Skip to main content
Question

Using Jamf to security write new configuration to managed application.

I
Forum|alt.badge.img+3

I've learned that it's possible to inject new configuration to MDM managed application using MDM so that the managed app configuration changes that are pushed down from an MDM server appear in NSUSerDefaults.

This capability is described here : https://developer.jamf.com/developer-guide/docs/application-and-custom-settings

 

Then I can add an observer to be notified of any changes occurs in NSUserDefaults.

The app configuration will be stored in the following key:com.apple.configuration.managed A usage example can be look like this :

if let managedConf = UserDefaults.standard.object(forKey: "com.apple.configuration.managed") as? [String:Any?] {
    if let serverURL = managedConf["serverURL"] as? String{
        return serverURL
    }
}

However, what prevent another entity from modifying the configuration outside the MDM... as I understand NSUserDefaults are writable even from terminal so there's no limitation to just push new configuration which are unauthorized.

an example of changing configuration can be:

managedConf["serverURL"] = "BAD_SERVER_NAME"
let defaults = UserDefaults.standard
defaults.set(managedConf, forKey: "com.apple.configuration.managed")

Perhaps it's only possible for writing the application's userDefault from within the application ?

 

    3 replies

    howie_isaacks
    Forum|alt.badge.img+23
    • howie_isaacks
    • Esteemed Contributor
    • 777 replies
    • December 18, 2023

    There are some settings that users can still alter. One setting I recently pushed out with a profile was to change the "click wallpaper to reveal desktop" setting in macOS Sonoma to "Only in Stage Manager". If a user likes to have the desktop revealed when they click the wallpaper, they can change it back to the default. Other settings like setting the Microsoft AutoUpdate app to automatically check for and install updates cannot be altered by the user. I suggest doing some experimenting to learn more about what you can and cannot do. In the past, I have used scripts to directly modify plist files instead of using a profile.

    I
    Forum|alt.badge.img+3
    • iradization
    • Author
    • New Contributor
    • 2 replies
    • December 19, 2023

    But what if I want to create new configuration with settings that are only relevant by my application ... do you think those may be altered by the user - I wonder if it's possible to define in the MDM non-modifiable attribute for specific fields ?

    howie_isaacks
    Forum|alt.badge.img+23
    • howie_isaacks
    • Esteemed Contributor
    • 777 replies
    • December 19, 2023

    I would recommend experimenting. I honestly don't know in what cases users can change the settings versus having them be unchangeable. I have noticed that when I use a plist file in Application & Custom Settings the users can change the settings.

    Reply


    Most helpful members this week

    Terms & ConditionsCookie settingsAccessibility statement

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings