This is what the product guide is saying, and it worked for me:
| To remove... | Use this command... |
| --- | --- |
| All modules | sudo /usr/local/McAfee/uninstall EPM |
| Threat Prevention module | sudo /usr/local/McAfee/uninstall ThreatPrevention |
| Firewall module | sudo /usr/local/McAfee/uninstall Firewall |
| Web Control module | sudo /usr/local/McAfee/uninstall WebControl |
Some of these install commands will prompt for ePO password. Not sure you can script, since the command is interactive.
Via Casper we run an enforce script that checks the health of McAfee. All our users are admins so they can try and tinker and break things. McAfee does not have self healing abilities for partial installs and you'll see the uninstall scripts failing to remove. Our enforce script, if an issue is found, runs our own ripoff script. It kills user level processes, launch agents, launch daemons and then unloads any kernel extensions. Then all filesystem locations are removed and the user and groups used are removed also.
Generally no reboot required, then our enforce script calls a secondary payload script to deploy a new install of McAfee.
We have found this works best for keeping things in check as relying on the McAfee installers / agents is not good enough. Shoot, even Casper doesn't self heal. We have our own daemon for that, well before such a thing was posted on jamfnation.
Anyway, I can share that bash function if anyone wants it.
Here is a modified script whose only purpose is to rip off McAfee versions 2.3.0 through 10.2.1. Now this works great for us but we do not use anything other than Threat Protection in version 10.2.1. If you use more modules in 10.2.1 this will most likely miss various services and kernel extensions.
Please see the attached zip file. Simple bash script. If you feel up to it, you can add files or folders to the arrays if you want to expand upon it.
Must be run as root
RipOff_McAfee.sh.zip 2.1 K
Here is our avEnforce.sh script that runs from Casper once a day. This script is geared for 10.2.1 currently. This script will ripoff and remove McAfee when it finds a lower version or components are missing or unloaded. It supports removal from 2.3.0 up to 10.2.1. However on 10.2.1 it is only coded to remove properly if you use Threat Protection only. If you have the entire suite installed this requires you to add more kernel exts and files I'm sure. For 2.3.0 it will remove the entire suite.
At the end of the script after it has forcibly removed McAfee it will call jamf policy -event. You need to have a payload policy that can be called to install McAfee new.
This is how we manage the environment because at 43,000 Macs we have found that this is the only way to keep users from breaking things. Like when they do a Time Machine restore or a Migration Assistant. If they don't choose everything it will not bring over the users that McAfee needs and it will be hosed. This script deals with that.
Hope this helps someone.
avEnforce.sh.zip 3.1 K
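The decision step described in the post above (reinstall when the installed version is lower than required, or when a component is missing or unloaded), as an added example that is not part of the original posts and not taken from avEnforce.sh. The function names and the name=state argument format are assumptions made for illustration; the version fields are compared numerically because a string comparison would rank 10.2.1 below 2.3.0.

```shell
#!/bin/sh
# Added illustration; every name here is hypothetical, not from avEnforce.sh.

# version_lt A B: exit 0 when dotted version A is older than B.
# Each field is compared as a number, so 2.3.0 sorts before 10.2.1.
version_lt() {
    local a b x y
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                       # leading field of each
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac   # drop that field
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}                         # missing field counts as 0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1                                         # equal is not "older"
}

# enforce_decision INSTALLED REQUIRED [name=state ...]
# The caller gathers each component's state; anything other than "loaded"
# counts as broken. Prints "ok" or "reinstall:<reason>".
enforce_decision() {
    local installed required s
    installed=$1; required=$2
    shift 2
    case $installed in
        ''|*[!0-9.]*) echo "reinstall:no-valid-version"; return 0 ;;
    esac
    if version_lt "$installed" "$required"; then
        echo "reinstall:version-$installed-older-than-$required"; return 0
    fi
    for s in "$@"; do
        case $s in
            *=loaded) ;;
            *) echo "reinstall:component-${s%%=*}-${s#*=}"; return 0 ;;
        esac
    done
    echo "ok"
}

# Constructed sample states; a real caller would collect these on the Mac
# and, on "reinstall", run its removal step and then jamf policy -event
# with its own event name.
enforce_decision 2.3.0 10.2.1 daemon=loaded
enforce_decision 10.2.1 10.2.1 daemon=loaded kext=unloaded
```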
The only problem with any removal scripts is if you've got a password set at the ePO level, any script you use would have to be interactive. Not sure how you'd automate that, given how password protection works on their product.
Any self healing solution for Casper would have to accommodate MDM health, which is contingent on SCEP, etc.; automating "health" of that agent would be best effort.
For the JSS shell script used to determine current logged in user, might want to use Apple's method that accommodates Fast User Switching:
CurrentUser=$( python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");' )
For Casper I'm not talking about if the backend solution is messed up, sure if those are not there then nothing will help. However I'm talking about local breakage on the Mac. If a user does a Migration Assistant this breaks the device cert and thus Casper enrollment. Users removing jamf themselves or black holing various folders and binaries... yes, our users are all admins and engineers. Our daemon detects these issues and gets the Mac enrolled again. If we can enroll then MDM is working and we can check profiles that are installed also but we are most interested in getting the agent installed and enrollment successful. It has worked well for us and each place is different. It's just none of this is built in to the solution that is JAMF Pro.
We are able to ripoff and remove McAfee even with password enforcement enabled, using our ripoff script. It cannot stop root from unloading daemons and kernel extensions the way it's currently designed. At least in previous versions. I will admit since we don't use this I have not tested this on 10.2.1.
We don't use fast user switching; it's not allowed, so never needed that code.
Again only sharing what we have, no idea if it fits the bill for others out there...