how to uninstall SEP 12.1 using Symantec’s own script

Symantec has always had a reputation for being difficult to completely remove from a computer once it’s been installed, on both PCs and Macs. Luckily Symantec HAS provided a nice convenient removal script to completely uninstall SEP 12.1 from Mac OS X. However, this removal script was not built for unattended removals and still requires some user interaction to elevate privileges – fine for a small business, but not a global enterprise. It can be automated to an extent when using Apple Remote Desktop, but one is still required to specify to run the command as ‘root.’ If the uninstall is part of a larger workflow or the company simply does not employ ARD for Mac management, this solution can become unwieldy at best.

A quick look at Symantec’s removal script quickly reveals that it will not be easy or fast to rewrite, and cannot be simply imported into JAMF’s Casper Suite as it requires user interaction and will just continually fail when run through Remote (and would likely do so with other Mac management tools). With this information in mind I set out to incorporate the .command file into the larger Symantec Endpoint Protection.mpkg installer. My goal was to simply include this .command file in the /Library/Application Support/Symantec/Uninstaller folder where it is inaccessible to my end users, but available to JAMF tools, and since the script is smart enough to know if it’s being run as sudo (and therefore requires no interaction), Casper Remote can simply call the .command file and be done with it.

The first step is to package the .command file so we can include it in the .mpkg installer. This way the removal script will always be included with the rest of the Symantec software. Using Composer I packaged it in the following directory: /Library/Application Support/Symantec/Uninstaller and changed the permissions so that only root and the admin group can read, write, and execute it.

The second step is easy: just copy it to the /Contents/Resources directory inside the Symantec Endpoint Protection.mpkg metapackage. To do this right click (control click) the metapackage and choose Show Package Contents. Then navigate to the Contents/Resources folder and copy your removal script package in here – I named mine RemoveSymantecMacFiles.command.pkg.

Next we need to specify that this is a required package since the assumption is that SEP 12.1 is being deployed en masse, unattended. To do this, open the Info.plist file for the metapackage located inside the Contents folder. Add the following XML code to the file (inside the <IFPkgFlagPackageList> array)


Now when launching the .mpkg by double clicking it, you’ll see that the Symantec Removal package we created above will be installed by default and cannot be toggled off.

To run this via Casper Remote, simply write a shell script that first navigates to the folder with the removal .command and then executes it:

cd /Library/Application\ Support/Symantec/Uninstaller
## Run this in the background (&)
./RemoveSymantecMacFiles.command -A &
## Get the Process ID of the last comand run in the background ($!)
UninstallPID=`echo "$!"`
## Wait for the comand to finish before rebooting
wait $UninstallPID

Uninstalling Symantec requires that the computer be rebooted, so we add a reboot command to the end of this script. To make the script smarter, we issue the RemoveSymantecMacFiles.command in the background with the & switch, then grab the PID of this command with the $! command and wait for it to complete. This will ensure that the Symantec removal completes before the computer reboots since the removal commands are not in the script being run by Casper and rather are run in a separate process (unless we wait for that process to finish, the reboot will be issued immediately). Since Casper Remote runs every operation as sudo, the Symantec removal command does not require any user interaction.

About this entry