Uninstall packages

[pintomi1989]

Goal

User story
As a IT admin who no longer wants to manage a software item (package),
I want to uninstall the package from a host
so that I can prevent the host from having outdated and potentially vulnerable software installed.

Context

• Requestor(s): @pintomi1989
• Product designer: @marko-lisica

Changes

Product

• UI changes: Figma link
• REST API changes:
  • API design: Uninstall software #22318
  • Added uninstall_script to software/batch #22040
• Permissions changes: Maintainers and admins (team and global) can uninstall software on a specific host. (Team roles can uninstall software on hosts assigned to their team(s)): Permissions: uninstall software #22434
• Changes to paid features or tiers: Available in Fleet Premium.

Engineering

• Reference documentation changes: [Draft] Reference docs: Uninstall packages #21618
• Usage documentation changes: TODO
• Database schema migrations: TODO
• Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

Demo videos

• API demo: https://www.loom.com/share/037c82cbde9743cfa42778eb04612482

QA

Risk assessment

• Risk level: High
• Risk description: Risk is high due to the high amount of code changes.

Manual testing steps

Note about EXE installers

They are not standardized and are more likely to have issues. Related issue that's currently being worked on: #20000

@getvictor tested FileZilla:

• https://filezilla-project.org/download.php?platform=win64
• Modified uninstall script to:

& "C:\Program Files\FileZilla FTP Client\uninstall.exe" /quiet

Migration

1. Before migration, start with some installers (1 for each type pkg, exe, msi, deb).
2. After migration, the uninstall_software_migration cron job should run once (should be within 10 seconds of starting up the server), and update the uninstall scripts for the existing software.
3. Make sure the scripts are updated -- easiest way is to look at them using the Edit Software feature (which is not merged as of this writing). Another way is to use the API (see video above) and get the software title.

UI

1. Test installing/uninstalling with each type pkg, exe, msi, deb

API

1. Follow similar steps as the video above.

GitOps

1. Try adding software with/without uninstall script.

Testing notes

Confirmation

1. Engineer (@____): Added comment to user story confirming successful completion of QA.
2. QA (@____): Added comment to user story confirming successful completion of QA.

[noahtalerman]

Hey @marko-lisica it sounds like there's another use case we should be designing for when working on this story. We can decided later if we'd ship it separately.

customer-reedtimmer described this use case:

I want to be able to remove any software. Not just software that Fleet installed.

For example, we use the Restricted Software feature in Jamf to delete WeChat anytime it's installed by the end user.

[nonpunctual]

@marko-lisica @noahtalerman I am pretty sure the Crowdstrike Falcon agent has an uninstaller?

[marko-lisica]

@marko-lisica @noahtalerman I am pretty sure the Crowdstrike Falcon agent has an uninstaller?

@nonpunctual That's right, I forgot about security agents. Thinking about the default uninstall script, I'm not sure how Fleet can know if the native uninstaller is available for some .pkg. Since we expose the uninstall script, the user can edit and use what vendor provided in docs. I think most probably they will need some token to remove security agents, so they will anyway need to edit uninstall script.

For Crowdstrike Falcon it seems pretty simple to copy the script from their docs (sudo /Library/CS/falconctl uninstall ––maintenance-token). If there are some other examples it would be great to track them in this issue here, and we can always open a feature request to improve uninstall feature in Fleet.

[noahtalerman]

@nonpunctual thanks for calling this use case out!

@marko-lisica I think mean that the IT admin would take these steps to install and then later uninstall CrowdStrike in Fleet?

1. Add the CrowdStrike package to available for install software in Fleet
2. Add a policy to check if the CrowdStrike is installed
3. To automatically install: In new policy automation: install software (Policy automations: install software #19551), Connect CrowdStrike to the policy
4. Edit CrowdStrike's uninstall script to the following:

sudo /Library/CS/falconctl uninstall ––maintenance-token

5. To manually uninstall: on a host's Host details > Software tab, find CrowdStrike and select Actions > Uninstall.

No automatic uninstall in Fleet yet. Today, the IT admin would add a policy to check if Crowdstrike is installed, turn on policy webhooks, and catch webhook and hit Fleet's uninstall API endpoint (coming soon) in Tines (third-party automation tool).

[sharon-fdm]

QA DRI - @mostlikelee

[getvictor]

Related issues for EXE packages: #20000, #22092 (duplicate)

EXE packages that work with default scripts:

FileZilla
https://filezilla-project.org/download.php?platform=win64
In uninstall script, use /S as $uninstallArgs

Firefox
Get the full installer like: https://download.mozilla.org/?product=firefox-latest&os=win&lang=en-US
DO NOT get product=firefox-stub
In uninstall script, use -ms as $uninstallArgs

[getvictor]

@marko-lisica @noahtalerman

1. Currently, $PACKAGE_ID is only replaced in the uninstall script. Do we also need to replace it in install/post-install scripts?
2. Did we spec a timeout for install/post-install scripts? I don't see anything in the code.

[marko-lisica]

Hey @getvictor

1. As far as I know there's no use case that $PACKAGE_ID is needed for install or post-install scripts. I would keep it for the uninstall script only until we learn that it's required in other scripts.
2. What's the timeout for regular scripts? We should have the same timeout for software-related scripts.

[mostlikelee]

I'm ok with calling QA on this feature good. There are many error cases where uninstall does not always work against software not installed by Fleet, but based on product feedback these are not bugs and will be filed as feature enhancements.

• cannot uninstall some software not installed by Fleet
• UI error when attempting to uninstall software without an associated software installer in Fleet
• unknown expected behavior when uninstalling software that has multiple versions installed

[noahtalerman]

@zayhanlon and @dherder heads up that this user story was shipped in Fleet 4.57 🙌

[fleet-release]

Uninstall with ease,
Secure hosts from old threats,
Like leaves in the breeze.