Posted on 12-13-2023 11:09 AM
Hello all, I'm trying to fix a compliance error from Jamf Protect where you need to enable filename extensions. Does anyone know of a way to do this using a profile/policy?
Posted on 12-13-2023 11:31 AM
It can only be done with a policy with a script, and needs to be run as the logged in user. It can't be done with a profile, and in my experience, can't be run as root, since it has to make a change to the user's local plist file for .GlobalPreferences.plist. I wish it could be done in a profile, and it seems like something that should work, but I've never been able to get a profile to do this.
Here is a general example of how to accomplish this.
#!/bin/zsh
# Name of the user who owns the console (empty when the login window has it)
logged_in_user=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ {print $3}')
# launchctl asuser takes a numeric UID, not a user name
logged_in_uid=$(/usr/bin/id -u "$logged_in_user")
# Run defaults inside that user's session so the key lands in their own .GlobalPreferences.plist
/bin/launchctl asuser "$logged_in_uid" /usr/bin/sudo -iu "$logged_in_user" /usr/bin/defaults write -g AppleShowAllExtensions -bool true
This will, of course, only work on the currently logged in user, not any other users that happen to have accounts on the system. Not sure if that's required in your case. If so, I'm not sure of the easiest way to accomplish that, other than to make the Jamf policy run per user login, not just per computer.
Two last things to keep in mind. Since this ISN'T applied via profile, it's not locked in place. That means your end users can easily turn this off. Therefore, it's a good idea to have this run once per week, or however frequently you feel is needed, not just one and done.
Second, this doesn't take effect until the Finder restarts, or the user logs out/reboots, etc. From a compliance checking standpoint, if all you need to know is that the setting is applied, the systems will pass the check. But until one of those things happens (Finder restart / Log out / System restart) file extensions will not show up in the Finder.
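Putting the remediation and the compliance check side by side, here is an added example (not code from this thread, from Jamf, or from the CIS benchmark). It assumes, as a Jamf policy does, that it runs as root; it reads the console user from scutil, writes AppleShowAllExtensions in that user's own session, then reads the key back as the same user so the policy log records pass/fail rather than just "ran". The scutil output strings embedded below are constructed samples so the parsing and verdict helpers can be exercised anywhere; only the `main` path needs macOS.

```shell
#!/bin/sh
# Added example: remediate and audit AppleShowAllExtensions for the console user.

PREF_KEY="AppleShowAllExtensions"   # the Finder "show all filename extensions" key

# console_user_from_scutil: read `scutil` output for State:/Users/ConsoleUser on
# stdin and print the user name. Prints nothing when the login window owns the
# console (Name : loginwindow), which callers treat as "nobody to remediate".
console_user_from_scutil() {
    awk '/Name :/ && !/loginwindow/ {print $3}'
}

# audit_verdict VALUE: map what `defaults read` printed to pass/fail.
# `defaults` prints a boolean as 1 or 0; a missing key prints nothing.
audit_verdict() {
    case "$1" in
        1|true|TRUE|yes|YES) echo pass ;;
        *)                   echo fail ;;
    esac
}

# Constructed sample scutil output (not captured from a real host) used by selftest.
SAMPLE_SCUTIL_USER='<dictionary> {
  GID : 20
  Name : alice
  UID : 501
}'
SAMPLE_SCUTIL_LOGINWINDOW='<dictionary> {
  GID : 0
  Name : loginwindow
  UID : 0
}'

# selftest: returns 0 when the helpers behave as described above.
selftest() {
    [ "$(printf '%s\n' "$SAMPLE_SCUTIL_USER" | console_user_from_scutil)" = "alice" ] || return 1
    [ -z "$(printf '%s\n' "$SAMPLE_SCUTIL_LOGINWINDOW" | console_user_from_scutil)" ] || return 1
    [ "$(audit_verdict 1)" = pass ] || return 1
    [ "$(audit_verdict 0)" = fail ] || return 1
    [ "$(audit_verdict "")" = fail ] || return 1
    return 0
}

# ---- live steps (macOS only, run as root) ----

current_console_user() {
    /usr/sbin/scutil <<EOF | console_user_from_scutil
show State:/Users/ConsoleUser
EOF
}

# run_as_user USER CMD...: execute CMD in USER's launchd session, as USER, so
# cfprefsd writes ~/Library/Preferences/.GlobalPreferences.plist for that user.
run_as_user() {
    user="$1"; shift
    /bin/launchctl asuser "$(/usr/bin/id -u "$user")" /usr/bin/sudo -u "$user" "$@"
}

remediate() {
    run_as_user "$1" /usr/bin/defaults write -g "$PREF_KEY" -bool true
}

# audit USER: read the key back as USER and print pass/fail (missing key -> fail).
audit() {
    value=$(run_as_user "$1" /usr/bin/defaults read -g "$PREF_KEY" 2>/dev/null)
    audit_verdict "$value"
}

main() {
    user=$(current_console_user)
    if [ -z "$user" ]; then
        echo "No user at the console (login window); nothing to remediate." >&2
        return 0
    fi
    if [ "$(audit "$user")" = pass ]; then
        echo "$user: $PREF_KEY already set"
    else
        remediate "$user"
        # Finder only reflects the change after it restarts or the user logs out.
        echo "$user: $PREF_KEY now $(audit "$user") (visible in Finder after Finder restart/logout)"
    fi
}

# Only macOS has scutil/defaults/launchctl asuser; elsewhere just expose the helpers.
if [ "$(uname -s)" = "Darwin" ]; then
    main
fi
```

The read-back via `defaults read -g` is what makes this useful as a compliance policy: the same key is checked from the same user session that wrote it, so a user who later flips the setting back shows up as `fail` on the next weekly run instead of silently drifting.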
Posted on 12-13-2023 01:00 PM
I originally posted this from the wrong account (that post should be removed shortly):
You can download the guide from the macOS Security Compliance Project that will guide you through how to enable the CIS controls listed in Jamf Protect programmatically.
usnistgov/macos_security: macOS Security Compliance Project (github.com)
When you download the MCSP guide for whichever macOS release you're working with, go into the "CIS macOS Benchmark" folder in the download and choose CIS Level 1 or 2 based on which you're working on. There is a section on filename extensions with a script and how to use it.
Posted on 12-13-2023 03:00 PM
The mSCP rule does not include the final `sudo killall Finder` recommended by the CIS to make sure the setting works in the current login session. They don't include it as it flashes the Finder.
You can get the actual benchmark from CIS https://www.cisecurity.org/ . You just give them your email address and they will send you a link to all of their benchmarks. The link doesn't expire so bookmark it and you can go back at any time.
Posted on 12-13-2023 01:27 PM
Do it through a config profile rather than script.
In a new config profile select Applications & Custom Settings > upload
set your preference domain as :
.GlobalPreferences
and upload file as:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppleShowAllExtensions</key>
<true/>
</dict>
</plist>
Scope that to the machines you want, and it should set it.
Posted on 12-13-2023 01:36 PM
Hmm, you sure that works? Because I have a config profile with those exact same settings in it that I’ve applied in testing. And it never worked.
I'll give it another try to see, but I recall that even rebooting after applying the profile, none of the files were showing extensions. Maybe it's just me. I hope it is and I can get it to work, as I'd love to be able to apply this with a profile.
12-13-2023 01:45 PM - edited 12-13-2023 02:10 PM
It's been a while since I tried it, the old script method I used to use was:
#!/bin/sh
# The owner of /dev/console is the user at the console; awk copes with the
# variable spacing in ls -l output, which a fixed cut field does not.
user=$(ls -l /dev/console | awk '{print $3}')
# Write straight into that user's global preferences file, as that user
sudo -u "$user" /usr/bin/defaults write "/Users/$user/Library/Preferences/.GlobalPreferences.plist" AppleShowAllExtensions -bool true
Which was still a bit different from yours. Unless something's changed, one of those should still work.
Edit:
CIS recommendation now is:
sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions -bool true
sudo killall Finder
Which has a kill for Finder (maybe getting around the need for the reboot).
Let me know if it no longer works, Der Flounder wrote the following about another setting using the same preference still working a little while back:
Setting user-level global preferences in a macOS configuration profile | Der Flounder (wordpress.com...
Posted on 12-14-2023 07:15 AM
Another option if you are comfortable with AppleScript:
tell application "Finder"
set all name extensions showing of Finder preferences to true
end tell