Users bypassing System Prefs restrictions payload

gmce87
New Contributor III

Hi,

One of our users has found a way to bypass the restrictions payload we use to prevent access to certain preference panes in System Preferences.

The way they're doing this is by going to View > Customise, hiding panes and then using the Search box to find them. This allows them to get into the pane without the configuration profile blocking it. It's not the end of the world since these users aren't admins and they're limited in what they can do, but there are still a few things they can do that we don't want them modifying.

Previously it seems you could have stopped this by changing the permissions of the individual panes you don't want users accessing, but now SIP stops you from doing this even as root.

MyMac:~ root# chmod 750 /System/Library/PreferencePanes/Sound.prefPane/
chmod: Unable to change file mode on /System/Library/PreferencePanes/Sound.prefPane/: Operation not permitted

I've seen from another thread on here that "Apple is aware of it, but has decided not to address it. They say the restrictions are only meant as a "guideline" for users and not as a strict enforcement policy." which is less than helpful on Apple's part, especially in a corporate environment.

Does anyone know of a workable fix for this flaw?

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

Yes, this has been a bug/workaround for years now. And yes, Apple knows about it, but never released a fix, because you know, we enterprise admins don't really matter to them, no matter what they say in public.

As for a fix, you will need to deploy another Config Profile that enforces an empty array for the hidden preference panes for com.apple.systempreferences

Take something like this, save it to a local plist file on your Desktop. It must be named com.apple.systempreferences.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>HiddenPreferencePanes</key>
    <array/>
</dict>
</plist>

Then run a convert command on it to be sure it's in the right format for Jamf Pro.

plutil -convert xml1 ~/Desktop/com.apple.systempreferences.plist

Then upload that to a new Config Profile, under the Custom Settings payload. It should read the settings in and look something like this when it does:
[screenshot of the Custom Settings payload, not preserved]

Then test deploy to a machine, like your own for example. After it's in place, although the System Preferences UI will still allow you to uncheck panes in the Custom view, when you close System Prefs and reopen it, they should still be enabled. The setting becomes forced by the Config Profile and can't be overwritten by the end user.
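The following is an added example, not code from mm2270's post or from Jamf: it builds the same thing the Custom Settings payload produces from the uploaded plist (a com.apple.ManagedClient.preferences payload that forces HiddenPreferencePanes to an empty array for com.apple.systempreferences), and includes a small audit that distinguishes "key forced and empty" from "key absent" or "key populated by the user". The PayloadIdentifier, PayloadUUID, organisation name and the sample user preferences are assumptions; the pane identifiers in the sample are constructed, not captured from a managed Mac.

```python
#!/usr/bin/env python3
"""Build a .mobileconfig equivalent to the Jamf Custom Settings payload described
above, and audit a managed-preferences plist for the forced empty array.

Added example, not the thread's own code. Identifiers, UUIDs and the organisation
name are assumptions."""
import plistlib
import uuid

DOMAIN = "com.apple.systempreferences"
KEY = "HiddenPreferencePanes"


def build_profile(org="Example Corp", identifier="com.example.noHiddenPrefPanes"):
    """Return .mobileconfig bytes carrying an empty HiddenPreferencePanes array
    at the 'Forced' management level, so the user's own value is ignored."""
    inner_uuid = str(uuid.uuid4()).upper()
    outer_uuid = str(uuid.uuid4()).upper()
    payload = {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.{inner_uuid}",  # assumed naming
        "PayloadUUID": inner_uuid,
        "PayloadDisplayName": "Custom Settings",
        "PayloadEnabled": True,
        "PayloadContent": {
            DOMAIN: {
                "Forced": [
                    {"mcx_preference_settings": {KEY: []}}
                ]
            }
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": identifier,
        "PayloadUUID": outer_uuid,
        "PayloadDisplayName": "System Preferences: no hidden panes",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def forced_hidden_panes(profile_bytes):
    """Return the forced HiddenPreferencePanes value found in a profile, or None
    if no payload forces that key for the System Preferences domain."""
    profile = plistlib.loads(profile_bytes)
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.ManagedClient.preferences":
            continue
        for entry in p["PayloadContent"].get(DOMAIN, {}).get("Forced", []):
            settings = entry.get("mcx_preference_settings", {})
            if KEY in settings:
                return settings[KEY]
    return None


def check_managed_prefs(plist_bytes):
    """Audit a preferences plist (XML or binary). True only when the key is
    present AND empty. A missing key means the profile is not applied; a
    non-empty list means panes are hidden, i.e. the search-box bypass works."""
    data = plistlib.loads(plist_bytes)
    value = data.get(KEY)
    return isinstance(value, list) and len(value) == 0


# Constructed sample (assumed pane identifiers): what a user's per-user plist
# looks like after hiding two panes via View > Customise.
USER_PREFS_AFTER_BYPASS = plistlib.dumps({
    KEY: ["com.apple.preference.sound", "com.apple.preference.network"]
})
# Constructed sample: what the managed-preferences plist should contain.
MANAGED_PREFS_OK = plistlib.dumps({KEY: []})

if __name__ == "__main__":
    mc = build_profile()
    print(mc.decode())
    print("forced value in profile:", forced_hidden_panes(mc))
    print("user plist after bypass passes audit?", check_managed_prefs(USER_PREFS_AFTER_BYPASS))
    print("managed plist passes audit?", check_managed_prefs(MANAGED_PREFS_OK))
```

On a test Mac, the plist Jamf writes for a computer-level Custom Settings payload is expected under /Library/Managed Preferences/ (per-user payloads land in a user-named subdirectory); feeding that file to check_managed_prefs() confirms the forced empty array is in place before scoping the profile more widely. The audit deliberately treats "key absent" as a failure rather than a pass, because an absent managed key is exactly the state in which the user's own hidden-pane list takes effect.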


5 REPLIES

gmce87
New Contributor III

Thanks for the comprehensive post, I'll give that a try. Much appreciated!

EDIT: Worked a treat, you're a star.

hkabik
Valued Contributor

Will that also fix the workaround where they can make a copy of the System Prefs app and delete the NSPrefsPaneGroups.xml, then search for the pane they want access to?

mm2270
Legendary Contributor III

@hkabik I can't say. I've never used that workaround myself, although I've heard about it. I kind of don't believe it will, because this just prevents users from adding Pref Panes into the HiddenPreferencePanes array.

hkabik
Valued Contributor

Thanks, I'll test it in a bit.