
pfm_value_inverted not implemented

Open davidbpirie opened this issue 2 years ago • 1 comments

It appears support for the manifest key pfm_value_inverted has not been implemented; therefore, manifests which make use of this to invert boolean values end up with reversed behaviour, for example com.apple.preference.security.plist.

davidbpirie avatar Aug 24 '22 05:08 davidbpirie

Good call. Should be able to normalize that

apizz avatar Aug 24 '22 12:08 apizz

Another great example is com.apple.loginwindow and the keys SleepDisabled, RestartDisabled, Shutdown Disabled.

The problem is in the descriptions, which state "Show the X button", yet a true value for these keys will "Hide the X Button" in practice. I believe other boolean keys in that schema are affected as well.

Due to a bug in Sonoma with the HideAdminUsers key, and the way that Jamf handles this payload in their built-in GUI for configuration profiles, this particular schema might be seeing some additional use right now.

jonesiscoding avatar Oct 05 '23 19:10 jonesiscoding

How would this be implemented in this repo, given that Jamf doesn't have any "inverted" concept? If pfm_value_inverted is true we would just reverse the boolean value?

homebysix avatar Oct 07 '23 20:10 homebysix

@homebysix I think that would be the most sensible solution. Since we are only dealing with booleans, we know all the possible values (2) so inverting the value during conversion should provide the intended result.

davidbpirie avatar Oct 08 '23 21:10 davidbpirie

I took a shot at implementing this. Does this diff look right?

homebysix avatar Oct 09 '23 00:10 homebysix

Is there a reason for the double-parenthesis on all()?

davidbpirie avatar Oct 09 '23 00:10 davidbpirie

The double-parens provide a single tuple to all(). Without it, you get this:

TypeError: all() takes exactly one argument (3 given)

homebysix avatar Oct 09 '23 02:10 homebysix

I don't think flipping the default values is the right thing to do here. Looking at a couple examples, the defaults as documented by Apple were correct before the change.

For example: com.apple.AssetCache → DenyTetheredCaching. The default value is false: https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.AssetCache.managed.yaml#L96

But this change would make it true incorrectly: https://github.com/Jamf-Custom-Profile-Schemas/ProfileManifestsMirror/blob/6b50c34bc1e3268d1e4aead40f99993fc8121073/manifests/ManifestsApple/com.apple.AssetCache.managed.json#L67

I don't see a path forward for supporting this feature now, but we can revisit if Jamf ever adds support for inverted values.

homebysix avatar Oct 09 '23 02:10 homebysix
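
Since the thread ends without inversion support, one practical check is to list which boolean keys in a source manifest carry pfm_value_inverted, so their descriptions can be reviewed against the value actually written to the payload. The following is an added example, not code from this repository or from anyone in the thread. The sample manifest and the function names `inverted_keys` and `audit` are constructed for illustration, and it assumes the flag means the UI shows the opposite of the stored value while pfm_default stays as documented by Apple.

```python
import plistlib

# Constructed sample manifest (not copied from the repository); the pfm_* key
# names follow the ProfileManifests format discussed in the thread.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>pfm_domain</key><string>com.example.sample</string>
  <key>pfm_subkeys</key><array>
    <dict>
      <key>pfm_name</key><string>ExampleDisabled</string>
      <key>pfm_type</key><string>boolean</string>
      <key>pfm_default</key><false/>
      <key>pfm_value_inverted</key><true/>
    </dict>
    <dict>
      <key>pfm_name</key><string>Nested</string>
      <key>pfm_type</key><string>dictionary</string>
      <key>pfm_subkeys</key><array>
        <dict>
          <key>pfm_name</key><string>InnerDisabled</string>
          <key>pfm_type</key><string>boolean</string>
          <key>pfm_value_inverted</key><true/>
        </dict>
        <dict>
          <key>pfm_name</key><string>PlainFlag</string>
          <key>pfm_type</key><string>boolean</string>
          <key>pfm_default</key><true/>
        </dict>
      </array>
    </dict>
  </array>
</dict></plist>"""


def inverted_keys(node, path=()):
    """Yield (key path, payload default, UI default) for inverted booleans."""
    for sub in node.get("pfm_subkeys", []):
        here = path + (sub.get("pfm_name", "?"),)
        if sub.get("pfm_type") == "boolean" and sub.get("pfm_value_inverted") is True:
            default = sub.get("pfm_default")  # payload value, left untouched
            shown = None if default is None else not default  # assumed UI sense
            yield ".".join(here), default, shown
        yield from inverted_keys(sub, here)  # recurse into nested subkeys


def audit(plist_bytes):
    """Parse a manifest plist and return every inverted boolean key found."""
    return list(inverted_keys(plistlib.loads(plist_bytes)))
```
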