Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: owengall
owengall Author
User level: Level 1
4 points

Unable to remove uchg user immutable flag/lock with root user

Current app file permissions:



When I run 


# file location
cd /Applications

# show flags
ls -lO | grep <app>
# "drwxr-xr-x  3 root            wheel  uchg        96 Dec  1  2021 <app>.app"

# via sudo, fails
sudo chflags nouchg <app>.app

# via su, fails
su root
chflags nouchg <app>.app


I get


chflags: <app>.app: Operation not permitted


I've already tried disabling system integrity protection and granting full disk access to Terminal.


csrutil status
# "System Integrity Protection status: disabled."


How can I unlock this file?


Also asked at https://apple.stackexchange.com/q/457333/320992

Posted on Mar 18, 2023 7:18 AM

Reply
Question marked as Best reply
User profile for user: etresoft
etresoft
User level: Level 8
46,312 points

Posted on Mar 25, 2023 5:35 AM

owengall wrote:

How do I know if the app is on the sealed startup volume? Currently looking into it and do think, as of now, that I have the sealed volume enabled and that this app is probably on it.

No. It looks like the antivirus itself has software running that prevents you from deleting it.


Since this is an “inherited” computer, the best solution is to erase the hard drive and reinstall the operating system. It is possible to remove this file using Recovery. However, there are other components of the antivirus that you haven’t found yet. Only a complete erase (or proper uninstallation) will remove them.


Also, there is a good chance that there is some kind of MDM activation lock on this computer. At some point, it may stop working entirely and you’ll never be able to recover it. Make sure to keep good backups for when, not if, that happens.


The best solution is to never, ever buy a used device. Not ever.

View in context

Similar questions

5 replies
Question marked as Best reply
User profile for user: etresoft
etresoft
User level: Level 8
46,312 points

Mar 25, 2023 5:35 AM in response to owengall

owengall wrote:

How do I know if the app is on the sealed startup volume? Currently looking into it and do think, as of now, that I have the sealed volume enabled and that this app is probably on it.

No. It looks like the antivirus itself has software running that prevents you from deleting it.


Since this is an “inherited” computer, the best solution is to erase the hard drive and reinstall the operating system. It is possible to remove this file using Recovery. However, there are other components of the antivirus that you haven’t found yet. Only a complete erase (or proper uninstallation) will remove them.


Also, there is a good chance that there is some kind of MDM activation lock on this computer. At some point, it may stop working entirely and you’ll never be able to recover it. Make sure to keep good backups for when, not if, that happens.


The best solution is to never, ever buy a used device. Not ever.

Reply

Unable to remove uchg user immutable flag/lock with root user

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up