Posted on 04-25-2012 02:51 PM
Hi folks,
I am looking for a way to prohibit enabling of Internet Sharing since it can be a pretty serious security risk. I was able to do it with Quest's QAS group policies, but we've stopped using that product.
Is there a way to granularly disable Internet Sharing permanently using managed preferences?
Thanks!
Solved! Go to Solution.
Posted on 04-25-2012 03:09 PM
Is this assuming your users are admins on their own machines? If they're Standard users then they cannot enable this feature.
You can use MCX to force Internet Sharing off.
Apply Setting To: System Level Enforced
Domain: com.apple.MCX
Key Name: forceInternetSharingOff
Key Type: boolean
Value: true
Posted on 04-25-2012 03:09 PM
Is this assuming your users are admins on their own machines? If they're Standard users then they cannot enable this feature.
You can use MCX to force Internet Sharing off.
Apply Setting To: System Level Enforced
Domain: com.apple.MCX
Key Name: forceInternetSharingOff
Key Type: boolean
Value: true
Posted on 04-25-2012 03:26 PM
Thanks, I'll give this a try, I'm surprised it's not listed in the existing preferences for com.apple.MCX.
Edit: Worked like a champ! I appreciate the quick and accurate response.
Posted on 04-25-2012 03:31 PM
I used Workgroup Manager on my own computer and found I could set this specific preference via the GUI. Once I did that I went to the Details tab to view the actual preference settings.
The JSS has lots of templates but not everything.
Posted on 04-25-2012 03:36 PM
Good to know, I've never used Workgroup Manager before so I know where to go now. Teach a man to fish, and all that.
Posted on 04-25-2012 03:36 PM
Is there a document outlining the other keys to manage the other shared services in the same way?
Posted on 04-26-2012 12:58 PM
That's part of what manifests do. They're not straight-forward documentation but they allow you to view your options. They should contain human readable descriptions of each preference setting. (Not all applications include their own manifest files and not all manifest files contain a complete list of keys and value settings.)
For most of the Mac OS X system and application settings Casper users can do this:
This particular manifest contains about 25 settings such as:
In this case note that the forceInternetSharingOff key isn't even mentioned in the manifest. It's undocumented. I only found this because I used Workgroup Manager to make the setting and then looked under the Details tab to see what changed.
Posted on 07-20-2012 09:54 AM
I imported com.apple.MCX.manifest but I do not see the ForceIntenetSharingOff key. Am I looking at the wrong place?
I pulled up Workgroup Manager and saw the detail does point to com.apple.MCX. I just do not see it in JSS when I import the manifest.
Can someone please point me to the right place to find this key? Thanks.
Posted on 07-20-2012 10:12 AM
See William's first post above (the one marked as the Answer) You can set this manually in the JSS rather than importing it. He mentions above that importing com.apple.MCX doesn't actually show the forceInternetSharingOff key.
Just choose "Create Managed Preference" in your JSS and then set up the options as outlined above.
Posted on 07-21-2012 03:46 PM
I just wrote a script/LaunchDaemon that checks if Ethernet is connected then it turns off the power to the airport. Not exactly what you are looking for but will accomplish this. Let me know if you would like it.
Posted on 07-22-2012 11:12 AM
Hi Matt, I would be interested in the script you wrote - thanks!
Susan Spanovich
sspanovich@lifetimefitness.com
Posted on 07-24-2012 12:02 PM
Matt,
Are you able to share your script/launch damon? That sounds exactly like what I've been looking for.
Thanks!
-Greg K
Posted on 04-10-2014 03:36 PM
Hi Matt, I would be interested in the script you wrote Please and thank you in advance
Posted on 02-20-2015 11:05 AM
Thread resurrection, I know, but I wanted to add that you can also do this with Profile Manager with the Custom Settings payload. com.apple.MCX for the preference domain, "forceInternetSharingOff" for the key, "Boolean" for the type and then check the box.
Posted on 02-22-2016 09:34 AM
Is there a way to do this using MDM Configuration profile.
Posted on 02-22-2016 09:41 AM
Yes, however it's effectively doing it in the same manner.
