=Start=
Background:
macOS's privacy and permission controls are actually decent: authorization for almost every sensitive operation is left to the end user. For enterprise security, however, that same privacy feature carries a high risk. For example, if the antivirus or data loss prevention software installed on a company-issued computer does not have Full Disk Access, it cannot scan effectively, so it cannot discover and cover the relevant security risks, which leaves a serious gap. For this situation Apple provides configuration profiles to control and set the behaviour of the system and applications, similar to Group Policy on Windows.
Main text:
Reference answer:
What is a configuration profile?
A configuration profile is an XML file (ending in .mobileconfig) containing payloads that load settings and authorization information onto Apple devices. These files can be created with an MDM solution or Apple Configurator, or by hand.
Configuration profiles are used to distribute configuration information to managed Apple devices. A profile automatically configures settings, accounts, restrictions and credentials. There are three types of profile: user, device, and mobile device management (MDM) enrollment. If you see a configuration profile, your Mac may be a managed computer.
Because configuration profiles can be encrypted and signed, you can restrict them to specific Apple devices and prevent anyone without the username and password from changing the settings they contain. You can also mark a configuration profile as locked to the device.
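As an added example (not from the page, the Apple documentation or any MDM vendor), this Python inspects an unsigned .mobileconfig with the standard plistlib module: it lists the payload types, whether the profile is locked against user removal (PayloadRemovalDisallowed) and whether it carries a removal-password payload. The sample profile, its identifiers and UUIDs are constructed.

```python
import plistlib

# Constructed sample (not from the page): System-scoped Restrictions payload plus a
# removal-password payload, with user removal disallowed. Identifiers are made up.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadDisplayName</key><string>Example Restrictions</string>
  <key>PayloadIdentifier</key><string>com.example.restrictions</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>com.example.restrictions.access</string>
      <key>PayloadUUID</key><string>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</string>
      <key>allowCloudDocumentSync</key><false/>
      <key>allowCloudKeychainSync</key><false/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.profileRemovalPassword</string>
      <key>PayloadIdentifier</key><string>com.example.restrictions.removal</string>
      <key>PayloadUUID</key><string>ffffffff-0000-1111-2222-333333333333</string>
      <key>RemovalPassword</key><string>example-only</string>
    </dict>
  </array>
</dict></plist>
"""

def summarize_profile(data: bytes) -> dict:
    """Return the management-relevant facts of an unsigned .mobileconfig."""
    if not data.lstrip().startswith(b"<?xml"):
        # Signed profiles are CMS-wrapped DER; unwrap with `security cms -D -i FILE` first.
        raise ValueError("not a plain XML profile (probably CMS-signed)")
    top = plistlib.loads(data)
    payloads = top.get("PayloadContent", [])
    restrictions = {}
    for p in payloads:
        if p.get("PayloadType") == "com.apple.applicationaccess":
            restrictions.update({k: v for k, v in p.items() if not k.startswith("Payload")})
    return {
        "identifier": top.get("PayloadIdentifier"),
        "scope": top.get("PayloadScope", "User"),       # Apple's default scope is User
        "removal_disallowed": bool(top.get("PayloadRemovalDisallowed", False)),
        "removal_password": any(p.get("PayloadType") == "com.apple.profileRemovalPassword" for p in payloads),
        "payload_types": [p.get("PayloadType") for p in payloads],
        "restrictions": restrictions,
    }
```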
How to view installed configuration profiles
Users can do this with the profiles command-line tool, System Settings (macOS 13 or later) or System Preferences (macOS 12.0.1 or earlier).
Graphical operation
- [Monterey and earlier macOS] On the Mac, choose Apple menu > System Preferences, then click Profiles. If no configuration profile is installed, the Profiles preference pane is not available.
- [Ventura] On the Mac, choose Apple menu > System Settings, click Privacy & Security in the sidebar, then click Profiles on the right. (You may need to scroll down.)
- In the Profiles list, select a profile to [view] its information.
- [Add] a profile: click the Add button +.
- [Remove] a profile: select the profile, then click the Remove button –. If you cannot remove a profile, your Mac may be a managed computer. Contact the system administrator of the school or organisation that provided the computer for more information. Some profiles can only be removed by the Mac's system administrator.
Command-line operation
```shell
man profiles
# List all installed configuration profiles; this output is the most complete and detailed
sudo profiles -P -o stdout
sudo profiles list -all
sudo profiles show
sudo profiles remove -identifier com.example.profile1 -password pass
```
How do you remove a password-protected configuration profile?
You can back up the Mac and then boot to recovery and erase it. The MDM profiles are designed to resist cracking so erase and restore is often the fastest method.
In short, password-protected configuration profiles pushed by MDM are designed to resist abnormal removal and other cracking attempts, so the fastest way to achieve this is to back up the files on the Mac and then boot into Recovery to erase the disk.
Because macOS is updated fairly often, the solutions you find online very likely only work on older macOS versions; on a recent macOS there really seems to be no stable, usable method other than erasing the disk.
```text
$ man profiles
...
EXAMPLES
profiles remove -path /profiles/testfile2.mobileconfig
Removes the configuration profile file '/profiles/testfile2.mobileconfig' into the current user.
profiles list -type provisioning
Displays a list of installed provisioning profiles.
profiles list -all
When running as root, this will list all configuration profiles on the system.
profiles show
Displays extended information for installed configuration profiles for the current user.
profiles status -type startup
Displays information on whether or not startup profiles are set up.
profiles remove -identifier com.example.profile1 -password pass
Removes any installed profiles with the identifier com.example.profile1 in the current user and using a removal password of 'pass'.
profiles show -type enrollment
Displays the current DEP configuration information.
profiles renew -type enrollment
Re-enables the DEP user notification enrollment messages.
profiles install -type bootstraptoken
Creates or updates the Bootstrap Token APFS record and escrows the information to the server.
profiles show -type enrollment -cached
Displays the cached information of an existing DEP enrollment configuration.
...
```
Checks of the same output for specific restriction keys, in the pattern of the CIS-macOS-Security rules linked below (grep -c returns the number of matching lines, so 0 means no installed profile sets that key to 0):

```shell
$ /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudDocumentSync = 0'
$ /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudKeychainSync = 0'
$ /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudDesktopAndDocuments = 0'
```
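The grep checks above only count lines. As an added example (not from the page or the CIS project), this Python parses a dump in the shape of `profiles -P -o stdout` and reports, per key, whether a profile restricts it (`= 0`), explicitly allows it (set to another value) or leaves it unset, together with the profile identifier responsible. The sample dump, its field layout and the profile identifiers are constructed assumptions.

```python
import re

# Constructed sample in the shape of `sudo profiles -P -o stdout` (assumed layout:
# one "attribute:" line per field, payload content as `key = value;` lines).
SAMPLE_DUMP = """\
_computerlevel[1] attribute: name: Example Restrictions
_computerlevel[1] attribute: profileIdentifier: com.example.restrictions
_computerlevel[1] payload[1] attribute: payloadType: com.apple.applicationaccess
_computerlevel[1] payload[1] attribute: payloadContent: {
    allowCloudDocumentSync = 0;
    allowCloudKeychainSync = 0;
    allowCloudDesktopAndDocuments = 1;
}
_computerlevel[2] attribute: name: MDM Enrollment
_computerlevel[2] attribute: profileIdentifier: com.example.mdm
_computerlevel[2] payload[1] attribute: payloadType: com.apple.mdm
"""
# The three keys the grep checks above look for.
CIS_ICLOUD_KEYS = ("allowCloudDocumentSync", "allowCloudKeychainSync", "allowCloudDesktopAndDocuments")
PROFILE_RE = re.compile(r"^\S+\[\d+\] attribute: profileIdentifier: (.+)$")
SETTING_RE = re.compile(r"^\s+(\w+) = (\S+?);$")

def parse_settings(dump: str) -> dict:
    """Map every `key = value;` line to the profile that set it: {key: [(profile, value)]}."""
    settings, profile = {}, None
    for line in dump.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            profile = m.group(1).strip()
            continue
        m = SETTING_RE.match(line)
        if m and profile:
            settings.setdefault(m.group(1), []).append((profile, m.group(2)))
    return settings

def audit(dump: str, keys=CIS_ICLOUD_KEYS) -> dict:
    """Report each key as restricted (= 0), allowed (set but not 0) or unset, with the profiles."""
    settings = parse_settings(dump)
    report = {}
    for key in keys:
        hits = settings.get(key, [])
        if any(v == "0" for _, v in hits):
            report[key] = ("restricted", [p for p, v in hits if v == "0"])
        elif hits:  # present but explicitly allowed: grep -c '<key> = 0' would miss this
            report[key] = ("allowed", [p for p, _ in hits])
        else:
            report[key] = ("unset", [])
    return report
```

On a real Mac, feed the text of `sudo profiles -P -o stdout` to `audit()`; any key reported as allowed or unset is one the CIS-style grep would simply count as 0.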
Reference links:
Use configuration profiles to standardise settings on Mac computers
https://support.apple.com/zh-cn/guide/mac-help/mh35561/mac
Where do you find the profiles on a Mac?
https://www.jianshu.com/p/7e033921d4e8
iMazing Profile Editor: create, edit and sign Apple configuration profiles
https://imazing.com/zh/profile-editor
What are the risks of installing profiles not certified by Apple?
https://www.zhihu.com/question/46343793
MacBook macOS cannot delete a profile, it asks for a password, help!!??
https://www.zhihu.com/question/389672632
What is an iOS "profile"?
https://www.zhihu.com/question/19899208
CIS-macOS-Security/custom/rules/cisicloud/cisicloud_drive_disable.yaml
https://github.com/mvdbent/CIS-macOS-Security/blob/main/custom/rules/cisicloud/cisicloud_drive_disable.yaml
macOS, delete profiles that need password
https://apple.stackexchange.com/questions/411065/macos-delete-profiles-that-need-password
If you can't start up from macOS Recovery
https://support.apple.com/zh-cn/HT201314
=END=
5 comments on "Configuration profiles on macOS"
Managing login items on a Mac via MDM
Manage login items and background tasks on Mac
https://support.apple.com/zh-cn/guide/deployment/depdca572563/web
Managed Login Items MDM payload settings for Apple devices
https://support.apple.com/zh-cn/guide/deployment/dep07b92494/1/web/1.0
What's new for enterprise in macOS Ventura
https://support.apple.com/zh-cn/HT213327
`
macOS Ventura 13.0
…
* MDM can manage whether login items and background items can be disabled in System Settings, and can reduce notifications.
* MDM settings can be used to restrict Bluetooth modification, manual installation of profiles, Universal Control and accessory security.
…
`
Managing “Login Items” for macOS Ventura
https://hammen.medium.com/managing-login-items-for-macos-ventura-e78d627f88b6
Login and Background Item Management in macOS Ventura 13
https://n8felton.wordpress.com/2022/10/24/login-and-background-item-management-in-macos-ventura-13/
com.apple.servicemanagement.yaml
https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.servicemanagement.yaml
macOS Ventura and the story about what’s run on the back (background item)
https://blog.mobinergy.com/macos-ventura-and-the-story-about-whats-run-on-the-back-background-item/
Controlling Login and Background Items in Ventura
https://eclecticlight.co/2023/02/15/controlling-login-and-background-items-in-ventura/
Enable Norton in Login Items on macOS Ventura 13.x or later
https://support.norton.com/sp/zh/cn/home/current/solutions/v20220916232603380
com.apple.servicemanagement.plist
https://gist.githubusercontent.com/n8felton/138a03981673f45af46adc445fa820f5/raw/4d87835b6878c437a0f119a5d067c1c7628e703c/com.apple.servicemanagement.plist
Background task management example
https://support.apple.com/zh-cn/guide/deployment/dep91dff5936/1/web/1.0
macOS_Login_and_Background_Item_Management.md
https://github.com/vmware-samples/euc-samples/blob/master/UEM-Samples/Profiles/macOS/Fall-2022/macOS_Login_and_Background_Item_Management.md
macOS terms and trends you should know about
https://www.huntress.com/blog/macos-terms-and-trends-you-should-know-about
`
To help you make sense of it all, we hope the following list provides you with a one-stop shop of common macOS terms and acronyms you should know about.
* App Sandbox: provides protection to system resources and user data by limiting your app’s access to resources requested through entitlements. If you desire to have your application distributed through the Mac App Store, you’ll need to enable this feature.
* Application bundle: a common way you package applications for installation/distribution. The extension of this file type is usually .app.
* Bundle ID: a resource that represents the app’s unique identifier that you can register, modify, and delete. Naming convention generally follows com.companyName.applicationName.
* Codesigning: applying a developer’s developer/team ID (see below) to an application, so people know who the owner is and not a spoofed/faked copy. Also leveraged by Gatekeeper/File Quarantine/Notarization to look for and detect malicious content.
* Daemon: a process that runs in the background, typically with “root” (i.e., administrator) privileges. The Huntress Agent would be an example of a daemon.
* Developer ID (aka Team ID): a ten-character alphanumeric string that is associated with an application (and is assigned by Apple). It’s how you claim an application as your own.
* Entitlement: a privilege that grants a program a specific capability on a Mac, such as accessing a user’s Documents directory or (in some cases) installing system extensions. The latter is an example of a restricted entitlement, which requires users to distribute a provisioning profile with our app specifying the entitlements it has been granted.
* ES (often called ESF): Endpoint Security (Framework): a low-level C API provided by Apple designed for monitoring system events for potentially malicious activity.
* File Quarantine: file quarantine is part of built-in macOS security. It assigns an extended attribute to newly downloaded files. It then moves them to a temporary folder, where it then prompts the end user if they trust the file or not.
* FileVault: Provides full-disk encryption for a user’s data. Ensures that the user’s data is securely protected from unauthorized access in case their Mac is lost or stolen, adding an extra layer of security to their files and information.
* Finder: similar to Windows Explorer start menu. It is an easy way to search through files, launch applications, and other basics. Similar to how the macOS Launchpad/Dock is equal to the Windows Start Menu.
* Full Disk Access (FDA): to access features such as directories with user (or sensitive) data, library directories, etc, without having to explicitly approve each directory. This is part of Transparency, Consent, and Control (TCC).
* Gatekeeper: a security feature in macOS that controls and verifies the authenticity of applications before they are allowed to run, preventing the execution of unauthorized software.
* Hardened Runtime: a macOS security feature that restricts and monitors an application’s behavior. It enforces runtime protections, including code signing and runtime code integrity checks, and prevents code injection, DLL hijacking, and memory tampering.
* Keychain: a macOS app that stores your passwords and account information, and reduces the number of passwords you have to remember and manage. Stored in the secure enclave.
* LaunchAgent: a persistence item that will execute a binary once a user session has started
* LaunchDaemon: a persistence item that will execute a binary once the system starts (does not require an interactive user session)
* M1/M2: series of ARM-based systems-on-a-chip designed by Apple Inc. as a central processing unit and graphics processing unit for its Mac desktops and notebooks, and the iPad Pro and iPad Air tablets
* Mobile Device Management (MDM): enables administrators to remotely configure settings, enforce security policies, distribute apps, and secure device usage within the organization. Apple is moving heavily toward this model of security by declarative configuration. Examples of MDMs are Addigy, Intune, Jamf, or Kandji.
* Notarization: similar to codesigning, it is a security mechanism provided by Apple that involves submitting your application to Apple to be reviewed (they’re looking for malware)
* pkg: the file type of an installer. Generally contains a pre-install and/or post-install script
* Plist: a structured file format that typically contains settings, preferences, or metadata for applications. This is the file structure for LaunchItems (LaunchAgents, LaunchDaemons).
* PPPC Payload: PPPC stands for ‘Privacy Preferences Policy Control’. When using an MDM, administrators can deploy a PPPC payload (or policy). This can specify TCC permissions for applications without requiring explicit approval from the end user. An example would be giving the HuntressAgent full disk access. This is only available when using an MDM to deploy.
* Provisioning Profile: a sort of manifest distributed with third-party apps, describing, among other things, which entitlements the app requires and where it is allowed to run (for example, only on select development/testing machines, or anywhere). macOS apps do not typically require provisioning profiles, but there can be a need to include one if you are making use of restricted entitlements (see entitlement).
* Secure Enclave: a secure separate co-processor found in some Macs and iOS devices that handles sensitive operations like biometric data (Touch/Face ID) and encryption keys.
* System Integrity Protection (SIP): a system of security features that prevent modification of system files.
* System Extension: similar to the OSR driver on Windows. It’s the way you can communicate with the low levels of the operating system.
* TCC: Transparency, Consent, & Control (database on disk). This is a common location to begin troubleshooting after installation or application functionality issues.
* Unified Logging: provides a comprehensive and performant API to capture telemetry across all levels of the system
* XPC: an Apple-specific protocol for communicating between low levels of the operating system. It allows for bidirectional communication between processes.
`
How to determine details of backgound process?
https://apple.stackexchange.com/questions/465920/how-to-determine-details-of-backgound-process
https://github.com/luckman212/login-items-dump
`
Parses the output of the `sfltool dumpbtm` command.
`
Scary! ByteDance's Feilian really is blatantly taking screenshots in the background
https://v2ex.com/t/1050989?p=2
`
Sigh. I built a similar feature on this kind of product at a certain big company before, so let me briefly explain what this thing is. We also looked at Feilian's product. This feature is called screenshot evidence collection. Generally it does not take screenshots all the time; it only takes a screenshot when the Feilian DLP system detects some high-risk behaviour. This feature is usually pushed to the endpoint along with macOS ABM+MDM, so the permission setup is invisible to the user. It actually exists to provide evidence for the DLP data leak prevention system, because current DLP has a lot of false positives and false negatives and that problem has never been solved well. We were about the top DLP capability in China and we still could not solve it, so when a suspected high-risk action happens it takes a screenshot. Never mind the false negatives and false positives; what they are afraid of is you denying it. That is roughly the logic.
==
Why do so many people above think there is a problem with a company using auditing software to audit its own devices and its own assets?
So many people above find it strange, and some even get sarcastic about it?
Have you never worked at a company with auditing devices, or been audited without even knowing it?
Aren't there plenty of foreign products that play the same game, each with higher privileges than the last?
Leaving everything else aside, once an Apple device is under MDM management, its privileges are off the charts.
Which company of any real size does not do compliance?
On a small scale, what if a programmer pulls the company's internal paid commercial software from git or svn and sends it out? What if a finance employee or someone with access screenshots or photographs confidential content from the internal control system or supply-chain information and sends it somewhere else?
==
In an enterprise environment, once MDM and ABM are configured, users cannot change these settings. Common enterprise Mac desktop management software includes Jamf, Ivanti, VMware Workspace and so on, all of them from overseas. Other things such as Bluetooth, Location Services, AirDrop and the App Store can all be turned off directly. Software that needs to be installed comes from an internal enterprise app store, which is already very mature.
`