Setting Safari Homepage in Mojave with SIP

brian_eybs
New Contributor III

I'm hoping that someone can confirm what I'm seeing. We were hoping to set the safari homepage on our macs through Jamf Pro. But it appears that in Mojave (earlier?), Safari has been containerized so the plist that has the homepage is now under /users/*/library/containers/.... There doesn't appear to be anyway to modify the setting(not via script or configuration profile) unless you turn off SIP first. Is that correct? Or is there something I'm missing?

39 REPLIES 39

cbrewer
Valued Contributor II

In my experience, you can update ~/Library/Preferences/com.apple.Safari.plist HomePage value with a script or config profile and it still works fine in Mojave. If you update it with a script, use a defaults write command and don't forget to give ownership to the user that is logging in.

You may also want to set NewWindowBehavior and NewTabBehavior

Example:

defaults write /Users/$3/Library/Preferences/com.apple.Safari HomePage -string "$homePage"
defaults write /Users/$3/Library/Preferences/com.apple.Safari NewWindowBehavior -int 0
defaults write /Users/$3/Library/Preferences/com.apple.Safari NewTabBehavior -int 0
chown $3 /Users/$3/Library/Preferences/com.apple.Safari.plist

brian_eybs
New Contributor III

Ah, didn't give ownership when I tried before. Will try that. Thanks

brian_eybs
New Contributor III

@cbrewer

Still not working. com.apple.safari that is in /library/preferences is edited successfully and ownership is set, however, safari is not reading the setting from that plist file. It is still pulling the safari homepage from /library/containers/com.apple.safari/data/library/preferences/com.apple.safari.plist.

Sichas
Contributor

Ah, I’ve got ya :)

Run these two commands in Terminal:

defaults write ~/Desktop/com.apple.Safari.SandboxBroker.plist Homepage “https://jamf.com”

defaults write ~/Desktop/com.apple.Safari.plist HomePage “https://jamf.com”

(Certainly swap out jamf.com for whatever you want your homepage to be!)

Then upload both of those plists to a Configuration Profile, using the Custom Settings payload. (Upload both Plists to the same profile) You’ll get an error about their formatting, just run the command Jamf tells you to in Terminal. (plutil -convert xml1 /path/to/file.plist)

Deploy the profile out, and that’ll set AND enforce Safari’s homepage, so the user can’t change it.

brian_eybs
New Contributor III

I've also tried to go with it and test

defaults write ~/library/containers/com.apple.safari/data/library/preferences/com.apple.safari.plist HomePage -string http://home

It gets set in the plist but again safari does not appear to read that setting.

I used composer and monitored changes, changed the homepage in safari>preferences and what it found was that /library/preferences/com.apple.Safari.SandboxBroker.plist was changed.

Any Thoughts?
Thanks

cbrewer
Valued Contributor II

@brian.eybs You may need to uncheck "Perform login hook actions in background" in Jamf > Settings > Computer > Check-In. That will cause login scripts to complete before the login session happens.

brian_eybs
New Contributor III

@iMatthewCM

Thanks

I'll try that.

jconte
Contributor II

I am deploying this through a configuration profile without any issues.

Preference Domain for config profile is: com.apple.Safari

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict> 
    <key>NewWindowBehavior</key>
    <integer>0</integer>
    <key>NewTabBehavior</key>
    <integer>0</integer>
    <key>HomePage</key>
    <string>https://inside.companyname.com/wps/myportal/</string>
    <key>AutoFillCreditCardData</key>
    <false/>
    <key>AutoFillPasswords</key>
    <false/>
    <key>AutoFillMiscellaneousForms</key>
    <false/>
    <key>AutoFillFromAddressBook</key>
    <false/>
    <key>AlwaysShowTabBar</key>
    <true/>
</dict>
</plist>

mbezzo
Contributor III

Any ideas on how to set an initial homepage but not force it for Mojave?

mainelysteve
Valued Contributor

You could use Outset and place a script in the login-once directory with the above defaults write commands. That in practice should set but not enforce the homepage setting.

rhoward
Contributor

If you are changing it by commands you would also recommend running a "killall cfprefsd" as you are changing preferences.

woodsb
Contributor

After scouring multiple jamf nation posts and blogs, I think I've finally figured out how to do this. The Safari homepage is changed without being locked by a configuration profile. Oddly enough, the GUI doesn't change the homepage URL. Oh well, this is probably as good as it's going to get.

Note: Make sure that safari is closed before running the script. When the script is finished, Safari should open your new homepage. As I mentioned above, the URL in the General Tab will not change. As of now, this works on Mojave and Catalina.

Note 2: If you attempt to check the URL in the General Tab, the browser will default to the listed URL. The next time Safari is opened it will open the listed URL. Basically, don't check the General Tab.

