Remove configuration profiles?

This is not a security question per se, although it does have security implications and there doesn't seem to be a better place to ask.


Is it possible to remove configuration profiles programmatically? An example of what I'm talking about would be all the profiles listed here:


https://github.com/rtrouton/profiles


I know that this can be done via the Terminal, using a command like this:


sudo profiles remove -identifier someIdentifier


However, I'd prefer not to shell out to do this, and would like to find the correct APIs for the task. Any advice?

Replies

macOS has no APIs for installing or removing configuration profiles. The profiles tool is one way to do this but I understand your reluctance to use that approach.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

That's disappointing.


Do you have any advice for some way of doing this in the most secure manner possible? We're reluctant to shell out in our software, since that could open up a potential attack vector for malicious software to use us for root escalation and the like. Is there a way you'd recommend to do that securely?

It’s hard to answer this without more context. Most folks manage profiles via MDM, and that’s the approach I recommend in general. If you need to do this from an app running on the Mac, you can have your app talk to your MDM server, which then talks to your Mac. It’s kinda roundabout, but it’s both supported and secure.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

The problem is that there are some adware programs that are installing config profiles to force the browser to a particular home page. This prevents the average user from correcting the issue, since they don't know that these profiles even exist. We want to help remove those, but without damaging other legitimate profiles that may be installed.

If you can’t rely on MDM then your only option is the profiles tool. Two things:
  • In various places above you wrote “shell out”. I’m hoping you’re using that generically, and not literally using a shell (for example, via the system routine). If you run command line tools from code, you should always run them directly (using NSTask, posix_spawn, fork/exec, and so on) rather than invoking a shell.
  • If you’d like to see an API for this sort of thing, I encourage you to file an enhancement request describing your requirements. Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
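The "run the tool directly, never through a shell" advice above, as an added C example that is not from this thread or from Apple: it spawns the profiles tool with an explicit argv vector via posix_spawn, so an identifier string is always delivered as a single argument and shell metacharacters in it have no effect. The /usr/bin/profiles path and the identifier_is_sane check are assumptions for this example.

```c
#include <errno.h>
#include <spawn.h>
#include <string.h>
#include <sys/wait.h>

extern char **environ;

/* Assumed location of the tool for this example (macOS ships it in /usr/bin). */
#define PROFILES_TOOL "/usr/bin/profiles"

/* Hypothetical allow-list: reverse-DNS style identifiers only (letters, digits,
   '.', '-', '_'). posix_spawn would pass anything else as one argv entry anyway,
   but rejecting junk up front keeps the remediation narrowly scoped. */
int identifier_is_sane(const char *id) {
    size_t n = strlen(id);
    if (n == 0 || n > 255) return 0;
    for (size_t i = 0; i < n; i++) {
        char c = id[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_';
        if (!ok) return 0;
    }
    return 1;
}

/* Spawn `path` with the given argv (no shell, no PATH lookup) and wait for it.
   Returns the child's exit status, or -1 if spawning failed or it died abnormally. */
int run_tool(const char *path, char *const argv[]) {
    pid_t pid;
    int rc = posix_spawn(&pid, path, NULL, NULL, argv, environ);
    if (rc != 0) { errno = rc; return -1; }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Equivalent of `profiles remove -identifier <id>` from the thread, built as an
   argv array instead of a command string. Needs root, as the Terminal form does. */
int remove_profile(const char *identifier) {
    if (!identifier_is_sane(identifier)) return -1;
    char *argv[] = { "profiles", "remove", "-identifier", (char *)identifier, NULL };
    return run_tool(PROFILES_TOOL, argv);
}
```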

Yup, I didn't mean literally invoking a shell.


Thanks for your assistance! I'll file an enhancement request, although I'm not going to get high hopes... in fact, I'm hoping that Apple will instead lock down profiles more tightly in the future to prevent these attacks and eliminate the need for this kind of remediation. (Perhaps that should be the essence of my enhancement request, actually.)

(Perhaps that should be the essence of my enhancement request, actually.)

You can always file two!

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"