7 Replies
      Latest reply on Aug 8, 2018 2:15 AM by eskimo
      thomasareed Level 1 (0 points)

        This is not a security question per se, although it does have security implications and there doesn't seem to be a better place to ask.

        Is it possible to remove configuration profiles programmatically? An example of what I'm talking about would be all the profiles listed here:

        https://github.com/rtrouton/profiles

        I know that this can be done via the Terminal, using a command like this:

        sudo profiles remove -identifier someIdentifier

        However, I'd prefer not to shell out to do this, and would like to find the correct APIs for the task. Any advice?

        • Re: Remove configuration profiles?
          eskimo Apple Staff (10,295 points)

          macOS has no APIs for installing or removing configuration profiles.  The profiles tool is one way to do this but I understand your reluctance to use that approach.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Remove configuration profiles?
              thomasareed Level 1 (0 points)

              That's disappointing.

              Do you have any advice for some way of doing this in the most secure manner possible? We're reluctant to shell out in our software, since that could open up a potential attack vector for malicious software to use us for root escalation and the like. Is there a way you'd recommend to do that securely?

                • Re: Remove configuration profiles?
                  eskimo Apple Staff (10,295 points)

                  It’s hard to answer this without more context.  Most folks manage profiles via MDM, and that’s the approach I recommend in general.  If you need to do this from an app running on the Mac, you can have your app talk to your MDM server talk to your Mac.  It’s kinda roundabout, but it’s both supported and secure.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                    • Re: Remove configuration profiles?
                      thomasareed Level 1 (0 points)

                      The problem is that there are some adware programs that are installing config profiles to force the browser to a particular home page. This prevents the average user from correcting the issue, since they don't know that these profiles even exist. We want to help remove those, but without damaging other legitimate profiles that may be installed.

                        • Re: Remove configuration profiles?
                          eskimo Apple Staff (10,295 points)

                          If you can’t rely on MDM then your only option is the profiles tool.  Two things:

                          • In various places above you wrote “shell out”.  I’m hoping you’re using that generically, and not literally using a shell (for example, via the system routine).  If you run command line tools from code, you should always run them directly (using NSTask, posix_spawn, fork / exec, and so on) rather than invoking a shell.

                          • If you’d like to see an API for this sort of thing, I encourage you to file an enhancement request describing your requirements.

                            Please post your bug number, just for the record.

                          Share and Enjoy

                          Quinn “The Eskimo!”
                          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                          let myEmail = "eskimo" + "1" + "@apple.com"
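
Running the tool directly with `posix_spawn`, as recommended in the reply above, shown as an added example that is not code from the thread or from Apple. The names `run_direct` and `remove_profile`, the fixed minimal environment and the leading-dash check are assumptions of this example, and `/bin/echo` stands in for `/usr/bin/profiles` so the block runs without root or macOS.

```c
#define _POSIX_C_SOURCE 200809L
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Spawn `path` with an explicit argv (no shell, no PATH search) and capture
   up to cap-1 bytes of its stdout. Returns the exit status, or -1 on failure. */
int run_direct(const char *path, char *const argv[], char *out, size_t cap) {
    /* Fixed minimal environment: nothing inherited from the caller. */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    posix_spawn_file_actions_t fa;
    int fds[2], status;
    pid_t pid;
    if (pipe(fds) != 0) return -1;
    posix_spawn_file_actions_init(&fa);
    posix_spawn_file_actions_adddup2(&fa, fds[1], STDOUT_FILENO);
    posix_spawn_file_actions_addclose(&fa, fds[0]);
    posix_spawn_file_actions_addclose(&fa, fds[1]);
    int rc = posix_spawn(&pid, path, &fa, NULL, argv, envp);
    posix_spawn_file_actions_destroy(&fa);
    close(fds[1]);
    if (rc != 0) { close(fds[0]); return -1; }
    size_t n = 0;
    ssize_t r;
    while (n + 1 < cap && (r = read(fds[0], out + n, cap - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Builds the command line from the thread: profiles remove -identifier <id>.
   The identifier is one argv slot, so ';', '$(...)' and spaces stay literal.
   Assumes the caller already runs with the privileges the tool needs. */
int remove_profile(const char *tool, const char *identifier, char *out, size_t cap) {
    if (identifier[0] == '\0' || identifier[0] == '-')
        return -1; /* the tool could parse it as an option instead of a value */
    char *const argv[] = { "profiles", "remove", "-identifier", (char *)identifier, NULL };
    return run_direct(tool, argv, out, cap);
}

int main(void) {
    char out[256];
    /* Constructed hostile identifier; echo prints the argv it received. */
    int rc = remove_profile("/bin/echo", "com.example.adware; id", out, sizeof out);
    printf("exit=%d child saw: %s", rc, out);
    return rc;
}
```

The same string passed through `system()` would be split and interpreted by the shell; here it reaches the child as a single argument.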

                            • Re: Remove configuration profiles?
                              thomasareed Level 1 (0 points)

                              Yup, I didn't mean literally invoking a shell.

                              Thanks for your assistance! I'll file an enhancement request, although I'm not going to get high hopes... in fact, I'm hoping that Apple will instead lock down profiles more tightly in the future to prevent these attacks and eliminate the need for this kind of remediation. (Perhaps that should be the essence of my enhancement request, actually.)

                                • Re: Remove configuration profiles?
                                  eskimo Apple Staff (10,295 points)

                                  (Perhaps that should be the essence of my enhancement request, actually.)

                                  You can always file two!

                                  Share and Enjoy

                                  Quinn “The Eskimo!”
                                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                  let myEmail = "eskimo" + "1" + "@apple.com"