macOS - Software Lifecycle - Uninstall Rapid7 Insight Agent

Removes Rapid7 Insight Agent from macOS endpoints using Rapid7's official agent control script across Intel and Apple Silicon

Worklet Details

What the Rapid7 Insight Agent uninstaller does

This Automox Worklet™ removes the Rapid7 Insight Agent from macOS endpoints by running Rapid7's official agent control script with the uninstall subcommand. The evaluation phase inspects two signals on the endpoint: the launchctl daemon list for the com.rapid7.ir_agent service, and the presence of the /opt/rapid7 install directory. If either signal is present, the endpoint is flagged for remediation.

The remediation phase reads the processor architecture with uname -p, then downloads the matching agent control shell script from Rapid7's customer ingress endpoint at us.storage.endpoint.ingress.rapid7.com. Apple Silicon endpoints (where uname -p reports arm) receive agent_installer-arm64.sh, and Intel endpoints receive agent_installer-x86_64.sh. The Worklet marks the script executable with chmod +x and invokes it as ./agent_installer-<arch>.sh uninstall, which is Rapid7's documented removal flow. The script stops ir_agent, unloads its LaunchDaemons, removes /opt/rapid7, and clears related support files.

The evaluation phase is non-destructive. Endpoints without Rapid7 installed exit compliant immediately and skip the download, so there is no wasted bandwidth and no unnecessary touch on healthy hosts.

Why remove Rapid7 Insight Agent from macOS

Stale endpoint agents accumulate cost in unused CPU, log volume, and conflicting kernel hooks. After a vendor migration, an organizational acquisition, or a department-level swap to a different vulnerability management product, the Rapid7 Insight Agent often lingers on macOS hardware long after the Insight console has stopped collecting from it. The ir_agent service continues to consume CPU, network sockets, and log volume, and the /opt/rapid7 directory holds cached scan data on long-lived endpoints.

Two telemetry agents competing for the same kernel-level file events can produce duplicate alerts, misattributed processes, and intermittent crashes in whichever EDR or compliance tool is supposed to be the source of truth going forward. Removing the Rapid7 Insight Agent at scale runs into two problems: the agent ships separate builds for Intel and Apple Silicon, and most fleets have a mix of both. This Worklet detects the endpoint architecture, pulls the correct script from Rapid7, runs it under the Automox agent's elevated context, and reports back through the activity log. No Jamf push, no SSH session, no end user opening Terminal.

How Rapid7 agent removal works

  1. Evaluation phase: The Worklet runs launchctl list | grep com.rapid7.ir_agent and tests for the /opt/rapid7 directory. If either check is positive, the endpoint exits non-zero and is flagged non-compliant. Endpoints with no trace of Rapid7 exit zero immediately, so the policy can target the entire macOS fleet without spurious activity.

  2. Remediation phase: The script reads uname -p, downloads agent_installer-arm64.sh or agent_installer-x86_64.sh from us.storage.endpoint.ingress.rapid7.com via curl -LsS, marks the file executable, and invokes it as ./agent_installer-<arch>.sh uninstall. Rapid7's script stops the ir_agent process, unloads its LaunchDaemons, removes /opt/rapid7, and clears its supporting files. The remediation script then writes a completion line to the activity log so the run is visible in the Automox console.
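The two phases above, and the post-removal checks described further down, as an added example that is not the Worklet's own script. It factors the logic into functions so each step can be checked separately: the architecture-to-script mapping, the two evaluation signals, a sanity check on the downloaded file before it is executed, and a re-check of the same signals after the uninstall. The ingress host comes from the page; the path component of the download URL is not on the page and is a labelled placeholder that must be taken from the Rapid7 console.

```shell
#!/bin/sh
# Added example (not the Worklet's own scripts): evaluation and remediation
# logic for removing the Rapid7 Insight Agent from macOS. Assumptions are
# marked in comments.

# Signals the evaluation phase inspects.
RAPID7_SERVICE="com.rapid7.ir_agent"
RAPID7_DIR="/opt/rapid7"
# Host is from the page; the path is NOT on the page and must come from the
# Rapid7 console, so it is a placeholder here (override via the environment).
RAPID7_SCRIPT_BASE="${RAPID7_SCRIPT_BASE:-https://us.storage.endpoint.ingress.rapid7.com/PLACEHOLDER_PATH}"

# Map the `uname -p` value to the matching agent control script.
# Apple Silicon reports "arm"; anything else is treated as Intel (x86_64).
script_for_arch() {
    case "$1" in
        arm*) echo "agent_installer-arm64.sh" ;;
        *)    echo "agent_installer-x86_64.sh" ;;
    esac
}

# Evaluation: returns 0 (agent present) if the service appears in the supplied
# launchctl listing or the install directory exists, otherwise 1.
# Arguments: $1 = output of `launchctl list`, $2 = install directory.
rapid7_present() {
    if printf '%s\n' "$1" | grep -q "$RAPID7_SERVICE"; then
        return 0
    fi
    [ -d "$2" ] && return 0
    return 1
}

# Sanity check before executing a downloaded file: it must be non-empty and
# start with a shebang, so an error page or an empty response is never run.
looks_like_shell_script() {
    [ -s "$1" ] || return 1
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# Remediation: download the architecture-correct script, verify it, run the
# documented `uninstall` subcommand, then re-check the evaluation signals.
remediate() {
    arch="$(uname -p)"
    script="$(script_for_arch "$arch")"
    workdir="$(mktemp -d)" || return 1
    # --fail makes curl exit non-zero on an HTTP error instead of saving the
    # error body under the script's name.
    if ! curl --fail -LsS -o "$workdir/$script" "$RAPID7_SCRIPT_BASE/$script"; then
        echo "download of $script failed; check HTTPS egress to us.storage.endpoint.ingress.rapid7.com" >&2
        rm -rf "$workdir"; return 1
    fi
    if ! looks_like_shell_script "$workdir/$script"; then
        echo "downloaded $script is not a shell script; refusing to run it" >&2
        rm -rf "$workdir"; return 1
    fi
    chmod +x "$workdir/$script"
    (cd "$workdir" && "./$script" uninstall)
    status=$?
    rm -rf "$workdir"
    if [ "$status" -ne 0 ]; then
        echo "uninstall exited with status $status" >&2
        return "$status"
    fi
    # Confirm removal with the same signals the evaluation phase uses, plus the
    # process check from the validation section.
    if rapid7_present "$(launchctl list 2>/dev/null)" "$RAPID7_DIR" || pgrep -f ir_agent >/dev/null 2>&1; then
        echo "Rapid7 artifacts still present after uninstall; reboot and re-run the policy" >&2
        return 1
    fi
    echo "Rapid7 Insight Agent removed ($arch -> $script)"
}

# Phase selection: an Automox policy ships the two halves as separate scripts;
# here WORKLET_PHASE selects one, and nothing executes when it is unset.
case "${WORKLET_PHASE:-}" in
    evaluate)
        # Non-zero exit flags the endpoint non-compliant; zero means compliant.
        if rapid7_present "$(launchctl list 2>/dev/null)" "$RAPID7_DIR"; then exit 1; fi
        exit 0 ;;
    remediate)
        remediate; exit $? ;;
esac
```

Run the evaluation half with `WORKLET_PHASE=evaluate sh worklet.sh` and the remediation half with `WORKLET_PHASE=remediate sh worklet.sh` as root. The shebang and `--fail` checks are the additions a practitioner would want before handing a freshly downloaded file to the shell: without them, an HTTP error body saved as `agent_installer-<arch>.sh` would be marked executable and run.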

Rapid7 agent removal requirements

  • macOS endpoint running on Intel (x86_64) or Apple Silicon (arm) hardware, as reported by uname -p

  • Root or sudo privileges on the endpoint; the default Automox agent context already meets this requirement

  • Outbound HTTPS reachability to us.storage.endpoint.ingress.rapid7.com so the architecture-correct agent control script can be downloaded at remediation time

  • MDM-managed endpoints: any PPPC payload granting Full Disk Access to com.rapid7.ir_agent becomes obsolete once the agent is removed; refresh the MDM payload set afterward to drop the now-orphaned entry

  • No additional Worklet variables required; the remediation script auto-detects architecture and selects the correct script URL

  • Optional: retire the endpoint from the Rapid7 Insight Platform console after the Worklet completes so the asset record reflects the off-boarded state and stops counting against licensing

Expected macOS state after Rapid7 removal

After remediation, launchctl list returns no com.rapid7.ir_agent entry. The /opt/rapid7 directory is gone, and no rapid7 plist files remain under /Library/LaunchDaemons or /Library/LaunchAgents. The ir_agent process is absent from ps aux output, and Activity Monitor no longer shows Rapid7 Insight Agent under background processes. The Rapid7 Insight Platform console marks the asset stale once its heartbeat lapses, at which point it can be retired from the asset inventory.

Validate with these commands on a pilot endpoint after the Worklet finishes: launchctl list | grep -i rapid7 (should return nothing), ls /opt/rapid7 (should return No such file or directory), and pgrep -fl ir_agent (should return no matches). On the next Automox evaluation pass, the endpoint reports compliant because both signals the evaluation script depends on are absent.

If the activity log shows the uninstall did not complete, check two common conditions before re-running. First, the curl step fails when a network policy blocks outbound HTTPS to us.storage.endpoint.ingress.rapid7.com; allow the egress and re-run the policy. Second, ir_agent may hold an open kernel handle that refuses an immediate stop; reboot the endpoint and re-run the policy, and the uninstall flow completes on the second pass with no residual artifacts.

[Screenshots of the evaluation and remediation scripts]

Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
