Restricted Preference Panes being applied to Root

tuinte
Contributor III

JSS 9.24, OS X 10.9.2

We install our config profiles via script (i.e., create and download from the JSS and use /usr/bin/profiles to install). When doing this, the restricted pref pane gets applied to root and, unlike our management admin account, root does not receive the prompt to enable/disable the restrictions at login as per our login window config profile.

Question one: anyone else seeing this? Any way to omit root from the restriction or at least get it the login window prompt we're seeing with regular admin accounts?

Additionally, if I remove all the config profiles, unenroll and removeFramework on a machine, the restrictions are still getting applied for root.

Question two: how is that happening? Where might root be getting its restriction from in this case?

Thank you very much for any insight.

3 REPLIES

nessts
Valued Contributor II

Sorry, I don't have an answer, but I am really interested in what possible reason you could have for logging in as root.
How are you removing the profiles?

tuinte
Contributor III

Ooh, so exciting, I get to follow up to my own question.

When the restricted pref panes config profile is applied, the Managed Preferences folder (/Library/Managed Preferences) gets the plists for the restrictions plus a folder called root for root's managed preferences.

When removing the profile, the Managed Preferences folder gets emptied but it "forgets" to delete the root folder, so root's restrictions are still getting applied.

I don't see that root folder getting created in 10.7 or 10.8, nor is the pref pane being restricted for root for those OSes, which makes sense. I'm assuming, while the installation of restriction profiles has been modified to handle root, the removal of profiles didn't get the update to unhandle root. 10.9 bug?

Regardless, deleting the root folder with the profile installed seems to remove the restrictions for root while keeping it for other users, so that's a workaround (warning: I've only tested it briefly). And if you find yourself with a profileless 10.9 machine that is still restricting root, delete the root folder in /Library/Managed Preferences/.
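The workaround described in the post above, as an added shell example that is not part of the original thread: it lists the plists left in the `root` folder and moves that folder out of `/Library/Managed Preferences` instead of deleting it, so the change can be reverted. The function names and the `/var/root` backup location are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the backup
# location are hypothetical; only the "root" folder path comes from the post.

MANAGED_PREFS_DEFAULT="/Library/Managed Preferences"

# Print the plists still present in the root folder.
# Returns 0 if at least one was found, 1 otherwise.
list_root_managed_prefs() {
    dir="${1:-$MANAGED_PREFS_DEFAULT}/root"
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    found=1
    for f in "$dir"/*.plist; do
        [ -f "$f" ] || continue      # glob matched nothing
        printf '%s\n' "$f"
        found=0
    done
    return $found
}

# Move the root folder out of the managed-preferences tree.
# Prints the backup path on success.
# Return codes: 0 moved, 1 nothing to do, 2 refused (symlink), 3 move failed.
quarantine_root_managed_prefs() {
    base="${1:-$MANAGED_PREFS_DEFAULT}"
    backup_parent="${2:-/var/root}"  # assumption: keep the copy in root's home
    src="$base/root"
    # Check for a symlink first: -d follows links, and moving a link
    # would not remove the real folder it points to.
    if [ -L "$src" ]; then
        echo "refusing: $src is a symlink" >&2
        return 2
    fi
    [ -d "$src" ] || return 1
    dest="$backup_parent/ManagedPreferences-root.$(date +%Y%m%d%H%M%S)"
    mv "$src" "$dest" || return 3
    printf '%s\n' "$dest"
}
```

Run as root on the affected Mac, calling `list_root_managed_prefs` first to see what is still there and then `quarantine_root_managed_prefs` with no arguments; the other plists in the Managed Preferences folder are left untouched.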

tuinte
Contributor III

@nessts

A bad company support habit that I'm actually going to use this "bug" to deter.