So, as the subject suggests, my colleagues and I are working on a method to uninstall the Cortex XDR agent from a number of computers (Macs). We do utilize the JAMF MDM here, hence why we are working on a script; however, I cannot help but think that simply using the tenant to remove these clients would be sufficient, but I digress. If we could call the uninstaller from Terminal and "pass" the uninstall password, that might work, but I'm jumping around here.
*Note: All MacBooks are on Monterey, with a small number still on Big Sur.
Has anyone written any scripts, or does anyone have any ideas/suggestions regarding how this may be approached? We can easily remove any leftover folders/files, but one with the .app extension may be problematic. This is what we've come up with so far, nothing fancy, but semi-operable. There are concerns associated with the .app file extension running in Terminal properly. (I know the "rm" command precedes it below, but disregard.)
cd /tmp && unzip "/Library/Application Support/JAMF/Waiting Room/Cortex_Mac_7_7_0_2356.zip" &&
/usr/sbin/installer -allowUntrusted -pkg "Cortex XDR.pkg" -target / &&
rm -fdr "Cortex XDR Uninstaller.app" &&
rm -fdr "Cortex XDR.pkg" &&
rm -fdr Config.xml &&
rm -fdr "/Library/Application Support/JAMF/Waiting Room/Cortex_Mac_7_7_0_2356.zip" &&
rm -fdr "/Library/Application Support/JAMF/Waiting Room/Cortex_Mac_7_7_0_2356.zip.cache.xml"
Any help or suggestions would be appreciated!
Thanks in advance...
Utilizing the Cortex XDR management console to uninstall the Cortex XDR agent for macOS operating systems is currently the recommended practice. This can be done by:
More information can be found on the agent administrator documentation to uninstall the agent for Mac:
Additionally, our documentation team is currently developing instructions for uninstalling the macOS agent using JAMF and I can update you in the LiveCommunity when an implementation has been made.
Hi David, I hope it is not too late, but I thought I would share with you something I did to solve this problem, which I had to face as well.
The case is that Cortex XDR has some processes that are running on the endpoints, and these processes must be stopped before executing any kind of uninstalling procedure. Cytool is a tool that is present once Cortex has been installed on the endpoint. So, you need to stop these processes by executing:
cytool stop
echo "whatever your password is" | sudo -b /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool runtime stop all
echo " " | sudo -b /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool runtime stop all
After that you can uninstall/clean Cortex XDR from the endpoints.
Hope that it is going to help 🙂
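The stop step from the reply above, wrapped for use as a Jamf policy script (an added example, not code from the thread or from Palo Alto Networks). It assumes the password arrives as Jamf script parameter 4 rather than being written into the script, and that cytool reads it on stdin as the reply's `echo ... |` form implies; `stop_agent` is a hypothetical name.

```shell
#!/bin/sh
# Added example: stop the Cortex XDR services before any uninstall/cleanup step.
# The cytool path and "runtime stop all" come from the reply above; the
# function name, return codes and parameter handling are assumptions.
CYTOOL="${CYTOOL:-/Library/Application Support/PaloAltoNetworks/Traps/bin/cytool}"

# stop_agent PASSWORD
# Returns 0 if cytool succeeds, 1 if cytool fails (e.g. wrong password),
# 2 if cytool is not present, 3 if no password was supplied.
stop_agent() {
    if [ ! -x "$CYTOOL" ]; then
        echo "cytool not found at $CYTOOL (agent not installed?)" >&2
        return 2
    fi
    if [ -z "$1" ]; then
        echo "no password supplied; refusing to call cytool" >&2
        return 3
    fi
    # Password goes over stdin, so it never appears in the process list.
    # No "sudo -b": Jamf runs policy scripts as root, and backgrounding the
    # call would hide cytool's exit status from the policy log.
    if printf '%s\n' "$1" | "$CYTOOL" runtime stop all; then
        return 0
    fi
    echo "cytool runtime stop all failed" >&2
    return 1
}

# Jamf reserves $1-$3 (mount point, computer name, user name); custom
# script parameters start at $4. Only act when Jamf-style arguments exist.
if [ "$#" -ge 4 ]; then
    stop_agent "$4"
    exit $?
fi
```

A non-zero exit marks the Jamf policy run as failed, so later cleanup steps can be made conditional on the agent actually having stopped.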