Configuration Profiles In-depth – Part I


Overview


This blog was created from the first part of a multi-part presentation given at the June 2017 University of Utah MacAdmin meeting. It covers in-depth information on managing settings on Mac systems, including the property list format, naming, preference search paths, file system locations, and structure and parts, along with tools and methodologies to view, edit, compare and discover property list files to aid in managing configurations on a fleet of Mac systems.

To view the archived presentation, click here.


Why use Configuration Profiles?


There are multiple reasons to invest time and resources in implementing configuration profiles to manage settings & authorization on your managed Mac systems.

Profiles Approved & Supported Management Method from Apple

  • Used on all Apple platforms: iOS, macOS, tvOS & watchOS


Layered Management

  • In general, configuration profiles can easily be installed and removed, which leaves the device or user settings intact.

Payloads
Apple maintains & supports complex settings & authorization management through configuration profile payloads, like 802.1x, Active Directory binding, certificates, etc.

System Integrity Protection (SIP)
This is a security feature of Apple’s macOS operating system introduced in OS X El Capitan. It includes a number of mechanisms that are enforced by the kernel, primarily the protection of system-owned files and directories against modification by processes without a specific “entitlement”, even when executed by the root user or a user with root privileges (sudo).

  • A security feature of macOS operating system
  • Protects system owned files & directories from modification
  • Even executed by root user or user with root privileges

For more info see links below:

Apple Increasing Protection

  • Originally introduced in OS X 10.7 Lion
  • Each OS release increasing implementation and restrictions
  • Configuration Profiles “might be” the only option for secured settings
  • Like Privacy Services restricted by SIP in macOS 10.12
    We have a GitHub repository called “Privacy Services Manager” that was broken by the increased SIP protections in macOS 10.12.

Scripting

  • Using configuration profiles helps alleviate the complexity of scripting, managing and updating settings, a burden on administrators especially when operating system updates modify previous methods.

Workgroup Manager Compatibility
Is part of OS X Server for directory-based management of users, groups and computers across a network. This is where an administrator could add, delete, and modify computer and user accounts and groups.

Local MCX ≠ Workgroup Manager

  • It uses local client flat database files
  • Managed Client for OS X (MCX) Local Node
  • Apple never officially supported local MCX, but it was used widely by the MacAdmin community.
  • Currently it works up to macOS 10.12.x, but an Apple software update could break it!!!

Migrate MCX to Configuration Profiles

  • There are tools to help transition Managed Client for OS X (MCX) to configuration profiles.

Tim Sutton – mcxToProfile


Property Lists – Overview


Property lists are a critical part of implementing configuration profiles, and a solid knowledge & understanding of them is useful for anybody managing Macs.

About

  • Property lists organize data into named values & lists of values
  • They are used to store application settings, system settings, etc…

File Format

  • ASCII – Old style format primarily for legacy support
  • XML – Human-readable in the standards-based XML
  • Binary – Not human-readable, but efficient & compact

Format Identification

  • Binary
    Uses the magic number ( bplist ) to identify the file as binary. A magic number is a constant numerical or text value that is used to identify a file format.
    When viewing the file in a text editor, look for the text bplist at the top of the file.
  • Or use the file command line tool to identify binary files.
    For example:
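Here is an added example (mine, not from the presentation) that applies the magic-number check programmatically in Python: it builds the same settings in both formats with plistlib, classifies each by its leading bytes the way a glance at the header or the file command would, and confirms both decode to the same dictionary. The SAMPLE keys are constructed test data, not a real preference file.

```python
import plistlib

# Constructed sample settings (not from a real preference file), serialized both ways below.
SAMPLE = {"AppleShowAllExtensions": True, "SampleString": "value"}

BINARY_MAGIC = b"bplist"               # binary plists begin with the bytes "bplist00"
XML_MARKERS = (b"<?xml", b"<plist")    # XML plists begin with a declaration or the root element


def detect_plist_format(raw: bytes) -> str:
    """Classify plist bytes by their leading magic, much as the file command does."""
    head = raw.lstrip()
    if head.startswith(BINARY_MAGIC):
        return "binary"
    if head.startswith(XML_MARKERS):
        return "xml"
    if head[:1] in (b"{", b"("):
        return "ascii"  # old-style (OpenStep) text plist
    return "unknown"


def header_bytes(raw: bytes, n: int = 8) -> str:
    """The first n bytes as text: what you see at the top of the file in a text editor."""
    return raw[:n].decode("ascii", errors="replace")


def load_any(raw: bytes) -> dict:
    """plistlib sniffs the header itself, so binary and XML load through the same call."""
    return plistlib.loads(raw)


def sample_bytes(fmt: str) -> bytes:
    """Serialize SAMPLE as 'binary' or 'xml'."""
    plist_fmt = plistlib.FMT_BINARY if fmt == "binary" else plistlib.FMT_XML
    return plistlib.dumps(SAMPLE, fmt=plist_fmt)


def demo() -> dict:
    """Identify both encodings of the same settings and confirm they decode to the same dict."""
    return {
        fmt: {
            "detected": detect_plist_format(sample_bytes(fmt)),
            "header": header_bytes(sample_bytes(fmt)),
            "round_trips": load_any(sample_bytes(fmt)) == SAMPLE,
        }
        for fmt in ("binary", "xml")
    }


if __name__ == "__main__":
    for fmt, info in demo().items():
        print(f"{fmt:>6}: detected={info['detected']} header={info['header']!r} "
              f"round_trips={info['round_trips']}")
```

The binary header comes out as bplist00, which is exactly the text you look for at the top of the file in an editor.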

Named After its Domain

  • It is a unique namespace that the preferences implement
  • Apple recommends using reverse domain name format
  • Here is an example of the reverse Domain Name System (DNS) convention.
  • For example:

Apple recommends using only upper or lower case letters ( A-Z, a-z ), hyphen ( - ), and period ( . )

Application Unique Identifier

  • The information property list ( Info.plist ) includes configuration information for the application. For example:

Apple recommends using only alphanumeric characters ( A-Z, a-z, 0-9 ), hyphen ( - ), and period ( . )
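An added example, not from the original post, that turns the two character rules above into a check you can run over a list of candidate identifiers before baking them into a profile. It implements the rules exactly as the text states them (letters, hyphen and period for a preference domain; alphanumerics, hyphen and period for a bundle identifier) plus the reverse-DNS requirement of at least two dot-separated labels; the to_reverse_dns helper and its example.edu input are my own construction.

```python
import re

# Character rules as stated in the text above; nothing beyond them is enforced.
DOMAIN_LABEL = re.compile(r"^[A-Za-z-]+$")       # preference domain: letters, hyphen only
BUNDLE_LABEL = re.compile(r"^[A-Za-z0-9-]+$")    # bundle identifier: alphanumerics, hyphen


def _labels_ok(name: str, label_re) -> bool:
    """Every dot-separated label matches, and there are at least two of them (reverse-DNS)."""
    labels = name.split(".")
    if len(labels) < 2:
        return False  # "iTunes" alone is not reverse-DNS
    return all(label_re.match(label) for label in labels)  # empty labels ("com..app") fail too


def is_valid_preference_domain(name: str) -> bool:
    return _labels_ok(name, DOMAIN_LABEL)


def is_valid_bundle_identifier(name: str) -> bool:
    return _labels_ok(name, BUNDLE_LABEL)


def to_reverse_dns(dns_name: str, product: str) -> str:
    """Build a reverse-DNS identifier from an organization's DNS name and a product name.
    Constructed example: ("example.edu", "SettingsTool") -> "edu.example.SettingsTool"."""
    labels = [part for part in dns_name.lower().split(".") if part]
    return ".".join(list(reversed(labels)) + [product])


def lint(names) -> dict:
    """Per candidate: (passes domain rule, passes bundle-identifier rule)."""
    return {n: (is_valid_preference_domain(n), is_valid_bundle_identifier(n)) for n in names}


if __name__ == "__main__":
    for name, verdict in lint(["com.apple.iTunes", "com.example.my_app", "iTunes"]).items():
        print(f"{name:25} domain_ok={verdict[0]} bundle_ok={verdict[1]}")
```

Underscores and single-label names are the usual mistakes this catches; both are rejected under either rule.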

  • You can output the application identifier using the defaults command:
  • For example:
  • You can output the application identifier using the mdls command:
  • For example:
  • You can output the application identifier using the lsappinfo command:
  • For example:

Global Preference Domain
This is the preference domain that identifies settings applied globally to all applications. This domain is called NSGlobalDomain .

  • Finder – Show Extensions, Quit Menu, etc.
  • Language – Set Language & Text Formats, etc.
  • Menu Bar – Enable Transparency, Hide/Show Menu Bar, etc.
  • Mouse/Trackpad – Enable Tap-to-Click, Disable Launchpad Gesture, etc.
  • Keyboard – Key Repeat Rate, Enable Full Keyboard Access, etc.
  • Printing – Default Paper Size, Expand Dialog, etc.
  • Saving – Save to Disk not iCloud, Expand Dialog, etc.
  • Scroll Bar – Always Show Scroll Bars, Disable Natural Scrolling, etc.
  • Windows – Disable Window Animations, Expand Save Panel, etc.

    For example:
    Using the defaults command with the domain NSGlobalDomain can show extensions for all filenames in Finder.

Preference Domain Search Path
Apple’s Developer site has minimal documentation for MacAdmins on the preference domain search path.

Many presentations on this topic have taken the stance that it is poorly documented and unknown to MacAdmins…

Basically, the search depends on the scope: application (current or all), user (current or all) and computer (current or all). The workflow below outlines the order in which the framework searches for property lists or keys and values.

  • 1st Search Path – Current App – Current User – Current Computer
    This applies to the scope of current application, current user & current computer.



    For example, this would apply to the following path:

    For example, this is the path for iTunes for the 1st preference domain search path:

    UUID = Universally Unique Identifier
    A universally unique identifier (UUID) is a 128-bit number used to identify information in computer systems. The term globally unique identifier (GUID) is also used on other platforms.

    You can use the system_profiler command to output a Mac’s UUID:

    You can generate a custom UUID using the uuidgen command:

    Or using python :

  • 2nd Search Path – Current App – Current User – All Computers
    This applies to the scope of current application, current user & all computers.




    For example, this would apply to the following path:

    For example, this is the path for iTunes for the 2nd preference domain search path:

  • 3rd Search Path – All Apps – Current User – Current Computer
    This applies to the scope of all applications, current user & current computer.




    For example, this would apply to the following path:

    For example, this is the path for global setting for all applications scope:

  • 4th Search Path – All Apps – Current User – All Computers
    This applies to the scope of all applications, current user & all computers.




    For example, this would apply to the following path:

    For example, this is the path for global setting for all applications & all computers scope:

  • 5th Search Path – Current App – All Users – Current Computer
    This applies to the scope of current application, all users & current computer.




    For example, this would apply to the following path:

    For example, this is the path for iTunes for the 5th preference domain search path:

  • 6th Search Path – Current App – All Users – All Computers
    This applies to the scope of current application, all users & all computers.




    For example, this would apply to the following path:

    Not Implemented – The pair “all users — all computers” would require a central network repository. The framework supports the functionality, but it is NOT implemented.

  • 7th Search Path – All Apps – All Users – Current Computer
    This applies to the scope of all applications, all users & current computer.




    For example, this would apply to the following path:

    For example, this is the path for global setting for all applications & all users scope:

  • 8th Search Path – All Apps – All Users – All Computers
    This applies to the scope of all applications, all users & all computers.



    For example, this would apply to the following path:

    Not Implemented – The pair “all users — all computers” would require a central network repository. The framework supports the functionality, but it is NOT implemented.
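The following is an added example (not part of the presentation) that models the eight search-path levels in Python and resolves a key through them, so you can see a per-user file shadow a per-computer one. The file paths are the conventional locations as I know them, not quoted from the text; the two unimplemented levels are left as None; the UUID is generated with Python's uuid module as the text suggests; and the SampleSetting/SampleComputerOnly keys and file contents are constructed.

```python
import uuid

HOME = "/Users/[CURRENT USER]"   # placeholder home directory, written as the text writes it
HOST_UUID = str(uuid.uuid4())    # stands in for the hardware UUID from system_profiler / uuidgen
GLOBAL = ".GlobalPreferences"    # on-disk file name behind NSGlobalDomain


def search_path(domain, home=HOME, host_uuid=HOST_UUID):
    """The eight (app, user, computer) combinations in the order the framework consults them.
    Paths are the conventional locations (my assumption; the text does not list them).
    Entries 6 and 8 are the 'all users, all computers' pairs the text says are not implemented."""
    return [
        ("1st", f"{home}/Library/Preferences/ByHost/{domain}.{host_uuid}.plist"),
        ("2nd", f"{home}/Library/Preferences/{domain}.plist"),
        ("3rd", f"{home}/Library/Preferences/ByHost/{GLOBAL}.{host_uuid}.plist"),
        ("4th", f"{home}/Library/Preferences/{GLOBAL}.plist"),
        ("5th", f"/Library/Preferences/{domain}.plist"),
        ("6th", None),
        ("7th", f"/Library/Preferences/{GLOBAL}.plist"),
        ("8th", None),
    ]


def resolve(key, domain, files, **kw):
    """Return (value, level) from the first search-path file that defines key, else (None, None).
    `files` maps a path to the dict of key/values in that file. Here the dict is built in
    memory; on a real Mac you would plistlib.load each path that exists."""
    for level, path in search_path(domain, **kw):
        if path is None:
            continue
        settings = files.get(path, {})
        if key in settings:
            return settings[key], level
    return None, None


def demo():
    domain = "com.apple.iTunes"  # the domain the text uses in its examples
    paths = dict(search_path(domain))
    # Constructed contents: the same key set per-user and per-computer, plus one global Finder key.
    files = {
        paths["2nd"]: {"SampleSetting": False},
        paths["5th"]: {"SampleSetting": True, "SampleComputerOnly": True},
        paths["4th"]: {"AppleShowAllExtensions": True},
    }
    return {
        "SampleSetting": resolve("SampleSetting", domain, files),  # user copy shadows computer copy
        "SampleComputerOnly": resolve("SampleComputerOnly", domain, files),
        "AppleShowAllExtensions": resolve("AppleShowAllExtensions", domain, files),
        "Missing": resolve("Missing", domain, files),
    }


if __name__ == "__main__":
    for level, path in search_path("com.apple.iTunes"):
        print(level, path or "(not implemented)")
    for key, (value, level) in demo().items():
        print(f"{key}: {value!r} from {level}")
```

The order is what makes a configuration profile's layered management work: a value set at a broader scope is still there, untouched, once the narrower one is removed.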

Preference Domain Search Path User & Application Example
Below is an animation outlining the preference domain search path in regards to a user and application.

Property List Locations
Property lists exist in multiple locations on the macOS file system.

  • Application Bundles
    The basic structure of a Mac app bundle is very simple. At the top-level of the bundle is a directory named Contents . This directory contains everything, including the resources, executable code, private frameworks, private plug-ins, and support files needed by the application.

  • Library -> Preferences

  • Users -> [CURRENT USER] -> Library -> Preferences

  • Users -> [CURRENT USER] -> Library -> Preferences -> ByHost


  • Application Sandbox
    App Sandbox is an access control technology provided in macOS, enforced at the kernel level. It is designed to contain damage to the system and the user’s data if an app becomes compromised. Apps distributed through the Mac App Store must adopt App Sandbox. Apps signed and distributed outside of the Mac App Store with Developer ID can (and in most cases should) use App Sandbox as well.

  • App Group Sandbox
    A sandboxed app can specify an entitlement that gives it access to one or more app group container directories, each of which is shared among all apps with that entitlement. For example, Microsoft Office 2016 used an app group container that can be applied to the entire software suite.

  • launchd
    Is a unified service management framework for starting, stopping and managing daemons, applications, processes, and scripts. Written and designed by Dave Zarzycki at Apple, it was introduced with Mac OS X 10.4 “Tiger”. It uses property lists to describe the configuration details of a daemon or agent.



    LaunchDaemons
    LaunchDaemons property list files can be found at the following locations:


    LaunchAgents
    LaunchAgents property list files can be found at the following locations:


  • Miscellaneous
    There are many other locations for property lists throughout the file system. For example…


  • Which Property Lists Can or Can’t Be Managed?
    The following property list locations can or can’t be managed with configuration profiles.

    Locations that CAN NOT be managed:



    Locations that CAN be managed:

Viewing Property List Files


  • Quick Look
    Quick Look is a quick preview feature built into the operating system; it was introduced in Mac OS X 10.5 Leopard. It allows users to look at the contents of a file in the Finder at full or near-full size, depending on the size of the document relative to the screen resolution. It can preview files such as PDFs, HTML, QuickTime readable media, plain text and RTF text documents, iWork (Keynote, Pages, and Numbers) documents, ODF documents, Microsoft Office (Word, Excel, and PowerPoint) files (including OOXML), and RAW camera images. It can display property list files in binary & XML format without manually converting binary files.

  • BBEdit
    BBEdit is a commercial text editor made by Bare Bones Software, originally developed for Macintosh System 6, and currently supporting the latest macOS release, macOS 10.12 Sierra. It is designed for use by software developers and web designers, but is simple and powerful enough to be used by a wide audience with varied needs. It has native support for many programming languages, and custom modules can be created by users to support any language. The application supports multi-file text searching, including support for Perl-compatible regular expressions. With the announcement that the popular TextWrangler text editor is being phased out, it includes an unlicensed mode with the same features as TextWrangler. It can display property list files in binary & XML format without manually converting binary files.

  • PlistEdit Pro
    PlistEdit Pro is an advanced commercial property list and JSON editor written for macOS. It offers powerful find and replace functionality, as well as structure definitions which provide easy access to commonly used keys in various standard property list files. Browse through your preferences, or search an entire folder of plist files at once for a particular key or value. It also enables automation of tasks involving property lists, via its AppleScript support and its pledit command line tool. It can display property list files in binary & XML format without manually converting binary files.



  • PrefEdit
    PrefEdit is a commercial application that can manage nearly all aspects of the preference system on macOS. It includes a property list browser and editor and a browser for preference manifest files, and you can use it to display and edit all files compliant with Apple’s property list standard. It supports the “Versions” feature of macOS, which can be used to restore old versions of a file you have edited with PrefEdit. It can display property list files in binary & XML format without manually converting binary files.


  • Xcode
    Xcode is an integrated development environment for macOS containing a suite of software development tools developed by Apple for developing software for macOS, iOS, watchOS and tvOS. It was first released in 2003 and is available via the Mac App Store free of charge. Xcode supports source code for the programming languages C, C++, Objective-C, Objective-C++, Java, AppleScript, Python, Ruby, ResEdit (Rez), and Swift, with a variety of programming models, including but not limited to Cocoa, Carbon, and Java. It can display property list files in binary & XML format without manually converting binary files.


  • Convert Binary to XML File
    If you want to use text editors that can’t automatically convert binary to XML, you will need to convert the property list prior to viewing. Using the plutil command line utility:

    Using the xmllint  command line utility:

    Then you can use any text editor to view the property list in XML format, like TextMate, Sublime, pico, vi, emacs, etc.


  • Viewing Property List Key/Value Pairs
    Property list files contain key/value pairs that define a setting. Using the defaults command line utility with a domain:

    For example, outputting the key/values for the Dock domain:

    Using the defaults command line utility with an arbitrary path:

    Or specifying associated application:

Property Lists – Anatomy (Structure & Parts)


  • Document Type Definition
    A Document Type Definition (DTD) is a set of markup declarations that define a document type. It appears at the start of all XML property list files.

    Example property list structure:

  • Creating Skeleton Property List
    Skeleton code is basically a preset of code that can be seen as a starting point, easing the burden of creating property lists with the key/values you want to manage. Using the defaults command:

    For example:

    Or other tools like PlistEdit Pro, etc.

  • What is a setting?
    With property lists, a setting consists of three primary items.

    (1) Name – The property key, which uniquely identifies the setting.

    (2) Value – The content of the named property key.

    (3) Type – The type of the value, which defines how it is interpreted.

  • Array
    An array is an ordered list of one or more values. It can include arrays & dictionaries.


    Basic example:

    Data type example:

    String type example:

    Nested array example:

  • Boolean
    Can be either the value true or false. Tags are <true/> or <false/> ; the upper case variants <TRUE/> or <FALSE/> can also work. The number 0 is interpreted as false and any other number is true.


    Basic example:

  • Data
    Is base64-encoded content between <data> tags.



    Here is a basic example:

    Decoding it is useful when debugging or investigating property lists or settings.

    For example, encoding in base64 :

    For example, decoding base64 content:

    Decoding base64 from a property list file:

  • Date
    Contains date, time & time zone.



    Property list basic example:

    Is stored in ISO 8601 format.

    Example of outputting a timestamp in ISO 8601 format using the date command:

  • Dictionary
    Is the most complex property list type. It consists of key/value pairs and can include arrays & dictionaries.



    Basic example:

    Array example:

    Nested dictionary example:

  • Integer
    Is a whole number (not a fraction) and can be positive, negative, or zero, but cannot have decimal places.



    Basic example:

  • Real
    Are floating point numbers. They have both a whole and a fractional component and can be positive, negative, fractional & exponential.



    Basic example:

  • String
    Are alphanumeric characters of arbitrary length.



    Basic example:

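As an added example (mine, not from the post), the Python below builds a constructed property list containing one value of every type described above, writes it as XML so you can see the DTD header and the tag each type produces, decodes a <data> element's base64 by hand as the Data section describes (base64 is an encoding, so no key is involved), pulls the ISO 8601 text out of the <date> element, and checks that the same values survive the binary encoding. All key names and values are made up for the demonstration.

```python
import base64
import datetime
import plistlib
import re

# Constructed sample with one value of every property list type.
SAMPLE = {
    "SampleArray": ["first", "second", ["nested", "array"]],
    "SampleBool": True,
    "SampleData": b"\x00\x01\x02 bytes that are not printable text",
    "SampleDate": datetime.datetime(2017, 6, 1, 12, 0, 0),
    "SampleDict": {"Inner": {"Depth": 2}},
    "SampleInteger": -42,
    "SampleReal": 3.5,
    "SampleString": "hello",
}

# The DTD line plistlib writes, identical to the one at the top of Apple's own XML plists.
DTD_LINE = ('<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
            '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">')


def to_xml(settings: dict) -> str:
    return plistlib.dumps(settings, fmt=plistlib.FMT_XML).decode("utf-8")


def xml_tags_used(xml: str) -> set:
    """Element names present: expect key/array/true/data/date/dict/integer/real/string."""
    return set(re.findall(r"<([a-z]+)", xml)) - {"plist"}


def decode_data_value(xml: str, key: str) -> bytes:
    """Decode one <data> element by hand, as you would with base64 on the command line.
    plistlib.loads does this for you; this shows what is inside the tag."""
    m = re.search(rf"<key>{re.escape(key)}</key>\s*<data>(.*?)</data>", xml, re.S)
    return base64.b64decode("".join(m.group(1).split())) if m else b""


def date_text(xml: str, key: str) -> str:
    """The ISO 8601 string stored inside a <date> element."""
    m = re.search(rf"<key>{re.escape(key)}</key>\s*<date>(.*?)</date>", xml)
    return m.group(1) if m else ""


def same_in_binary(settings: dict) -> bool:
    """Every type survives a round trip through the binary encoding unchanged."""
    return plistlib.loads(plistlib.dumps(settings, fmt=plistlib.FMT_BINARY)) == settings


if __name__ == "__main__":
    xml = to_xml(SAMPLE)
    print(xml)
    print("tags:", sorted(xml_tags_used(xml)))
    print("decoded data:", decode_data_value(xml, "SampleData"))
    print("date:", date_text(xml, "SampleDate"))
    print("binary round trip ok:", same_in_binary(SAMPLE))
```

Printing the XML is the quickest way to learn the tag vocabulary: the boolean appears as a bare <true/>, the date as 2017-06-01T12:00:00Z, and the data as wrapped base64 lines.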
Editing Property List Files


  • cfprefsd – Caching Mechanism
    Is the caching layer for the preferences Application Programming Interface (API), included with Mac OS X 10.8 and later. It caches the contents of on-disk property list files and writes to them asynchronously, so directly modifying property list files will have unexpected results.

  • Outputting Preferences Read & Writes
    You can track preference reads & writes using the signal SIGUSR1 . For example, sending it with the killall command will output a file to /tmp :

  • PlistBuddy
    Popular utility with the MacAdmin community that is great for modifying complex property list structures, but does NOT support cfprefsd cached data.

    Better solution(s):
    – Move to configuration profile where possible.
    – Migrate to tools that support cfprefsd, like the defaults command, python with the PyObjC CoreFoundation framework, or the PlistEdit & PrefEdit applications for a few modifications.

  • defaults
    Is a popular tool with the MacAdmin community, great for working with simple property list structures, and supports cfprefsd cached data.

    Better solution(s):
    – Move to configuration profile where possible.
    – Migrate to a more fine-grained and featured configuration management environment (e.g. Chef, Puppet, etc.), or python with the PyObjC CoreFoundation framework or the PlistEdit & PrefEdit applications for a few modifications.

  • Python PyObjC CoreFoundation
    Is a method to bridge Objective-C into python. It is great for scripting macOS native frameworks and supports cfprefsd cached data. For example, setting the Safari Flash Player restriction:

    Better solution(s):
    – Move to configuration profile where possible.
    – Migrate to a more fine-grained and featured configuration management environment (e.g. Chef, Puppet, etc.).

  • Workarounds
    If you must use tools that don’t support cfprefsd, like plutil, PlistBuddy, BBEdit (or other text editors) or the Python plistlib module, you could try these workarounds to minimize unexpected results from cached data.
    Don’t edit property lists on a booted system; do it while imaging with tools like DeployStudio, etc.


    Quit & restart the corresponding application or process:

    Force cfprefsd to read the property list data:

Comparing Property List Files


To discover which settings or keys/values were modified, it is useful to compare a property list’s before and after states.

  • BBEdit
    BBEdit has support for comparing binary & XML property list files or directories of property list files. This allows you to discover which property list files were modified, or which key/values of a specific property list file.


  • bbdiff
    bbdiff  is a command line tool included with BBEdit. It allows specifying two files or folders and comparing them.

  • Kaleidoscope
    Kaleidoscope is a commercial advanced graphical comparison application for the Mac. It supports text, folder and image comparison, but doesn’t support automatic binary file conversion.

  • Convert Binary to XML File
    You can convert binary files to XML and then use any comparison tool you prefer, like the command line diff tool:

    For example:

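Here is an added example (not from the presentation) of doing the comparison in Python instead of diff: plistlib loads binary and XML alike, so no plutil conversion step is needed, and the recursive diff reports added, removed and changed keys by key path, which a line-oriented diff of two XML files does not give you. The before/after dictionaries are constructed sample data; autohide and tilesize are Dock keys, SampleNested and the other values are made up.

```python
import plistlib


def load_plist(raw: bytes) -> dict:
    """plistlib autodetects binary vs XML, so before and after may be in different formats."""
    return plistlib.loads(raw)


def diff_settings(before, after, prefix=""):
    """Return [(keypath, change, old, new)] for keys added, removed or changed, descending into
    nested dictionaries so a change deep in a structure is reported by its dotted path."""
    changes = []
    if isinstance(before, dict) and isinstance(after, dict):
        for key in sorted(set(before) | set(after)):
            path = f"{prefix}.{key}" if prefix else key
            if key not in before:
                changes.append((path, "added", None, after[key]))
            elif key not in after:
                changes.append((path, "removed", before[key], None))
            else:
                changes.extend(diff_settings(before[key], after[key], path))
    elif before != after:
        changes.append((prefix, "changed", before, after))  # leaf (or type) differs
    return changes


def diff_plist_bytes(before_raw: bytes, after_raw: bytes):
    return diff_settings(load_plist(before_raw), load_plist(after_raw))


def demo():
    """Constructed before/after states; before is binary and after is XML on purpose."""
    before = {"autohide": False, "tilesize": 48, "persistent-apps": [], "SampleNested": {"code": "US"}}
    after = {"autohide": True, "tilesize": 48, "SampleNested": {"code": "US", "lang": "en"},
             "orientation": "left"}
    return diff_plist_bytes(plistlib.dumps(before, fmt=plistlib.FMT_BINARY),
                            plistlib.dumps(after, fmt=plistlib.FMT_XML))


if __name__ == "__main__":
    for path, change, old, new in demo():
        print(f"{change:8} {path}: {old!r} -> {new!r}")
```

To use it on real files, read each with open(path, "rb") and pass the bytes to diff_plist_bytes; the unchanged tilesize key is correctly absent from the output.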
Examples & Resources


Here are some resources that give you examples of property list, application or process settings modifications.

  • TinkerTool
    TinkerTool is a macOS freeware application which allows modifications to some preferences for Apple applications and the operating system. All preference settings can be reset to their previous state.

  • defaults-write.com
    defaults-write.com is a web site that outlines macOS preference modifications. It covers multiple OS versions (OS X 10.5 – OS X 10.11), is searchable and includes command line examples.

  • GitHub
    GitHub is a web-based version control & Internet hosting service. It uses Git for version control & source code management and allows the community to share code, etc.


  • Google-fu
    Simply do an internet search for the property list or configuration profile, key/values or setting you want to modify.

Summary


Here is the summary of the basic process of managing settings:

  • Define Setting(s) You Want to Manage
    This depends on many factors like culture at your organization, policies, end-users, administrator, etc.
  • Find Property List(s) that Manages Setting(s)
    This could be done using online resources, finding the property list preference domain, etc.
    Use online resources:
    Find Preference Domain:
    Use tools to track down the application or process preference domain.

    Monitor Filesystem:
    You can monitor filesystem activity like file reads & writes to track down the property lists responsible for a setting.

    For example, using opensnoop  to monitor an application…

    opensnoop tracks file opens and uses DTrace . As a process issues a file open, details such as UID, PID and pathname are printed out.

    For example, using fs_usage  to monitor an application…

    The fs_usage utility presents an ongoing display of system call usage information pertaining to filesystem activity.

    These tools output an extreme amount of data like drinking from a firehose, but can get the job done.

    There is a command line tool called filemon, an FSEvents client, that is useful for tracking down activity associated with property lists.


    For example, using filemon to monitor and only output cfprefsd activity:

    There are graphical applications that can monitor the file system like Jamf Composer:

    A popular application with MacAdmins called fseventer is no longer being developed and doesn’t support newer operating systems.

  • Modified Files
    You can search known locations for property list files and track modifications. For example, you can use the ls or find commands to output the last modified files:

    Or you could use Finder and set up an advanced search:

  • Snapshot
    A snapshot is the state of a system at a particular point in time. The term was coined as an analogy to that in photography.
    Manual – You can manually back up known locations or specific property list files in the before state and then compare them to the after state.
    Tripwire – You can use a tripwire system, like radmind, to track the known state of the entire filesystem, directories or specific files to find modified property list files.

    Jamf Composer also has the ability to snapshot the filesystem.

  • Find Modified Keys & Values
    Manually – Review property list file key/value pairs and test modifications.
    Compare – Use tools like BBEdit, bbdiff or diff to compare the before & after states of property lists.

    For example, using the BBEdit bbdiff command to compare before & after property list files:

    For example, using the diff command to compare before & after property list files:

  • Test
    Use a tool to test that the key/value modification works correctly. If it does, then create a skeleton property list with the keys/values.

    For example, here is a skeleton property list with only the key/value to enable the Dock’s autohide feature.

    Next, you are ready to create/test a configuration profile. The configuration profile process/details will be presented at our next campus MacAdmin meeting, and a blog will follow.
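To tie the summary steps together, here is an added Python walk-through (my code, not the presentation's) covering Modified Files, Snapshot and the skeleton property list from the Test step; it also serves the earlier “Creating Skeleton Property List” section. It snapshots a directory of plists by SHA-256, flips the Dock autohide key the way a GUI change would, finds the changed file both by digest and by mtime (the find -newer approach), and writes a skeleton containing only the autohide key. Everything happens in a temporary directory with constructed files; OLD_MTIME is a made-up timestamp used so the mtime check is deterministic.

```python
import hashlib
import os
import plistlib
import tempfile

OLD_MTIME = 1_000_000_000  # constructed "before" timestamp so the mtime comparison is deterministic


def snapshot(prefs_dir):
    """Map each .plist under prefs_dir to its SHA-256 digest: the manual 'before' snapshot."""
    digests = {}
    for root, _, names in os.walk(prefs_dir):
        for name in names:
            if name.endswith(".plist"):
                path = os.path.join(root, name)
                with open(path, "rb") as fh:
                    digests[path] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def changed_files(before, after):
    """Files whose digest differs between two snapshots, plus any that appeared or vanished."""
    return sorted(p for p in set(before) | set(after) if before.get(p) != after.get(p))


def modified_since(prefs_dir, since):
    """mtime-based equivalent of `find ... -newer`: plists touched after `since`."""
    return sorted(
        os.path.join(root, name)
        for root, _, names in os.walk(prefs_dir)
        for name in names
        if name.endswith(".plist") and os.path.getmtime(os.path.join(root, name)) > since
    )


def write_skeleton(path, settings):
    """XML skeleton holding only the keys you intend to manage."""
    with open(path, "wb") as fh:
        plistlib.dump(settings, fh, fmt=plistlib.FMT_XML)


def demo():
    """Constructed walk-through: snapshot, toggle Dock autohide as the GUI would, find what
    changed by digest and by mtime, then write the skeleton for a profile."""
    with tempfile.TemporaryDirectory() as tmp:
        dock = os.path.join(tmp, "com.apple.dock.plist")
        other = os.path.join(tmp, "com.example.other.plist")  # constructed, unrelated domain
        write_skeleton(dock, {"autohide": False, "tilesize": 48})
        write_skeleton(other, {"SampleKey": True})
        for path in (dock, other):
            os.utime(path, (OLD_MTIME, OLD_MTIME))  # pretend both files predate our change
        before = snapshot(tmp)

        with open(dock, "rb") as fh:  # the user flips the setting and the file is rewritten
            settings = plistlib.load(fh)
        settings["autohide"] = True
        with open(dock, "wb") as fh:
            plistlib.dump(settings, fh, fmt=plistlib.FMT_BINARY)

        changed = changed_files(before, snapshot(tmp))
        recent = modified_since(tmp, OLD_MTIME)
        skeleton = os.path.join(tmp, "skeleton-com.apple.dock.plist")
        write_skeleton(skeleton, {"autohide": True})
        with open(skeleton, "rb") as fh:
            skeleton_contents = plistlib.load(fh)
    return {
        "changed": [os.path.basename(p) for p in changed],
        "recent": [os.path.basename(p) for p in recent],
        "skeleton": skeleton_contents,
    }


if __name__ == "__main__":
    print(demo())
```

On a real Mac, point snapshot at ~/Library/Preferences and /Library/Preferences, and remember from the cfprefsd section that the file may be written some time after the GUI change, so take the after snapshot once the setting has actually been flushed to disk.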