macOS - Software - Uninstall OpenVPN

What the OpenVPN removal Worklet does

This Automox Worklet™ detects and removes the OpenVPN client from macOS endpoints. The Worklet performs a comprehensive uninstallation that includes application bundles, launch daemons, preferences, caches, and package receipts.

The Worklet evaluates each endpoint by checking for the presence of OpenVPN in multiple locations: application directories, system launch services, user launch agents, installed package receipts, and running processes. This multi-point detection ensures the Worklet identifies OpenVPN regardless of installation method.

When remediation runs, the Worklet terminates all active OpenVPN processes, unloads launch services, removes application directories, and forgets package receipts. This approach eliminates configuration remnants that could interfere with future software installations or cause unexpected behavior.

Why remove OpenVPN from managed endpoints

Organizations manage VPN access through centralized solutions rather than user-installed clients. OpenVPN running outside of approved channels creates security gaps, complicates network monitoring, and bypasses endpoint security controls. Removing OpenVPN enforces your organization's VPN policy by eliminating unauthorized client access.

Uninstalling OpenVPN prevents users from establishing unmonitored connections to external networks or personal VPN services, which could expose corporate data. Complete removal also prevents configuration conflicts when deploying approved VPN solutions such as Cisco AnyConnect, ForcePoint, or Jamf Threat Defense.

How OpenVPN removal works

1. Evaluation phase: The Worklet checks for OpenVPN application bundles in /Applications, scans /Library/LaunchDaemons and /Library/LaunchAgents for OpenVPN launch configuration files, searches user LaunchAgents directories, queries the macOS package manager with pkgutil for OpenVPN package receipts, and detects running OpenVPN processes using pgrep. If any of these detection methods find OpenVPN, the endpoint reports that the application is installed and requires remediation.

2. Remediation phase: The Worklet terminates running OpenVPN processes using pkill, unloads all launch services from /Library/LaunchDaemons, /Library/LaunchAgents, and user directories using launchctl, removes application directories /Applications/OpenVPN Connect.app and /Applications/OpenVPN.app, deletes support files from /Library/Application Support, cleans preference and cache files, removes all user-specific OpenVPN files from each user's Library directory, and removes package receipts from the system package database using pkgutil --forget. The remediation completes with verification that no OpenVPN artifacts remain.

OpenVPN removal requirements

• macOS 10.14 or later

• Root user privileges for remediation execution

• Automox agent must have permission to execute scripts and modify system directories

• FixNow compatible for immediate execution through Automox console

Expected macOS state after OpenVPN removal

After the Worklet completes successfully, the endpoint will have no OpenVPN application files, no launch services configured to start OpenVPN, and no package receipts indicating past installation. Users cannot launch OpenVPN, and the system will not attempt to start OpenVPN services at boot. Network traffic previously routed through OpenVPN will follow the default network path unless an approved VPN solution is configured.

You can verify removal by checking that /Applications/OpenVPN Connect.app and /Applications/OpenVPN.app no longer exist, by running pkgutil --pkgs | grep -i openvpn which should return no results, and by confirming that no openvpn processes appear in the system process list. The endpoint is now ready for deployment of your organization's approved VPN client.

How to validate uninstall openvpn changes

1. Run this Worklet on a pilot macOS endpoint and review evaluation output for uninstall openvpn.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as ls, exit, else.

4. Validate remediation effects from script operations such as exit, pkill, rm, then rerun evaluation for compliance.