
macOS Major version specific Audit preference file domains

Open DavidRvrsR3 opened this issue 8 months ago • 1 comment

Problem to solve

Within some MDM solutions, like Intune, device inventory is updated too slowly to prevent the mSCP shell script from running against an old audit file, potentially resulting in unwanted behaviour on the clients.

Intended users

All sysadmins within Intune and potentially other MDMs that have slow device inventory updates.

Further details

By making this change, wider and more stable adoption is possible. Additionally, it will be less likely that a system will have multiple audit preferences configured, resulting in a script error.

Proposal

Instead of using the generic org.cis_lvl{CIS_Level}.audit, we could move to macOS-version-specific naming, org.macOS{macOS_major_version}_cis_lvl{CIS_Level}.audit, with additional checks in the script to ensure both the OS version and the audit file match the expected conditions (e.g. if you run the Sequoia script, check that macOS 15 is the current version of the OS and that the expected audit file is present with the correct CIS level of the generated script).

Documentation

Intune documentation points out it can take up to 7 days to register the device's OS upgrade: https://learn.microsoft.com/en-us/intune/intune-service/remote-actions/device-inventory Once the device inventory has been updated, it could take an additional 24 hours to update the dynamic device group running the script, whereas the preference file could already be installed if you are utilising filters for this: https://learn.microsoft.com/en-us/entra/identity/users/manage-dynamic-group

During this span you wouldn't want to be using a mismatched script and configuration, unbeknownst to anyone; these additional checks would prevent that.

Testing

When this change has passed, a big notifier should be included that the audit configuration domain prerequisites have changed, warning people of the impact and that their internal scripts need updating.

What does success look like, and how can we measure that?

A wider range of adoption including a clearer path to a growing MDM solution like Intune and most likely others.

Links / references

https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/filters

DavidRvrsR3 avatar Apr 30 '25 12:04 DavidRvrsR3
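The pre-flight check the proposal describes, written out as an added example; this is not code from the macos_security project or from the issue author. It assumes the version-specific file name from the proposal (org.macOS{major}_cis_lvl{level}.audit.plist) and that the audit preference files live under /Library/Preferences, which is an assumption about mSCP's layout rather than something stated in the issue. The functions take the OS version string and the preferences directory as arguments so the logic can be exercised without a real macOS host; the live call at the bottom shows how a generated script would wire it up.

```bash
#!/bin/bash
# Added example: refuse to run the compliance script unless the running OS major
# version and the installed audit preference file both match what the script
# was generated for. Placeholders: expected_major / expected_level would be
# baked in by the script generator.
expected_major="15"   # placeholder: macOS major version the script targets
expected_level="1"    # placeholder: CIS level the script was generated for

# check_os_major <actual_product_version> <expected_major>
# Compares only the major component ("15.4.1" -> "15").
check_os_major() {
  local actual="$1" expected="$2"
  [ "${actual%%.*}" = "$expected" ]
}

# check_audit_file <prefs_dir> <major> <level>
# Succeeds only when the version-specific audit plist exists AND it is the only
# org.*.audit.plist present (the issue's "multiple audit preferences" failure mode).
check_audit_file() {
  local prefs_dir="$1" major="$2" level="$3"
  local expected="$prefs_dir/org.macOS${major}_cis_lvl${level}.audit.plist"
  [ -f "$expected" ] || return 1
  local count
  count=$(find "$prefs_dir" -maxdepth 1 -name 'org.*.audit.plist' | wc -l)
  [ "$count" -eq 1 ]
}

# preflight <os_product_version> <prefs_dir>
# Exit codes: 0 ok, 2 OS mismatch, 3 audit file missing or ambiguous.
preflight() {
  local os_version="$1" prefs_dir="$2"
  if ! check_os_major "$os_version" "$expected_major"; then
    echo "OS major ${os_version%%.*} does not match expected $expected_major; aborting" >&2
    return 2
  fi
  if ! check_audit_file "$prefs_dir" "$expected_major" "$expected_level"; then
    echo "Expected audit file missing, or multiple audit files present; aborting" >&2
    return 3
  fi
  return 0
}

# Live invocation on a macOS host (assumed layout; not run here):
# preflight "$(sw_vers -productVersion)" /Library/Preferences || exit $?
```

The second condition is deliberately strict: a stale org.cis_lvl1.audit.plist left behind from a previous OS version makes the check fail rather than silently picking one of two files, which is the ambiguity the issue wants to avoid while the MDM inventory catches up.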

You can really name a baseline file whatever you want. macOS15_cis_lvl1 for example. But not everyone wants or does that.

I also believe the fact that it takes so long for everything to happen (OS upgrades, dynamic groups) is a very Intune-specific problem.

robertgendler avatar Apr 30 '25 14:04 robertgendler