ac513
Beginner

macOS Security Changes = Can No Longer Silently Uninstall AMP Endpoint Client

We pre-approve disk access and extensions with Jamf config profiles for silent AMP endpoint client installations on our macOS devices. Inevitably, due to bugs or interruptions or whatever quirk of the day, we wind up with some small number of devices with faults due to "lacking" disk access or extensions, or extensions not being loaded. Uninstalling/reinstalling typically clears these up quickly, as these items they're supposedly faulting for are approved with our aforementioned Jamf profiles. They don't apply retroactively, but they're ready to go & work fine with a full reinstallation of AMP.

So in years past, I could accomplish this fault-clearing process silently & without my desktop support guys visiting machines simply by running and/or pushing the AMP uninstaller .pkg that's included in AMP's application folder, or manually removing it via Cisco's documentation. Then I'd circle back with another Jamf policy to force install AMP, and the machine would be back in working order with zero faults.

However, in past months, it now seems that due to security changes in macOS, we can no longer silently uninstall the AMP client.  Whether you run the uninstaller .pkg as root, or manually uninstall via the aforementioned script, the end user is always faced with an authentication prompt from macOS to elevate & approve the uninstallation process. (I'm guessing it's unloading/removing extensions?) If the user ignores or cancels this prompt, it leaves AMP in a half-uninstalled, borked state. Several others over at Jamf Nation have noted the same behavior:

https://www.jamf.com/jamf-nation/discussions/37354/removing-cisco-amp-version-1-14-0-or-newer

The end result now is that when I find faulted AMP Mac clients, I can't just fix them with a sequence of Jamf policies.  Someone has to physically touch the machine and reinstall AMP. In a big education environment, this does not scale well. I don't see Apple reversing security changes they've made, but I also understand Cisco has to work within the framework Apple gives them... so I don't know whose court this ball lies in at the moment.

Thoughts on this? Am I missing any obvious solution?  I'd hate to think that from now on, I have no more non-interactive maintenance methods for AMP.

1 ACCEPTED SOLUTION

antc
Cisco Employee

It's currently not possible to silently uninstall AMP in macOS Big Sur due to an operating system constraint. You guessed correctly: removing a system extension requires user approval.

The situation should improve in macOS 12 Monterey, which introduces Removable System Extensions.

4 REPLIES
stealthmode
Cisco Employee

Would it be possible for you to try the automated script when the Mac is booted in safe mode? 

That would require physically touching the machine, right? We can remove AMP from a macOS client hands-on all day long, that's not the problem. The problem is not being able to fully automate the removal with zero input on the endpoint (e.g. scripts or pushing uninstaller via Jamf for me specifically), which we could do prior to these security changes where Apple needs authorization on the endpoint for the uninstall process. Thus this post, I'm curious if this is something that we will just no longer be able to do "because Apple", or if there's something Cisco can do with future releases to account for silent uninstalls again.

I understand your concern and well, you could still script booting into safe mode https://www.isunshare.com/mac/how-to-start-mac-in-safe-mode.html 

 

 
