Skip to main content

I am posting yet another trying to pass the CIS audit message! This time I have and issue with Jamf Pro and the plist processing. It took me some time to figure out, but the CIS PDF "CIS Apple macOS 12.0
Monterey Benchmark" v3.0.0 makes for some hilarious reading on this and the other Safari controls. The main issue seems to be that my profile is quoting special characters in the keys, but the checks aren't expecting them. I used the Jamf Pro console to edit a plist scoped to com.apple.Safari and verified the settings are applied using System Preferences and the Safari UI. Still couldn't get all of the checks to pass, but then I realized all the checks that were failing used keys with a "." in them, which get quoted for some reason on the end-user mac and break the CIS regex match. Here is the content of my "Upload" text box for the Jamf Pro profile:

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AutoOpenSafeDownloads</key>
<false/>
<key>WarnAboutFraudulentWebsites</key>
<true/>
<key>BlockStoragePolicy</key>
<integer>2</integer>
<key>WebKitPreferences.storageBlockingPolicy</key>
<integer>1</integer>
<key>WebKitStorageBlockingPolicy</key>
<integer>1</integer>
<key>WebKitPreferences.privateClickMeasurementEnabled</key>
<true/>
<key>ShowFullURLInSmartSearchField</key>
<true/>
<key>safariAllowPopups</key>
<false/>
<key>WebKitPreferences.javaScriptEnabled</key>
<true/>
<key>ShowOverlayStatusBar</key>
<true/>
</dict>
</plist>

 

Anyone else run into this? Is there any easy workaround, or do I need to dig into creating plists, signing them and all that other stuff instead of using the console upload/edit feature?

sure I've seen this and its more an issue with the reporting.. using JAMF Compliance editor https://trusted.jamf.com/docs/establishing-compliance-baselines Im sure the config profile it produces fails the test here.. 


plist from JAMF Compliance Editor: 


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AutoOpenSafeDownloads</key>
<false/>
<key>BlockStoragePolicy</key>
<integer>2</integer>
<key>ShowFullURLInSmartSearchField</key>
<true/>
<key>ShowOverlayStatusBar</key>
<true/>
<key>WarnAboutFraudulentWebsites</key>
<true/>
<key>WebKitPreferences.privateClickMeasurementEnabled</key>
<true/>
<key>WebKitPreferences.storageBlockingPolicy</key>
<integer>1</integer>
<key>WebKitStorageBlockingPolicy</key>
<integer>1</integer>
<key>safariAllowPopups</key>
<false/>
</dict>
</plist>

Thanks for a second set of eyes. I realized what was happening based on the verify command CIS has in their PDF and some other Safari control audits I have had never work in the past. Not sure, but it may be a quirk of system_profiler text output, which seems to quote anything that isn't alphanumeric.

 

CIS Check:

/usr/bin/sudo /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep WebKitPreferences.javaScriptEnabled | /usr/bin/tr -d ' '

 

Figured out how to fix it after a little man page reading followed by inspiration:

/usr/bin/sudo /usr/sbin/system_profiler SPConfigurationProfileDataType |
/usr/bin/grep WebKitPreferences.javaScriptEnabled | /usr/bin/tr -d '" '

 

That does strip the quotes off. I have no idea how to make Tenable.io change the audit, but it does look like the other strings the audit passes and matches the output they imagine in the PDF. Still interested if anyone else knows of some kind of workaround/miracle you can perform using Jamf Pro, but at least I have a better explanation than before.

Reply


Terms & ConditionsCookie settings