remove_zscaler_mac

remove_zscaler.sh

#!/bin/bash
# remove_zscaler.sh — Run from macOS Recovery Mode terminal
# Removes Zscaler Client Connector and all associated files
#
# Usage from Recovery Mode:
#   1. Mount your main volume (see instructions below)
#   2. bash /Volumes/Macintosh\ HD/Users/<you>/dev/zscaler/remove_zscaler.sh
#
# NOTE: Adjust VOLUME if your startup disk has a different name.

set -euo pipefail

VOLUME="/Volumes/Macintosh HD"

if [ ! -d "$VOLUME" ]; then
    echo "ERROR: $VOLUME not found."
    echo "Available volumes:"
    ls /Volumes/
    echo ""
    echo "Re-run with the correct volume, e.g.:"
    echo "  VOLUME='/Volumes/YourDisk' bash remove_zscaler.sh"
    exit 1
fi

echo "=== Zscaler Removal Script ==="
echo "Target volume: $VOLUME"
echo ""

# Allow VOLUME override from environment
: "${VOLUME:=/Volumes/Macintosh HD}"

# --- 1. Remove the application ---
echo "[1/7] Removing Zscaler.app..."
rm -rf "$VOLUME/Applications/Zscaler"
rm -rf "$VOLUME/Applications/Zscaler.app"

# --- 2. Remove LaunchDaemons ---
echo "[2/7] Removing LaunchDaemons..."
rm -f "$VOLUME/Library/LaunchDaemons/com.zscaler."*
rm -f "$VOLUME/Library/LaunchDaemons/com.zsdp."*

# --- 3. Remove LaunchAgents ---
echo "[3/7] Removing LaunchAgents..."
rm -f "$VOLUME/Library/LaunchAgents/com.zscaler."*

# --- 4. Remove system extensions and kexts ---
echo "[4/7] Removing System Extensions and Kexts..."
# Network extension / system extension bundles
find "$VOLUME/Library/SystemExtensions" -name "*zscaler*" -exec rm -rf {} + 2>/dev/null || true
find "$VOLUME/Library/SystemExtensions" -name "*Zscaler*" -exec rm -rf {} + 2>/dev/null || true
rm -rf "$VOLUME/Library/Extensions/ZscalerTunnel.kext"

# --- 5. Remove application support, preferences, caches ---
echo "[5/7] Removing support files, preferences, and caches..."
rm -rf "$VOLUME/Library/Application Support/Zscaler"
rm -f  "$VOLUME/Library/Preferences/com.zscaler."*

# Per-user cleanup (all users)
for USERHOME in "$VOLUME/Users/"*/; do
    [ -d "$USERHOME" ] || continue
    rm -rf "$USERHOME/Library/Application Support/Zscaler"
    rm -f  "$USERHOME/Library/Preferences/com.zscaler."*
    rm -rf "$USERHOME/Library/Caches/com.zscaler."*
    rm -rf "$USERHOME/Library/Logs/Zscaler"
done

# --- 6. Remove certificates and profiles ---
echo "[6/7] Removing configuration profiles and related files..."
rm -rf "$VOLUME/var/db/ConfigurationProfiles/Store/com.zscaler."* 2>/dev/null || true
# Zscaler's certificate in the system keychain must be removed manually
# after booting normally (see notes below).

# --- 7. Remove logs and miscellaneous ---
echo "[7/7] Removing logs and temp files..."
rm -rf "$VOLUME/var/log/zscaler"
rm -rf "$VOLUME/private/var/log/zscaler"
rm -rf "$VOLUME/tmp/zscaler"* 2>/dev/null || true
rm -rf "$VOLUME/private/tmp/zscaler"* 2>/dev/null || true

echo ""
echo "=== Done ==="
echo ""
echo "POST-BOOT CLEANUP (after restarting into normal macOS):"
echo "  1. Open Keychain Access → System keychain"
echo "     Search 'Zscaler' and delete any Zscaler Root CA certificates."
echo "  2. System Settings → General → VPN & Network"
echo "     Remove any Zscaler network/VPN entries."
echo "  3. System Settings → General → Login Items & Extensions"
echo "     Remove any Zscaler entries."
echo "  4. If MDM-managed, the profile may reinstall Zscaler on next check-in."
echo ""
echo "Restart now with: reboot"