Password Protecting Endpoint Security Agent Uninstall

There's a reason Endpoint Security Solution's middle name is, well, Security. The Endpoint team researched all the ways a user might bypass their solution (like uninstalling it). Then they hardened the product to close any such loopholes. Did you know, for example, you can protect ESS so that neither the user nor the Notification Server can uninstall the client without the correct password? Nice!

Setting the Uninstall Password

1. From the Altiris Notification server console, go to the "Configuration" tab.
2. Next, expand the section for "Solution Settings", then "Security Management", then "Endpoint Security", and finally the section for "Endpoint Security Solution Agent Rollout".
3. Click on the selection for "Altiris Endpoint Security Solution Agent Package", then in the right frame, select the tab for "Programs".
   
   

   Figure 1

   Click to view.

4. You can change between the "Install" and "Uninstall" parameters for the package, by clicking on the drop down box labeled "Program". Note that this is where you will change the switches for the install AND the uninstall packages. These switches include setting passwords for install AND uninstall. It is also important to note that if the install password is set, it will be necessary to set the uninstall password in order to have the NS perform uninstalls.
   
   

   Figure 2

   Click to view.

5. Click the drop down box and set the following for both "Programs" for the install of the Endpoint Security Package. The first is the "Install the Endpoint Security Package (Reboot)" and after, you will need to perform the same for "Install the Endpoint Security Package (No Reboot)".
   1. On the installation package for ESS, specify the following for the setup program switches (note: the password set for uninstall would be "123Password1". These should be added to the field for "Command line".

      setup.exe /s /V"/qn STRPA=1 STIUP=\"1Password123\""
      
      

   2. Click the Apply button.
   

   Figure 3

   Click to view.

6. Next, set the switches for the "Programs" used for uninstalling the package. The first is "Uninstall the Endpoint Security Package (Reboot)" and then after that, you will have to perform the same steps after changing the drop down menu to the "Uninstall the Endpoint Security Package (No Reboot)".
   1. On the uninstall package for ESS, specify the following for the msiexec program switches. Again, the password is "123Password1". Please take a special note that the switch changes from STIUP on the install to STUIP (the U and I are reversed) on the uninstall. These should be added to the field for "Command line".

      msiexec.exe /x {A2EA6882-31B2-4F86-9941-C23351D950D0} /qn STUNINSTALL=1 STUIP="1Password123"
      
      

      

      Figure 4

      Click to view.

   2. Click the Apply button.

Additional Notes

1. If you use the above method to set the uninstall password, then you can use the "Password Override" password as an option for the uninstall password. Either the uninstall password or password override will be allowed for uninstalling the client.
2. The uninstall of the Altiris agent will uninstall the ESS client. As long as the msiexec has the password to pass, the uninstall of the Altiris agent will also uninstall the ESS agent.
3. Either method is acceptable for uninstalling the client, using the NS or using the Start Menu option.
4. If the uninstall password is set, then the uninstall password is required on the uninstall on the NS as stated above.