Uninstalling macOS system extensions
With the ongoing change from kernel extensions to system extensions, one new thing Mac admins will need to learn is how to uninstall system extensions. Fortunately, Apple has provided a tool as of macOS Catalina that assists with this: systemextensionsctl
If you run the systemextensionsctl command by itself, you should get the following information about usage:
systemextensionsctl: usage:
systemextensionsctl developer [on|off]
systemextensionsctl list [category]
systemextensionsctl reset - reset all System Extensions state
systemextensionsctl uninstall ; can also accept '-' for teamID
The last verb, uninstall, is what allows us to remove system extensions.
To uninstall a system extension using systemextensionsctl, you need to provide the following:
- Team identifier of the certificate used to sign the system extension
- Bundle identifier for the system extension
Locating Team and bundle identifiers
You can identify team and bundle identifiers by locating the system extension in question inside the application and running the following commands:
To identify the Team identifier:
codesign -dvvv /path/to/name_goes_here.systemextension 2>&1 | awk -F= '/^TeamIdentifier/ {print $NF}'
To identify the bundle identifier:
codesign -dvvv /path/to/name_goes_here.systemextension 2>&1 | awk -F= '/^Identifier/ {print $NF}'
For example, Microsoft Defender ATP currently has several system extensions within its application bundle:
- /Applications/Microsoft Defender ATP.app/Contents/Library/SystemExtensions/com.microsoft.wdav.epsext.systemextension
- /Applications/Microsoft Defender ATP.app/Contents/Library/SystemExtensions/com.microsoft.wdav.netext.systemextension
- /Applications/Microsoft Defender ATP.app/Contents/Library/SystemExtensions/com.microsoft.wdav.tunnelext.systemextension
To find the bundle identifier for the com.microsoft.wdav.epsext.systemextension system extension, run the command shown below:
codesign -dvvv "/Applications/Microsoft Defender ATP.app/Contents/Library/SystemExtensions/com.microsoft.wdav.epsext.systemextension" 2>&1 | awk -F= '/^Identifier/ {print $NF}'
That should give you the following output:
username@computername ~ % codesign -dvvv "/Applications/Microsoft Defender ATP.app/Contents/Library/SystemExtensions/com.microsoft.wdav.epsext.systemextension" 2>&1 | awk -F= '/^Identifier/ {print $NF}'
com.microsoft.wdav.epsext
username@computername ~ %
To find the Team identifier for the com.microsoft.wdav.epsext.systemextension system extension, run the command shown below:
codesign -dvvv "/Applications/Microsoft Defender ATP.app/Contents/Library/SystemExtensions/com.microsoft.wdav.epsext.systemextension" 2>&1 | awk -F= '/^TeamIdentifier/ {print $NF}'
That should give you the following output:
username@computername ~ % codesign -dvvv "/Applications/Microsoft Defender ATP.app/Contents/Library/SystemExtensions/com.microsoft.wdav.epsext.systemextension" 2>&1 | awk -F= '/^TeamIdentifier/ {print $NF}'
UBF8T346G9
username@computername ~ %
Uninstalling a system extension
Once you have both, you can run the following command with root privileges to uninstall a system extension:
systemextensionsctl uninstall Team_Identifier_Goes_Here Bundle_Identifier_Goes_Here
For example, if you wanted to uninstall Microsoft Defender’s com.microsoft.wdav.epsext.systemextension system extension, you would run the following command with root privileges:
systemextensionsctl uninstall UBF8T346G9 com.microsoft.wdav.epsext
Note: As of September 1, 2020, running the systemextensionsctl uninstall command requires System Integrity Protection (SIP) to be disabled. This limitation is supposed to be removed by Apple at some point in the very near future.
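The two lookups and the uninstall command above, combined into one script, as an added example that is not part of the original post. It checks both identifiers before printing the command for review; the function names and the sample codesign output are constructed (only the two identifiers come from the post), and the "TeamIdentifier=not set" line that codesign reports for ad-hoc signed code is treated as a failure.

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed samples of `codesign -dvvv` output. The identifiers in the first
# sample are the ones shown in the post; the other lines are placeholders.
SAMPLE_SIGNED='Executable=/path/to/name_goes_here.systemextension/Contents/MacOS/name_goes_here
Identifier=com.microsoft.wdav.epsext
Format=bundle with Mach-O universal (x86_64 arm64)
TeamIdentifier=UBF8T346G9'
SAMPLE_ADHOC='Executable=/path/to/name_goes_here.systemextension/Contents/MacOS/name_goes_here
Identifier=com.example.unsigned
TeamIdentifier=not set'

# Print the value of one "Key=value" line from codesign output on stdin.
# Exact key match, so "Identifier" never picks up the "TeamIdentifier" line.
codesign_field() {
    awk -F= -v key="$1" '$1 == key { print $2; exit }'
}

# Read `codesign -dvvv` output on stdin and print the uninstall command for
# review. Returns 1 if either identifier is missing or malformed.
build_uninstall_cmd() {
    info=$(cat)
    team=$(printf '%s\n' "$info" | codesign_field TeamIdentifier)
    bundle=$(printf '%s\n' "$info" | codesign_field Identifier)

    # Team IDs are 10 characters (uppercase letters and digits). Ad-hoc signed
    # code reports "not set", which fails this check.
    if ! printf '%s\n' "$team" | grep -Eq '^[A-Z0-9]{10}$'; then
        echo "unusable TeamIdentifier: '$team'" >&2
        return 1
    fi
    # Bundle IDs are limited to letters, digits, '.' and '-'; anything else
    # must not reach a command that runs as root.
    if ! printf '%s\n' "$bundle" | grep -Eq '^[A-Za-z0-9.-]+$'; then
        echo "unusable Identifier: '$bundle'" >&2
        return 1
    fi
    printf 'systemextensionsctl uninstall %s %s\n' "$team" "$bundle"
}

# On a Mac, pass the path to a .systemextension bundle as the first argument.
if [ -n "${1:-}" ]; then
    codesign -dvvv "$1" 2>&1 | build_uninstall_cmd
fi
```

The script only prints the command; running it is still subject to the root and SIP requirements described above.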
This information is *so* timely for me. Thanks, as always, for another really thorough and helpful post.
Nice writeup. Here’s some other info I found on system extensions while spelunking around recently. Maybe of use to someone reading this article. https://gist.github.com/nstrauss/ebca31a8110f6429ea4f2f91f4a7257b
Thanks for the tips
How the heck are AV and firewall administrators able to do their job when they can’t remotely and silently remove or upgrade *.systemextensions?
Firstly, thank you (@rtrouton) very much for your helpful post.
So, after deleting all files/folders associated with an anti-virus/malware app I downloaded, a leftover folder&file would not delete from library/systemextensions.
As your post notes, SIP has to be first disabled.
I ultimately was able to remove the folder/file using your instructions, but first had to …
(1) gain root access and
(2) disable SIP.
[Important: Reversed those settings after finishing job].
This is to thank you (@rtrouton) for your instructions, also to share the additional steps that allowed the deletion of said folder/file. Could be useful to yet others.
(1) gain root access (https://support.apple.com/en-us/HT204012), and
(2) disable SIP (https://www.imore.com/how-turn-system-integrity-protection-macos).
We are now in Feb 2021 and SIP is still required to use this on macOS 11.
Just tested with macOS 11.2 (April 2021). Still have to have SIP disabled for this to work.
**Locating Team and bundle identifiers**
`systemextensionsctl list`
will list the extensions, and you can get the TeamID and BundleID from that list
As of January 2022 you still need SIP disabled. Sucks
Is there any way you found to do it?
To disable SIP:
Reboot into recovery mode (hold down Cmd-R on an Intel Mac or follow the instructions here for Apple Silicon: https://support.apple.com/en-gb/guide/mac-help/mchl82829c17/13.0/mac/13.0 )
When in recovery mode open the Terminal (from the Utilities menu) and at the command prompt type: csrutil disable
You can then reboot and will be able to disable the kernel extension as explained in a previous post.
Just remember to repeat the step, re-enabling SIP when you’re finished using the “csrutil enable” command.
Thank you very much. You saved me from that criminal Avira extension that there was no way to remove.
Lol, almost 4 years later and it is still coming soon!