CIS Benchmark control 6.3.6: Ensure Advertising Privacy Protection in Safari Is Enabled

obi-k
Valued Contributor II

Hi,

I'm trying to set the preference for Safari via a configuration profile. Is this possible with a config profile? I can't get it to take on Ventura.

Many thanks in advance.

Screenshot_2023-01-24_at_4_44_14_PM.png

Screenshot 2023-01-24 at 4.45.16 PM.png

1 ACCEPTED SOLUTION

jmahlman
Valued Contributor

Hey there, the CIS page actually shows that this can indeed be set with a config profile like yours. Note that the checkbox will not be disabled but if you uncheck it and relaunch Safari it'll be checked again.

View solution in original post

3 REPLIES 3

jmahlman
Valued Contributor

Hey there, the CIS page actually shows that this can indeed be set with a config profile like yours. Note that the checkbox will not be disabled but if you uncheck it and relaunch Safari it'll be checked again.

obi-k
Valued Contributor II

Oh. I was off because I thought the box would be grayed out. Thanks, I tried it again and your right: It is checked again. Thanks, @jmahlman 

I did a script below, but the config profile is better.

 

#!/bin/sh

currentUser=$(ls -l /dev/console | awk '{print $3}')

sudo -u $currentUser /usr/bin/defaults write /Users/$currentUser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitPreferences.privateClickMeasurementEnabled -bool true


exit 0

 

cmccormack
New Contributor II

Wanted to put it out there that there is a bug with the current version of Jamf Compliance Editor which renders this control broken.  Took me quite a bit of time to solve this, going to report it to the GitHub to have their documentation updated.

You need to modify the Audit with this after the "result_value=$("

/usr/bin/profiles -P -o stdout | /usr/bin/grep '"WebKitPreferences.privateClickMeasurementEnabled" = 1' | /usr/bin/awk '{ if ($1) {print "1"} else {print "0"}}

 

#!/bin/bash

#####----- Rule: os_safari_advertising_privacy_protection_enable -----#####
## Addresses the following NIST 800-53 controls: 
# * N/A
rule_arch=""
if [[ "$arch" == "$rule_arch" ]] || [[ -z "$rule_arch" ]]; then
	#echo 'Running the command to check the settings for: os_safari_advertising_privacy_protection_enable ...' | tee -a "$audit_log"
	unset result_value
	result_value=$(/usr/bin/profiles -P -o stdout | /usr/bin/grep '"WebKitPreferences.privateClickMeasurementEnabled" = 1' | /usr/bin/awk '{ if ($1) {print "1"} else {print "0"}}'
)
		# expected result {'integer': 1}
		
		
		# check to see if rule is exempt
		unset exempt
		unset exempt_reason
		
		exempt=$(/usr/bin/osascript -l JavaScript << EOS 2>/dev/null
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('org.cis_lvl1.audit').objectForKey('os_safari_advertising_privacy_protection_enable'))["exempt"]
EOS
)
		exempt_reason=$(/usr/bin/osascript -l JavaScript << EOS 2>/dev/null
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('org.cis_lvl1.audit').objectForKey('os_safari_advertising_privacy_protection_enable'))["exempt_reason"]
EOS
)
		
		if [[ $result_value == "1" ]]; then
			/bin/echo "$(date -u) os_safari_advertising_privacy_protection_enable passed (Result: $result_value, Expected: "{'integer': 1}")" | /usr/bin/tee -a "$audit_log"
			/usr/bin/defaults write "$audit_plist" os_safari_advertising_privacy_protection_enable -dict-add finding -bool NO
			/usr/bin/logger "mSCP: cis_lvl1 - os_safari_advertising_privacy_protection_enable passed (Result: $result_value, Expected: "{'integer': 1}")"
		else
			if [[ ! $exempt == "1" ]] || [[ -z $exempt ]];then
				/bin/echo "$(date -u) os_safari_advertising_privacy_protection_enable failed (Result: $result_value, Expected: "{'integer': 1}")" | /usr/bin/tee -a "$audit_log"
				/usr/bin/defaults write "$audit_plist" os_safari_advertising_privacy_protection_enable -dict-add finding -bool YES
				/usr/bin/logger "mSCP: cis_lvl1 - os_safari_advertising_privacy_protection_enable failed (Result: $result_value, Expected: "{'integer': 1}")"
			else
				/bin/echo "$(date -u) os_safari_advertising_privacy_protection_enable failed (Result: $result_value, Expected: "{'integer': 1}") - Exemption Allowed (Reason: "$exempt_reason")" | /usr/bin/tee -a "$audit_log"
				/usr/bin/defaults write "$audit_plist" os_safari_advertising_privacy_protection_enable -dict-add finding -bool YES
				/usr/bin/logger "mSCP: cis_lvl1 - os_safari_advertising_privacy_protection_enable failed (Result: $result_value, Expected: "{'integer': 1}") - Exemption Allowed (Reason: "$exempt_reason")"
				/bin/sleep 1
			fi
		fi
		
		
	else
		/bin/echo "$(date -u) os_safari_advertising_privacy_protection_enable does not apply to this architechture" | tee -a "$audit_log"
		/usr/bin/defaults write "$audit_plist" os_safari_advertising_privacy_protection_enable -dict-add finding -bool NO
	fi