I think that there needs to be a bit of a mental reset as to how to validate settings on the Mac, as checking on-disk files doesn't actually verify much and it really hasn't for some time now. For example, let's take a look at the loginwindow settings. The current tests would look at a file to see if the settings are there.

On my test Mac I have the test profile that I made installed. Because I'm doing things with policy, it doesn't exist in the plists or domains.
server:~ localadmin$ defaults -currentHost read com.apple.loginwindow
{
    TALAppsToRelaunchAtLogin = (
        {
            BackgroundState = 2;
            BundleID = "com.apple.terminal";
            Hide = 0;
            Path = "/Applications/Utilities/Terminal.app";
        },
        {
            BackgroundState = 2;
            BundleID = "com.apple.finder";
            Hide = 0;
            Path = "/System/Library/CoreServices/Finder.app";
        }
    );
}
Let's try another!
server:~ localadmin$ defaults read /Library/Preferences/com.apple.loginwindow.plist
{
    OptimizerLastRunForBuild = 25364928;
    OptimizerLastRunForSystem = 168297216;
    lastUser = loggedIn;
    lastUserName = localadmin;
}
Hmm. Not there either. Maybe just the basic domain?
server:~ localadmin$ defaults read com.apple.loginwindow
{
    TALLogoutReason = Restart;
}
No. Not there either! Well, crap. Logging out, though, shows me that the settings are applied!

I can't really check the mobileconfig files either, since they get turned into a binary blob upon installation in /var/db/ConfigurationProfiles/Store.

So what can I do? Well, the first thing is that we can ask if there are profiles installed!
server:~ localadmin$ profiles -H
profiles are installed on this system
Sweet! But now what?
Now we actually have several options; the easiest is to grab the profile data right from the profiles command as XML. You can also get this from system_profiler, and if you are using directory services based policy you can get it from dscl or mcxquery as well.
server:~ localadmin$ sudo profiles -Pv -o Output.xml
profiles: verbose mode ON
profiles: outputPath = Output.xml
There are 1 configuration profiles installed
pass
server:~ localadmin$ less Output.xml
SNIP…
    <dict>
        <key>PayloadContent</key>
        <dict>
            <key>loginWindowIdleTime</key>
            <integer>900</integer>
            <key>loginWindowModulePath</key>
            <string>/System/Library/Screen Savers/Flurry.saver</string>
        </dict>
        <key>PayloadDisplayName</key>
        <string>Login Window: Screen Saver Preferences</string>
        <key>PayloadIdentifier</key>
        <string>com.apple.mdm.server.example.private.a55249a0-ab8d-0130-272f-001c42d3e5bf.alacarte.loginwindow.6e51c520-ab8e-0130-2731-001c42d3e5bf.screensaver</string>
        <key>PayloadType</key>
        <string>com.apple.screensaver</string>
        <key>PayloadUUID</key>
        <string>42a5182d-2af5-dfa8-16b8-d3a3a88c37fb</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>
…SNIP
As we can see, the only way to tell whether this policy has been applied with a modern method like a configuration profile is to check using tools that are configuration-profile aware.

For settings that use profiles this makes everything much simpler. You can simply ask for the output of the profiles command and then parse it with XPath or whatnot. You get all the settings in one place and you don't need to run around tracking down config files.
Thanks,
Josh
--
Josh Wisenbaker
Consulting Engineer - Apple U.S.
Commercial and Governmental Sales
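The check the post describes, as an added example that is not part of the original message or of any Apple tool: parse the XML that `sudo profiles -P -o Output.xml` writes and decide whether a given payload key is managed and set to the expected value, instead of reading `defaults` domains or on-disk plists. The sample plist embedded below is constructed from the snippet in the post; the `_computerlevel` and `ProfileItems` wrapper keys around the payload are an assumption about the file layout, which is why the parser walks the whole tree for dicts carrying a `PayloadType` rather than relying on those names. Pass a real Output.xml path as the first argument to run it against a Mac (on newer macOS releases the command is `sudo profiles show -output Output.xml`; the file format is the same kind of property list).

```python
"""Profile-aware settings check for the XML written by `profiles -P -o`.

Added example (not from the original post). Usage on the Mac:
    sudo profiles -Pv -o Output.xml
    python3 check_profiles.py Output.xml
With no argument it runs against the constructed sample below.
"""
import plistlib
import sys
from typing import Any, Dict, Iterator, List

# Constructed sample modeled on the post's Output.xml snippet. The
# _computerlevel / ProfileItems wrapper is an assumed layout, not copied
# from a real file; the parser below does not depend on it.
SAMPLE_PROFILES_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>_computerlevel</key>
  <array>
    <dict>
      <key>ProfileDisplayName</key>
      <string>Test Profile (constructed)</string>
      <key>ProfileIdentifier</key>
      <string>com.example.testprofile</string>
      <key>ProfileItems</key>
      <array>
        <dict>
          <key>PayloadContent</key>
          <dict>
            <key>loginWindowIdleTime</key>
            <integer>900</integer>
            <key>loginWindowModulePath</key>
            <string>/System/Library/Screen Savers/Flurry.saver</string>
          </dict>
          <key>PayloadDisplayName</key>
          <string>Login Window: Screen Saver Preferences</string>
          <key>PayloadType</key>
          <string>com.apple.screensaver</string>
          <key>PayloadUUID</key>
          <string>00000000-0000-0000-0000-000000000001</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""

# A plist with no payloads at all, to exercise the "nothing managed" path.
EMPTY_PROFILES_XML = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict/></plist>\n'


def iter_payloads(node: Any) -> Iterator[Dict[str, Any]]:
    """Yield every dict that looks like a payload (has PayloadType and a
    dict-valued PayloadContent), wherever it sits in the plist tree."""
    if isinstance(node, dict):
        if "PayloadType" in node and isinstance(node.get("PayloadContent"), dict):
            yield node
        for value in node.values():
            yield from iter_payloads(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_payloads(value)


def list_payload_types(plist_bytes: bytes) -> List[str]:
    """Inventory of installed payload types, in document order."""
    return [p["PayloadType"] for p in iter_payloads(plistlib.loads(plist_bytes))]


def managed_values(plist_bytes: bytes, payload_type: str, key: str) -> List[Any]:
    """All values a given key is set to by payloads of payload_type.
    More than one entry means several profiles manage the same key."""
    return [p["PayloadContent"][key]
            for p in iter_payloads(plistlib.loads(plist_bytes))
            if p["PayloadType"] == payload_type and key in p["PayloadContent"]]


def check_setting(plist_bytes: bytes, payload_type: str, key: str, expected: Any) -> str:
    """Return "pass", "fail", "conflict" or "not managed".

    "not managed" is the case the post is about: `defaults read` shows
    nothing either way, so only this profile-level view can say whether
    the policy is actually in force."""
    values = managed_values(plist_bytes, payload_type, key)
    if not values:
        return "not managed"
    if len({repr(v) for v in values}) > 1:
        return "conflict"          # two profiles disagree; do not call it a pass
    return "pass" if values[0] == expected else "fail"


def main(argv: List[str]) -> None:
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_PROFILES_XML
    print("payload types:", list_payload_types(data))
    checks = [("com.apple.screensaver", "loginWindowIdleTime", 900),
              ("com.apple.screensaver", "loginWindowModulePath",
               "/System/Library/Screen Savers/Flurry.saver")]
    for ptype, key, expected in checks:
        print(f"{ptype} {key} == {expected!r}: {check_setting(data, ptype, key, expected)}")


if __name__ == "__main__":
    main(sys.argv)
```

Treating "not managed" as its own result, rather than as a fail, matters for audit content: a key that is absent from every profile may still be set locally (and the `defaults` checks above are the right tool for that case), while a key that is present in a profile is enforced regardless of what the local plists say.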