Impossible uninstall Cortex XDR


L2 Linker

Hello,

 

Because of my previous work, I had to install Cortex XDR to work remotely from home and access the VPN.

Now that I'm no longer working for them, I would like to uninstall Cortex XDR from my laptop (MacBook Pro M2) but it is impossible. I tried to install the uninstaller but it is impossible, the installation doesn't ever finish.

 

Does someone know how to delete Cortex XDR?

 

Kind regards.

25 REPLIES

Community Team Member

Hi @Rixals ,

 

To uninstall the agent, you need the uninstall password or a temporary token:

 

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/8.2/Cortex-XDR-Agent-Administrator-Guide/Unins...

 

Hope this helps,

-Kim.

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hello @kiwi !

 

Thank you for your help !

Yes I saw that but I don't understand what I must do. I don't know where the "Cortex XDR management console" is and I don't get what an endpoint is, could you help me please ?

 

Have a nice day 😊

Community Team Member

Hi @Rixals ,

 

You don't need to worry about the management console. That's likely managed by your previous employer.

You should uninstall it directly from your endpoint (= your MacBook).

 

Check the following process from the admin guide:

To uninstall the agent, you need the uninstall password or a temporary token. See Manage Agent Tokens to obtain a temporary token.

Ensure that you extract the uninstaller from the installer package which is the same version as the Cortex XDR agent for Mac currently installed on the endpoint.

Ensure that the installer file, called Cortex XDR Uninstaller.app, is saved in the following location: /Library/Application\ Support/PaloAltoNetworks/Traps/bin

  1. Run the Cortex XDR agent uninstaller Cortex XDR Uninstaller.app from: /Library/Application\ Support/PaloAltoNetworks/Traps/bin.

  2. When prompted, enter the Cortex XDR agent uninstall password or temporary token, and click OK.

  3. When prompted, enter the macOS credentials for a user that has permissions to uninstall apps and click OK.

    The uninstaller completes the uninstall process and removes the Cortex XDR agent and related files.

Good luck !

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

L2 Linker

Hello @kiwi !

 

Yes, I tried to follow these instructions but I don't see where to execute the different steps needed.

 

"1. View agent password.

You can view the password of the selected agent. Whether the password is from a rolling token or a temporary token is indicated in the dialog.

  1. Select Endpoints > All Endpoints > Endpoint Control > View Token."

For example here, where do I do "Select Endpoints > All Endpoints > Endpoint Control > View Token"? The only thing related to Cortex XDR which I can interact with is this:

[Screenshot: Capture d’écran 2025-01-10 à 12.06.49.png]

 Have a nice day 😊

 

Community Team Member

Hi @Rixals ,

 

The 'Manage Agent Token' is also part of the management console so you won't have access to that:

https://www.youtube.com/watch?v=G55kf6L0nas

 

Try using the default password and cross your fingers that it wasn't changed: Password1

https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-to-change-the-uninstallation-passwo...

 

If the uninstall password was changed, then I'm afraid you'll need to reach out to your previous employer to assist you with uninstalling. The ones managing the management console should be able to provide you with the uninstall pwd or token.

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

Hi @kiwi,

 

Okay I understand !

Now comes my main problem: where do I put this password? I would presume in the uninstaller but I can't find it on my MacBook. Is it hidden? Or maybe I can download it from the internet?

 

Kind regards,

Nathan

Community Team Member

Hi @Rixals ,

 

Below is the path:

admin@lab bin % pwd
/Library/Application Support/PaloAltoNetworks/Traps/bin
admin@lab bin % ls
Cortex XDR Agent.app			dbtool
Cortex XDR Configuration Wizard.app	irpc_client_api
Cortex XDR Uninstaller.app		openssl
authorized				pmd
cortex_xdr_uninstaller_tool		sandboxd
cytool					traps_config

 

You can try uninstalling using the default password with the following command:

 

/Library/Application\ Support/PaloAltoNetworks/Traps/bin/cortex_xdr_uninstaller_tool Password1

 

Note, however, that tampering protection might be in place, which might have to be disabled first using cytool (located in the same folder). Use the same default password if it prompts you:

 

cytool protect disable

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

Oh thank you, I finally found the Uninstaller!

