![]() So far, we've tried the following approaches, both of these scoped to a test machine with Sophos Endpoint Protection installed and with Tamper Protection disabled: ![]() This particular enterprise version of Sophos employs Tamper Protection, which was easy enough for us to disable by creating a policy that deletes the SophosSecure.keychain file that Tamper Protection creates on all the endpoints, but even with Tamper Protection disabled we can't figure out how to remotely uninstall the client itself. Wanted to give people the heads up, since once Sophos is removed you can't easily get rid of the extensions without installing Sophos again and then manually removing them.Hi all, we're having a difficult time uninstalling Sophos Endpoint Protection from our Mac endpoints with Jamf. We use Central and have Jamf MDM with profiles/policies for all the needful. My testing was on macOS 11.5.2 using Sophos Endpoint 10.1.4. For now you need to make sure and have the System Extensions deleted first and then run the script or the removal app in the Sophos folder. The Sophos provided uninstaller doesn't remove the System Extensions, so you will have to do it manually or sorta scripted:įWIW the CrowdStrike agent does do the right thing and tell macOS to remove their System Extension, so maybe someday Sophos will too. Have been using a script much like MrRobotos's for years with no issues, but Big Sur is a different story. We are looking to switch from Sophos to CrowdStrike and I have been validating the Big Sur part of all that. Just got done with a week of fiddling with this. I did this, and then Remove Sophos Endpoint.app ran successfully without any password prompt. I finally resorted to filing a support ticket with Sophos, and they said for versions above 9.7, to delete /Library/Sophos Anti-Virus/SophosSecure.keychain to disable the Tamper Protection, then run the application. Needless to say I had no idea what such a password would be, nor could I find it in my Sophos Central admin panel anywhere. However, with no services running, now it did not communicate with Sophos Central so I could not see the machine to disable Tamper Protection, AND when I tried to run Remove Sophos Endpoint.app to uninstall, the app prompted me for a password. Knowing I did not intend to use Sophos Endpoint on this machine, but not thinking that it would copy over, I declined all permission requests from Sophos. I will begin rolling this out gradually through my environment.įrom a manual removal situation, I had a machine recently that copied the Sophos application components over to a new machine while using Migration Assistant. Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer -force_remove With Tamper Protection disabled from the Sophos Central admin console, Dan0's script: Sophos support told us that they do not have a batch uninstall feature but I have to believe it's possible with Jamf. If anyone here has successfully removed Sophos Endpoint Protection with a Jamf policy, or if you have any other ideas in general, your feedback would be most appreciated. Created a Policy with the Files & Processes payload, using the Execute Command feature to call up the Sophos uninstaller app directly on the endpoint (/Applications/Remove Sophos Endpoint.app).Packaged the Sophos uninstaller (Remove Sophos Endpoint.app) with Composer and added it to a Policy with the Packages payload (specifically, we installed Sophos on the test machine, started Composer and took a before snapshot, uninstalled Sophos, then took an after snapshot, saved and uploaded the resulting.Hi all, we're having a difficult time uninstalling Sophos Endpoint Protection from our Mac endpoints with Jamf.
0 Comments
Leave a Reply. |