
Remove Cisco AMP

Lance.Storm3
Level 1

How do you remove Cisco AMP if you don't have the password? The company I am at was sol

8 Replies

ppreenja
Cisco Employee

Hi Lance,

 

This is the procedure to uninstall the connector if the password is forgotten and no network connection is available:

 

Step 1. Click on the tray icon and open the Cisco AMP for Endpoints Connector.

Step 2. Ensure that the Connector is shown as disconnected.

Step 3. Note the policy that has been assigned to that connector.

Step 4. Navigate to your AMP for Endpoints Console and search for the policy that was previously noted.

Step 5. Expand the policy and click Duplicate as shown in the image.

Step 6. A new policy called "Copy of.." will be created. Click on Edit to edit this policy.

Step 7. At the Edit Policy page, navigate to Advanced Settings > Administrative Features.

Step 8. At the Connector Password Protection field, replace the password with a new password that can be recalled.

Step 9. Click the Save button in order to save this policy.

Step 10. Navigate to Management > Policies and search for the policy that was newly duplicated.

Step 11. Expand the policy and click Download XML. A file named policy.xml will be saved to your machine.
- If the filename is not policy.xml, change it to: policy.xml *important*
- Please check that the file extensions are shown so the file is not incorrectly named: policy.xml.xml

Step 12. Copy this policy.xml to the affected endpoint.
- Do not copy the file to C:\Program Files\Cisco\AMP yet

Step 13. Reboot the affected endpoint in Safe Mode.

Step 14. Once the affected endpoint is in Safe Mode, navigate to C:\Program Files\Cisco\AMP.

Step 15. In this folder, search for a file named policy.xml and rename this to policy_old.xml.

Step 16. Now, paste the previously copied policy.xml to this folder.

Step 17. After the file has been copied, the uninstallation can be performed normally and at the password prompt, the newly configured password must be entered.
- Boot normally (not safe mode) and the connector should be using the new policy.xml.
- Proceed with the uninstallation, and when asked for the password proceed to enter the new one.

Step 18. This is an optional step. Since the connector was uninstalled when the machine was disconnected, the computer entry will remain on the console. Therefore, you can navigate to Management > Computers and expand the affected endpoint. Click Delete in order to delete the endpoint.

 

I hope that helps.

 

Cheers,

Pratham

Hi Pratham,

What do you do if the company has been sold and you can't access the Endpoint Console? Is there a way to just remove it without having the password or Endpoint Console?

 

Thanks,

Lance

Hi Lance,

 

We do have a feature request opened to remove the AMP for endpoints remotely as below:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq81718 

 

However, that option is currently not available.

 

Cheers,

Pratham

Hi there,

 

Has this feature been added yet or is there some sort of workaround? This issue has been open since 2019! 

 

My company really needs to remove endpoints remotely as they do not get deleted when you "delete computer" in the console and just appear back on the list. This is a major flaw as there are many employees who have left that still have AMP installed on their BYOD.

 

Thanks.

I found out that you have to boot in safe mode. Once in safe mode, open Notepad with admin rights.

Go to: C:\Program Files\Cisco\AMP
Go to policy.xml and find the following tags: <passwordex></passwordex>. Delete everything from the start of <passwordex> to the end of </passwordex>, then save the changes.

You should then be able to uninstall Cisco AMP.
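
A defender-side check for the local policy edits described in this thread, as an added example that is not part of any post and not Cisco's own tooling: it flags a leftover policy_old.xml and a policy.xml whose <passwordex> element is missing or empty. The function name and the sample XML are assumptions; only the directory, the file names and the element name come from the thread.

```powershell
# Added example (not Cisco tooling). Hypothetical function name; the sample XML is
# constructed and does not reproduce the real policy schema.
function Test-AmpPolicyTamper {
    param([string]$Dir = 'C:\Program Files\Cisco\AMP')

    $findings = @()
    $policy   = Join-Path $Dir 'policy.xml'

    # A renamed original next to the live policy matches the rename in Step 15.
    if (Test-Path (Join-Path $Dir 'policy_old.xml')) {
        $findings += 'policy_old.xml present next to policy.xml'
    }

    if (-not (Test-Path $policy)) {
        $findings += 'policy.xml missing'
    } else {
        try {
            $xml = New-Object System.Xml.XmlDocument
            $xml.Load($policy)
            # local-name() matches the element whatever namespace the file declares.
            $nodes = $xml.SelectNodes("//*[local-name()='passwordex']")
            if ($nodes.Count -eq 0) {
                # Assumption: a protected policy always carries this element.
                $findings += 'no <passwordex> element in policy.xml'
            } elseif (-not ($nodes | Where-Object { $_.InnerText.Trim() })) {
                $findings += '<passwordex> element is empty'
            }
        } catch {
            $findings += "policy.xml is not well-formed XML: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Directory = $Dir
        Suspect   = ($findings.Count -gt 0)
        Findings  = $findings
    }
}

# Constructed sample: a policy with the element removed, plus the renamed original.
$tmp = Join-Path ([IO.Path]::GetTempPath()) ('amp-audit-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
Set-Content (Join-Path $tmp 'policy.xml')     '<policy><name>constructed</name></policy>'
Set-Content (Join-Path $tmp 'policy_old.xml') '<policy><passwordex>constructed</passwordex></policy>'
Test-AmpPolicyTamper -Dir $tmp | Format-List
Remove-Item $tmp -Recurse -Force
```

Run against the real install directory on a schedule, a `Suspect` result on a machine that should be password protected is worth correlating with recent Safe Mode boots.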

Thanks for your reply : )

Sorry I should have been more clear - I need to do a remote uninstall or "delete" from the AMP console for BYOD machines of staff who left the company years ago. So I can't do a local uninstall as we don't have the machines. I posted in a more relevant thread:

 

https://community.cisco.com/t5/cisco-bug-discussions/cscvq81718-feature-request-allow-remote-uninstallation-from-amp/m-p/4494606#M12817

 

Hey River1,

Maybe follow ppreenja's directions. When I came to the company I am at now, they had Cisco AMP installed, but the company was sold and no longer had access to the Cisco AMP Console. I even opened a ticket with Cisco and they told me to get in touch with the company that sold us and see if they can re-enable the machine and give me the password to uninstall Cisco AMP. Since we were no longer under that company's umbrella, they did not want to help. So I had to manually remove all the machines with Cisco AMP the way I said in my earlier thread.

I would reach out to the former owner's IT group and see if they can provide you with this information as well.