mcxToProfile

Feature Request: Specify custom PayloadType

Open poundbangbash opened this issue 7 years ago • 5 comments

macOS 10.13.2 beta 2 introduces a new MDM PayloadType to manage whitelisted KEXT settings only through UAMDM.

The new KEXT whitelist policy now has a PayloadType of com.apple.syspolicy.kernel-extension-policy instead of the default com.apple.ManagedClient.preferences. I'm sure there will be more PayloadTypes coming down the line, as UAMDM seems to be the path for new security features, so having an option to override the default type would be handy in the future.

-Eric

poundbangbash avatar Nov 10 '17 15:11 poundbangbash

mcxToProfile is for turning MCX or other macOS preference files into profiles - I don't think that it'd ever take another payload type as com.apple.ManagedClient.preferences is exactly what it is for.

How would you propose this to work? Taking a generic plist and shoving it into the payloadtype you've specified?


-- Samuel Keeley

keeleysam avatar Nov 10 '17 15:11 keeleysam

Yes, that's how I've been using this tool for some time now. I create a plist of the specific keys that I want in a profile and feed it through mcxToProfile. The output is a mobileconfig with the payload of the keys that I provided. I have a PR that appears to work for my one use case, but I'm very newbish in Python, so more eyes on it would be welcomed.

poundbangbash avatar Nov 10 '17 15:11 poundbangbash

An example:

I have a plist of

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>AllowUserOverrides</key>
	<false/>
	<key>AllowedTeamIdentifiers</key>
	<array>
		<string>293UQF7R4S</string>
		<string>3G47DU9NXM</string>
		<string>3T5GSNBU6W</string>
		<string>4C6364ACXT</string>
		<string>54GTJ2AU36</string>
		<string>6KR3T733EC</string>
		<string>6LS4845VS3</string>
		<string>73YQY62QM3</string>
		<string>7J8K6Q87RJ</string>
		<string>8J7TAMPT4P</string>
		<string>9PTGMPNXZ2</string>
		<string>9VB857J7CD</string>
		<string>9ZGFBWLSYP</string>
		<string>CPQQ3AW49Y</string>
		<string>DE8Y96K9QP</string>
		<string>E56RCXEQ93</string>
		<string>EG27766DY7</string>
		<string>EG7KH642X6</string>
		<string>G43BCU2T37</string>
		<string>G7HH3F8CAK</string>
		<string>J6L96W8A86</string>
		<string>PLT8TQHCAJ</string>
		<string>QED4VVPZWA</string>
		<string>U42NNPDKG7</string>
		<string>VB5E2TV963</string>
		<string>WSG985FR47</string>
		<string>YZC2T44ZDX</string>
		<string>Z3L495V9L4</string>
	</array>
</dict>
</plist>

I feed that through mcxToProfile via:

mcxToProfile.py --plist com.apple.syspolicy.kernel-extension-policy.plist --identifier com.apple.syspolicy.kernel-extension-policy -g "Company Name" --displayname=com.apple.syspolicy.kernel-extension-policy --payloadtype com.apple.syspolicy.kernel-extension-policy -o ./com.apple.syspolicy.kernel-extension-policy.mobileconfig

That outputs:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadContent</key>
			<dict>
				<key>com.apple.syspolicy.kernel-extension-policy</key>
				<dict>
					<key>Forced</key>
					<array>
						<dict>
							<key>mcx_preference_settings</key>
							<dict>
								<key>AllowUserOverrides</key>
								<false/>
								<key>AllowedTeamIdentifiers</key>
								<array>
									<string>293UQF7R4S</string>
									<string>3G47DU9NXM</string>
									<string>3T5GSNBU6W</string>
									<string>4C6364ACXT</string>
									<string>54GTJ2AU36</string>
									<string>6KR3T733EC</string>
									<string>6LS4845VS3</string>
									<string>73YQY62QM3</string>
									<string>7J8K6Q87RJ</string>
									<string>8J7TAMPT4P</string>
									<string>9PTGMPNXZ2</string>
									<string>9VB857J7CD</string>
									<string>9ZGFBWLSYP</string>
									<string>CPQQ3AW49Y</string>
									<string>DE8Y96K9QP</string>
									<string>E56RCXEQ93</string>
									<string>EG27766DY7</string>
									<string>EG7KH642X6</string>
									<string>G43BCU2T37</string>
									<string>G7HH3F8CAK</string>
									<string>J6L96W8A86</string>
									<string>PLT8TQHCAJ</string>
									<string>QED4VVPZWA</string>
									<string>U42NNPDKG7</string>
									<string>VB5E2TV963</string>
									<string>WSG985FR47</string>
									<string>YZC2T44ZDX</string>
									<string>Z3L495V9L4</string>
								</array>
							</dict>
						</dict>
					</array>
				</dict>
			</dict>
			<key>PayloadEnabled</key>
			<true/>
			<key>PayloadIdentifier</key>
			<string>MCXToProfile.fcb6630c-f0c4-4363-b333-3f473a2bde64.alacarte.customsettings.6032b9d8-8e0a-4181-b7a4-5744b91522f0</string>
			<key>PayloadType</key>
			<string>com.apple.syspolicy.kernel-extension-policy</string>
			<key>PayloadUUID</key>
			<string>6032b9d8-8e0a-4181-b7a4-5744b91522f0</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>Included custom settings:
com.apple.syspolicy.kernel-extension-policy

Git revision: a0e04c60fc</string>
	<key>PayloadDisplayName</key>
	<string>com.apple.syspolicy.kernel-extension-policy</string>
	<key>PayloadIdentifier</key>
	<string>com.apple.syspolicy.kernel-extension-policy</string>
	<key>PayloadOrganization</key>
	<string>Company Name</string>
	<key>PayloadRemovalDisallowed</key>
	<true/>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>fcb6630c-f0c4-4363-b333-3f473a2bde64</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

poundbangbash avatar Nov 10 '17 15:11 poundbangbash

I can see why you'd want to be able to do this, although we probably could have made an argument for a while to include any of the many other PayloadTypes which Profile Manager has been able to generate, going on 7 years now. mcxToProfile was originally just meant as a mechanism to do with profiles what we were doing before with MCX, using Apple's managed client support.

I'm not necessarily opposed to the idea of allowing arbitrary payload types as a flag. However, because this seems (to me, at least) to be one of Apple's ways to extend its management capabilities via config profiles, how can we know that the profiles it would generate using other Payload Types would match other tools from Apple which are also able to generate profiles? One option could be that we state this is an experimental feature and it's just going to set the value to what you want without any other changes to the structure of the data.

timsutton avatar Nov 10 '17 21:11 timsutton
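As an added illustration of the two layouts under discussion (this is example code written for this page, not mcxToProfile's code or the PR mentioned above), the script below builds a profile from the kind of settings plist Eric posted, with the PayloadType supplied by the caller. It can emit either the MCX-style nesting shown in Eric's output (Forced / mcx_preference_settings under PayloadContent, which is what Tim's "set the value without any other changes to the structure" option produces) or a flat layout in which the settings keys sit directly in the payload dict. The flat layout is the one Apple's profile reference documents for native payload types such as com.apple.syspolicy.kernel-extension-policy; that statement is mine, not something this thread establishes. The function names, the com.example identifier, and the reduced team-ID list (a subset of the identifiers in Eric's plist) are all constructed for the example.

```python
"""Build a .mobileconfig from a plain settings dict and a caller-chosen PayloadType."""
import plistlib
import uuid

# Constructed sample input: a subset of the team identifiers from the plist in the thread.
SAMPLE_SETTINGS = {
    "AllowUserOverrides": False,
    "AllowedTeamIdentifiers": ["293UQF7R4S", "3G47DU9NXM", "EG7KH642X6"],
}

# Keys every inner payload must carry for macOS to accept the profile.
REQUIRED_PAYLOAD_KEYS = {"PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion"}


def build_payload(settings, payload_type, domain, profile_uuid, mcx_wrap):
    """Return one entry for the profile's PayloadContent array.

    mcx_wrap=True reproduces the ManagedClient.preferences nesting shown in the thread;
    mcx_wrap=False copies the settings keys straight into the payload dict (flat layout).
    """
    payload_uuid = str(uuid.uuid4())
    payload = {
        "PayloadEnabled": True,
        "PayloadType": payload_type,
        # Same identifier scheme as the mcxToProfile output quoted above.
        "PayloadIdentifier": f"MCXToProfile.{profile_uuid}.alacarte.customsettings.{payload_uuid}",
        "PayloadUUID": payload_uuid,
        "PayloadVersion": 1,
    }
    if mcx_wrap:
        payload["PayloadContent"] = {
            domain: {"Forced": [{"mcx_preference_settings": dict(settings)}]}
        }
    else:
        # A flat payload shares its namespace with the Payload* keys, so refuse collisions.
        for key in settings:
            if key.startswith("Payload"):
                raise ValueError(f"settings key {key!r} would shadow a reserved profile key")
        payload.update(settings)
    return payload


def build_profile(settings, payload_type, identifier, organization, display_name, mcx_wrap=False):
    """Assemble the outer Configuration profile around a single payload."""
    profile_uuid = str(uuid.uuid4())
    return {
        "PayloadContent": [build_payload(settings, payload_type, identifier, profile_uuid, mcx_wrap)],
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": identifier,
        "PayloadOrganization": organization,
        "PayloadRemovalDisallowed": True,
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": profile_uuid,
        "PayloadVersion": 1,
    }


def check_profile(profile):
    """Return a list of structural problems; an empty list means the skeleton looks sane."""
    problems = []
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    seen = {profile.get("PayloadUUID")}
    for i, payload in enumerate(profile.get("PayloadContent", [])):
        missing = REQUIRED_PAYLOAD_KEYS - payload.keys()
        if missing:
            problems.append(f"payload {i} missing {sorted(missing)}")
        if payload.get("PayloadUUID") in seen:
            problems.append(f"payload {i} reuses UUID {payload.get('PayloadUUID')}")
        seen.add(payload.get("PayloadUUID"))
        if payload.get("PayloadType") == "com.apple.ManagedClient.preferences" and "PayloadContent" not in payload:
            problems.append(f"payload {i} is an MCX payload without PayloadContent")
    return problems


def to_mobileconfig(profile):
    """Serialise as the XML plist macOS expects inside a .mobileconfig."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def round_trips(profile):
    """True if the profile survives XML serialisation and parsing unchanged."""
    return plistlib.loads(to_mobileconfig(profile)) == profile


if __name__ == "__main__":
    prof = build_profile(SAMPLE_SETTINGS, "com.apple.syspolicy.kernel-extension-policy",
                         "com.example.kext-policy", "Company Name", "Kext policy")
    assert check_profile(prof) == []
    print(to_mobileconfig(prof).decode())
```

Running the script prints the flat-layout profile; `plutil -lint` on the saved file is a cheap syntax check, but neither that nor `check_profile` tells you whether macOS will honour the payload's keys for a given PayloadType, which is exactly the gap Tim raises. Treat the flat layout as the starting point for a test profile and confirm behaviour on a UAMDM-enrolled test machine.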

This is definitely experimental. My typical use case for this tool is for non-Apple payloads. I use Apple’s tools (Profile Manager or Configurator) for Apple specific domains to make sure the necessary bits are in the profile. Since I haven’t seen this new kext payload type available in their tools it got me thinking on how to systematically create test profiles.

-Eric


poundbangbash avatar Nov 11 '17 02:11 poundbangbash