Remove OpenVPN Connect, launch services, and package receipts from macOS endpoints to enforce VPN policy
This Automox Worklet™ detects and removes the OpenVPN client from macOS endpoints. The Worklet handles both the modern OpenVPN Connect app (typically installed at /Applications/OpenVPN Connect.app) and the legacy /Applications/OpenVPN.app bundle that the open-source community version ships under. Tunnelblick is not in scope for this Worklet, but the same artifact-removal pattern applies if you fork it for that client.
The evaluation phase looks for OpenVPN in five places: the /Applications directory, /Library/LaunchDaemons, /Library/LaunchAgents, per-user ~/Library/LaunchAgents, pkgutil package receipts, and the running process list via pgrep. If any check matches, the endpoint exits 2 and is flagged for remediation. If nothing matches, the endpoint exits 0 and the Worklet takes no further action on that machine.
The remediation phase terminates running OpenVPN processes with pkill, unloads every matching launchd plist with launchctl unload, removes both application bundles with rm -rf, and clears /Library/Application Support, /Library/Preferences, /Library/Caches, and the equivalent per-user paths under /Users/*/Library/. The Worklet then walks every package receipt returned by pkgutil --pkgs | grep -i openvpn and calls pkgutil --forget on each one, so a subsequent reinstall of an approved client does not collide with stale receipts.
OpenVPN running outside of a sanctioned VPN stack creates real exposure. Self-installed clients carry user-supplied config profiles that route corporate traffic through unvetted endpoints, sit outside your SIEM telemetry, and survive employee transitions because no MDM uninstall ever runs. When a security review or zero-trust migration mandates a single VPN client – typically Cisco AnyConnect, Palo Alto GlobalProtect, Jamf Connect, or Twingate – every lingering OpenVPN Connect install is a policy gap. The package receipts and launchd plists this Worklet clears are the same artifacts a fresh AnyConnect or GlobalProtect installer can collide with at install time, which is why a clean removal matters more than just dragging the .app to the Trash.
Scheduling this Worklet against the Mac group walks /Applications, ~/Library/Application Support, and /Library/LaunchDaemons on every endpoint at evaluation time, removes the OpenVPN Connect bundle, and unloads the helper LaunchDaemon. The laptop in the conference room, the home-office laptop, and the contractor return that has not checked into Jamf since last quarter all receive the same removal pass on the next agent check-in, with per-host exit codes captured in the activity log.
Evaluation phase: The Worklet checks /Applications for OpenVPN Connect.app and OpenVPN.app, lists /Library/LaunchDaemons and /Library/LaunchAgents for any plist whose name matches openvpn (case-insensitive), scans ~/Library/LaunchAgents for the running user, runs pkgutil --pkgs | grep -i openvpn to find package receipts, and runs pgrep -f openvpn to catch a live tunnel. Any positive match flips the is_installed flag and the script exits 2, which Automox interprets as non-compliant. A clean endpoint exits 0 and is left alone.
Remediation phase: The script confirms it is running as root (EUID 0), then calls pkill -x against openvpn, 'OpenVPN Connect', and OpenVPN to drop any active tunnel. It iterates /Library/LaunchDaemons/*openvpn*.plist and /Library/LaunchAgents/*openvpn*.plist with launchctl unload, then does the same for /Users/*/Library/LaunchAgents/*openvpn*.plist. It removes /Applications/OpenVPN Connect.app and /Applications/OpenVPN.app with rm -rf, wipes /Library/Application Support/OpenVPN*, /Library/Preferences/*openvpn*, and /Library/Caches/*openvpn*, then clears the per-user equivalents and Saved Application State entries. Finally, pkgutil --pkgs | grep -i openvpn is piped through a while-read loop that calls pkgutil --forget on each receipt, and the script re-checks for any remaining artifacts before exiting 0.
macOS 10.14 Mojave or later, on Intel or Apple Silicon. The script uses bash, pkill, launchctl, and pkgutil – all native to macOS – so no Rosetta or Homebrew dependency is required.
Root privileges. The remediation script exits 1 immediately if EUID is not 0, because removing /Library/LaunchDaemons and running pkgutil --forget both require root. The Automox agent runs as root by default on macOS, so no extra configuration is needed.
Full Disk Access for the Automox agent if your endpoints enforce TCC restrictions on /Users/*/Library. Without it, the per-user cleanup steps will silently skip files in protected user containers.
FixNow compatible. The Worklet's feature_compatibility includes RunNow, so you can trigger this removal from the Automox console on a single endpoint or an endpoint group without scheduling a policy run.
A replacement VPN policy ready to deploy. Removing OpenVPN ends any active tunnel, so co-schedule a Worklet or MDM profile that installs your approved client (AnyConnect, GlobalProtect, Twingate, Jamf Connect) right after this one, or run them in the same policy group with this Worklet first.
After remediation, neither /Applications/OpenVPN Connect.app nor /Applications/OpenVPN.app exists on the endpoint. The launchd database returns no openvpn-named jobs, no openvpn process appears in ps -ax, and pkgutil --pkgs | grep -i openvpn returns empty. System and per-user Library directories contain no OpenVPN preference, cache, support, or saved-state files. Network traffic that previously traversed the OpenVPN tunnel falls back to the default route until your sanctioned VPN client is installed and connected.
Run the following validation steps on a pilot endpoint before broad rollout: ls /Applications | grep -i openvpn (expect no output), launchctl list | grep -i openvpn (expect no output), pkgutil --pkgs | grep -i openvpn (expect no output), and pgrep -f openvpn (expect exit code 1). Capture the Automox activity log – exit code 0 from remediation with the line 'OpenVPN successfully removed' confirms the script completed its final verification pass. If the log instead shows 'WARNING: OpenVPN artifacts still detected', a custom install path or MDM-managed plist is still present, and the endpoint should be inspected by hand before the policy is widened.
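The evaluation checks and the pilot validation steps above probe the same artifacts, so one script can serve both. The following is an added example, not Automox's Worklet code: the function names and the ROOT prefix argument are assumptions. It checks only the file tree unless ROOT is `/`, in which case it also checks receipts, launchd jobs and processes.

```shell
#!/bin/sh
# Added example, not Automox's script. ROOT is a hypothetical prefix argument:
# "/" checks the live system, any other value checks only that directory tree.

# Print each OpenVPN file artifact found under ROOT, one per line.
list_openvpn_files() {
    root="${1%/}"
    # Modern and legacy application bundles named on the page.
    for app in "OpenVPN Connect.app" "OpenVPN.app"; do
        if [ -d "$root/Applications/$app" ]; then
            printf '%s\n' "$root/Applications/$app"
        fi
    done
    # System-wide and per-user launchd plists, matched case-insensitively.
    for dir in "$root/Library/LaunchDaemons" "$root/Library/LaunchAgents" \
               "$root"/Users/*/Library/LaunchAgents; do
        if [ -d "$dir" ]; then
            find "$dir" -maxdepth 1 -iname '*openvpn*.plist'
        fi
    done
}

# Print package receipts, launchd jobs and processes on the running system.
list_openvpn_live() {
    if command -v pkgutil >/dev/null 2>&1; then
        pkgutil --pkgs | grep -i openvpn | sed 's/^/receipt: /'
    fi
    if command -v launchctl >/dev/null 2>&1; then
        launchctl list | grep -i openvpn | sed 's/^/launchd job: /'
    fi
    # pgrep -f matches full command lines: keep "openvpn" out of this
    # script's own file name, or the shell running it will match.
    if pgrep -f openvpn >/dev/null 2>&1; then
        echo "process: openvpn"
    fi
}

# Return 2 (non-compliant) if anything is found, 0 (clean) otherwise.
evaluate_openvpn() {
    found=$(
        list_openvpn_files "$1"
        if [ -z "${1%/}" ]; then list_openvpn_live; fi
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 2
}

# Check the live system only when explicitly asked to.
if [ "${1:-}" = "--evaluate" ]; then evaluate_openvpn /; exit $?; fi
```

Run it with `--evaluate` as root on a pilot Mac before and after remediation; the second run should print nothing and exit 0.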


Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration and remediation, and install or remove applications and settings across Windows, macOS, and Linux.
