
Feature Request: Specify custom PayloadType #18

Open
poundbangbash opened this issue Nov 10, 2017 · 5 comments

Comments

@poundbangbash

macOS 10.13.2 beta 2 introduces a new MDM PayloadType to manage whitelisted KEXT settings only through UAMDM.

The new KEXT whitelist policy now has a PayloadType of com.apple.syspolicy.kernel-extension-policy instead of the default com.apple.ManagedClient.preferences. I'm sure there will be more PayloadTypes coming down the line as UAMDM seems to be the path for new security features so having an option to override the default Type would be handy in the future.

-Eric

@keeleysam

keeleysam commented Nov 10, 2017 via email

@poundbangbash
Author

Yes, that's how I've been using this tool for some time now. I create a plist of the specific keys that I want in a profile and feed it through mcxtoprofile. The output is a mobileconfig with the payload of the keys that I provided. I have a PR that appears to work for my one use case, but I'm very newbish in Python so more eyes on it would be welcomed.

@poundbangbash
Author

An example:

I have a plist of

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>AllowUserOverrides</key>
	<false/>
	<key>AllowedTeamIdentifiers</key>
	<array>
		<string>293UQF7R4S</string>
		<string>3G47DU9NXM</string>
		<string>3T5GSNBU6W</string>
		<string>4C6364ACXT</string>
		<string>54GTJ2AU36</string>
		<string>6KR3T733EC</string>
		<string>6LS4845VS3</string>
		<string>73YQY62QM3</string>
		<string>7J8K6Q87RJ</string>
		<string>8J7TAMPT4P</string>
		<string>9PTGMPNXZ2</string>
		<string>9VB857J7CD</string>
		<string>9ZGFBWLSYP</string>
		<string>CPQQ3AW49Y</string>
		<string>DE8Y96K9QP</string>
		<string>E56RCXEQ93</string>
		<string>EG27766DY7</string>
		<string>EG7KH642X6</string>
		<string>G43BCU2T37</string>
		<string>G7HH3F8CAK</string>
		<string>J6L96W8A86</string>
		<string>PLT8TQHCAJ</string>
		<string>QED4VVPZWA</string>
		<string>U42NNPDKG7</string>
		<string>VB5E2TV963</string>
		<string>WSG985FR47</string>
		<string>YZC2T44ZDX</string>
		<string>Z3L495V9L4</string>
	</array>
</dict>
</plist>

I feed that through mcxtoprofile via:

mcxToProfile.py --plist com.apple.syspolicy.kernel-extension-policy.plist --identifier com.apple.syspolicy.kernel-extension-policy -g "Company Name" --displayname=com.apple.syspolicy.kernel-extension-policy --payloadtype com.apple.syspolicy.kernel-extension-policy -o ./com.apple.syspolicy.kernel-extension-policy.mobileconfig

That outputs:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadContent</key>
			<dict>
				<key>com.apple.syspolicy.kernel-extension-policy</key>
				<dict>
					<key>Forced</key>
					<array>
						<dict>
							<key>mcx_preference_settings</key>
							<dict>
								<key>AllowUserOverrides</key>
								<false/>
								<key>AllowedTeamIdentifiers</key>
								<array>
									<string>293UQF7R4S</string>
									<string>3G47DU9NXM</string>
									<string>3T5GSNBU6W</string>
									<string>4C6364ACXT</string>
									<string>54GTJ2AU36</string>
									<string>6KR3T733EC</string>
									<string>6LS4845VS3</string>
									<string>73YQY62QM3</string>
									<string>7J8K6Q87RJ</string>
									<string>8J7TAMPT4P</string>
									<string>9PTGMPNXZ2</string>
									<string>9VB857J7CD</string>
									<string>9ZGFBWLSYP</string>
									<string>CPQQ3AW49Y</string>
									<string>DE8Y96K9QP</string>
									<string>E56RCXEQ93</string>
									<string>EG27766DY7</string>
									<string>EG7KH642X6</string>
									<string>G43BCU2T37</string>
									<string>G7HH3F8CAK</string>
									<string>J6L96W8A86</string>
									<string>PLT8TQHCAJ</string>
									<string>QED4VVPZWA</string>
									<string>U42NNPDKG7</string>
									<string>VB5E2TV963</string>
									<string>WSG985FR47</string>
									<string>YZC2T44ZDX</string>
									<string>Z3L495V9L4</string>
								</array>
							</dict>
						</dict>
					</array>
				</dict>
			</dict>
			<key>PayloadEnabled</key>
			<true/>
			<key>PayloadIdentifier</key>
			<string>MCXToProfile.fcb6630c-f0c4-4363-b333-3f473a2bde64.alacarte.customsettings.6032b9d8-8e0a-4181-b7a4-5744b91522f0</string>
			<key>PayloadType</key>
			<string>com.apple.syspolicy.kernel-extension-policy</string>
			<key>PayloadUUID</key>
			<string>6032b9d8-8e0a-4181-b7a4-5744b91522f0</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>Included custom settings:
com.apple.syspolicy.kernel-extension-policy

Git revision: a0e04c60fc</string>
	<key>PayloadDisplayName</key>
	<string>com.apple.syspolicy.kernel-extension-policy</string>
	<key>PayloadIdentifier</key>
	<string>com.apple.syspolicy.kernel-extension-policy</string>
	<key>PayloadOrganization</key>
	<string>Company Name</string>
	<key>PayloadRemovalDisallowed</key>
	<true/>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>fcb6630c-f0c4-4363-b333-3f473a2bde64</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

@timsutton
Owner

I can see why you'd want to be able to do this, although we probably could have made an argument for a while to include any of the many other PayloadTypes which Profile Manager has been able to generate, going on 7 years now. mcxToProfile was originally just meant as a mechanism to do with profiles what we were doing before with MCX, using Apple's managed client support.

I'm not necessarily opposed to the idea of allowing arbitrary payload types as a flag. However, because this seems (to me, at least) to be one of Apple's ways to extend its management capabilities via config profiles, how can we know that the profiles it would generate using other PayloadTypes would match other tools from Apple which are also able to generate profiles? One option could be that we state this is an experimental feature and it's just going to set the value to what you want without any other changes to the structure of the data.
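To make the request and the structural concern above concrete, here is a small, self-contained Python script that does what the command in Eric's example does: it takes a plain plist of preference keys and wraps it in a mobileconfig whose inner PayloadType is chosen by the caller. This is an added illustration written for this thread, not mcxToProfile's own code or the PR under discussion; the function names, the `--flat` switch, the constructed sample Team IDs and the `check_profile` validator are all assumptions of this example. The default (`flat=False`) reproduces the MCX-style nesting visible in the output above (PayloadContent → domain → Forced → mcx_preference_settings). The `flat=True` form instead places the settings keys directly in the payload dict, which is the layout Apple documents for its native payload types; which layout a given PayloadType actually expects is exactly the open question Tim raises, so the script makes it an explicit switch rather than guessing, and `check_profile` only verifies the Payload* keys every profile needs, not the per-type schema.

```python
"""Wrap a plain preferences plist in a .mobileconfig with a chosen PayloadType.

Added example for this issue thread; not mcxToProfile's own code.
Names, defaults and the --flat switch are assumptions of this example.
"""
import argparse
import plistlib
import sys
import uuid

# Constructed sample input: the two keys from the plist in the issue, with
# made-up Team IDs (not real vendors) so the script runs without a file.
SAMPLE_SETTINGS = {
    "AllowUserOverrides": False,
    "AllowedTeamIdentifiers": ["AAAAAAAAAA", "BBBBBBBBBB"],
}

DEFAULT_PAYLOAD_TYPE = "com.apple.ManagedClient.preferences"
REQUIRED_PAYLOAD_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")


def build_payload(domain, settings, payload_type=DEFAULT_PAYLOAD_TYPE,
                  profile_uuid=None, flat=False):
    """Return one inner payload dict.

    flat=False: MCX-style nesting as shown in the issue's output.
    flat=True:  settings keys sit directly in the payload dict (the layout
                Apple uses for native payload types; assumption of this example).
    """
    payload_uuid = str(uuid.uuid4())
    profile_uuid = profile_uuid or str(uuid.uuid4())
    payload = {
        "PayloadEnabled": True,
        "PayloadIdentifier": "MCXToProfile.%s.alacarte.customsettings.%s" % (profile_uuid, payload_uuid),
        "PayloadType": payload_type,
        "PayloadUUID": payload_uuid,
        "PayloadVersion": 1,
    }
    if flat:
        payload.update(settings)
    else:
        payload["PayloadContent"] = {
            domain: {"Forced": [{"mcx_preference_settings": dict(settings)}]}
        }
    return payload


def build_profile(domain, settings, identifier, organization, display_name,
                  payload_type=DEFAULT_PAYLOAD_TYPE, flat=False):
    """Return the top-level 'Configuration' profile dict holding one payload."""
    profile_uuid = str(uuid.uuid4())
    return {
        "PayloadContent": [build_payload(domain, settings, payload_type, profile_uuid, flat)],
        "PayloadDescription": "Included custom settings:\n%s" % domain,
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": identifier,
        "PayloadOrganization": organization,
        "PayloadRemovalDisallowed": True,
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": profile_uuid,
        "PayloadVersion": 1,
    }


def check_profile(profile):
    """Return a list of structural problems (empty list means the profile passes).

    Only the generic Payload* keys are checked; per-PayloadType schemas are not.
    """
    problems = []
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    for key in REQUIRED_PAYLOAD_KEYS:
        if key not in profile:
            problems.append("top-level dict missing %s" % key)
    seen = set()
    for i, payload in enumerate(profile.get("PayloadContent", [])):
        for key in REQUIRED_PAYLOAD_KEYS:
            if key not in payload:
                problems.append("payload %d missing %s" % (i, key))
        if payload.get("PayloadUUID") in seen:
            problems.append("payload %d reuses a PayloadUUID" % i)
        seen.add(payload.get("PayloadUUID"))
    return problems


def to_mobileconfig(profile):
    """Serialize the profile dict to XML plist bytes (a .mobileconfig file)."""
    return plistlib.dumps(profile)


def from_mobileconfig(data):
    """Parse .mobileconfig bytes back into a dict (round-trip check)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    # Flags mirror the invocation shown in the issue; --flat is this example's own.
    ap = argparse.ArgumentParser()
    ap.add_argument("--plist", help="input plist of settings (default: built-in sample)")
    ap.add_argument("--identifier", required=True)
    ap.add_argument("-g", "--organization", default="")
    ap.add_argument("--displayname", required=True)
    ap.add_argument("--payloadtype", default=DEFAULT_PAYLOAD_TYPE)
    ap.add_argument("--flat", action="store_true")
    ap.add_argument("-o", "--output", required=True)
    args = ap.parse_args()
    if args.plist:
        with open(args.plist, "rb") as f:
            settings = plistlib.load(f)
    else:
        settings = SAMPLE_SETTINGS
    prof = build_profile(args.identifier, settings, args.identifier, args.organization,
                         args.displayname, args.payloadtype, args.flat)
    problems = check_profile(prof)
    if problems:
        sys.exit("refusing to write profile: " + "; ".join(problems))
    with open(args.output, "wb") as f:
        f.write(to_mobileconfig(prof))
```

Run with the same flags as in the issue plus `--flat` to see the two layouts side by side; `check_profile` is the kind of guard an MDM-side import tool would apply before installing anything, and it deliberately stops short of validating type-specific keys, since that is precisely what cannot be known for arbitrary PayloadTypes.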

@poundbangbash
Author

poundbangbash commented Nov 11, 2017 via email
