Microsoft Edge for macOS Management with Configuration Profiles

If you had bet me just a year or two ago that Microsoft would base their new Edge browser on Google’s open-source Chromium, I probably would have lost some money. That being said, it’s good to see two of the big guys working together to make browsing the web better.

Also with the first release of Microsoft’s Edge browser for Mac, there is a plethora of preferences, both from Chrome as well as new one’s introduced by Microsoft, that can be managed. After diving into the documentation and building on previous work completed for Chrome and Brave, ProfileCreator now supports all of the available Edge preferences for Mac (with a caveat). Shoutout to @andre_db90 over in the MacAdmins Slack for helping with this!

UPDATE: After reviewing previous manifests, I failed to recall that ProfileCreator does in fact support preferences that use dictionaries within arrays … The latest update to the Edge manifest fixes this.

In the case of a few preferences, ProfileCreator doesn’t graphically support what ultimately needs to be produced in a profile’s XML. One such preference is ManagedSearchEngines, as this is formatted as an array of dictionaries. Click the link for more information.

As a result, if you configure this preference you will need to add some array tags around the resulting dictionary in your profile or plist. The XML below is not enough.

Additionally, if you want to manage more than one search engine, you will have to duplicate the dictionary once exported up to 9 additional times (only 10 managed search engines are supported) within the array and update the contained preferences accordingly. Definitely not ideal.

If you already use ProfileCreator, all you need to do is quit and reopen the app to download the latest profile manifests.

If you have any interest in contributing to the ProfileCreator app to provide enhancements or fixes to the current limitations, please feel free to fork the ProfileCreator project and submit a PR. Have other questions or issues? Join the conversation in the #profilecreator MacAdmins channel.

Hope that this helps those looking to manage Edge.

Auto Account Assigning and Deploying Full TeamViewer 14 Client with a Policy

With TeamViewer having moved exclusively to subscription-based licensing, all paid TeamViewer customers now have the benefit of getting the latest major versions of TeamViewer when they become available.

However, our environment does not push out major software updates during the year and as a result don’t want endpoints moving to these new major versions until we’re ready. We’ve been able to accomplish this on our managed endpoints with a custom TeamViewer Host module that is assigned a policy in our TeamViewer Console.

After recently deploying a new Mac Pro within our department, I found that not long after installing the latest release of version 14 that version 15 had been installed. The default behavior it seems which was previously to stay within the same major version is no longer the case. As a result, if a colleague needed to connect to this machine remotely s/he would likewise need to update to version 15 on his or her laptop.

Since TeamViewer doesn’t currently support configuration profile preference management, I initially looked to write to /Library/Preferences/com.teamviewer.teamviewer.plist to change the default update method. However, it appears this plist does not get created until you complete the initial remote password setup and consequently if you write this preference as part of a login script this gets overwritten.

After discussing this situation with TeamViewer Support, I learned that TeamViewer 15 introduced the ability to create custom full client modules just like with Host and QuickSupport (albeit minus the custom branding, but this is in the works) to automatically assign the full TeamViewer client to a management account and apply a desired policy. With some testing, we determined that it was possible to download a full TeamViewer 14 version installer by slightly altering our custom module URL (because this is a new feature in 15, this would otherwise be downloaded by default) and have it be automatically assigned to our management account. Additionally, the configured policy settings also applied successfully.

Know that as of this writing, managing the full TeamViewer client in this way is only possible on Macs and PCs, not Linux clients.

See below the jump for more info.

Read More

2019 Mac & macOS Updates to Apple’s Tours (com.apple.touristd)

With every new major macOS version (and certain hardware models), Apple introduces new “tours” that are offered to users to learn about “What’s New” with macOS, Mac basics, and where applicable, their specific Mac model. These tours manifest themselves in the form of notifications that when selected open a unique URL in Safari for the selected tour.

As far as I can tell, Carl Ashley was one of the first to write about this years ago when 10.12 Sierra was the current OS version. The ultimate goal is to suppress these additional macOS notifications entirely and can be done most efficiently with a configuration profile.

However, despite the touristd binary having commands to override different information, in my own testing I have been unable to trick touristd into pulling different tours than those applicable to my own macOS version and Mac hardware model. The same is the case when done in a VM. This up until now has made it difficult to update our own profile for new macOS versions and hardware that is released without having them on hand to test.

While a Mac’s current tour notification status data is written to each user’s ~/Library/Preferences/com.apple.touristd/com.apple.touristd.plist file, I recently stumbled on another touristd file in ~/Library/Application Support/com.apple.touristd/com.apple.touristd.plist. It appears that this file has all the information – the board IDs, URLs, applicable OS versions, etc. – for every possible tour, making it much much easier to verify and update moving forward.

UPDATE 5/21/20: Additionally, while you may not be running the latest major version of macOS you can always access all the available TouristD configs directly from https://help.apple.com/macOS/config.json. Changes are being logged in the macos-touristd-config repo.

You will find the new Catalina and Mac hardware model tours available in ProfileCreator, so you can more easily create a profile to suppress those alerts. So long as each preference key’s date and time is set to some point in the past, all tour notifications will be suppressed. That is, until Apple releases new ones.

While you can choose to deploy targeted profiles of just the applicable models to your devices, you can push one profile that suppresses everything to all your Macs.