Posted on 04-19-2017 07:11 AM
Has anyone successfully found a way to do this? I believe I have created an extension attribute to check on the state, but I can't figure out for the life of me how to actually set the setting with a script or through JAMF. Sadly, we need it to meet our CIS requirements.
Thanks for any help!
Posted on 08-29-2017 03:10 PM
I'm working on this EXACT same issue.
Here's what I've come up with thus far...
It's not perfect and it's still in its infancy stage. Salt to taste?
#!/bin/sh
######################################################################
#
# Center for Internet Security (CIS) Apple OS X 10.11 Benchmark
# https://www.cisecurity.org/
# v1.1.0
# 2016-11-04
#
######################################################################
#
# Script Change Control Log
#
# 2017-08-30 - v1.1
# Updated by Caine Hörr
# Streamlined device pairing check - less lines of code
#
# 2017-08-23 - v1.0
# Written by Caine Hörr
#
######################################################################
######################################################################
#
# Section 2
# System Preferences
#
######################################################################
#
# Sub-Section 2.1
# Bluetooth
#
######################################################################
#
# 2.1.1 Turn off Bluetooth, if no paired devices exist (Scored)
# Profile Applicability: Level 1
#

# Check Bluetooth controller power state (treat a missing key as "off")
BTpower=$(defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState 2>/dev/null)
if [ "${BTpower:-0}" -eq 1 ]; then
    # Check to see if devices are paired. This relies on the "Devices" section
    # heading being present in the system_profiler report only when devices are listed.
    pairedDevices=$(system_profiler SPBluetoothDataType | grep "Devices" | awk '{ print $1 }')
    if [ "$pairedDevices" != "Devices" ]; then
        # Power down Bluetooth interface
        sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
        sudo killall -HUP blued
    fi
fi

echo "CIS Apple OS X 10.11 Benchmark 2.1.1: Enforced"
Let me know if you have questions...
PS - This script is for 10.11.x - I haven't written the 10.12.x counterpart yet. Nothing from CIS regarding High Sierra yet (as of this posting).
Caine Hörr
A reboot a day keeps the admin away!
Posted on 08-30-2017 04:57 PM
FYI - Updated Benchmark 2.1.1 script to v1.1
Caine Hörr
A reboot a day keeps the admin away!
Posted on 08-30-2017 04:59 PM
I realized after I posted my script that you're actually asking for CIS Benchmark 2.1.2 - Turn off Bluetooth "Discoverable" mode when not pairing devices.
I'm in the works of writing this script.
I'll post here once I've completed.
Caine Hörr
A reboot a day keeps the admin away!
Posted on 08-31-2017 10:58 AM
OS X 10.11
Here is my script for validating Center for Internet Security (CIS) Apple OS X 10.11 Benchmark v1.1.0 - Section 2.1.2 - Turn off Bluetooth "Discoverable" mode when not pairing devices.
OS X 10.12
I cross referenced with the Center for Internet Security (CIS) Apple OS X 10.12 Benchmark v1.0.0 - Section 2.1.2 - Turn off Bluetooth "Discoverable" mode when not pairing devices. The procedure is the same.
REMEDIATION
According to CIS, here is the procedure for remediation...
Remediation: Perform the following to implement the prescribed state: Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference is selected. To ensure that the computer is not Discoverable do not leave that preference open.
In other words, the only way to "remediate" is to NOT have the BlueTooth preference pane open. You need to open the preference pane in order to pair a device.
So as long as the preference pane is closed, you are compliant. If the preference pane is open, no matter the reason, you're out of compliance. At some point, someone is going to want to pair a device or two.
As I see it (right now), you essentially have four options...
Anyway - here's a simple script to detect compliance - it does not enforce.
#!/bin/sh
######################################################################
#
# Center for Internet Security (CIS) Apple OS X 10.11 Benchmark
# https://www.cisecurity.org/
# v1.1.0
# 2016-11-04
#
######################################################################
#
# Script Change Control Log
#
# 2017-08-31 - v1.0
# Written by Caine Hörr
#
######################################################################
######################################################################
#
# Section 2
# System Preferences
#
######################################################################
#
# Sub-Section 2.1
# Bluetooth
#
######################################################################
#
# 2.1.2 Turn off Bluetooth "Discoverable" mode when not
# pairing devices
# Profile Applicability: Level 1
#
######################################################################
#
# Remediation
# Starting with OS X (10.9), Bluetooth is only set to Discoverable when
# the Bluetooth System Preference is selected. To ensure that the
# computer is not Discoverable do not leave that preference open.
#

# Validate Bluetooth "Discoverable" mode status when not pairing devices
# (second field of the "Discoverable: On|Off" line in the system_profiler report)
validate212=$(/usr/sbin/system_profiler SPBluetoothDataType | grep -i discoverable | awk '{ print $2 }')
if [ "$validate212" = "Off" ]; then
    echo "CIS Apple OS X 10.11 Benchmark 2.1.2: Enabled"
else
    echo "CIS Apple OS X 10.11 Benchmark 2.1.2: Not Enabled"
fi
Caine Hörr
A reboot a day keeps the admin away!
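The two checks posted so far both read the `system_profiler SPBluetoothDataType` report and compare a field against a fixed string, so a report that has no "Discoverable:" line at all (or no "Devices" section) is indistinguishable from a real failure. Here is an added example, not the poster's code, that parses the same report into PASS / FAIL / UNKNOWN for both 2.1.1 and 2.1.2 and exercises the checks against constructed sample reports. The report layout it assumes (a "Discoverable: On|Off" line and one "Paired: Yes" line per paired device) is an assumption about the 10.11/10.12 output, and the device names and addresses in the samples are placeholders.

```shell
#!/bin/sh
# Added example for this thread (not the poster's code): a three-state check for
# CIS 2.1.1 / 2.1.2 that parses a `system_profiler SPBluetoothDataType` report.
# A report with no "Discoverable:" line is reported as UNKNOWN rather than as a
# failed benchmark, so it can be investigated separately.
#
# Assumption: the report has a "Discoverable: On|Off" line and one "Paired: Yes"
# line per paired device, as in the constructed samples at the bottom.

# bt_discoverable_state REPORT -> prints Off, On or UNKNOWN
bt_discoverable_state() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "discoverable:" { print $2; found = 1; exit }
        END { if (!found) print "UNKNOWN" }
    '
}

# bt_paired_count REPORT -> prints the number of entries marked "Paired: Yes"
bt_paired_count() {
    printf '%s\n' "$1" | awk '$1 == "Paired:" && $2 == "Yes" { n++ } END { print n + 0 }'
}

# cis_211_status REPORT POWER_STATE -> PASS or FAIL
# 2.1.1 is met when the controller is off (ControllerPowerState 0) or when at
# least one device is paired.
cis_211_status() {
    if [ "$2" != "1" ]; then
        echo PASS
    elif [ "$(bt_paired_count "$1")" -gt 0 ]; then
        echo PASS
    else
        echo FAIL
    fi
}

# cis_212_status REPORT -> PASS, FAIL or UNKNOWN
cis_212_status() {
    case "$(bt_discoverable_state "$1")" in
        Off) echo PASS ;;
        On)  echo FAIL ;;
        *)   echo UNKNOWN ;;
    esac
}

# cis_live_check -> runs both checks against the local machine (macOS only)
cis_live_check() {
    report=$(/usr/sbin/system_profiler SPBluetoothDataType 2>/dev/null)
    power=$(defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState 2>/dev/null)
    echo "CIS 2.1.1: $(cis_211_status "$report" "${power:-0}")"
    echo "CIS 2.1.2: $(cis_212_status "$report")"
}

# Constructed sample reports (names and addresses are placeholders, not real data)
SAMPLE_OFF_PAIRED='Bluetooth:

      Apple Bluetooth Software Version: 5.0.0
      Hardware, Features, and Settings:
          Name: example-mac
          Discoverable: Off
          Connectable: Yes
      Devices (Paired, Favorites, etc):
          Example Keyboard:
              Address: 00-00-00-00-00-01
              Paired: Yes
              Connected: No'

SAMPLE_ON_NONE='Bluetooth:

      Hardware, Features, and Settings:
          Name: example-mac
          Discoverable: On
          Connectable: Yes'

SAMPLE_NO_FIELD='Bluetooth:

      Hardware, Features, and Settings:
          Name: example-mac
          Connectable: Yes'

if [ "${1:-}" = "--live" ]; then
    cis_live_check
else
    echo "sample 1 (off, paired): 2.1.1 $(cis_211_status "$SAMPLE_OFF_PAIRED" 1) / 2.1.2 $(cis_212_status "$SAMPLE_OFF_PAIRED")"
    echo "sample 2 (on, none):    2.1.1 $(cis_211_status "$SAMPLE_ON_NONE" 1) / 2.1.2 $(cis_212_status "$SAMPLE_ON_NONE")"
    echo "sample 3 (no field):    2.1.2 $(cis_212_status "$SAMPLE_NO_FIELD")"
fi
```

Run it with no arguments to see the three sample results, or with `--live` on a Mac to run against the real report. The UNKNOWN state is the part worth keeping for an extension attribute: it separates "the pane was left open" from "this OS release no longer reports the field", which the later questions in this thread about newer macOS versions are really asking about.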
Posted on 08-31-2017 02:18 PM
@SeanRussell
I decided to run with the Option 4... Here's what I've come up with thus far...
Instead of re-inventing the wheel... I did some Interweb sleuthing.
I found this...
DISABLING SYSTEM PREFERENCE PANES – THE HARD/WRONG WAY.
This led me to the author's GitHub repository...
hunty1/Scripts
He's written a script that allows you to enable/disable preference panes on the fly.
I'm currently updating his script so it's compatible with 10.11 and 10.12
I'll then be working on a timer piece and then creating a JAMF Self Service workflow.
Once done, I'll post here.
This should be a nice middle ground for both of our mutual CIS 2.1.2 related issues!
Caine Hörr
A reboot a day keeps the admin away!
Posted on 09-08-2017 09:16 AM
Haven't forgotten about you. I'm pretty close to wrapping up this script and JAMF workflow. I'll be sharing it here once it's complete. I expect to have it deployed and tested some time today.
In the interim, here is a portion of the workflow to get you started.
The following script will disable the Bluetooth preference pane, thereby meeting the requirements of CIS Benchmark 2.1.2. The script is also compatible with all current versions of OS X (not tested with High Sierra).
#!/bin/sh
######################################################################
#
# Stand_Alone_Bluetooth_Pref_Pane_DISABLE.sh v2.1
# Written by Caine Hörr <caine@cainehorr.com>
# Script Inspired by Calum Hunter
# * https://github.com/hunty1/Scripts/blob/master/Enable:Disable%20System%20Preference%20Panes/set_panes.sh
#
######################################################################
#
# Change Control Log
#
# 2017-09-08
# Version 2.1
# Updated by Caine Hörr
# * Added call to CIS_check sub-routine within the
#   disable_pref() sub-routine.
# * Added a 5-second sleep timer to delay querying of the CIS
#   benchmark, allowing cfprefs to complete in the event of
#   latency.
#
# 2017-09-07
# Version 2.0
# Updated by Caine Hörr
#
# There are 4 unique scripts.
# 2 stand-alone scripts and 2 scripts that correspond with a
# Jamf Pro Self-Service workflow.
#
# * Jamf_Pro_Bluetooth_Pref_Pane_ENABLE.sh
#   Works in conjunction with a Jamf Pro Self Service workflow
#   that allows the end user to enable the Bluetooth preference
#   pane for a duration of 15-minutes.
# * Jamf_Pro_Bluetooth_Pref_Pane_DISABLE.sh
#   Disables the Bluetooth preference pane after the 15-minute
#   window of opportunity has expired.
# * Stand_Alone_Bluetooth_Pref_Pane_ENABLE.sh
#   Enables the Bluetooth preference pane immediately with
#   extreme prejudice.
# * Stand_Alone_Bluetooth_Pref_Pane_DISABLE.sh
#   Disables the Bluetooth preference pane immediately with
#   extreme prejudice.
#
# 2017-08-31
# Version 1.0
# Written by Caine Hörr
#
######################################################################
######################################################################
#
# Center for Internet Security (CIS) Apple OS X 10.11 Benchmark
# https://www.cisecurity.org/
# v1.1.0
# 2016-11-04
#
######################################################################
#
# Section 2
# System Preferences
#
######################################################################
#
# Sub-Section 2.1
# Bluetooth
#
######################################################################
#
# 2.1.2 Turn off Bluetooth "Discoverable" mode when not
# pairing devices
#
# Profile Applicability: Level 1
#
######################################################################
#
# Remediation
# Starting with OS X (10.9), Bluetooth is only set to Discoverable when
# the Bluetooth System Preference is selected. To ensure that the
# computer is not Discoverable do not leave that preference open.
#

# Set Standard variables
sys_prefs_plist="/Library/Preferences/com.apple.systempreferences.plist"
pref="com.apple.preferences.Bluetooth"
script_name=$0

main(){
    sanity_checks
    disable_pref
    CIS_check
    Quit_Notice
}

sanity_checks(){
    # Check for admin/root permissions
    if [ "$(id -u)" != "0" ]; then
        echo "*** Script must be run as root, or have root privileges (ie. sudo)." 1>&2
        Quit_Notice
        exit 1
    fi

    # Validate that /Library/Preferences/com.apple.systempreferences.plist exists
    if [ -f "$sys_prefs_plist" ]; then
        echo "*** ${sys_prefs_plist} exists. Continuing..."
    else
        echo "*** ${sys_prefs_plist} does not exist!"
        Quit_Notice
        exit 1
    fi

    # Close System Preferences
    SysPref_check
}

disable_pref(){
    Binary_to_XML
    # Look for the pane's bundle identifier (as a fixed string) in the now-XML plist
    grep -F "${pref}" "${sys_prefs_plist}" > /dev/null
    pref_status=$?
    if [ "${pref_status}" -eq 0 ]; then
        echo "*** Warning - ${pref} is already disabled!"
        XML_to_Binary
        CIS_check
        Quit_Notice
        exit 1
    else
        echo "*** Disabling ${pref}"
        defaults write "$sys_prefs_plist" DisabledPreferencePanes -array-add '<string>'"${pref}"'</string>'
        refresh_cfprefs
        XML_to_Binary
    fi
}

CIS_check(){
    # Wait 5 seconds - give the system a chance to catch up with the changes to cfprefs
    sleep 5
    # Validate Bluetooth "Discoverable" mode status when not pairing devices
    validate212=$(/usr/sbin/system_profiler SPBluetoothDataType | grep -i discoverable | awk '{ print $2 }')
    if [ "$validate212" = "Off" ]; then
        echo "*** CIS Apple OS X 10.11 Benchmark 2.1.2: Enforced"
    else
        echo "*** CIS Apple OS X 10.11 Benchmark 2.1.2: Not Enforced"
    fi
}

Quit_Notice(){
    echo "*** Quitting..."
    echo ""
}

SysPref_check(){
    # Check to see if System Preferences is open
    # ("[S]ystem" keeps grep from matching its own process in the ps listing)
    check_SysPref=$(ps -A | grep -m1 "[S]ystem Preferences" | awk '{print $4}')
    if [ "$check_SysPref" = "/Applications/System" ]; then
        # Close System Preferences
        echo "*** Closing System Preferences..."
        osascript -e 'if application "System Preferences" is running then
            tell application "System Preferences" to quit
        end if'
    fi
}

refresh_cfprefs(){
    echo "*** Restarting preferences services..."
    killall cfprefsd
    chmod 644 "$sys_prefs_plist"
}

Binary_to_XML(){
    # Convert plist format from binary to XML (Compatibility for OS X 10.4 and later)
    echo "*** Converting $sys_prefs_plist from binary to XML..."
    sudo /usr/bin/plutil -convert xml1 "${sys_prefs_plist}"
}

XML_to_Binary(){
    # Convert plist format from XML back to binary
    echo "*** Converting $sys_prefs_plist from XML to binary..."
    sudo /usr/bin/plutil -convert binary1 "${sys_prefs_plist}"
}

main
exit 0
Special thanks to @hunty for writing the original script that inspired this script and forthcoming workflow.
Caine Hörr
A reboot a day keeps the admin away!
Posted on 09-08-2017 09:46 AM
FYI and all...
Please note, the script in the previous post ONLY disables the Bluetooth Preference Pane within System Preferences.
By disabling the Bluetooth Preference Pane, one can not enter into "Discoverable Mode" via the GUI.
This of course meets CIS 2.1.2 Benchmarks but makes it darn near impossible for a [normal] user to pair up a Bluetooth device on their own.
Caine Hörr
A reboot a day keeps the admin away!
Posted on 09-08-2017 10:53 AM
And now, for the Stand_Alone_Bluetooth_Pref_Pane_ENABLE.sh v1.0 script...
#!/bin/sh
######################################################################
#
# Stand_Alone_Bluetooth_Pref_Pane_ENABLE.sh v1.0
# Written by Caine Hörr <caine@cainehorr.com>
# Script Inspired by Calum Hunter
# * https://github.com/hunty1/Scripts/blob/master/Enable:Disable%20System%20Preference%20Panes/set_panes.sh
#
######################################################################
#
# Change Control Log
#
# 2017-09-07
# Version 1.0
# Written by Caine Hörr
#
# There are 4 unique scripts.
# 2 stand-alone scripts and 2 scripts that correspond with a
# Jamf Pro Self-Service workflow.
#
# * Jamf_Pro_Bluetooth_Pref_Pane_ENABLE.sh
#   Works in conjunction with a Jamf Pro Self Service workflow
#   that allows the end user to enable the Bluetooth preference
#   pane for a duration of 15-minutes.
# * Jamf_Pro_Bluetooth_Pref_Pane_DISABLE.sh
#   Disables the Bluetooth preference pane after the 15-minute
#   window of opportunity has expired.
# * Stand_Alone_Bluetooth_Pref_Pane_ENABLE.sh
#   Enables the Bluetooth preference pane immediately with
#   extreme prejudice.
# * Stand_Alone_Bluetooth_Pref_Pane_DISABLE.sh
#   Disables the Bluetooth preference pane immediately with
#   extreme prejudice.
#
######################################################################
######################################################################
#
# Center for Internet Security (CIS) Apple OS X 10.11 Benchmark
# https://www.cisecurity.org/
# v1.1.0
# 2016-11-04
#
######################################################################
#
# Section 2
# System Preferences
#
######################################################################
#
# Sub-Section 2.1
# Bluetooth
#
######################################################################
#
# 2.1.2 Turn off Bluetooth "Discoverable" mode when not
# pairing devices
#
# Profile Applicability: Level 1
#
######################################################################
#
# Remediation
# Starting with OS X (10.9), Bluetooth is only set to Discoverable when
# the Bluetooth System Preference is selected. To ensure that the
# computer is not Discoverable do not leave that preference open.
#

# Set Standard variables
sys_prefs_plist="/Library/Preferences/com.apple.systempreferences.plist"
pref="com.apple.preferences.Bluetooth"
script_name=$0

main(){
    sanity_checks
    enable_pref
    SysPref_open
    CIS_check
    Quit_Notice
}

sanity_checks(){
    # Check for admin/root permissions
    if [ "$(id -u)" != "0" ]; then
        echo "*** Script must be run as root, or have root privileges (ie. sudo)." 1>&2
        Quit_Notice
        exit 1
    fi

    # Validate that /Library/Preferences/com.apple.systempreferences.plist exists
    if [ -f "$sys_prefs_plist" ]; then
        echo "*** ${sys_prefs_plist} exists. Continuing..."
    else
        echo "*** ${sys_prefs_plist} does not exist!"
        Quit_Notice
        exit 1
    fi

    # Close System Preferences
    SysPref_check
}

enable_pref(){
    Binary_to_XML
    # Look for the pane's bundle identifier (as a fixed string) in the now-XML plist
    grep -F "${pref}" "${sys_prefs_plist}" > /dev/null
    pref_status=$?
    if [ "${pref_status}" -ne 0 ]; then
        echo "*** ${pref} is not disabled! Nothing to do."
        XML_to_Binary
        CIS_check
        Quit_Notice
        exit 1
    else
        echo "*** Enabling ${pref}"
        # Delete the <string> line that lists the pane under DisabledPreferencePanes
        sed -i '' '/'"${pref}"'/d' "${sys_prefs_plist}"
        refresh_cfprefs
        XML_to_Binary
    fi
}

CIS_check(){
    # Wait 5 seconds - give the system a chance to catch up with the changes to cfprefs
    sleep 5
    # Validate Bluetooth "Discoverable" mode status when not pairing devices
    validate212=$(/usr/sbin/system_profiler SPBluetoothDataType | grep -i discoverable | awk '{ print $2 }')
    if [ "$validate212" = "Off" ]; then
        echo "*** CIS Apple OS X 10.11 Benchmark 2.1.2: Enforced"
    else
        echo "*** CIS Apple OS X 10.11 Benchmark 2.1.2: Not Enforced"
    fi
}

SysPref_open(){
    echo "*** Open System Preferences: Bluetooth..."
    open -b com.apple.systempreferences /System/Library/PreferencePanes/Bluetooth.prefPane
}

Quit_Notice(){
    echo "*** Quitting..."
    echo ""
}

SysPref_check(){
    # Check to see if System Preferences is open
    # ("[S]ystem" keeps grep from matching its own process in the ps listing)
    check_SysPref=$(ps -A | grep -m1 "[S]ystem Preferences" | awk '{print $4}')
    if [ "$check_SysPref" = "/Applications/System" ]; then
        # Close System Preferences
        echo "*** Closing System Preferences..."
        osascript -e 'if application "System Preferences" is running then
            tell application "System Preferences" to quit
        end if'
    fi
}

refresh_cfprefs(){
    echo "*** Restarting preferences services..."
    killall cfprefsd
    chmod 644 "$sys_prefs_plist"
}

Binary_to_XML(){
    # Convert plist format from binary to XML (Compatibility for OS X 10.4 and later)
    echo "*** Converting $sys_prefs_plist from binary to XML..."
    sudo /usr/bin/plutil -convert xml1 "${sys_prefs_plist}"
}

XML_to_Binary(){
    # Convert plist format from XML back to binary
    echo "*** Converting $sys_prefs_plist from XML to binary..."
    sudo /usr/bin/plutil -convert binary1 "${sys_prefs_plist}"
}

main
exit 0
Caine Hörr
A reboot a day keeps the admin away!
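Both the DISABLE script (two posts up) and the ENABLE script above decide whether the pane is already disabled by grepping for its bundle identifier anywhere in the converted plist, and the ENABLE script then deletes every line that matches. That works as long as the identifier only ever appears inside the DisabledPreferencePanes array. The following is an added example, not the poster's code, of a check scoped to that array, run against constructed XML plists; the key name "ExampleLastPane" in the samples is a placeholder used to show a match outside the array, not a real key, and "com.example.placeholder.pane" is a placeholder pane identifier. It assumes the plist has already been converted with `plutil -convert xml1`, as the scripts do, so each element sits on its own line.

```shell
#!/bin/sh
# Added example for this thread (not the poster's code): a membership test scoped
# to the DisabledPreferencePanes array of an XML-format
# com.apple.systempreferences.plist, beside the whole-file grep the ENABLE and
# DISABLE scripts use, so the difference between the two is visible on sample input.
# Writing the array is still best left to `defaults write ... -array-add`.
#
# Assumption: the plist is already in XML form (plutil -convert xml1), with the
# <key>, <array> and <string> elements on separate lines as in the samples below.

# disabled_panes PLIST_XML -> prints one bundle id per line from DisabledPreferencePanes
disabled_panes() {
    printf '%s\n' "$1" | awk '
        /<key>DisabledPreferencePanes<\/key>/ { want = 1; next }
        want && /<array\/>/  { exit }          # empty array: nothing is disabled
        want && /<array>/    { inarr = 1; next }
        inarr && /<\/array>/ { exit }          # stop as soon as the array closes
        inarr && /<string>/ {
            sub(/^[[:space:]]*<string>/, "")
            sub(/<\/string>.*$/, "")
            print
        }
    '
}

# pane_disabled PLIST_XML BUNDLE_ID -> exit 0 if the pane is listed in the array, 1 otherwise
pane_disabled() {
    disabled_panes "$1" | grep -qxF "$2"
}

# pane_mentioned_anywhere PLIST_XML BUNDLE_ID -> the whole-file check the scripts above use
pane_mentioned_anywhere() {
    printf '%s\n' "$1" | grep -qF "$2"
}

# pane_disabled_file PLIST_PATH BUNDLE_ID -> same scoped check against a file on disk
pane_disabled_file() {
    pane_disabled "$(cat "$1")" "$2"
}

PANE="com.apple.preferences.Bluetooth"

# Constructed sample: Bluetooth and a placeholder pane listed in DisabledPreferencePanes
PLIST_DISABLED='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>DisabledPreferencePanes</key>
    <array>
        <string>com.apple.preferences.Bluetooth</string>
        <string>com.example.placeholder.pane</string>
    </array>
</dict>
</plist>'

# Constructed sample: the identifier appears under a made-up key ("ExampleLastPane"
# is a placeholder, not a real key) while DisabledPreferencePanes is empty. A
# whole-file grep reports "disabled"; the scoped check must not.
PLIST_ELSEWHERE='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>DisabledPreferencePanes</key>
    <array/>
    <key>ExampleLastPane</key>
    <string>com.apple.preferences.Bluetooth</string>
</dict>
</plist>'

# Constructed sample: no DisabledPreferencePanes key at all
PLIST_NONE='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>ExampleLastPane</key>
    <string>com.example.placeholder.pane</string>
</dict>
</plist>'

for sample in PLIST_DISABLED PLIST_ELSEWHERE PLIST_NONE; do
    eval "xml=\$$sample"
    if pane_disabled "$xml" "$PANE"; then scoped="disabled"; else scoped="not disabled"; fi
    if pane_mentioned_anywhere "$xml" "$PANE"; then anywhere="match"; else anywhere="no match"; fi
    echo "$sample: scoped check = $scoped; whole-file grep = $anywhere"
done
```

Running it prints one line per sample; the second sample is the one where the two checks disagree. Used in the DISABLE script, `pane_disabled_file "$sys_prefs_plist" "$pref"` would replace the `grep ... > /dev/null` test after `Binary_to_XML`.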
Posted on 09-08-2017 10:57 AM
FYI and all...
Please note, the script in the previous post ONLY enables the Bluetooth Preference Pane within System Preferences.
By enabling the Bluetooth Preference Pane, one can enter into "Discoverable Mode" via the GUI.
This of course fails the CIS 2.1.2 Benchmarks but makes it possible for a user to pair up a Bluetooth device on their own.
Use this in conjunction with the DISABLE script and now you have a manual toggle.
You can also put these into JAMF with a Policy for disable and a Self Service Policy for Enable.
...OR...
Wait a bit longer for my fully automated solution...
Cheers!
Caine Hörr
A reboot a day keeps the admin away!
Posted on 08-28-2021 12:26 AM
Hey @cainehorr
How has your automation held up over successive macOS releases? We’d love an update!
Posted on 02-10-2022 01:01 PM
Have you had any luck getting this done for Big Sur?