Enforce Hiding Specific System Preference items

Jason
Contributor II

I know hiding a preference pane has been discussed in other threads. Generally the method used is:

Create a Custom Settings Payload using com.apple.systempreferences.plist where HiddenPreferencePanes references the pane you'd like to hide.

This is effectively the same as opening System Preferences as a user and clicking View > Customize, then unchecking an item. But using the Configuration Profile does not prevent a user from simply re-checking it from what i'm seeing. Is there a method that hides a pane in System Preferences, and also prevents a user from going to View > Customize and selecting it again?

I have also deployed a Restrictions payload which effectively greys out the pane if it is visible, but i'd also like to enforce that it cannot be visible.

Today this is all scoped to the user level, since we want certain support users to see these items, but prevent others from seeing or having access to them.

2 ACCEPTED SOLUTIONS

mm2270
Legendary Contributor III

The only way I know of to get around this bug (Apple doesn't see this as a bug believe it or not) is to set a blank array for the HiddenPreferencePanes, and also set up a Blacklist or Whitelist for allowed Preference Panes, which grays out the ones you don't want users to be able to access, just as you have now.
This does not allow you to hide any of the Preference panes as you're looking to do, so its not really an answer, other than the fact that there is no way I'm aware of to keep them hidden.

But what it means is, the user can't override the blank array by checking specific items inside System Preferences. They can check them, but once they quit and relaunch Sys Prefs to access them from the menu, they will be visible again in System Preferences, but grayed out. The known trick to bypass the disabled items only works when you check an item to be hidden and then quit/relaunch System Preferences, and then access it from the menu.

I do wish Apple would address this issue. Its been widely reported by many folks out there to Apple submitted as a bug, but they just don't see it as an issue. Their explanation is that Config Profiles and Disabled Preference Pane options are only meant as "guidance" and not as an unbreakable rule.

View solution in original post

jennifer
Contributor

I created my configuration profile for this item in Profile Manager, as there wasn't an item to exclude specific system preference panes in the JSS templates for profiles.

This option allows me to 'grey out' the preferences I do not want users to have access to. Checking the box under 'Customize' does not make any changes to this setting.

However, this profile will leave the item visible, just greyed out. But you may be able to combine a profile that keeps the items turned off, with your current plist to keep them from being visible.

EDIT: Here is an excerpt of the configuration profile:

<dict>
    <key>PayloadUUID</key>
        <string>personaluuidhere</string>
    <key>PayloadType</key>
        <string>com.apple.systempreferences</string>
    <key>PayloadOrganization</key>
        <string>myorganizaion</string>
    <key>PayloadIdentifier</key>
<string>com.apple.mdm.myserver.myorganization.stringoflettersandnumbers.alacarte.macosxrestrictions.morelettersandnumbers.systempreferences</string>
    <key>PayloadDisplayName</key>
        <string>System Preferences</string>
    <key>PayloadDescription</key>
        <string/>
        <key>PayloadVersion</key>
        <integer>1</integer>
    <key>PayloadEnabled</key>
        <true/>
    <key>DisabledPreferencePanes</key>
        <array>
            <string>com.apple.preferences.appstore</string>
            <string>com.apple.preferences.icloud</string>
            <string>com.apple.preferences.internetaccounts</string>
            <string>com.apple.preferences.sharing</string>
        </array>
</dict>

View solution in original post

4 REPLIES 4

mm2270
Legendary Contributor III

The only way I know of to get around this bug (Apple doesn't see this as a bug believe it or not) is to set a blank array for the HiddenPreferencePanes, and also set up a Blacklist or Whitelist for allowed Preference Panes, which grays out the ones you don't want users to be able to access, just as you have now.
This does not allow you to hide any of the Preference panes as you're looking to do, so its not really an answer, other than the fact that there is no way I'm aware of to keep them hidden.

But what it means is, the user can't override the blank array by checking specific items inside System Preferences. They can check them, but once they quit and relaunch Sys Prefs to access them from the menu, they will be visible again in System Preferences, but grayed out. The known trick to bypass the disabled items only works when you check an item to be hidden and then quit/relaunch System Preferences, and then access it from the menu.

I do wish Apple would address this issue. Its been widely reported by many folks out there to Apple submitted as a bug, but they just don't see it as an issue. Their explanation is that Config Profiles and Disabled Preference Pane options are only meant as "guidance" and not as an unbreakable rule.

jennifer
Contributor

I created my configuration profile for this item in Profile Manager, as there wasn't an item to exclude specific system preference panes in the JSS templates for profiles.

This option allows me to 'grey out' the preferences I do not want users to have access to. Checking the box under 'Customize' does not make any changes to this setting.

However, this profile will leave the item visible, just greyed out. But you may be able to combine a profile that keeps the items turned off, with your current plist to keep them from being visible.

EDIT: Here is an excerpt of the configuration profile:

<dict>
    <key>PayloadUUID</key>
        <string>personaluuidhere</string>
    <key>PayloadType</key>
        <string>com.apple.systempreferences</string>
    <key>PayloadOrganization</key>
        <string>myorganizaion</string>
    <key>PayloadIdentifier</key>
<string>com.apple.mdm.myserver.myorganization.stringoflettersandnumbers.alacarte.macosxrestrictions.morelettersandnumbers.systempreferences</string>
    <key>PayloadDisplayName</key>
        <string>System Preferences</string>
    <key>PayloadDescription</key>
        <string/>
        <key>PayloadVersion</key>
        <integer>1</integer>
    <key>PayloadEnabled</key>
        <true/>
    <key>DisabledPreferencePanes</key>
        <array>
            <string>com.apple.preferences.appstore</string>
            <string>com.apple.preferences.icloud</string>
            <string>com.apple.preferences.internetaccounts</string>
            <string>com.apple.preferences.sharing</string>
        </array>
</dict>

Jason
Contributor II

Perfect, thanks @mm2270 and @jennifer . For the time being I've combined the Restrictions payload and a Custom Settings payload that does what you're both doing, and i'm seeing the same result. System Preference items greyed out and View > Customize can be modified by the user, but it's re-selected items are still grey, and next time it's launched those items are hidden again. I think that's the best it's going to be today.

matt_jamison
Contributor

@Jason Can you post the custom settings payload you used?

Also, I did find that if you chmod 700 on /System/Library/PreferencePanes/"DIRECTORY" the pane you want to disable, it'll stop it from appearing in System Preferences. However, someone could change the permissions and view it again.