The aim is to prevent even root users from uninstalling our app on their mac.
Apparently, many security applications have this sort of functionality wherein a user(even with root privilege) can not uninstall or tamper with the agent on their machine.
I tried tampering/deleting an antivirus app on Catalina but I failed and noticed a few interesting things:
2. The application is installed in /Library directory rather than the usual /Applications directory.
The folder does not have any extended attributes. I can not delete this folder or any of its subfolders and getting permission denied error even as root.
3. The app has a bunch of launchdaemons but I can not remove them (again tried as root)
4. Tried killing the processes, again operation not permitted.
5. The app comes with an uninstaller which can somehow uninstall the app, but it needs a special password (separate from system password) to be entered to work
Many of Apple's own apps and services have this sort of behavior but they come with the system and are backed up by System Integrity Protection.
Note: Ours is an enterprise app that will be installed on machines owned by the companies and managed by IT but end users will have root access on their machine.
Apparently, many security applications have this sort of functionality wherein a user(even with root privilege) can not uninstall or tamper with the agent on their machine.
I tried tampering/deleting an antivirus app on Catalina but I failed and noticed a few interesting things:
It has a kernel extension. But I can not remove the kernel extension(as root).
Code Block #kextunload /Library/Extensions/***.kext (kernel) Kext com.***.kext did not stop (return code 0x5). (kernel) Kext com.***.kext can't unload - module stop returned 0xdc008017. Failed to unload com.***.kext - (libkern/kext) kext (kmod) start/stop routine failed.
2. The application is installed in /Library directory rather than the usual /Applications directory.
Code Block drwxr-xr-x 7 root wheel 224 Oct 28 14:40 xxxx
The folder does not have any extended attributes. I can not delete this folder or any of its subfolders and getting permission denied error even as root.
3. The app has a bunch of launchdaemons but I can not remove them (again tried as root)
Code Block #launchctl remove com.***.***. Not privileged to remove service.
4. Tried killing the processes, again operation not permitted.
5. The app comes with an uninstaller which can somehow uninstall the app, but it needs a special password (separate from system password) to be entered to work
Many of Apple's own apps and services have this sort of behavior but they come with the system and are backed up by System Integrity Protection.
How can a third-party app achieve this sort of behavior? This is not unique to this particular application but antivirus have similar sort of features. Any insight on how to achieve this..
Note: Ours is an enterprise app that will be installed on machines owned by the companies and managed by IT but end users will have root access on their machine.