07 Jul Configuration Profiles In-depth – Part I
Overview
This blog post was created from the first part of a multi-part presentation at the June 2017 University of Utah MacAdmin meeting. It covers in-depth information on managing settings on Mac systems, including property list formats, naming, preference search paths, file system locations, and structure and parts. It also covers tools and methodologies to view, edit, compare and discover property list files to aid in managing configurations on a fleet of Mac systems.
To view the archived presentation, click here.
Why use Configuration Profiles?
There are multiple reasons to invest time and resources for implementing configuration profiles to manage settings & authorization on your managed Mac systems.
Profiles Approved & Supported Management Method from Apple
- Used on all platforms iOS, macOS, tvOS & watchOS
- Can be Managed using MDM Service (i.e. Apple Profile Manager, Jamf Pro, etc.)
Layered Management
- In general, configuration profiles can easily be installed and removed, which leaves the device or user settings intact.
Payloads
Apple maintains & supports complex settings & authorization management with configuration profiles, like 802.1x, Active Directory Binding/Certificates, etc.
System Integrity Protection (SIP)
This is a security feature of Apple’s macOS operating system introduced in OS X El Capitan. It includes a number of mechanisms that are enforced by the kernel. Primarily, it protects system-owned files and directories against modifications by processes without a specific “entitlement”, even when executed by the root user or a user with root privileges (sudo).
- A security feature of macOS operating system
- Protects system owned files & directories from modification
- Even executed by root user or user with root privileges
For more info see links below:
- Apple – About System Integrity Protection on your Mac
- Rich Trouton – System Integrity Protection Blog & Presentations
- Wikipedia – System Integrity Protection
Apple Increasing Protection
- Originally introduced in OS X 10.7 Lion
- Each OS release increasing implementation and restrictions
- Configuration Profiles “might be” the only option for secured settings
- Like Privacy Services restricted by SIP in macOS 10.12. We have a GitHub repository called “Privacy Services Manager” that was broken by the increased SIP protections in macOS 10.12.
Scripting
- Using configuration profiles helps alleviate the complexity of scripting, managing and updating settings, a burden on administrators, especially when operating system updates modify previous methods.
Workgroup Manager Compatibility
Workgroup Manager is part of OS X Server for directory-based management of users, groups and computers across a network. This is where an administrator could add, delete, and modify computer and user accounts and groups.
- Is no longer supported in Mac OS X 10.10 Yosemite or later
- Apple Article – OS X Server: Admin Tools Compatibility Information
Local MCX ≠ Workgroup Manager
- It uses local client flat database files
- Managed Client for OS X (MCX) Local Node
/var/db/dslocal/nodes/MCX/computers/local_machine.plist
- Apple never officially supported local MCX, but it was widely used by the MacAdmin community.
- Currently it works up to macOS 10.12.x, but an Apple software update could break it!!!
Migrate MCX to Configuration Profiles
- There are tools to help transition Managed Client for OS X (MCX) to configuration profiles.
Property Lists – Overview
Property lists are a critical part of implementing configuration profiles, and it is useful for anybody managing Macs to have solid knowledge & understanding of them.
About
- Property lists organize data into named values & lists of values
- It is used to store Application, System Settings, etc…
File Format
- ASCII – Old style format primarily for legacy support
- XML – Human-readable in the standards-based XML
- Binary – Not human-readable, but efficient & compact
Format Identification
- Binary
Uses the magic number (bplist ) to identify the file as binary. A magic number is a constant numerical or text value that is used to identify a file format.
When viewing the file in a text editor, look for the text bplist at the top of the file.
- Or use file command line tool to identify binary files:
file /path/to/binary.plist
- For example:
file ~/Library/Preferences/com.apple.dock.plist
/Users/u0105821/Library/Preferences/com.apple.dock.plist: Apple binary property list
Named After its Domain
- It is a unique namespace that the preferences implement
- Apple recommends using reverse domain name format
- Here is an example of the reverse Domain Name System (DNS) convention
[REGISTERED DOMAIN].[APPLICATION/SERVICE].[SPECIAL OPTION]
- For example:
Apple recommends using only upper or lower case (A-Z, a-z ), hyphen (– ), and period (. )
Application Unique Identifier
- The information Property List (Info.plist ) includes configuration information for the application. For example:
[APP NAME]/Contents/Info.plist
Apple recommends only using alphanumeric characters (A-Z, a-z, 0-9 ), hyphen (– ), and period (. )
- You can output application identifier using defaults command:
defaults read "/path/to/[APP NAME]/Contents/Info.plist" CFBundleIdentifier
- For example:
defaults read "/Applications/Web Browsers/Safari.app/Contents/Info.plist" CFBundleIdentifier
com.apple.Safari
- You can output application identifier using mdls command:
mdls -name kMDItemCFBundleIdentifier -raw /path/to/[APP NAME].app
- For example:
mdls -name kMDItemCFBundleIdentifier -raw "/Applications/Web Browsers/Safari.app"
com.apple.Safari
- You can output application identifier using lsappinfo command:
lsappinfo info -only bundleid [APP NAME]
- For example:
lsappinfo info -only bundleid "Safari"
"CFBundleIdentifier"="com.apple.Safari"
Global Preference Domain
This is the preference domain whose settings apply globally. This domain is called NSGlobalDomain .
- Finder – Show Extensions, Quit Menu, etc.
- Language – Set Language & Text Formats, etc.
- Menu Bar – Enable Transparency, Hide/Show Menu Bar, etc.
- Mouse/Trackpad – Enable Tap-to-Click, Disable Launchpad Gesture, etc.
- Keyboard – Key Repeat Rate, Enable Full Keyboard Access, etc.
- Printing – Default Paper Size, Expand Dialog, etc.
- Saving – Save to Disk not iCloud, Expand Dialog, etc.
- Scroll Bar – Always Show Scroll Bars, Disable Natural Scrolling, etc.
- Windows – Disable Window Animations, Expand Save Panel, etc.
For example:
The defaults command can use the domain NSGlobalDomain to show extensions for all filenames in Finder:
defaults write NSGlobalDomain AppleShowAllExtensions -bool true
Preference Domain Search Path
Apple’s Developer site has minimal documentation for MacAdmins on the preference domain search path.
- Apple Developer – Preference Domains Guide
Many presentations on this topic took the stance that this was poorly documented and unknown to MacAdmins…
The search depends on the scope, including application, user and computer (i.e. all or current). The workflow below outlines how the framework searches for property lists or keys and values.
- 1st Search Path – Current App – Current User – Current Computer
This applies to the scope of current application, current user & current computer.
For example, this would apply to the following path:
/Users/[CURRENT USER]/Library/Preferences/ByHost/[REGISTERED DOMAIN].[APP].[UUID].plist
For example, this is the path for iTunes for the 1st preference domain search path:
/Users/[CURRENT USER]/Library/Preferences/ByHost/com.apple.iTunes.FDA0C567-2199-5502-8D4F-9CACA18E9958.plist
UUID = Universal Unique Identifier
A universally unique identifier (UUID) is a 128-bit number used to identify information in computer systems. The term globally unique identifier (GUID) is also used on other platforms.
You can use the system_profiler command to output a Mac’s UUID:
system_profiler SPHardwareDataType | awk '/UUID/ { print $3; }'
You can output a custom UUID using the uuidgen command:
uuidgen | tr -d - | tr -d '\n' | tr '[:upper:]' '[:lower:]'
Or using python :
python -c 'import sys,uuid; sys.stdout.write(uuid.uuid4().hex)'
- 2nd Search Path – Current App – Current User – All Computers
This applies to the scope of current application, current user & all computers.
For example, this would apply to the following path:
/Users/[CURRENT USER]/Library/Preferences/[REGISTERED DOMAIN].[APP].plist
For example, this is the path for iTunes for the 2nd preference domain search path:
/Users/[CURRENT USER]/Library/Preferences/com.apple.iTunes.plist
- 3rd Search Path – All Apps – Current User – Current Computer
This applies to the scope of all applications, current user & current computer.
For example, this would apply to the following path:
/Users/[CURRENT USER]/Library/Preferences/ByHost/.GlobalPreferences.[UUID].plist
For example, this is the path for global setting for all applications scope:
/Users/[CURRENT USER]/Library/Preferences/ByHost/.GlobalPreferences.FDA0C567-2199-5502-8D4F-9CACA18E9958.plist
- 4th Search Path – All Apps – Current User – All Computers
This applies to the scope of all applications, current user & all computers.
For example, this would apply to the following path:
/Users/[CURRENT USER]/Library/Preferences/.GlobalPreferences.plist
For example, this is the path for global setting for all applications & all computers scope:
/Users/[CURRENT USER]/Library/Preferences/.GlobalPreferences.plist
- 5th Search Path – Current App – All Users – Current Computer
This applies to the scope of current application, all users & current computer.
For example, this would apply to the following path:
/Library/Preferences/[REGISTERED DOMAIN].[APP].plist
For example, this is the path for iTunes for the 5th preference domain search path:
/Library/Preferences/com.apple.iTunes.plist
- 6th Search Path – Current App – All Users – All Computers
This applies to the scope of current application, all users & all computers.
For example, this would apply to the following path:
/Network/Library/Preferences/[REGISTERED DOMAIN].[APP].plist
Not Implemented – The pair “all users — all computers” would require a central network repository. The framework supports the functionality, but it is NOT implemented.
- 7th Search Path – All Apps – All Users – Current Computer
This applies to the scope of all applications, all users & current computer.
For example, this would apply to the following path:
/Library/Preferences/.GlobalPreferences.plist
For example, this is the path for global setting for all applications & all users scope:
/Library/Preferences/.GlobalPreferences.plist
- 8th Search Path – All Apps – All Users – All Computers
This applies to the scope of all applications, all users & all computers.
For example, this would apply to the following path:
/Network/Library/Preferences/.GlobalPreferences.plist
Not Implemented – The pair “all users — all computers” would require a central network repository. The framework supports the functionality, but it is NOT implemented.
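The eight-step search order above, as an added example (not code from the presentation): it builds the candidate paths for a domain and reports which file supplies a key and which lower-priority files are shadowed. The domain, user, UUID and key names are constructed, and the code reads files directly under a chosen root, so it does not see cfprefsd's cache or managed preferences.

```python
import os
import plistlib
import tempfile
from xml.parsers.expat import ExpatError

# Search order exactly as listed on this page (1st to 8th).
# Each entry: (scope, path template relative to the filesystem root).
SEARCH_ORDER = [
    ("app, user, this computer",
     "Users/{user}/Library/Preferences/ByHost/{domain}.{uuid}.plist"),
    ("app, user, all computers",
     "Users/{user}/Library/Preferences/{domain}.plist"),
    ("all apps, user, this computer",
     "Users/{user}/Library/Preferences/ByHost/.GlobalPreferences.{uuid}.plist"),
    ("all apps, user, all computers",
     "Users/{user}/Library/Preferences/.GlobalPreferences.plist"),
    ("app, all users, this computer",
     "Library/Preferences/{domain}.plist"),
    ("app, all users, all computers (not implemented)",
     "Network/Library/Preferences/{domain}.plist"),
    ("all apps, all users, this computer",
     "Library/Preferences/.GlobalPreferences.plist"),
    ("all apps, all users, all computers (not implemented)",
     "Network/Library/Preferences/.GlobalPreferences.plist"),
]

# Constructed sample identity and keys, not taken from a real system.
DEMO_DOMAIN = "com.example.notes"
DEMO_USER = "alice"
DEMO_UUID = "00000000-0000-0000-0000-000000000000"


def candidate_paths(domain, user, uuid, root="/"):
    """Return [(scope, absolute path)] in search order."""
    return [
        (scope, os.path.join(root, tmpl.format(domain=domain, user=user, uuid=uuid)))
        for scope, tmpl in SEARCH_ORDER
    ]


def resolve(key, domain, user, uuid, root="/"):
    """Find `key` the way the search path does: the first file defining it wins.

    Returns None if no file defines the key, otherwise a dict with the
    winning value, its scope and path, and the lower-priority paths that
    also define the key (shadowed, so their values are never used).
    """
    hits = []
    for scope, path in candidate_paths(domain, user, uuid, root):
        try:
            with open(path, "rb") as fh:
                data = plistlib.load(fh)  # handles XML and binary plists
        except (OSError, plistlib.InvalidFileException, ExpatError, ValueError):
            continue  # missing, unreadable or malformed file: skip it
        if isinstance(data, dict) and key in data:
            hits.append((scope, path, data[key]))
    if not hits:
        return None
    scope, path, value = hits[0]
    return {"value": value, "scope": scope, "path": path,
            "shadowed": [p for _, p, _ in hits[1:]]}


def build_demo_tree():
    """Create a constructed preferences tree in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="prefs-demo-")
    paths = [p for _, p in candidate_paths(DEMO_DOMAIN, DEMO_USER, DEMO_UUID, root)]
    samples = {
        # 2nd search path: user-level file, XML format
        paths[1]: ({"AutoLock": False}, plistlib.FMT_XML),
        # 5th search path: machine-level file, binary format
        paths[4]: ({"AutoLock": True, "Timeout": 300}, plistlib.FMT_BINARY),
    }
    for path, (content, fmt) in samples.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            plistlib.dump(content, fh, fmt=fmt)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for demo_key in ("AutoLock", "Timeout", "Missing"):
        print(demo_key, "->", resolve(demo_key, DEMO_DOMAIN, DEMO_USER, DEMO_UUID, demo_root))
```

In the constructed tree the user-level file answers for AutoLock and shadows the machine-level value, which is the reason a setting written only under /Library/Preferences acts as a default that any user-level file can override.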
Preference Domain Search Path User & Application Example
Below is an animation outlining the preference domain search path in regards to a user and application.
Property List Locations
Property lists exist in multiple locations on the macOS file system.
- Application Bundles
The basic structure of a Mac app bundle is very simple. At the top-level of the bundle is a directory named Contents . This directory contains everything, including the resources, executable code, private frameworks, private plug-ins, and support files needed by the application.
[MyApp].app/Contents/Info.plist
- Library -> Preferences
/Library/Preferences
- Users -> [CURRENT USER] -> Library -> Preferences
/Users/[CURRENT USER]/Library/Preferences/
- Users -> [CURRENT USER] -> Library -> Preferences -> ByHost
/Users/[CURRENT USER]/Library/Preferences/ByHost
- Application Sandbox
App Sandbox is an access control technology provided in macOS, enforced at the kernel level. It is designed to contain damage to the system and the user’s data if an app becomes compromised. Apps distributed through the Mac App Store must adopt App Sandbox. Apps signed and distributed outside of the Mac App Store with Developer ID can (and in most cases should) use App Sandbox as well.
/Users/[CURRENT USER]/Library/Containers/[PREFERENCE DOMAIN]/Data/Library/Preferences
- App Group Sandbox
A sandboxed app can specify an entitlement that gives it access to one or more app group container directories, each of which is shared among all apps with that entitlement. For example, Microsoft Office 2016 used an app group container that can be applied to the entire software suite.
/Users/[CURRENT USER]/Library/Group Containers/[PREFERENCE DOMAIN]/Data/Library/Preferences
- launchd
launchd is a unified service management framework for starting, stopping and managing daemons, applications, processes, and scripts. Written and designed by Dave Zarzycki at Apple, it was introduced with Mac OS X 10.4 “Tiger”. It uses property lists to describe the configuration details of a daemon or agent.
LaunchDaemons
LaunchDaemons property list files can be found at the following locations:
/Library/LaunchDaemons
/System/Library/LaunchDaemons
LaunchAgents
LaunchAgents property list files can be found at the following locations:
/Users/[USER NAME]/Library/LaunchAgents
/Library/LaunchAgents
/System/Library/LaunchAgents
- Miscellaneous
There are many other locations for property lists throughout the file system. For example…
/usr
/var
- Which Property Lists Can or Can’t Be Managed?
The following property list locations can or can’t be managed with configuration profiles.
Locations that CAN NOT be managed:
Locations that CAN be managed:
Viewing Property List Files
- Quick Look
Quick Look is a quick preview feature built into the operating system; it was introduced in Mac OS X 10.5 Leopard. It allows users to look at the contents of a file in the Finder at full or near-full size, depending on the size of the document relative to the screen resolution. It can preview files such as PDFs, HTML, QuickTime readable media, plain text and RTF text documents, iWork (Keynote, Pages, and Numbers) documents, ODF documents, Microsoft Office (Word, Excel, and PowerPoint) files (including OOXML), and RAW camera images.
It can display property list files in binary & XML format without manually converting binary files.
- BBEdit
BBEdit is a commercial text editor made by Bare Bones Software, originally developed for Macintosh System 6, and currently supporting the latest macOS release, macOS 10.12 Sierra. It is designed for use by software developers and web designers, but is simple and powerful enough to be used by a wide audience. It has native support for many programming languages, and custom modules can be created by users to support any language. The application supports multi-file text searching capabilities including support for Perl-compatible regular expressions.
With the announcement of phasing out the popular TextWrangler text editor, it includes an unlicensed mode with the same features as TextWrangler.
It can display property list files in binary & XML format without manually converting binary files.
- PlistEdit Pro
PlistEdit Pro is an advanced commercial property list and JSON editor written for macOS. It offers powerful find and replace functionality, as well as structure definitions which provide easy access to commonly used keys in various standard property list files. Browse through your preferences, or search an entire folder of plist files at once for a particular key or value. It also enables automation of tasks involving property lists, via its AppleScript support and its pledit command line tool.
It can display property list files in binary & XML format without manually converting binary files.
- PrefEdit
PrefEdit is a commercial application that can manage nearly all aspects of the preference system on macOS. It includes a property list browser and editor and a browser for preference manifest files, and you can use it to display and edit all files compliant with Apple’s property list standard. It supports the “Versions” feature of macOS and can be used to restore old versions of a file you have edited with PrefEdit.
It can display property list files in binary & XML format without manually converting binary files.
- Xcode
Xcode is an integrated development environment for macOS containing a suite of software development tools developed by Apple for developing software for macOS, iOS, watchOS and tvOS. It was first released in 2003 and is available via the Mac App Store free of charge. Xcode supports source code for the programming languages C, C++, Objective-C, Objective-C++, Java, AppleScript, Python, Ruby, ResEdit (Rez), and Swift, with a variety of programming models, including but not limited to Cocoa, Carbon, and Java.
It can display property list files in binary & XML format without manually converting binary files.
- Convert Binary to XML File
If you want to use text editors that can’t automatically convert binary to XML, you will need to convert the property list prior to viewing.
Using the plutil command line utility:
plutil -convert xml1 /path/to/binary.plist -o /path/to/xml.plist
Using the xmllint command line utility:
xmllint --format /path/to/binary.plist --output /path/to/xml.plist
Then you can use any text editor to view property list in XML format like TextMate, Sublime, pico, vi, emacs, etc.
- Viewing Property List Key/Value Pairs
Property list files contain key/value pairs that define a setting.
Using the defaults command line utility with domain:
defaults read [DOMAIN]
For example, outputting the key/values for the Dock domain:
defaults read com.apple.dock
{
    autohide = 0;
    "checked-for-launchpad" = 1;
    "last-messagetrace-stamp" = "513038197.270103";
    "mod-count" = 250;
    "persistent-apps" = (
        {
            GUID = 1866467815;
            . . .
Using the defaults command line utility to arbitrary path:
defaults read /path/to/[PROPERTY LIST].plist
Or specifying associated application:
defaults read -app [APP NAME]
Property Lists – Anatomy (Structure & Parts)
- Document Type Definition
Document Type Definition (DTD) is a set of markup declarations that define a document type. It appears at the start of all property list files:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
Example property list structure:
- Creating Skeleton Property List
Skeleton code is basically a preset of code that can be seen as a starting point, easing the burden of creating property lists with key/values you want to manage.
Using defaults command:
defaults export [PREF DOMAIN] /path/to/name.plist
For example:
defaults export edu.lib.utah.skeleton.plist ~/Desktop/edu.lib.utah.skeleton.plist
Or other tools like PlistEdit Pro, etc.
- What is a setting?
With property lists, a setting consists of three primary items.
(1) Name – Or property key uniquely identifies the setting.
<key>[PROPERTY KEY NAME]</key>
(2) Value – Includes the content of the named property key.
<type>[VALUE]</type>
(3) Type – The type of value that defines how it's interpreted.
Array = <array>
Boolean = <true/> or <false/>
Data = <data>
Date = <date>
Dictionary = <dict>
Integer Number = <integer>
Real Number = <real>
String = <string>
- Array
An array is an ordered list of one or more types. It can include arrays & dictionaries.
Basic example:
<array>
    <TYPE>[PROPERTY KEY CONTENT]</TYPE>
    <TYPE>[PROPERTY KEY CONTENT]</TYPE>
</array>
Data type example:
<array>
    <data>[PROPERTY KEY CONTENT]</data>
</array>
String type example:
<array>
    <string>[PROPERTY KEY CONTENT]</string>
</array>
Nested array example:
<array>
    <array>
        <TYPE>[PROPERTY KEY CONTENT]</TYPE>
        <TYPE>[PROPERTY KEY CONTENT]</TYPE>
    </array>
</array>
- Boolean
Can be either the value true or false. Tags are <true/> or <false/> , or the upper case variants <TRUE/> or <FALSE/> can work. The number 0 is interpreted as false and any other number is true.
Basic example:
<key>[PROPERTY KEY NAME]</key>
<true/>
<key>[PROPERTY KEY NAME]</key>
<false/>
- Data
Is encoded content in between tags.
Here is a basic example:
<key>[PROPERTY KEY NAME]</key>
<data>[VALUE]</data>
Decoding it is useful to debug/investigate property lists or settings. Base64 is an encoding, not encryption: anyone who can read the file can decode the content.
For example, encoding to base64 :
echo 'secret' | openssl base64
c2VjcmV0Cg==
For example, decoding from base64 content:
echo 'c2VjcmV0Cg==' | openssl base64 -d
secret
Decoding base64 from a property list file:
defaults read /path/to/[NAME].plist [KEY] | openssl base64 -d
defaults read [DOMAIN] [KEY] | openssl base64 -d
- Date
Contains date, time & time zone.
Property list basic example:
<key>[PROPERTY KEY NAME]</key>
<date>[VALUE]</date>
Is stored in ISO 8601 format.
YYYY-MM-DD HH:MM:SS timezone
Example of outputting a timestamp in ISO 8601 format using the date command:
date -u +%FT%TZ
2017-05-08T22:54:52Z
- Dictionary
Is the most complex property list type. It consists of key/value pairs and can include arrays & dictionaries.
Basic example:
<dict>
    <key>[PROPERTY KEY NAME]</key>
    <type>[VALUE]</type>
</dict>
Array example:
<dict>
    <key>[PROPERTY KEY NAME]</key>
    <array>
        <TYPE>[PROPERTY KEY CONTENT]</TYPE>
        <TYPE>[PROPERTY KEY CONTENT]</TYPE>
    </array>
</dict>
Nested dictionary example:
<dict>
    <key>[PROPERTY KEY NAME]</key>
    <dict>
        <key>[PROPERTY KEY NAME]</key>
        <type>[VALUE]</type>
    </dict>
</dict>
- Integer
Is a whole number (not a fraction) and can be positive, negative, or zero, but cannot have decimal places.
Basic example:
<key>[PROPERTY KEY NAME]</key>
<integer>[VALUE]</integer>
- Real
Are floating point numbers. Have both a whole and fractional component and can be positive, negative, fractional & exponential.
Basic example:
<key>[PROPERTY KEY NAME]</key>
<real>[VALUE]</real>
- String
Are alphanumeric characters of arbitrary length.
Basic example:
<key>[PROPERTY KEY NAME]</key>
<string>[VALUE]</string>
Editing Property List Files
- cfprefsd – Caching Mechanism
Is an Application Programming Interface (API) that was included with Mac OS X 10.8 and later. It caches information for on-disk property list files and asynchronously writes to files. Directly modifying property list files will have unexpected results.
CFPREFSD(8)               BSD System Manager's Manual              CFPREFSD(8)

NAME
     cfprefsd -- defaults server

SYNOPSIS
     cfprefsd

DESCRIPTION
     cfprefsd provides preferences services for the CFPreferences and NSUserDefaults APIs.

     There are no configuration options to cfprefsd manually.

Mac OS X                      October 25th, 2011                      Mac OS X
- Outputting Preferences Read & Writes
You can track preference reads & writes using the signal SIGUSR1 .
For example, using the killall command will output files to /tmp :
killall -USR1 cfprefsd
cat /tmp/cfprefsddump*.txt
==> /tmp/cfprefsddump(2179:515113890.765352).txt <==
*****************************************************
Domain: 2BUA8C4S2C.com.agilebits.onepassword-osx-helper
User: kCFPreferencesAnyUser
Container: (null)
Path: /Library/Managed Preferences/2BUA8C4S2C.com.agilebits.onepassword-osx-helper.plist
plist data:(null)
shmem index:503
dirty:0
byHost:1
mode:644
isMultiProcess:1
==> /tmp/cfprefsddump(2341:515113890.771545).txt <==
*****************************************************
- PlistBuddy
Popular utility with the MacAdmin community that is great for modifying complex property list structures, but does NOT support cfprefsd with cached data.
/usr/libexec/PlistBuddy --help
Command Format:
    Help - Prints this information
    Exit - Exits the program, changes are not saved to the file
    Save - Saves the current changes to the file
    Revert - Reloads the last saved version of the file
    Clear [<Type>] - Clears out all existing entries, and creates root of Type
    Print [<Entry>] - Prints value of Entry. Otherwise, prints file
    Set <Entry> <Value> - Sets the value at Entry to Value
    Add <Entry> <Type> [<Value>] - Adds Entry to the plist, with value Value
    Copy <EntrySrc> <EntryDst> - Copies the EntrySrc property to EntryDst
    Delete <Entry> - Deletes Entry from the plist
    Merge <file.plist> [<Entry>] - Adds the contents of file.plist to Entry
    Import <Entry> <file> - Creates or sets Entry the contents of file
Better solution(s):
– Move to configuration profile where possible.
– Migrate to tools that support cfprefsd like defaults command, python with PyObjC CoreFoundation Framework or PlistEdit & PrefEdit applications for a few modifications.
- defaults
Is a popular tool with the MacAdmin community, great for working with simple property list structures, and supports cfprefsd with cached data.
defaults write [DOMAIN] [KEY | VALUE]
Better solution(s):
– Move to configuration profile where possible.
– Migrate to a more fine-grained and featured configuration management environment (i.e. Chef, Puppet, etc.), or python with PyObjC CoreFoundation Framework or PlistEdit & PrefEdit applications for a few modifications.
- Python PyObjC CoreFoundation
Is a method to translate Objective-C into Python. It is great for scripting macOS native frameworks and supports cfprefsd with cached data.
For example, setting Safari Flash Player restriction:
#!/usr/bin/python
import CoreFoundation

# Plug-in policy dictionary, keyed by the plug-in's bundle identifier
ManagedPlugInPolicies = {
    "com.macromedia.Flash Player.plugin": {
        "PlugInFirstVisitPolicy": "PlugInPolicyAllowNoSecurityRestrictions",
    },
}

# Write the value through CFPreferences (and therefore cfprefsd), then flush it
CoreFoundation.CFPreferencesSetAppValue("ManagedPlugInPolicies", ManagedPlugInPolicies, "com.apple.Safari")
CoreFoundation.CFPreferencesAppSynchronize("com.apple.Safari")
Better solution(s):
– Move to configuration profile where possible.
– Migrate to a more fine-grained and featured configuration management environment (i.e. Chef, Puppet, etc.).
- Workarounds
If you must use tools that don’t support cfprefsd, like plutil, PlistBuddy, BBEdit (other text editors) or the Python plistlib module, you could try these workarounds to minimize unexpected results from cached data.
Don’t edit property lists on a booted system. Edit them offline, as with imaging using tools like DeployStudio, etc.
Quit & restart the corresponding application or process:
killall [APPLICATION NAME]
Force cfprefsd to read property list data:
killall -HUP cfprefsd
defaults read /path/to/modified.plist
Comparing Property List Files
To discover which settings or keys/values were modified, it is useful to compare a property list’s before and after state.
- BBEdit
BBEdit has support for comparing Binary & XML property list files or directory of property list files. This allows you to discover which property list files were modified or which key/values of a specific property list file.
- bbdiff
bbdiff is a command line tool included with BBEdit. It allows specifying two files or folders and comparing them.
bbdiff /path/to/before.plist /path/to/after.plist
- Kaleidoscope
Kaleidoscope is an advanced commercial graphical comparison application for Mac that supports text, folder and image comparison, but doesn’t support automatic binary file conversion.
- Convert Binary to XML File
You can convert binary files to XML, then you can use any comparison tool you prefer.
Like the command line diff tool:
diff /path/to/before.plist /path/to/after.plist
For example:
diff /path/to/before/com.apple.dock.plist /path/to/after/com.apple.dock.plist
4a5,6
> <key>autohide</key>
> <true/>
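A before/after comparison that does not need a conversion step, as an added example (not part of the original presentation): Python's plistlib reads binary and XML property lists alike, so the comparison can be made on keys and values instead of on text lines. The sample files are constructed from the Dock keys shown earlier on this page.

```python
import os
import plistlib
import tempfile


def load_plist(path):
    """Load a property list; plistlib detects XML vs binary by itself."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def flatten(node, prefix=""):
    """Yield (entry path, value) for every leaf, PlistBuddy-style (a:0:b)."""
    if isinstance(node, dict) and node:
        for key in sorted(node):
            yield from flatten(node[key], f"{prefix}:{key}" if prefix else key)
    elif isinstance(node, list) and node:
        for index, item in enumerate(node):
            yield from flatten(item, f"{prefix}:{index}" if prefix else str(index))
    else:
        yield prefix, node  # scalar, or an empty dict/array kept as a leaf


def diff_plists(before_path, after_path):
    """Return the entries added, removed and changed between two plists."""
    before = dict(flatten(load_plist(before_path)))
    after = dict(flatten(load_plist(after_path)))
    changed = {}
    for entry in before.keys() & after.keys():
        old, new = before[entry], after[entry]
        # Compare types as well: in Python True == 1, but <true/> and
        # <integer>1</integer> are different property list values.
        if type(old) is not type(new) or old != new:
            changed[entry] = (old, new)
    return {
        "added": {e: after[e] for e in after.keys() - before.keys()},
        "removed": {e: before[e] for e in before.keys() - after.keys()},
        "changed": changed,
    }


def write_demo_pair():
    """Write a constructed before (binary) / after (XML) pair; return both paths."""
    tmp = tempfile.mkdtemp(prefix="plist-diff-")
    before = {
        "checked-for-launchpad": 1,
        "last-messagetrace-stamp": "513038197.270103",
        "mod-count": 250,
        "persistent-apps": [{"GUID": 1866467815}],
    }
    after = {
        "autohide": True,               # new key
        "checked-for-launchpad": True,  # integer became boolean
        "mod-count": 251,               # value changed
        "persistent-apps": [{"GUID": 1866467815}],
    }
    before_path = os.path.join(tmp, "before.plist")
    after_path = os.path.join(tmp, "after.plist")
    with open(before_path, "wb") as fh:
        plistlib.dump(before, fh, fmt=plistlib.FMT_BINARY)
    with open(after_path, "wb") as fh:
        plistlib.dump(after, fh, fmt=plistlib.FMT_XML)
    return before_path, after_path


if __name__ == "__main__":
    result = diff_plists(*write_demo_pair())
    for section in ("added", "removed", "changed"):
        for entry, value in sorted(result[section].items()):
            print(f"{section:8} {entry} = {value!r}")
```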
Examples & Resources
Here are some resources that give you examples of property list, application or process settings modification and examples.
- TinkerTool
TinkerTool is a macOS freeware application, which allows modifications to some preferences for Apple applications and operating system. All preferences settings can be reset to previous state.
- defaults-write.com
defaults-write.com is a web site that outlines macOS preference modifications. It covers multiple OS versions (OS X 10.5 – OS X 10.11), is searchable and includes command line examples.
- GitHub
GitHub is a web-based version control & Internet hosting service. It uses Git for version control & source code management and allows the community to share code, etc.
- Kevin Suttle – awesome-osx-command-line
- Marcel Bischoff – macOS-Defaults
- Hannes Juutilainen – macOS-Defaults
- Google-fu
Simply do an internet search for the property list or configuration profile, key/values or setting you want to modify.
Summary
Here is the summary of the basic process of managing settings:
- Define Setting(s) You Want to Manage
This depends on many factors like culture at your organization, policies, end-users, administrator, etc.
- Find Property List(s) that Manages Setting(s)
This could be using online resources, finding the property list preference domain, etc.
Use online resources:
Find Preference Domain:
Use tools to track down application or process preference domain.
defaults read "/path/to/[APP NAME]/Contents/Info.plist" CFBundleIdentifier
Monitor Filesystem:
You can monitor the filesystem like file reads & writes to track down property lists responsible for setting.
For example, using opensnoop to monitor an application…
opensnoop -n [APP NAME]
opensnoop tracks file opens and uses DTrace . As a process issues a file open, details such as UID, PID and pathname are printed out.
For example, using fs_usage to monitor an application…
fs_usage [APP NAME]
fs_usage utility presents an ongoing display of system call usage information pertaining to filesystem activity.
These tools output an extreme amount of data like drinking from a firehose, but can get the job done.
There is a command line tool that is an FSEvents client called filemon that is useful tracking down activity associated with property lists.
For example, using filemon to monitor and only output cfprefsd activity:
filemon -f /path/to/directory | grep cfprefsd
There are graphical applications that can monitor the file system like Jamf Composer:
A popular application with MacAdmins called fseventer is no longer being developed and doesn’t support newer operating systems.
- Modified Files
You can search known locations for property list files and track modifications.
For example, you can use the ls or find commands to output last modified files:
ls -tp /path/to/directory | grep -v /$ | head -10
find /path/to/directory -type f -cmin -5
Or you could use Finder and setup an advanced search:
- Snapshot
A snapshot is the state of a system at a particular point in time. The term was coined as an analogy to that in photography.
Manual – You can manually back up known locations or specific property list files at the before state and then compare them to the after state.
Tripwire – You can use a tripwire system, like radmind, to track the known state of the entire filesystem, directories or specific files to find modified property list files.
Jamf Composer also has the ability to snapshot the filesystem.
- Find Modified Keys & Values
Manually – Review property list file key/value pairs and test modifications.
Compare – Use tools like BBEdit, bbdiff or diff to compare the before & after states of property lists.
For example, using the BBEdit bbdiff command to compare before & after property list files:
bbdiff /path/to/before.plist /path/to/after.plist
For example, using diff command to compare before & after property list files:
diff /path/to/before.plist /path/to/after.plist
- Test
Use a tool to test that the key/value modification works correctly. If it does, then create a skeleton property list with the keys/values.
For example, here is a skeleton property list with only the key/value to enable the Dock’s autohide feature.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>autohide</key>
    <true/>
</dict>
</plist>
Next, you are ready to create/test a configuration profile. The configuration profile process/details will be presented at our next campus MacAdmin meeting and blog will follow.
Chris
Posted at 20:24h, 10 January
great resource. Thanks!