Unable to uninstall Velociraptor client on Mac

[dgilmore82]

Hello,

I have deployed a Velociraptor server and have connected some clients to it to test out (Windows, Linux, Mac..). It looks like it pretty straight forward installing the clients. When it comes to removing the client on Mac host, we are still seeing the service running when we run he following command: /usr/local/sbin/velociraptor service remove --config=/usr/local/sbin/velociraptor.config.yaml

from this post: https://docs.velociraptor.app/docs/deployment/clients/#mac

Our Mac admin confirmed that the associated files with the client are still there. Just trying to get a better understanding of how the client is removed from Macs. Is it just killing the service and we have to clean the metadata up manually or is there something we are not doing right.

Thanks

[scudette]

As you can see here https://github.com/Velocidex/velociraptor/blob/96c58345abfebc69764a59a1905cdf95e0ade65a/bin/installer_darwin.go#L46-L65

The service remove command essentially just calls launchctl unload - so it does not remove any files but stops the service from automatically starting next time.

Due to the requirements on MacOS people dont normally install Velociraptor using the built in installer. If you do there is no way to give Velociraptor full disk access (other than the user manually giving it that). Usually people use MDM to deploy a TCT signed package which they need to build by themselves (and sign).

So normally uninstall is managed via the MDM software and that is what is properly cleaning up files etc.

[dgilmore82]

Hello @scudette, is there any documentation for how to deploy MacOs clients via MDM?

[scudette]

This is usually done with the MDM software - see for example https://docs.jamf.com/composer/10.36.0/user-guide/Package_Building.html for one example of such software.

[scudette]

There is this talk which covers it pretty well https://docs.velociraptor.app/presentations/2022_velocon/#mac-response--the-good-the-bad-and-the-ugly