Custom Settings
com.apple.MCX
Property List File
PLIST file containing key value pairs for settings in the specified domain
{forceInternetSharingOff=true}
Posted on 11-20-2018 07:35 AM
Can you think of a reason why the JSS would not allow the plist file to be uploaded?
I copied the .plist file directly from its location in the Finder, but I keep receiving format errors from the JSS.
Posted on 11-20-2018 08:12 AM
@Mr.Einstein, when you attempt to upload the plist and it fails, do you see any text in red? If so, it's telling you what you need to do. Run the command to correctly format the file.
Posted on 11-28-2018 07:23 PM
This came up today, so figured I'd search here first to see if what we've done in the past is still the right approach.
Found this thread, and these last two posts...you've GOT to appreciate the subtle irony and humor. :) #priceless
We've had a Configuration Profile in place for some time...it greys out the box service box, but does not uncheck the network interface boxes:
Seems to do what it is advertised to do...however the bigger question (at least on our side) is how to disable it if it is already on.
We use an EA to determine if Internet Sharing is (or was) enabled:
#!/bin/bash
#
# Check Internet Sharing.
#
# FileDoesNotExist = /Library/Preferences/SystemConfiguration/com.apple.nat.plist does not exist
# (was never enabled, or a clever user enabled it and is covering his/her tracks)
#
# Enabled = enabled
# (/Library/Preferences/SystemConfiguration/com.apple.nat.plist exists, and it is enabled)
#
# Disabled = disabled
# (/Library/Preferences/SystemConfiguration/com.apple.nat.plist exists, so it was enabled in the past)
if [ -e /Library/Preferences/SystemConfiguration/com.apple.nat.plist ]; then
if [ $( /usr/libexec/PlistBuddy -c "Print :NAT:Enabled" /Library/Preferences/SystemConfiguration/com.apple.nat.plist ) == 1 ]; then
echo "<result>Enabled</result>"
else
echo "<result>Disabled</result>"
fi
else
echo "<result>FileDoesNotExist</result>"
fi
Ok, so now you can tell who has it enabled, or who had it enabled. What if you want to uncheck the network interface cards, IOW delete the plist file that the EA checks? Trust me, you don't want to know...
Posted on 10-07-2019 02:09 PM
@donmontalvo do you care to share the contents of your plist file to disable internet sharing?
Posted on 01-10-2020 04:51 AM
All,
I have added the key to my com.Apple.MCX but Still it doent stop or prevent the user from turning on Internet sharing .. is there something im doing wrong?
I have created a com.apple.MCX.plist - It contains some more settings.
Deployed it via customer setting config profile.
I can see its deployed to the system
but when i close and open systems preferences / Sharing / I can still select Internet sharing and the 2 adapters that I want to share..
Is there something im missing?
Thanks
yesterday
Speaking as one who recently struggled with this -- there are two payloads to configure to get the desired result:
Example profile below (I haven't seen another one online yet that combines both payloads):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadUUID</key>
<string>UUID1</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Your Organization Name</string>
<key>PayloadIdentifier</key>
<string>UUID1</string>
<key>PayloadDisplayName</key>
<string>Disable Internet Sharing</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>UUID2</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadOrganization</key>
<string>Your Organization Name</string>
<key>PayloadIdentifier</key>
<string>UUID2</string>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>allowInternetSharingModification</key>
<false/>
</dict>
<dict>
<key>PayloadUUID</key>
<string>UUID3</string>
<key>PayloadType</key>
<string>com.apple.MCX</string>
<key>PayloadOrganization</key>
<string>Your Organization Name</string>
<key>PayloadIdentifier</key>
<string>UUID3</string>
<key>PayloadDisplayName</key>
<string>MCX</string>
<key>PayloadDescription</key>
<string></string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>forceInternetSharingOff</key>
<true/>
</dict>
</array>
</dict>
</plist>
Posted on 01-31-2020 01:36 PM
Looks like you typo'd the key name. The F in forced should be lowercase.
Posted on 12-02-2021 12:45 PM
is there a way to toggle ON the internet sharing via script or profile?