Home > Mac administration, macOS > Uninstalling macOS system extensions

Uninstalling macOS system extensions

With the ongoing change from kernel extensions to system extensions, one new thing Mac admins will need to learn is how to uninstall system extensions. Fortunately, Apple has provided a tool as of macOS Catalina that assists with this: systemextensionsctl

If you run the systemextensionsctl command by itself, you should get the following information about usage:

systemextensionsctl: usage:
	systemextensionsctl developer [on|off]
	systemextensionsctl list [category]
	systemextensionsctl reset  - reset all System Extensions state
	systemextensionsctl uninstall  ; can also accept '-' for teamID

The last verb, uninstall, is what allows us to remove system extensions. For more details, please see below the jump.

To uninstall a system extension using systemextensionsctl, you need to provide the following:

  • Team identifier of the certificate used to sign the system extension
  • Bundle identifier for the system extension

Locating Team and bundle identifiers

You can identify team and bundle identifiers by locating the system extension in question inside the application and running the following commands:

To identify the Team identifier:

codesign -dvvv /path/to/name_goes_here.systemextension 2>&1 | awk -F= '/^TeamIdentifier/ {print $NF}'

To identify the bundle identifier:

codesign -dvvv /path/to/name_goes_here.systemextension 2>&1 | awk -F= '/^Identifier/ {print $NF}'

For example, Microsoft Defender ATP currently has several system extensions within its application bundle:

  • /Applications/Microsoft Defender ATP.app/Contents/Library/SystemExtensions/com.microsoft.wdav.epsext.systemextension
  • /Applications/Microsoft Defender ATP.app/Contents/Library/SystemExtensions/com.microsoft.wdav.netext.systemextension
  • /Applications/Microsoft Defender ATP.app/Contents/Library/SystemExtensions/com.microsoft.wdav.tunnelext.systemextension

To find the bundle identifier for the com.microsoft.wdav.epsext.systemextension system extension, run the command shown below:

codesign -dvvv "/Applications/Microsoft Defender ATP.app/Contents/Library/SystemExtensions/com.microsoft.wdav.epsext.systemextension" 2>&1 | awk -F= '/^Identifier/ {print $NF}'

That should give you the following output:

username@computername ~ % codesign -dvvv "/Applications/Microsoft Defender ATP.app/Contents/Library/SystemExtensions/com.microsoft.wdav.epsext.systemextension" 2>&1 | awk -F= '/^Identifier/ {print $NF}'
com.microsoft.wdav.epsext
username@computername ~ %

To find the Team identifier for the com.microsoft.wdav.epsext.systemextension system extension, run the command shown below:

codesign -dvvv "/Applications/Microsoft Defender ATP.app/Contents/Library/SystemExtensions/com.microsoft.wdav.epsext.systemextension" 2>&1 | awk -F= '/^TeamIdentifier/ {print $NF}'

That should give you the following output:

username@computername ~ % codesign -dvvv "/Applications/Microsoft Defender ATP.app/Contents/Library/SystemExtensions/com.microsoft.wdav.epsext.systemextension" 2>&1 | awk -F= '/^TeamIdentifier/ {print $NF}'
UBF8T346G9
username@computername ~ %

Uninstalling a system extension

Once you have both, you can run the following command with root privileges to uninstall a system extension:

systemextensionsctl uninstall Team_Identifier_Goes_Here Bundle_Identifier_Goes_Here

For example, if you wanted to uninstall Microsoft Defender’s com.microsoft.wdav.epsext.systemextension system extension, you would run the following command with root privileges:

systemextensionsctl uninstall UBF8T346G9 com.microsoft.wdav.epsext

Note: As of September 1, 2020, running the systemextensionsctl uninstall command requires System Integrity Protection (SIP) to be disabled. This limitation is supposed to be removed by Apple at some point in the very near future.

 

Categories: Mac administration, macOS
  1. Bruce-at-UMass
    September 1, 2020 at 7:29 pm

    This information is *so* timely for me. Thanks, as always, for another really thorough and helpful post.

  2. Nathaniel S
    September 2, 2020 at 1:58 am

    Nice writeup. Here’s some other info I found on system extensions while spelunking around recently. Maybe of use to someone reading this article. https://gist.github.com/nstrauss/ebca31a8110f6429ea4f2f91f4a7257b

  3. September 11, 2020 at 12:23 am

    Thanks for the tips

  4. November 17, 2020 at 7:19 pm

    How the heck are AV and firewall administrators able to do their job when they can’t remotely and silently remove or upgrade *.systemextensions?

  5. Moto
    December 12, 2020 at 1:28 pm

    Firstly, thank you (@rtrouton) very much for your helpful post.

    So, after deleting all files/folders associated with an anti-virus/malware app I downloaded, a leftover folder&file would not delete from library/systemextensions.

    As your post notes, SIP has to be first disabled.

    I ultimately was able to remove the folder/file using your instructions, but first had to …
    (1) gain root access and
    (2) disable SIP .

    [Important: Reversed those settings after finishing job].

    This is to thank you (@rtrouton) for your instructions, also to share the additional steps that allowed the deletion of said folder/file. Could be useful to yet others.

  6. Moto
    December 12, 2020 at 1:30 pm
  7. Moto
    December 12, 2020 at 1:32 pm

    Firstly, thank you (@rtrouton) very much for your helpful post.

    So, after deleting all files/folders associated with an anti-virus/malware app I downloaded, a leftover folder&file would not delete from library/systemextensions.

    As your post notes, SIP has to be first disabled.

    I ultimately was able to remove the folder/file using your instructions, but first had to …
    (1) gain root access (https://support.apple.com/en-us/HT204012), and
    (2) disable SIP (https://www.imore.com/how-turn-system-integrity-protection-macos).

    [Important: Reversed those settings after finishing job].

    This is to thank you (@rtrouton) for your instructions, also to share the additional steps that allowed the deletion of said folder/file. Could be useful to yet others.

  8. Adrian S
    February 19, 2021 at 8:13 pm

    We are now Feb 2021 and SIP is still required to use this on macOS 11

  9. Jeremy
    April 15, 2021 at 1:30 pm

    Just tested with macos 11.2 (April 2021) Still have to have SIP disabled for this to work.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: