Endpoint Security Extension removal by root

Question

Created Jan ’25

Replies 3

Boosts 0

Participants 3

Is this always possible using systemextensionsctl by root? Is there a way to prevent root from removing an Endpoint Security Extension? The use case is for a Mac managed by AirWatch.

Answered by DTS Engineer in 822299022

Last I checked the uninstall command only works if you disable SIP:

  
% sw_vers
ProductName:            macOS
ProductVersion:         15.2
BuildVersion:           24C101
% systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.network_extension (…)
enabled active  teamID          bundleID (version)                               …
*       *       SKMME9E2Y8      com.example.apple-samplecode.QNE2FilterMac.SysEx …
% sudo systemextensionsctl uninstall SKMME9E2Y8 com.example.apple-samplecode.QNE2FilterMac.SysEx
At this time, this tool cannot be used if System Integrity Protection is enabled.
This limitation will be removed in the near future.
Please remember to re-enable System Integrity Protection!

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

Jan ’25

Accepted Answer

Recommended

Last I checked the uninstall command only works if you disable SIP:

  
% sw_vers
ProductName:            macOS
ProductVersion:         15.2
BuildVersion:           24C101
% systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.network_extension (…)
enabled active  teamID          bundleID (version)                               …
*       *       SKMME9E2Y8      com.example.apple-samplecode.QNE2FilterMac.SysEx …
% sudo systemextensionsctl uninstall SKMME9E2Y8 com.example.apple-samplecode.QNE2FilterMac.SysEx
At this time, this tool cannot be used if System Integrity Protection is enabled.
This limitation will be removed in the near future.
Please remember to re-enable System Integrity Protection!

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

Etresoft OP

Jan ’25

Did you check the new uninstall functionality in Sequoia System Settings?

0

Answer 3

pnelson OP

Jan ’25

The right to change these switches is com.apple.system-extensions.admin

1


	% sw_vers
	ProductName: macOS
	ProductVersion: 15.2
	BuildVersion: 24C101
	% systemextensionsctl list
	1 extension(s)
	--- com.apple.system_extension.network_extension (…)
	enabled active teamID bundleID (version) …
	* * SKMME9E2Y8 com.example.apple-samplecode.QNE2FilterMac.SysEx …
	% sudo systemextensionsctl uninstall SKMME9E2Y8 com.example.apple-samplecode.QNE2FilterMac.SysEx
	At this time, this tool cannot be used if System Integrity Protection is enabled.
	This limitation will be removed in the near future.
	Please remember to re-enable System Integrity Protection!