But unfortunately it asks for a password and "Password1" doesn't work. Is there another way to pass around it ?

Community Team Member

Hi @Rixals ,

 

Here's a similar discussion on the topic. Preferably try uninstalling using the management console (=via your previous employer).

Or you could try the macOS root password:

 

https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-uninstall-without-password-an...

 

Once you have exhausted all your possible passwords and still fail to uninstall the agent, try using the tool (reset_agent_settings) to help reset the agent settings. This should revert the uninstall password back to Password1.

You need to follow these steps to use the tool and reset the agent. Afterwards you should be able to uninstall using the default password:


A. Boot into macOS recovery OS (https://support.apple.com/en-us/102603)
B. If the disk is encrypted (FileVault enabled) unlock the disk (https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785/mac)
C. Execute the tool (reset_agent_settings):

Run as root:

chmod +x /Volumes/<volume_name>/Library/Application\ Support/PaloAltoNetworks/Traps/download/content/reset_agent_settings

/Volumes/<volume_name>/Library/Application\ Support/PaloAltoNetworks/Traps/download/content/reset_agent_settings


D. After the agent settings have been successfully reset, boot the macOS back to normal mode and uninstall the agent using the previously mentioned command using the default password: Password1

 

Good luck !

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

Hello @kiwi,

 

Where do you find the tool "reset_agent_settings"? When I search for it with the search bar I find the file, but when I go to the folder "download" there is nothing:

[Screenshot: Capture d’écran 2025-01-13 à 18.44.49.png]

[Screenshot: Capture d’écran 2025-01-13 à 18.44.51.png]

I tried to show hidden files but it didn't change anything.

 

Another question how do you run the tool "reset_agent_settings" ? Should I copy/paste the code lines you wrote under "Run as root" in the terminal and that's it ?

 

Kind regards,

Rixals

Community Team Member

Hi @Rixals ,

 

The tool is located at /Library/Application\ Support/PaloAltoNetworks/Traps/download/content/

 

Only root user can run the tool.
The tool should not be moved/renamed, it needs to execute from its original location (it can be called with relative path and absolute path, both work).

The tool only runs in recovery OS mode  (https://support.apple.com/en-us/102603)

If the disk is encrypted (FileVault enabled) unlock the disk (https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785/mac)

 

Start Terminal and run the commands as a root user

I'm not 100% sure but I believe starting in recovery mode already puts you at root privileges. So 'su' or 'sudo' won't be necessary and you should just run the command as is. If that's not the case then just 'sudo' the commands.

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

L2 Linker

Hello @kiwi,

 

Okay thank you !

I tried to enter the command you wrote in safe mode without FileVault and the terminal responded with this:

/Volumes/Macintosh_HD/Library/Application\ Support/PaloAltoNetworks/Traps/download/content/reset_agent_settings
chmod: /Volumes/Macintosh_HD/Library/Application Support/PaloAltoNetworks/Traps/download/content/reset_agent_settings: No such file or directory
zsh: no such file or directory: /Volumes/Macintosh_HD/Library/Application Support/PaloAltoNetworks/Traps/download/content/reset_agent_settings

I didn't change the volume name, is "Macintosh_HD" the right name ?

Cyber Elite

Have you tried reaching out to your previous employer's IT department to simply run the uninstall from the management console? (or release your agent)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hello @reaper,

 

Yes, I tried. It is a small research institute and the person who told me to install Cortex XDR isn’t from IT or anything, she’s just the person who follows the instructions.

I tried to reach the IT department that is giving these instructions but to no avail.

 

Have a nice day !

Rixals

  • 1374 Views
  • 25 replies
  • 0 Likes