Enabling, Restricting, and Hiding Third-Party System Preference Panes on Mac

As time goes on, it’s staggering to think about the number of things we learn and then later happily (but at times also unhappily) forget when they are no longer relevant or useful. Much to my surprise, something I had long forgotten (mostly unpleasant memories) came flooding back to me from a relatively simple question: can third-party System Preferences panes be managed via profile?

Back when the only Jamf Pro option was on-premises, Jamf provided this Jamfnation Article as a guide for admins to natively manage third-party preference panes. By default, only a very small (and now very dated) native list of preference panes could be enabled, restricted, or hidden entirely via the System Preferences payload. Without too much effort (if you knew what you were doing) you could add your own checkboxes with the desired display name and the corresponding CFBundleIdentifier for the preference pane in order to selectively allow, deny, or hide these preference panes right from within the native Jamf profile builder.

Because adding checkbox options meant changing the actual XML code of a particular JSS file, and that file was reset to its original state after every JSS upgrade, the desired changes had to be made again after every upgrade… Not a fun time! Shoutout to my fellow MacAdmins who can relate.

I’d even forgotten I’d written a Feature Request to add this functionality, which sadly like many a good Jamfnation FR:

To be fair, it’s not completely Jamf’s fault, as it is a relatively trivial problem to solve and not necessarily one that needs to be solved by a vendor when so many great open source solutions are available…

All we need then is a way to create a System Preferences profile payload, a list of the preference pane bundle IDs we need, and a way to put each of them under the appropriate allowed, denied, or hidden list. Thankfully, I had taken the time to put some of this old work into code that with a little digging revealed a number of good options to start with.

So as of this writing, the ProfileManifests project which provides both ProfileCreator and iMazing’s Profile Editor with its magical powers now includes a number of third-party preference panes in the System Preferences payload! At the moment this is limited to a handful of items that I personally cared about (native Apple preference panes sorted alphabetically first, followed by third-party options), but it’s trivial to add more.

Don’t see an option you need? File an issue!

So how do you use this functionality with your own MDM? First, you must decide one of 3 paths. Do you want to:

  • Enable/Allow only the selected preference panes and disable all others
  • Disable/Restrict only the selected preference panes and enable all others
  • Hide only the selected preference panes and show all others

The best way to choose from the above options is to determine how you’d want to handle a new (perhaps an unknown, untrusted, or untested) preference pane addition. Would you want this enabled or disabled by default?

If you want to auto disable, I’d recommend the Enabled Preference Panes option, which requires you to select everything in the list you expressly want to be enabled. If you want to auto enable, use the Disabled Preference Panes option instead. I have personally not tested the hide route, or combining any of these options, so test, test, test beforehand if for whatever reason you decide to go that route.

To be clear, you don’t have to go with a one size fits all approach for your Mac fleet in this regard. You can certainly configure multiple profiles to auto allow or deny preference panes and target them to different groups of users or machines. Don’t want people to sign in to iCloud but don’t want to restrict this for your CEO? Make a special profile just for them.
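The three paths above correspond to the `EnabledPreferencePanes`, `DisabledPreferencePanes` and `HiddenPreferencePanes` arrays of the `com.apple.systempreferences` payload. The sketch below is an added example, not code from ProfileCreator or ProfileManifests: it builds a one-list profile and predicts how a pane the profile has never seen would be treated, which is the question to settle before picking a path. The `com.example.*` identifiers are constructed placeholders, and combined lists are rejected because the post does not cover them.

```python
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.systempreferences"
MODES = ("EnabledPreferencePanes", "DisabledPreferencePanes", "HiddenPreferencePanes")


def build_profile(mode, bundle_ids, identifier="com.example.sysprefs"):
    """Return .mobileconfig bytes using exactly one of the three pane lists."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadIdentifier": identifier + ".panes",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        mode: sorted(set(bundle_ids)),
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadDisplayName": "System Preferences panes",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def pane_state(profile_bytes, bundle_id):
    """Predict a pane's treatment, following the three paths in the post."""
    for p in plistlib.loads(profile_bytes)["PayloadContent"]:
        if p.get("PayloadType") != PAYLOAD_TYPE:
            continue
        used = [m for m in MODES if m in p]
        if len(used) != 1:
            # Combining lists is untested in the post, so make no prediction.
            raise ValueError(f"expected exactly one pane list, found {used}")
        listed = bundle_id in p[used[0]]
        if used[0] == "EnabledPreferencePanes":
            return "enabled" if listed else "disabled"  # unknown panes are blocked
        if used[0] == "DisabledPreferencePanes":
            return "disabled" if listed else "enabled"  # unknown panes are allowed
        return "hidden" if listed else "enabled"
    return "enabled"  # no System Preferences payload, nothing restricted
```

Running `pane_state` against an exported profile with a bundle ID that is not in any list shows at a glance whether the profile fails closed (allow list) or fails open (deny or hide list).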

Once you have your System Preferences profile settings the way you want them, export your profile and import that sucker in your MDM! No need to have your MDM vendor build in native support for this…

That said, if your MDM vendor is Jamf don’t forget to sign your profile before you upload it.

Happy preference pane managing.

Microsoft Edge for macOS Management with Configuration Profiles

If you had bet me just a year or two ago that Microsoft would base their new Edge browser on Google’s open-source Chromium, I probably would have lost some money. That being said, it’s good to see two of the big guys working together to make browsing the web better.

Also, with the first release of Microsoft’s Edge browser for Mac, there is a plethora of preferences, both from Chrome as well as new ones introduced by Microsoft, that can be managed. After diving into the documentation and building on previous work completed for Chrome and Brave, ProfileCreator now supports all of the available Edge preferences for Mac (with a caveat). Shoutout to @andre_db90 over in the MacAdmins Slack for helping with this!

UPDATE: After reviewing previous manifests, I failed to recall that ProfileCreator does in fact support preferences that use dictionaries within arrays … The latest update to the Edge manifest fixes this.

In the case of a few preferences, ProfileCreator doesn’t graphically support what ultimately needs to be produced in a profile’s XML. One such preference is ManagedSearchEngines, as this is formatted as an array of dictionaries. Click the link for more information.

As a result, if you configure this preference you will need to add some array tags around the resulting dictionary in your profile or plist. The XML below is not enough.

Additionally, if you want to manage more than one search engine, you will have to duplicate the dictionary once exported up to 9 additional times (only 10 managed search engines are supported) within the array and update the contained preferences accordingly. Definitely not ideal.
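The manual fix-up described above can be scripted for an export that still has the bare dictionary. This is an added example, not part of ProfileCreator: it wraps a `ManagedSearchEngines` dictionary in an array wherever it appears in a plist or profile and enforces the limit of 10 entries. The search engine name, keyword and URL in the sample are constructed values.

```python
import plistlib

KEY = "ManagedSearchEngines"
MAX_ENGINES = 10  # limit stated in the post

# Constructed sample: an export where the preference is a bare dictionary.
SAMPLE_EXPORT = plistlib.dumps({
    KEY: {
        "name": "Example Search",
        "keyword": "ex",
        "search_url": "https://search.example.com/?q={searchTerms}",
        "is_default": True,
    }
})


def normalize_search_engines(plist_bytes):
    """Return (fixed plist bytes, number of dictionaries wrapped in an array)."""
    doc = plistlib.loads(plist_bytes)
    wrapped = 0

    def walk(node):
        nonlocal wrapped
        if isinstance(node, list):
            for item in node:
                walk(item)
        elif isinstance(node, dict):
            if isinstance(node.get(KEY), dict):
                node[KEY] = [node[KEY]]  # add the missing array around the dict
                wrapped += 1
            if KEY in node:
                engines = node[KEY]
                if not isinstance(engines, list) or not all(
                    isinstance(e, dict) for e in engines
                ):
                    raise ValueError(f"{KEY} must be an array of dictionaries")
                if len(engines) > MAX_ENGINES:
                    raise ValueError(f"{KEY} has {len(engines)} entries, max {MAX_ENGINES}")
            for value in node.values():
                walk(value)  # also reaches payloads nested under PayloadContent

    walk(doc)
    return plistlib.dumps(doc), wrapped
```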

If you already use ProfileCreator, all you need to do is quit and reopen the app to download the latest profile manifests.

If you have any interest in contributing to the ProfileCreator app to provide enhancements or fixes to the current limitations, please feel free to fork the ProfileCreator project and submit a PR. Have other questions or issues? Join the conversation in the #profilecreator MacAdmins channel.

Hope that this helps those looking to manage Edge.

2019 Mac & macOS Updates to Apple’s Tours (com.apple.touristd)

With every new major macOS version (and certain hardware models), Apple introduces new “tours” that are offered to users to learn about “What’s New” with macOS, Mac basics, and where applicable, their specific Mac model. These tours manifest themselves in the form of notifications that when selected open a unique URL in Safari for the selected tour.

As far as I can tell, Carl Ashley was one of the first to write about this years ago when 10.12 Sierra was the current OS version. The ultimate goal is to suppress these additional macOS notifications entirely, and this can be done most efficiently with a configuration profile.

However, despite the touristd binary having commands to override different information, in my own testing I have been unable to trick touristd into pulling different tours than those applicable to my own macOS version and Mac hardware model. The same is the case when done in a VM. This up until now has made it difficult to update our own profile for new macOS versions and hardware that is released without having them on hand to test.

While a Mac’s current tour notification status data is written to each user’s ~/Library/Preferences/com.apple.touristd/com.apple.touristd.plist file, I recently stumbled on another touristd file in ~/Library/Application Support/com.apple.touristd/com.apple.touristd.plist. It appears that this file has all the information – the board IDs, URLs, applicable OS versions, etc. – for every possible tour, making it much much easier to verify and update moving forward.

UPDATE 5/21/20: Additionally, while you may not be running the latest major version of macOS you can always access all the available TouristD configs directly from https://help.apple.com/macOS/config.json. Changes are being logged in the macos-touristd-config repo.

You will find the new Catalina and Mac hardware model tours available in ProfileCreator, so you can more easily create a profile to suppress those alerts. So long as each preference key’s date and time is set to some point in the past, all tour notifications will be suppressed. That is, until Apple releases new ones.

While you can choose to deploy targeted profiles covering just the applicable models to your devices, you can also push one profile that suppresses everything to all your Macs.