- Jamf Nation Community
- Products
- Jamf Pro
- Uninstall Cortex XDR
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-15-2025 12:34 PM
Hey Jamf Nation,
I'm currently trying to uninstall Cortex XDR from company devices, but I'm encountering an error that says "Uninstaller not found." The uninstaller is located in the folder '/Library/Application Support/PaloAltoNetworks/Traps/bin/'.
Do you have any recommendations or suggestions? Here is my script for the uninstallation:
#!/bin/bash
# Set your master key here
MASTER_KEY="master-key-here"
# Path to the uninstaller app
UNINSTALLER_APP="/Library/Application\ Support/PaloAltoNetworks/Traps/bin"
# Check if the uninstaller exists
if [ ! -d "$UNINSTALLER_APP" ]; then
echo "Uninstaller not found at $UNINSTALLER_APP"
exit 1
fi
# Launch the uninstaller and enter the tamper protection key
osascript <<EOF
tell application "$UNINSTALLER_APP"
activate
end tell
delay 2
tell application "System Events"
tell process "Cortex XDR Uninstaller"
repeat until exists window 1
delay 1
end repeat
set frontmost to true
# Enter the tamper protection key
set value of text field 1 of window 1 to "$MASTER_KEY"
click button "Uninstall" of window 1
end tell
end tell
EOF
Alvaro Ortiz
Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-21-2025 06:36 AM
Cortex has a K-Base article on their uninstaller workflow - https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/8.6/Cortex-XDR-Agent-Administrator-Guide/Unins...
I took that info and wrote a script based on the steps.
#!/bin/sh
# Cortex XDR Uninstaller with variable password.sh
#
# Created by Ed C. on 1/24/25.
#
#####################
# Pulling from the KBase here
# https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/8.6/Cortex-XDR-Agent-Administrator-Guide/Uninstall-the-Cortex-XDR-Agent-for-Mac
#####################
# Using the command here
# /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cortex_xdr_uninstaller_tool --help
# Usage:
# Get password from stdin: cortex_xdr_uninstaller_tool
# Get password from command line: cortex_xdr_uninstaller_tool <password>
# Will pass the password as a Jamf parameter for $4
#####################
#####################
# Begin work
#####################
XDR_Token=$4
/Library/Application\ Support/PaloAltoNetworks/Traps/bin/cortex_xdr_uninstaller_tool $XDR_Token
# Check if the directory is empty and remove it if it is
if [ -d "/Library/Application Support/PaloAltoNetworks" ]; then
if [ -z "$(ls -A "/Library/Application Support/PaloAltoNetworks")" ]; then
echo "Directory /Library/Application Support/PaloAltoNetworks is empty. Removing it now..."
rmdir "/Library/Application Support/PaloAltoNetworks"
echo "Directory /Library/Application Support/PaloAltoNetworks has been removed."
exit 0
else
echo "Directory /Library/Application Support/PaloAltoNetworks is not empty. Exiting with error."
exit 1
fi
else
echo "Directory /Library/Application Support/PaloAltoNetworks does not exist."
exit 0
fi
exit 0
Reply
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-15-2025 12:40 PM
One thing I noticed was that here:
# Path to the uninstaller app
UNINSTALLER_APP="/Library/Application\ Support/PaloAltoNetworks/Traps/bin"It might need it to be this instead since you’ve got the path in quotes:
# Path to the uninstaller app
UNINSTALLER_APP="/Library/Application Support/PaloAltoNetworks/Traps/bin"
Reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-17-2025 01:19 PM
You could just composer your own uninstaller by packaging the binary to put it where it is supposed to be or some type of landing zone like /tmp. Then use your post install script to call the binary from the landing zone location. Make a check-in policy in Jamf and deploy.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-21-2025 06:36 AM
Cortex has a K-Base article on their uninstaller workflow - https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/8.6/Cortex-XDR-Agent-Administrator-Guide/Unins...
I took that info and wrote a script based on the steps.
#!/bin/sh
# Cortex XDR Uninstaller with variable password.sh
#
# Created by Ed C. on 1/24/25.
#
#####################
# Pulling from the KBase here
# https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/8.6/Cortex-XDR-Agent-Administrator-Guide/Uninstall-the-Cortex-XDR-Agent-for-Mac
#####################
# Using the command here
# /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cortex_xdr_uninstaller_tool --help
# Usage:
# Get password from stdin: cortex_xdr_uninstaller_tool
# Get password from command line: cortex_xdr_uninstaller_tool <password>
# Will pass the password as a Jamf parameter for $4
#####################
#####################
# Begin work
#####################
XDR_Token=$4
/Library/Application\ Support/PaloAltoNetworks/Traps/bin/cortex_xdr_uninstaller_tool $XDR_Token
# Check if the directory is empty and remove it if it is
if [ -d "/Library/Application Support/PaloAltoNetworks" ]; then
if [ -z "$(ls -A "/Library/Application Support/PaloAltoNetworks")" ]; then
echo "Directory /Library/Application Support/PaloAltoNetworks is empty. Removing it now..."
rmdir "/Library/Application Support/PaloAltoNetworks"
echo "Directory /Library/Application Support/PaloAltoNetworks has been removed."
exit 0
else
echo "Directory /Library/Application Support/PaloAltoNetworks is not empty. Exiting with error."
exit 1
fi
else
echo "Directory /Library/Application Support/PaloAltoNetworks does not exist."
exit 0
fi
exit 0
Reply
