2024-9-17 02:2:29 Author: derflounder.wordpress.com(查看原文) 阅读量:11 收藏
Home > Mac administration, macOS, Management Profiles > Blocking system extension disablement via System Settings on macOS Sequoia
Blocking system extension disablement via System Settings on macOS Sequoia
Since the introduction of system extensions in macOS Catalina, Apple has been adding controls for both individual users and Mac admins to allow management of system extensions. For individual users who manage their own Macs without using MDM management, Apple asks the user to approve the system extensions functions. In turn, for managed environments, Apple has provided management profile options to allow Mac admins to pre-approve or block system extensions from running on the Macs in that environment.
As part of the release of macOS Sequoia, Apple has added new user functionality for managing system extensions, as well as management profile options for Mac admins. For more details, please see below the jump.
The new functionality is the ability to manage installed system extensions via System Settings, with the relevant controls being found in System Settings: General: Login Items & Extensions. As an example, let’s look at the LuLu open-source firewall app. This app uses a network extension and a content filter.
On macOS Sonoma, the following management profiles can be deployed to allow LuLu’s network extension to be deployed and removed without the user being prompted.
Profile to allow deployment and removal:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1"> | |
| <dict> | |
| <key>PayloadUUID</key> | |
| <string>634D0A81-903D-4639-8C72-39A773AF68A8</string> | |
| <key>PayloadType</key> | |
| <string>Configuration</string> | |
| <key>PayloadOrganization</key> | |
| <string>Company Name</string> | |
| <key>PayloadIdentifier</key> | |
| <string>634D0A81-903D-4639-8C72-39A773AF68A8</string> | |
| <key>PayloadDisplayName</key> | |
| <string>LuLu System Extension Allowed and Removable Settings</string> | |
| <key>PayloadDescription</key> | |
| <string/> | |
| <key>PayloadVersion</key> | |
| <integer>1</integer> | |
| <key>PayloadEnabled</key> | |
| <true/> | |
| <key>PayloadRemovalDisallowed</key> | |
| <true/> | |
| <key>PayloadScope</key> | |
| <string>System</string> | |
| <key>PayloadContent</key> | |
| <array> | |
| <dict> | |
| <key>PayloadUUID</key> | |
| <string>FF5677D3-9A0A-4592-8FFE-638846B7F5DD</string> | |
| <key>PayloadType</key> | |
| <string>com.apple.system-extension-policy</string> | |
| <key>PayloadOrganization</key> | |
| <string>Company Name</string> | |
| <key>PayloadIdentifier</key> | |
| <string>FF5677D3-9A0A-4592-8FFE-638846B7F5DD</string> | |
| <key>PayloadDisplayName</key> | |
| <string>System Extensions</string> | |
| <key>PayloadDescription</key> | |
| <string/> | |
| <key>PayloadVersion</key> | |
| <integer>1</integer> | |
| <key>PayloadEnabled</key> | |
| <true/> | |
| <key>AllowUserOverrides</key> | |
| <true/> | |
| <key>AllowedSystemExtensions</key> | |
| <dict> | |
| <key>VBG97UB4TA</key> | |
| <array> | |
| <string>com.objective-see.lulu.extension</string> | |
| </array> | |
| </dict> | |
| <key>RemovableSystemExtensions</key> | |
| <dict> | |
| <key>VBG97UB4TA</key> | |
| <array> | |
| <string>com.objective-see.lulu.extension</string> | |
| </array> | |
| </dict> | |
| </dict> | |
| </array> | |
| </dict> | |
| </plist> |
Profile to configure the content filter:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1"> | |
| <dict> | |
| <key>PayloadUUID</key> | |
| <string>883C5AE4-FCBA-4A1D-83D5-51120C081063</string> | |
| <key>PayloadType</key> | |
| <string>Configuration</string> | |
| <key>PayloadOrganization</key> | |
| <string>Company Name</string> | |
| <key>PayloadIdentifier</key> | |
| <string>883C5AE4-FCBA-4A1D-83D5-51120C081063</string> | |
| <key>PayloadDisplayName</key> | |
| <string>LuLu Content Filter Settings</string> | |
| <key>PayloadDescription</key> | |
| <string/> | |
| <key>PayloadVersion</key> | |
| <integer>1</integer> | |
| <key>PayloadEnabled</key> | |
| <true/> | |
| <key>PayloadRemovalDisallowed</key> | |
| <true/> | |
| <key>PayloadScope</key> | |
| <string>System</string> | |
| <key>PayloadContent</key> | |
| <array> | |
| <dict> | |
| <key>FilterDataProviderBundleIdentifier</key> | |
| <string>com.objective-see.lulu.extension</string> | |
| <key>FilterDataProviderDesignatedRequirement</key> | |
