Enabling, Restricting, and Hiding Third-Party System Preference Panes on Mac

As time goes on, it’s staggering to think about the number of things we learn and then later happily (but at times also unhappily) forget when they are no longer relevant or useful. Much to my surprise, something I had long forgotten (mostly unpleasant memories) came flooding back to me from a relatively simple question: can third-party System Preferences panes be managed via profile?

Back when the only Jamf Pro option was on-premises, Jamf provided this Jamfnation Article as a guide for admins to natively manage third-party preference panes. By default, only a very small (and now very dated) native list of preference panes could be enabled, restricted, or hidden entirely via the System Preferences payload. Without too much effort (if you knew what you were doing) you could add your own checkboxes with the desired display name and the corresponding CFBundleIdentifier for the preference pane in order to selectively allow, deny, or hide these preference panes right from within the native Jamf profile builder.

Because the method of adding checkbox options involved changing the actual XML code of a particular JSS file, which got reset to its original state after every JSS upgrade, the desired changes had to be made again after every upgrade… Not a fun time! Shoutout to my fellow MacAdmins who can relate.

I’d even forgotten I’d written a Feature Request to add this functionality, which sadly like many a good Jamfnation FR:

To be fair, it’s not completely Jamf’s fault, as it is a relatively trivial problem to solve and not necessarily one that needs to be solved by a vendor when so many great open source solutions are available…

All we need then is a way to create a System Preferences profile payload, a list of the preference pane bundle IDs we need, and each of these listed under the appropriate allowed, denied, or hidden list. Thankfully, I had taken the time to put some of this old work into code that with a little digging revealed a number of good options to start with.

So as of this writing, the ProfileManifests project which provides both ProfileCreator and iMazing’s Profile Editor with its magical powers now includes a number of third-party preference panes in the System Preferences payload! At the moment this is limited to a handful of items that I personally cared about (native Apple preference panes sorted alphabetically first, followed by third-party options), but it’s trivial to add more.

Don’t see an option you need? File an issue!

So how do you use this functionality with your own MDM? First, you must decide on one of 3 paths. Do you want to:

  • Enable/Allow only the selected preference panes and disable all others
  • Disable/Restrict only the selected preference panes and enable all others
  • Hide only the selected preference panes and show all others

The best way to choose from the above options is to determine how you’d want to handle a new (perhaps an unknown, untrusted, or untested) preference pane addition. Would you want this enabled or disabled by default?

If you want to auto disable, I’d recommend the Enabled Preference Panes option, which requires you to select everything in the list you expressly want to be enabled. If you want to auto enable, use the Disabled Preference Panes option instead. I have personally not tested the hide route, or combining any of these options, so test, test, test beforehand if for whatever reason you decide to go that route.

To be clear, you don’t have to go with a one size fits all approach for your Mac fleet in this regard. You can certainly configure multiple profiles to auto allow or deny preference panes and target them to different groups of users or machines. Don’t want people to sign in to iCloud but don’t want to restrict this for your CEO? Make a special profile just for them.

Once you have your System Preferences profile settings the way you want them, export your profile and import that sucker in your MDM! No need to have your MDM vendor build in native support for this…

That said, if your MDM vendor is Jamf don’t forget to sign your profile before you upload it.
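What such an exported profile boils down to, as an added example (not code from ProfileManifests, ProfileCreator, or Jamf): a Python sketch that builds an unsigned `com.apple.systempreferences` payload using exactly one of the three lists, plus a check for whether a pane on no list stays usable. The `com.example.*` identifiers, the sample pane list, and the function names are assumptions made for illustration.

```python
import plistlib
import uuid

# Array keys of the System Preferences payload, one per path described above.
MODE_KEYS = {
    "enable": "EnabledPreferencePanes",    # allowlist: all other panes disabled
    "disable": "DisabledPreferencePanes",  # denylist: all other panes enabled
    "hide": "HiddenPreferencePanes",       # listed panes hidden, the rest shown
}
# Sample input; the last bundle ID is a constructed placeholder.
SAMPLE_PANES = ["com.apple.preference.security", "com.apple.preference.network",
                "com.example.thirdparty.prefpane"]

def stable_uuid(name):
    """Deterministic UUID so rebuilding the same profile replaces the old one."""
    return str(uuid.uuid5(uuid.NAMESPACE_DNS, name)).upper()

def build_profile(mode, bundle_ids, identifier="com.example.prefpanes"):
    """Return unsigned .mobileconfig bytes that use exactly one list."""
    key = MODE_KEYS[mode]  # KeyError on an unknown mode
    panes = sorted(set(bundle_ids))
    if not panes:
        raise ValueError("refusing to build a profile with an empty pane list")
    payload = {
        "PayloadType": "com.apple.systempreferences",
        "PayloadIdentifier": identifier + ".systempreferences",
        "PayloadUUID": stable_uuid(identifier + ".systempreferences"),
        "PayloadVersion": 1,
        key: panes,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadDisplayName": "Preference panes (%s list)" % mode,
        "PayloadIdentifier": identifier,
        "PayloadUUID": stable_uuid(identifier),
        "PayloadVersion": 1,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)

def unknown_pane_allowed(profile_bytes):
    """True if a pane that appears on no list stays usable under this profile."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile["PayloadContent"]:
        if payload.get("PayloadType") == "com.apple.systempreferences":
            if MODE_KEYS["enable"] in payload:
                return False  # allowlist present: anything unlisted is disabled
    return True

if __name__ == "__main__":
    print(build_profile("enable", SAMPLE_PANES).decode())
```

Running `unknown_pane_allowed` over each exported profile before upload is a quick way to confirm which groups get the default-deny behaviour and which get default-allow.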

Happy preference pane managing.
