Using Jamf to securely write new configuration to a managed application.

iradization
New Contributor

I've learned that it's possible to inject new configuration into an MDM-managed application using MDM, so that the managed app configuration changes that are pushed down from an MDM server appear in NSUserDefaults.

This capability is described here: https://developer.jamf.com/developer-guide/docs/application-and-custom-settings

 

Then I can add an observer to be notified of any changes that occur in NSUserDefaults.

The app configuration will be stored in the following key: com.apple.configuration.managed. A usage example can look like this:

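import Foundation
// Returns the MDM-supplied server URL, or nil if no managed configuration is present.
func managedServerURL() -> String? {
    if let managedConf = UserDefaults.standard.object(forKey: "com.apple.configuration.managed") as? [String: Any],
       let serverURL = managedConf["serverURL"] as? String {
        return serverURL
    }
    return nil
}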

However, what prevents another entity from modifying the configuration outside the MDM... As I understand it, NSUserDefaults are writable even from the terminal, so there's no limitation on just pushing new configuration which is unauthorized.

An example of changing the configuration can be:

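// Read the current managed dictionary into a mutable copy, then overwrite it.
var managedConf = UserDefaults.standard.dictionary(forKey: "com.apple.configuration.managed") ?? [:]
managedConf["serverURL"] = "BAD_SERVER_NAME"
let defaults = UserDefaults.standard
defaults.set(managedConf, forKey: "com.apple.configuration.managed")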

Perhaps it's only possible to write the application's user defaults from within the application?

 
3 REPLIES

howie_isaacks
Valued Contributor II

There are some settings that users can still alter. One setting I recently pushed out with a profile was to change the "click wallpaper to reveal desktop" setting in macOS Sonoma to "Only in Stage Manager". If a user likes to have the desktop revealed when they click the wallpaper, they can change it back to the default. Other settings like setting the Microsoft AutoUpdate app to automatically check for and install updates cannot be altered by the user. I suggest doing some experimenting to learn more about what you can and cannot do. In the past, I have used scripts to directly modify plist files instead of using a profile.

iradization
New Contributor

But what if I want to create new configuration with settings that are only relevant to my application... Do you think those may be altered by the user? I wonder if it's possible to define in the MDM a non-modifiable attribute for specific fields?

howie_isaacks
Valued Contributor II

I would recommend experimenting. I honestly don't know in what cases users can change the settings versus having them be unchangeable. I have noticed that when I use a plist file in Application & Custom Settings the users can change the settings.
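
An added example, not part of any post in this thread: one way for the app to treat the `com.apple.configuration.managed` dictionary as untrusted input before using `serverURL`. The names `trustedServerURL`, `allowedHosts`, `ManagedConfigError` and the host `mdm-api.example.com` are hypothetical, and the code assumes the MDM-delivered dictionary is reported as administrator-managed by `objectIsForced(forKey:)` on the target platform, which should be confirmed on a managed test device.

```swift
import Foundation

// Hypothetical names: allowedHosts, ManagedConfigError, trustedServerURL.
let managedKey = "com.apple.configuration.managed"
// Constructed sample value: hosts the app is willing to talk to, compiled in.
let allowedHosts: Set<String> = ["mdm-api.example.com"]

enum ManagedConfigError: Error {
    case notManaged, missing, badScheme, hostNotAllowed
}

/// Returns serverURL only if the key is administrator-managed and the value
/// passes checks that do not depend on the configuration itself.
func trustedServerURL(defaults: UserDefaults = .standard) throws -> URL {
    // objectIsForced(forKey:) reports whether the key is managed by an
    // administrator. Assumption: the MDM payload sets this on your platform.
    guard defaults.objectIsForced(forKey: managedKey) else {
        throw ManagedConfigError.notManaged
    }
    guard let conf = defaults.dictionary(forKey: managedKey),
          let raw = conf["serverURL"] as? String,
          let url = URL(string: raw) else {
        throw ManagedConfigError.missing
    }
    // Independent of where the value came from: require TLS and a known host.
    guard url.scheme?.lowercased() == "https" else {
        throw ManagedConfigError.badScheme
    }
    guard let host = url.host?.lowercased(), allowedHosts.contains(host) else {
        throw ManagedConfigError.hostNotAllowed
    }
    return url
}

// On an unmanaged machine this takes the rejection path (notManaged).
do {
    print("using", try trustedServerURL())
} catch {
    print("rejecting managed configuration:", error)
}
```

The allowlist and scheme check hold even if the managed-origin assumption turns out not to apply, because a value such as `BAD_SERVER_NAME` fails them regardless of which defaults domain it was written to.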