This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Howard_Gyton
Advisor
‎2022-02-22 03:02 AM

Endpoint on Mac: Uninstalling the E85.30 ME blade

Hi,

We have a user who has problem accessing USB devices on their Mac that is running E85.30.

I exported a new package from the server that was the same version, but had the ME blade unticked at export.  When this was installed, which finished without error, I noticed in the console that the ME blade's status was "Off", and a plugged in memory stick could be read.

We rebooted the laptop, expecting the ME blade to be removed entirely from the console, but instead it was still there, and active.

I had no luck finding anything about this on the support site, and not much here either.  I did find in the installation folder a number of scripts, including one called "uninstall_ME.sh", however this just generates errors when it is run.

Is there another process to call this script?  The fall back would be to remove the entirety of Endpoint, including Filevault, then re-install the newly exported package with ME missing, but I was hoping to avoid that.

0 Kudos
17 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-02-22 05:16 AM

Have you considered testing E86.20 here?

CCSM R77/R80/ELITE
0 Kudos
Howard_Gyton
Advisor
‎2022-02-22 06:32 AM
In response to Chris_Atkinson

I hadn't.  But I would if it allowed for the selective adding/removing of blades as the Windows version does, even if it is locally driven rather than from the Endpoint server.

Chris_Atkinson
Employee Employee
Employee
‎2022-02-22 06:39 AM
In response to Howard_Gyton

R81.10 introduced deployment rules support for MacOS clients but I've not tested the granularity of the same.

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend
Legend
‎2022-02-22 06:37 AM

Just curious...what is exact error when you run that script? Have you tried running it with sudo flag?

Andy

0 Kudos
Howard_Gyton
Advisor
‎2022-02-22 07:13 AM
In response to the_rock

Yes, and as root, though I didn't actually think that would make a difference.

There isn't any one error if I remember right, but about two screens worth of individual files reporting "operation not permitted" or similar.  I suspect it was trying to delete the files, and didn't have the rights to do so, as if an active process was protecting them.  Perhaps trying it in Safe Mode would be one thing to try?

the_rock
Legend
Legend
‎2022-02-22 07:16 AM
In response to Howard_Gyton

Actually yes! Thats excellent suggestion...did not think of that, but I am positive it would work. Let us know if you can try that.

Andy

0 Kudos
Howard_Gyton
Advisor
‎2022-02-22 09:26 AM
In response to the_rock

The colleague with the laptop in question will be back in the office on Thursday, so I hope to give Safe Mode a go then.  I will report back.

the_rock
Legend
Legend
‎2022-02-22 09:57 AM
In response to Howard_Gyton

Im not nearly as Mac expert as @PhoneBoy , but I guess the fact I had old grape mac desktop qualifies me for something : - ). Not sure if below link might help in your situation?

http://www.macosxtips.co.uk/index_files/tips-for-deleting-stubborn-files.php#:~:text=To%20delete%20a....

0 Kudos
Howard_Gyton
Advisor
‎2022-02-23 01:26 AM
In response to the_rock

I think forcibly deleting files out from under Endpoint might be a bad thing to do.

0 Kudos
the_rock
Legend
Legend
‎2022-02-23 05:31 AM
In response to Howard_Gyton

I get your point...might be a bit risky, thats true, but at least probably better than removing the whole thing.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-02-22 12:27 PM

Your best bet is to uninstall the fill Endpoint client and try again.
I suspect the reason you can't delete the files in question is the self-protection mechanisms built into the product.

0 Kudos
Howard_Gyton
Advisor
‎2022-02-23 01:24 AM
In response to PhoneBoy

I fear you may be right.  Any idea what those various "uninstall_<blade>.sh" scripts might be for in that case?  I know if I run the "uninstall.sh" script it will remove the entire product, after first triggering decrypt, so I assume there is a way to do this selectively.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-02-23 07:38 AM
In response to Howard_Gyton

I assume those install_<blade>.sh scripts are meant to be called from the larger uninstall.sh script.
Perhaps there's a way to selectively trigger it, but offhand, I don't know if that's possible.
Might be worth a TAC case.

jcortez
Employee
Employee
‎2022-03-07 07:17 AM
In response to PhoneBoy

@Howard_Gyton 

It is not possible to handle individual blades installations offline like you can do with Windows. The only option you have for our macOS clients is the full exported package or Software Deployment rules. We are limited to just these options because of Apple's architecture and them limiting what 3rd Party Security products can do on their systems and OS since they like to control what software does.

 

If there is a suspicion with the Self Protection with our macOS client then I would suggest trying this SK.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
0 Kudos
Howard_Gyton
Advisor
‎2022-03-07 07:25 AM
In response to jcortez

I know it doesn't work like the PC.  I did use an exported package that had everything minus the ME blade, and installed that over the top, hoping that it would remove the ME blade, but it didn't.

During the install I could see that the ME blade's status changed to something like Inactive(?), but after a reboot the ME blade was running again.

I'm sure I've used that process to add a blade, but is it possible to remove them also?  If not it seems a pretty weak solution to have to do a full de-install, and decrypt, just to add one blade.

0 Kudos
jcortez
Employee
Employee
‎2022-03-07 07:42 AM
In response to Howard_Gyton

@Howard_Gyton 

No, the method of installing a different package with the blade(s) not included on top of what is already installed will not work. The same will not work on Windows installations without using the msiexec cli cmd and providing the blade mask.

 

Again if you want to remove and or add blades on macOS clients without having to uninstall and reinstall the client you will have to use Software Deployment Rules. This is only supported in GA though since E86.20 macOS client and your Endpoint Server version would need to be R81.10.

Enterprise Endpoint Security E86.20 macOS Client

Capture5.PNG


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
Howard_Gyton
Advisor
‎2022-03-07 07:44 AM
In response to jcortez

Great, thanks for the clarification.  We are pushing E62.20, but still have an R80.30 server.  I'll look to upgrade to R81.10 in that case.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events