Uninstalling the Client
An MDM policy script can execute the Endpoint Security macOS uninstall.sh
script.
The Self-Protection feature (see sk171012) is enabled by default in E85.30 and higher. The MDM policy script that executes the uninstallation must provide the Self-Protection password. Treat that script parameter as a secret: anyone who can view or edit the policy can read it.
Example of a parameterized MDM policy script for JAMF
#!/bin/sh
# Argument 4 ($4): the Self-Protection password, required to disable Self-Protection before uninstallation
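# Destination of the timestamped uninstall log.
logFile="/var/log/jamf_eps_uninstall.log"

# Write a message to stdout and append it, timestamped, to $logFile.
# Globals:   logFile (read)
# Arguments: $1 - message text
# Outputs:   the message on stdout; "YYYY-MM-DD HH:MM:SS: message" in $logFile
# The message is always quoted, so spaces are kept and glob characters
# such as * are not expanded against the current directory.
# Never pass the Self-Protection password to this function: everything
# given to it is written to stdout and to the log file.
log ()
{
  # printf instead of echo: a message that looks like an option (e.g. "-n")
  # is still printed literally.
  printf '%s\n' "$1"
  printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S:')" "$1" >> "$logFile"
}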
# Absolute path of the cpSelfProtection tool; disableSelfProtection runs it
# as `"$EPS_SP_TOOL" disable <password>`.
EPS_SP_TOOL="/Library/Application Support/Checkpoint/Endpoint Security/cpSelfProtection"
# Absolute path of the Endpoint Security uninstall script run at the end.
# Both paths contain spaces, so every use must stay double-quoted.
# NOTE(review): these files are executed by the policy script, presumably
# as root -- confirm the directory is writable by administrators only.
EPS_UNINSTALL_SCRIPT="/Library/Application Support/Checkpoint/Endpoint Security/uninstall.sh"
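# Report whether the host runs macOS 10.15 (Catalina) or later.
# Arguments: none; the version is read from `sw_vers -productVersion`.
# Outputs:   one log line naming the branch taken.
# Returns:   0 on Catalina or later, or when the version cannot be parsed;
#            1 on 10.14 (Mojave) or earlier.
#
# The previous body stored the version in an unused variable and compared
# the function's own (empty) $1/$2, so the test always errored and every
# host was reported as "Catalina or greater".
isCatalinaOrGreater()
{
  local version major minor rest part
  version=$(sw_vers -productVersion)

  # Split "MAJOR.MINOR[.PATCH]" with parameter expansion only.
  major=${version%%.*}
  case "$version" in
    *.*)
      rest=${version#*.}
      minor=${rest%%.*}
      ;;
    *)
      minor=0
      ;;
  esac

  # Refuse to feed non-numeric text to the integer tests below. An unknown
  # version is treated as Catalina or later so the caller still attempts to
  # disable Self-Protection (that step is a no-op when the tool is absent).
  for part in "$major" "$minor"; do
    case "$part" in
      '' | *[!0-9]*)
        log "Could not parse macOS version '$version'; assuming Catalina or greater"
        return 0
        ;;
    esac
  done

  if [ "$major" -eq 10 ] && [ "$minor" -lt 15 ]; then
    log "Running Mojave or less"
    return 1
  fi

  log "Running Catalina or greater"
  return 0
}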
# Disable Endpoint Security Self-Protection with the cpSelfProtection tool.
# Globals:   EPS_SP_TOOL (read)
# Arguments: $1 - Self-Protection password
# Outputs:   pgrep's PID list on stdout, plus one log line per outcome
# Returns:   0 when the tool is not installed or the disable call succeeds;
#            1 when cpdaApp is not running or the disable call fails.
#
# The password reaches the tool as a command-line argument, so it is visible
# in the process list while the tool runs. Never echo or log "$1", and do
# not enable `set -x` around this call.
disableSelfProtection()
{
  # Nothing to disable when the tool is absent; the caller may proceed.
  if [ ! -f "$EPS_SP_TOOL" ]; then
    log "cpSelfProtection not installed"
    return 0
  fi

  # The disable call is only attempted while the device agent is running.
  if ! pgrep cpdaApp; then
    log "deviceAgent(cpdaApp) not running"
    return 1
  fi

  if "$EPS_SP_TOOL" disable "$1"; then
    log "Self protection disabled"
    return 0
  fi

  log "Failed to disable self protection"
  return 1
}
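# Main flow: look up the installed Endpoint Security package, disable
# Self-Protection when needed, then run the vendor uninstall script.
#
# The installed version is read from the pkgutil receipt; it stays empty
# when the lookup produces no output.
# NOTE(review): `<<<` is a bash extension used under a #!/bin/sh shebang --
# confirm /bin/sh on the managed Macs accepts it.
VERSION_INSTALLED=$(/usr/libexec/PlistBuddy -c 'Print :pkg-version' /dev/stdin <<< "$(pkgutil --pkg-info-plist com.checkpoint.pkg.eps.core)")
if [ -n "$VERSION_INSTALLED" ]; then
  log "version installed: $VERSION_INSTALLED"
  # self protection is only implemented on Catalina or later
  if isCatalinaOrGreater; then
    # "$4" is quoted so a password containing spaces or glob characters
    # reaches the tool as one unmodified argument. It is never logged.
    disableSelfProtection "$4"
    SP_RETVAL=$?
    if [ "$SP_RETVAL" -ne 0 ]; then
      exit "$SP_RETVAL"
    fi
  fi

  # `yes` answers the uninstaller's prompts; without pipefail the pipeline
  # status is the uninstall script's own exit status.
  yes | "$EPS_UNINSTALL_SCRIPT"
  UNINSTALL_RETVAL=$?
  # Report a failed uninstall to the MDM instead of always exiting 0.
  # NOTE(review): assumes uninstall.sh exits non-zero only on failure -- confirm.
  if [ "$UNINSTALL_RETVAL" -ne 0 ]; then
    log "uninstall.sh failed with exit code $UNINSTALL_RETVAL"
    exit "$UNINSTALL_RETVAL"
  fi
else
  log "Endpoint Security not installed"
fi
exit 0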