kext
    #For macOS versions 10.15 and older:
    sudo rm -rf /Library/Extensions/ampnetworkflow.kext
    sudo rm -rf "/Library/Application Support/Cisco/Secure Endpoint"
    sudo rm -rf /opt/cisco/amp/
    sudo rm -f /Library/Logs/Cisco/amp*
    sudo rm -f /var/run/ampdaemon.pid
    sudo rm -f /Library/LaunchAgents/com.cisco.amp.agent.plist
    sudo rm -f /Library/LaunchDaemons/com.cisco.amp.daemon.plist
    sudo rm -f /Library/LaunchDaemons/com.cisco.amp.updater.plist
    sudo pkgutil --forget com.cisco.amp.agent
    sudo pkgutil --forget com.cisco.amp.daemon
    sudo pkgutil --forget com.cisco.amp.kextsigned
    sudo pkgutil --forget com.cisco.amp.kextunsigned
    sudo pkgutil --forget com.cisco.amp.support
    sudo pkgutil --forget com.sourcefire.amp.agent
    sudo pkgutil --forget com.sourcefire.amp.daemon
    sudo pkgutil --forget com.sourcefire.amp.kextsigned
    sudo pkgutil --forget com.sourcefire.amp.kextunsigned
    sudo pkgutil --forget com.sourcefire.amp.support
    #For each user, remove the following file if it exists:
    rm -f ~/Library/Preferences/SourceFire-Inc.FireAMP-Mac.plist
    #For each user, remove the following file if it exists:
    rm -f ~/Library/Preferences/Cisco-Inc.AMP-for-Endpoints-Connector.plist
}


#Rewrite the authorization right so that root may deactivate system extensions
#without the user approval prompt. While this rule is in place any root process
#on the machine can do the same, so it is restored as soon as the uninstall ends.
doNotPromptForSysExt() {
    security -v authorizationdb write com.apple.system-extensions.admin is-root
}

#Puts the rule back to authenticate-admin-nonshared. This is a hardcoded value,
#not whatever the right held before doNotPromptForSysExt ran.
restoreDoNotPromptForSysExt() {
    security -v authorizationdb write com.apple.system-extensions.admin authenticate-admin-nonshared
}

removingBasedOnObservation() {
    echo "Removing Based on Observation"
    sudo rm -rf "/Library/Application Support/Cisco"
    sudo rm -f "/Library/LaunchDaemons/com.cisco.amp.orbitalupdater.plist"
    echo "Done."
}

echo "Do Not Prompt Sys Ext"
doNotPromptForSysExt
echo "Do Not Prompt Sys Ext Done"
echo "Uninstall Cisco AMP"
uninstallCiscoAMP
echo "End of Uninstall Cisco AMP"
echo "Restore Do Not Prompt Sys Ext"
restoreDoNotPromptForSysExt
echo "Restore Do Not Prompt Sys Ext Done"
removingBasedOnObservation

exit 0
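The script above leaves two things unverified: whether both Cisco system extensions actually reached the "terminated waiting to uninstall on reboot" state (a cancelled or failed deactivate is exactly the half-uninstalled state the thread describes), and whether com.apple.system-extensions.admin was put back after being set to is-root. The following check is an added example written for this thread; it is not Cisco's, ManageEngine's or Jamf's code. It assumes the tab-separated layout that `systemextensionsctl list` prints on macOS 11 and newer, the two bundle identifiers named in the thread, and a placeholder team identifier (TEAMID0000) in the constructed sample listings. Pushed as a follow-up Jamf policy, it turns a silent failure into a logged one.

```shell
#!/bin/sh
# Post-uninstall verification for the Cisco Secure Endpoint (AMP) connector.
# Added example for this thread, not vendor code. Assumes the tab-separated
# `systemextensionsctl list` layout of macOS 11+ and the bundle ids below.

SEC_EXT="com.cisco.endpoint.svc.securityextension"
NET_EXT="com.cisco.endpoint.svc.networkextension"
AUTH_RIGHT="com.apple.system-extensions.admin"
PENDING="terminated waiting to uninstall on reboot"

# Print the bracketed state of one extension (by bundle id) from a
# `systemextensionsctl list` listing read on stdin, e.g. "activated enabled"
# or "terminated waiting to uninstall on reboot"; "not listed" if absent.
ext_state() {
    awk -v id="$1" '
        index($0, id) {
            sub(/[[:space:]]+$/, "")
            if (match($0, /\[[^]]*\]$/)) {
                print substr($0, RSTART + 1, RLENGTH - 2)
                found = 1
                exit
            }
        }
        END { if (!found) print "not listed" }'
}

# Succeed only when both Cisco extensions are gone or waiting for the reboot
# that completes their removal; anything else is the half-uninstalled state.
extensions_pending_uninstall() {
    listing=$(cat)
    for id in "$SEC_EXT" "$NET_EXT"; do
        state=$(printf '%s\n' "$listing" | ext_state "$id")
        case "$state" in
            "$PENDING"|"not listed") ;;
            *) printf 'extension %s is still "%s"\n' "$id" "$state" >&2
               return 1 ;;
        esac
    done
    return 0
}

# `security authorizationdb read <right>` prints the right as a plist. The
# workaround script sets its rule to "is-root", which lets any root process
# deactivate system extensions without the user prompt. Succeeds when that
# weakened rule is still present in the plist read on stdin.
auth_right_is_root() {
    grep -q '<string>is-root</string>'
}

# Constructed listing for dry runs; $1/$2 are the states of the security and
# network extension. TEAMID0000 is a placeholder, not Cisco's team identifier.
sample_listing_with() {
    printf '2 extension(s)\n'
    printf '%s\n' '--- com.apple.system_extension.endpoint_security'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t*\tTEAMID0000\t%s (1.14.0/1.14.0)\tSecurity Extension\t[%s]\n' "$SEC_EXT" "$1"
    printf '%s\n' '--- com.apple.system_extension.network_extension'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t*\tTEAMID0000\t%s (1.14.0/1.14.0)\tNetwork Extension\t[%s]\n' "$NET_EXT" "$2"
}
sample_listing() { sample_listing_with "$PENDING" "$PENDING"; }

# The real check runs only on a Mac; elsewhere the functions above can still be
# exercised against the constructed listings.
if [ "$(uname 2>/dev/null)" = "Darwin" ]; then
    if systemextensionsctl list 2>/dev/null | extensions_pending_uninstall; then
        echo "OK: AMP system extensions removed or pending uninstall on reboot"
    else
        echo "ACTION: AMP client is half-uninstalled; reboot or hands-on reinstall needed" >&2
    fi
    if security authorizationdb read "$AUTH_RIGHT" 2>/dev/null | auth_right_is_root; then
        echo "WARNING: $AUTH_RIGHT still set to is-root; restore it" >&2
    fi
fi
```

Run it as root right after the uninstall policy; the WARNING line is the one to alert on in Jamf, since a right left at is-root means any root process on that Mac can drop system extensions with no approval.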


ac513
Level 1

Forgot I made this thread!  In the time since, Apple has introduced removable system extensions into their MDM framework for macOS 12 and higher, as mentioned by @antc. We can now define and push these with config profiles via Jamf, and silently install once again if the need arises.

https://developer.apple.com/documentation/devicemanagement/systemextensions/removablesystemextensions