| <string>anchor apple generic and identifier "com.objective-see.lulu.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = VBG97UB4TA)</string> | |
| <key>FilterPacketProviderBundleIdentifier</key> | |
| <string>com.objective-see.lulu.extension</string> | |
| <key>FilterPacketProviderDesignatedRequirement</key> | |
| <string>anchor apple generic and identifier "com.objective-see.lulu.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = VBG97UB4TA)</string> | |
| <key>FilterPackets</key> | |
| <true/> | |
| <key>FilterSockets</key> | |
| <true/> | |
| <key>FilterType</key> | |
| <string>Plugin</string> | |
| <key>PayloadDisplayName</key> | |
| <string>Web Content Filter Payload</string> | |
| <key>PayloadIdentifier</key> | |
| <string>46C79391-5AA6-4A5A-8B91-C298D629F1B7</string> | |
| <key>PayloadOrganization</key> | |
| <string>JAMF Software</string> | |
| <key>PayloadType</key> | |
| <string>com.apple.webcontent-filter</string> | |
| <key>PayloadUUID</key> | |
| <string>46C79391-5AA6-4A5A-8B91-C298D629F1B7</string> | |
| <key>PayloadVersion</key> | |
| <integer>1</integer> | |
| <key>PluginBundleID</key> | |
| <string>com.objective-see.lulu.app</string> | |
| <key>UserDefinedName</key> | |
| <string>LuLu</string> | |
| </dict> | |
| </array> | |
| </dict> | |
| </plist> |
On macOS Sequoia, the new functionality referenced earlier is not managed by either profile. Instead, if you look at System Settings: General: Login Items & Extensions, you should see a Network Extensions entry in the Extensions section.
When you click on the (i) option for the Network Extensions entry, you should see controls like what’s shown below. These controls include the ability to disable the system extension.
To manage this new functionality, Apple has added a new NonRemovableFromUISystemExtensions key to the existing com.apple.system-extension-policy payload for managing system extensions. The following management profile can be deployed to macOS Sequoia Macs to prevent the user from being able to disable the LuLu network extension.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1"> | |
| <dict> | |
| <key>PayloadUUID</key> | |
| <string>CC25188C-5988-4EC7-8622-3D7CDD56A6DD</string> | |
| <key>PayloadType</key> | |
| <string>Configuration</string> | |
| <key>PayloadOrganization</key> | |
| <string>Company Name</string> | |
| <key>PayloadIdentifier</key> | |
| <string>CC25188C-5988-4EC7-8622-3D7CDD56A6DD</string> | |
| <key>PayloadDisplayName</key> | |
| <string>LuLu System Extension NonRemovableFromUISystemExtensions Settings</string> | |
| <key>PayloadDescription</key> | |
| <string/> | |
| <key>PayloadVersion</key> | |
| <integer>1</integer> | |
| <key>PayloadEnabled</key> | |
| <true/> | |
| <key>PayloadRemovalDisallowed</key> | |
| <true/> | |
| <key>PayloadScope</key> | |
| <string>System</string> | |
| <key>PayloadContent</key> | |
| <array> | |
| <dict> | |
| <key>PayloadUUID</key> | |
| <string>168038F2-B6BA-415E-9FA7-84D45FF1BCAA</string> | |
| <key>PayloadType</key> | |
| <string>com.apple.system-extension-policy</string> | |
| <key>PayloadOrganization</key> | |
| <string>Company Name</string> | |
| <key>PayloadIdentifier</key> | |
| <string>168038F2-B6BA-415E-9FA7-84D45FF1BCAA</string> | |
| <key>PayloadDisplayName</key> | |
| <string>System Extensions</string> | |
| <key>PayloadDescription</key> | |
| <string/> | |
| <key>PayloadVersion</key> | |
| <integer>1</integer> | |
| <key>PayloadEnabled</key> | |
| <true/> | |
| <key>AllowUserOverrides</key> | |
| <true/> | |
| <key>NonRemovableFromUISystemExtensions</key> | |
| <dict> | |
| <key>VBG97UB4TA</key> | |
| <array> | |
| <string>com.objective-see.lulu.extension</string> | |
| </array> | |
| </dict> | |
| </dict> | |
| </array> | |
| </dict> | |
| </plist> |
Once deployed, the user controls available via the Network Extensions entry will be grayed out and the user will not be able to change those settings.
Note: Something to be aware of is that the NonRemovableFromUISystemExtensions key only works on macOS Sequoia and older versions of macOS, including macOS Sonoma, will ignore it. This means that deploying profiles which use this NonRemovableFromUISystemExtensions key to older versions of macOS will not result in the new management settings being applied to macOS Sequoia when the Mac is upgraded to run macOS Sequoia. Instead, profiles which use this NonRemovableFromUISystemExtensions key should only be deployed to macOS Sequoia as of this time.
如有侵权请联系:admin#unsafe.sh