Skip to main content

Hi,



One of our users has found a way to bypass the restrictions payload we use to prevent access to certain preference panes in System Preferences.



The way they're doing this is by going to View > Customise, hiding panes and then using the Search box to find them. This allows them to get into the pane without the configuration profile blocking it. It's not the end of the world since these users aren't admins and they're limited in what they can do, but there's still a few things they can do that we don't want them modifying.



Previously it seems you could have stopped this by changing the permissions of the individual panes you don't want users accessing, but now SIP stops you from doing this even as root.



MyMac:~ root# chmod 750 /System/Library/PreferencePanes/Sound.prefPane/

chmod: Unable to change file mode on /System/Library/PreferencePanes/Sound.prefPane/: Operation not permitted


I've seen from another thread on here that "Apple is aware of it, but has decided not to address it. They say the restrictions are only meant as a "guideline" for users and not as a strict enforcement policy." which is less than helpful on Apple's part, especially in a corporate environment.



Does anyone know of a workable fix for this flaw?

Yes, this has been a bug/workaround for years now. And yes, Apple knows about it, but never released a fix, because you know, we enterprise admins don't really matter to them, no matter what they say in public.



As for a fix, you will need to deploy another Config Profile that enforces an empty array for the hidden preference panes for com.apple.systempreferences



Take something like this, save it to a local plist file on your Desktop. It must be named com.apple.systempreferences.plist



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

    <key>HiddenPreferencePanes</key>

    <array/>

</dict>

</plist>


Then run a convert command on it to be sure it's in the right format for Jamf Pro.



plutil -convert xml1 ~/Desktop/com.apple.systempreferences.plist



Then upload that to a new Config Profile, under the Custom Settings payload. It should read the settings in and look something like this when it does:



Then test deploy to a machine, like your own for example. After it's in place, although the System Preferences UI will still allow you to uncheck panes in the Custom view, when you close System Prefs and reopen it, they should still be enabled. The setting becomes forced by the Config Profile and can't be overwritten by the end user.

Thanks for the comprehensive post, I'll give that a try. Much appreciated!



EDIT: Worked a treat, you're a star.

Will that also fix the work around where they can make a copy of the system prefs app and delete the NSPrefsPaneGroups.xml then search for the pane they want access to?

@hkabik I can't say. I've never used that workaround myself, although I've heard about it. I kind of don't believe it will, because this just prevents users from adding Pref Panes into the HiddenPreferencePanes array.

Thanks, I'll test it in a bit.

Terms & ConditionsCookie settings