#!/bin/bash

HomePage='https://www.jamf.com/jamf-nation/'

CurrentUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");'`


# Set Safari Homepage

defaults write /Users/$CurrentUser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist HomePage -string $HomePage
defaults write /Users/$CurrentUser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist NewWindowBehavior -int 0
defaults write /Users/$CurrentUser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist NewTabBehavior -int 0
chown $CurrentUser /Users/$CurrentUser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist

#Flush Preference Cache
killall cfprefsd

a_holley
Contributor

I cannot get this to work. I have copied @woodsb script above verbatim and keep getting errors. Unexpected arguments, illegal usernames etc.

julienvs
New Contributor III

@a.holley, the commands from @woodsb worked for me when I hard-coded the user and the homepage. I guess there's something wrong there.
I'll post an update when if I find it.

julienvs
New Contributor III

@a.holley , I got it to work with the following code:

#!/bin/bash
#variable for storing the current users name
currentuser=`stat -f "%Su" /dev/console`

#substituting as user stored in variable to modify plist
#echo "$currentuser"

defaults write /Users/$currentuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist HomePage www.jamf.com
defaults write /Users/$currentuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist NewWindowBehavior -int 0
defaults write /Users/$currentuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist NewTabBehavior -int 0
chown $currentuser /Users/$currentuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist

killall cfprefsd

a_holley
Contributor

@julienvs You are amazing, thanks! Off to test this now

a_holley
Contributor

@julienvs , still get unexpected arguments. I'll keep playing.

julienvs
New Contributor III

Worked on one machine but then not on another one.
Super frustrating.
I manage to change most preferences but just not the ones of macOS apps such as Safari or Calendar.

RJH
Contributor

hi all - id be interested to understand why if you want to deploy this via JAMF, you wouldn't just set this via a config profile - computer level, with com.apple.safari as pref domain, and PLIST file, with entry {HomePage=http://yourhomepage} ?
We do it this way, but curious as to other methods, or perhaps a different use case where this wouldn't meet your requirements.

julienvs
New Contributor III

Hi @RJH , The idea is to prepare a computer for its users without enforcing settings.
We want new users to see the company's homepage, but if they want to change it, they should be able to do so.
Or is that also possible with Configuration Profiles?

Julien

sdagley
Honored Contributor II

@julienvs If you set the homepage with a Configuration Profile the user can not change it

julienvs
New Contributor III

Thanks for your reply @sdagley ,
That's why we're looking for a solution to make it work through a policy.

sdagley
Honored Contributor II

@julienvs The approach I take for this is to have a Self Service policy that will allow the user to exclude their Mac from Configuration Profiles which are considered "options". As an example, we have a Configuration Profile that sets the desktop background, and a Self Service policy named "Unlock Desktop Background" that adds the computer to a Static Group which is used as a Scope Exclusion for that Configuration Policy.

julienvs
New Contributor III

Thanks @sdagley

jhorn
New Contributor

For those that have a working Safari Prefs policy/Config Policy, What is the OS version that you working on? Is SIP disabled? Thanks

bwoods
Valued Contributor

@sdagley and @a.holley. Apologies for not responding. Jamf created a Jamf ID for me and I can't access my old account. I'm noticing that my script above doesn't work anymore until I grant full disk access to my Code Runner in 10.15.5. I still need to test it while running from Jamf. This post gave me some help with this https://discussions.apple.com/thread/8637915.

bwoods
Valued Contributor

@a.holley just tested, my original script using Jamf, it still works. I think you may need to reconfigure your PPPC settings to give the jamf binary full disk access to your builds. You should be able to fix this with the PPPC utility. @jhorn SIP is still enabled on all of my builds.

When testing with Code Runner, remember to add "sudo" to the commands. You also need to ensure that safari is closed during testing. Please reach out if you need any help with this. I am now @bwoods.

T_Armstrong
Contributor

Anyone confirm this is working for them with Safari 14.x? I get:

2021-05-12 15:37:27.894 defaults[46370:361899] Rep argument is not a dictionary Defaults have not been changed.

even when running locally….

bwoods
Valued Contributor

Script above is still working.

user-aj
New Contributor II

@bwoods, If we relaunch the safari again it opens with the default apple page. 

bwoods
Valued Contributor

@user-aj what OS version are you running? What is the output of the script?

user-aj
New Contributor II
MacOS Monterey, it relaunched once with the correct homepage and in safari preferences it shows the default one. After quitting the safari and relaunch it going to the default again.

bwoods
Valued Contributor

Will do some testing. Haven't looked into this on Monterey yet. Will get back to you.

bwoods
Valued Contributor

@user-aj It works the same for me on Monterey, but I do understand what you're saying. I mentioned this behavior when I initially created the script. You can't check the safari preferences, or it will revert. Haven't figured a way around this.

bwoods_0-1645716302489.png

 

sdagley
Honored Contributor II

@user-aj Unless you're looking to set the Safari home page and not prevent your users from (easily) changing it the Configuration profile approach mentioned by @jconte earlier in this post works in Monterey.

bwoods
Valued Contributor

Yeah, a configuration profile is the way to go if you don't want them to change it. My org just wants the landing page for the initial setup. They can change it whenever they like afterward.

user-aj
New Contributor II

Our requirement is to land the home page for initial setup and change it afterward. After testing it listed the homepage once launched, but gone without changing it

sdagley
Honored Contributor II

@user-aj You could use a Configuration Profile to make the initial setting, and then provide a Self Service mechanism to exclude the user from that Configuration Profile to "unlock" the setting.

bwoods
Valued Contributor

For my script, you basically just have to avoid checking the URL in Safari preferences. If you don't check, it'll open on your page every time. I figured if a user is going into Sefari prefs and checking the URL, they're going to change it anyway.