SEP Removal and AMP Install for macOS

This support article outlines how to remove Symantec Endpoint Protection (SEP) and install Cisco AMP for Endpoints (AMP) on a Macintosh computer.

SEP Removal

Identifying Symantec Endpoint Protection

SEP is most easily identified by looking for its app icon in the upper right of the screen.

Searching for the SymUIAgent.app process in Activity Monitor can also confirm whether SEP is still installed.

Uninstalling SEP via Graphical User Interface (GUI)

In most cases, SEP can be removed via the GUI. To do so, click the SEP app icon and select Open Symantec Endpoint Protection from the dropdown menu.

Once the application has opened, click the Symantec Endpoint Protection option in the Finder menu bar and select Uninstall Symantec Endpoint Protection from the dropdown menu.

Click the orange Uninstall button and enter administrator credentials to start the uninstallation. Once uninstallation is finished, restart the computer by selecting the Restart Now button. After the computer has restarted, uninstallation is complete.

Uninstalling SEP via Terminal Command Line

If SEP has trouble uninstalling via the GUI, a command line option can help remove any remaining files. Follow the KB article here to manually remove SEP. Note: the download link only seems to work with Apple Safari and not Google Chrome.

AMP Installation

After SEP has been removed, open a Terminal window and run the following command:

 sudo jamf policy -event installEP

Provide an administrator password. A script will run and install AMP on the computer. After the script completes, AMP should be running on the computer.
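
The install step above assumes SEP is already gone. The following script is an added example, not part of the original article: it checks the process list for SymUIAgent and only then runs the Jamf policy trigger. The process name and the installEP event come from this article; the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight check before the AMP install.
# SymUIAgent and the installEP event come from the article; the function
# names are assumptions made for this illustration.
SEP_PROCESS="SymUIAgent"
AMP_EVENT="installEP"

# Return 0 if the SEP UI agent appears in the process listing on stdin.
sep_is_running() {
    grep -qF "$SEP_PROCESS"
}

# Classify a process listing read from stdin: prints "blocked" or "ready".
preflight_status() {
    if sep_is_running; then
        echo "blocked"
    else
        echo "ready"
    fi
}

# Check the live system, then trigger the Jamf policy only if SEP is gone.
install_amp_if_clean() {
    # Fail closed: if the process list cannot be read, do not install.
    procs=$(ps -axo comm) || { echo "Cannot list processes." >&2; return 3; }
    if [ "$(printf '%s\n' "$procs" | preflight_status)" != "ready" ]; then
        echo "$SEP_PROCESS is still running; uninstall SEP and restart first." >&2
        return 1
    fi
    # The jamf binary is only present on Macs enrolled in Jamf.
    if ! command -v jamf >/dev/null 2>&1; then
        echo "jamf binary not found; cannot run the install policy." >&2
        return 2
    fi
    sudo jamf policy -event "$AMP_EVENT"
}
```

Calling install_amp_if_clean in Terminal prompts for the administrator password exactly as the manual command does.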

AMP Scanning

After installing AMP, it is recommended to perform a full scan of the computer. To do so, first update the virus definitions by clicking the AMP icon and selecting Update Virus Definitions from the dropdown menu.

To initiate the scan, click the AMP icon and select the Full Scan option under Scan in the dropdown menu.

If you would like to see the status of a scan, click the AMP icon and look at Status: in the dropdown menu.