Removal of Cisco AMP in adherence to Executive Order GA-48

To comply with the EO consistently across the enterprise, Microsoft Defender for Endpoint (MDE) has been selected. For MDE to reliably apply all of the required protections, Cisco AMP must be removed: having Cisco AMP installed side by side with MDE places MDE in passive mode, in which it cannot enforce the protections required by the EO. To that end, EPM has identified 543 Windows endpoints and 1,480 macOS endpoints with some named version of AMP installed; AMP will have to be removed from them to meet the requirements.

Configuration Manager already has a Software Package available to begin this. ITSOs can apply it today to get ahead. Given the breadth and depth of the AMP installs, this package may not remove everything installed on an endpoint. It uses the vendor-prescribed method, but conditions on your endpoints may prevent the vendor method from succeeding, so please be vigilant if you deploy the package ahead of EPM.
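One way to confirm on a Windows endpoint that the removal actually took and that Defender has left passive mode (an added example, not part of the Configuration Manager package or any EPM tooling). The display-name patterns are assumptions; replace them with the AMP product names found in your own inventory.

```powershell
# Added example: post-removal check, run elevated on the endpoint.
# ASSUMPTION: AMP shows up in the uninstall registry under one of these display
# names; replace the patterns with the names found in your own inventory.
$AmpNamePatterns = @('*Cisco AMP*', '*Cisco Secure Endpoint*')

function Get-AmpUninstallEntry {
    # Check both the 64-bit and 32-bit uninstall hives.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue | Where-Object {
        $name = $_.DisplayName
        $name -and ($AmpNamePatterns | Where-Object { $name -like $_ })
    }
}

function Test-AmpRemoval {
    $leftovers = @(Get-AmpUninstallEntry | Select-Object -ExpandProperty DisplayName)

    # AMRunningMode comes from the built-in Defender module. 'Normal' is active
    # mode; any passive value means Defender is not the active antivirus.
    try   { $mode = (Get-MpComputerStatus -ErrorAction Stop).AMRunningMode }
    catch { $mode = 'Unknown (Get-MpComputerStatus failed)' }

    # One common pending-reboot indicator (not exhaustive): queued file renames.
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -ErrorAction SilentlyContinue
    $rebootPending = [bool]$sm.PendingFileRenameOperations

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        AmpEntries    = $leftovers -join '; '
        DefenderMode  = $mode
        RebootPending = $rebootPending
        Compliant     = ($leftovers.Count -eq 0) -and ($mode -eq 'Normal')
    }
}

Test-AmpRemoval | Format-List
```

An endpoint that still lists an AMP entry, or reports a passive Defender mode after the required reboot, is one where the vendor method did not fully succeed and needs follow-up.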

Jamf has made the Cisco AMP removal script created by LAITS globally available.

In Scope:

All EPM-enrolled endpoints are required to remove AMP

Out of scope:

Servers

Impact:

The removal of AMP will require a reboot

Timeline:

AMP will be removed by EPM on February 25th. However, we ask ITSOs to be vigilant and to remove AMP in advance of this date to ensure successful compliance.

How:

Windows

A LinkedIn Learning course on deploying packages and programs in Configuration Manager:

https://www.linkedin.com/learning/cloud-management-with-microsoft-intune/deploy-packages-and-programs-in-configuration-manager

If a password was set on the installer, follow this process provided by Cisco: "Procedure to Uninstall the AMP Connector if the Password is Forgotten".

Jamf

Here is a link to the global script to remove AMP that ITSOs can use to deploy to their site:
https://mdm.utexas.edu/view/settings/computer-management/scripts/1010?tab=script

Note: this script requires a user to be logged in for successful deployment.