Configuration Profiles (via MDM) do not handle an adequate number of required settings

Originator: mattlavinepro
Number: rdar://30929555    Date Originated: 08-Mar-2017 05:00 PM
Status: Open    Resolved:
Product: macOS    Product Version: 10.12
Classification: Enhancement    Reproducible: Always

This is a duplicate of rdar://28633131

Summary:
As it stands today, Configuration Profiles, which are the primary means by which MDMs manage clients, do not cover enough settings for many large organizations (Facebook, Google, etc.).

Steps to Reproduce:
1. Try to manage SSH settings
2. Can't be done with profiles.

Expected Results:
All major services on macOS should be manageable via Profiles or some other means.

Actual Results:
Cannot manage a large number of settings.

Notes:
Here is a list of settings that cannot be managed fully or at all using Configuration Profiles today:

- Manage common settings via MDM
  - ntpd (“Set date and time automatically”)
    - Allowing multiple time servers to be set for shops where there’s a requirement to use an internal NTP server which isn’t accessible outside the network.
  - Enforce SSHD enabled/disabled (called “Remote login” in System Preferences)
  - SSH configuration (e.g. disable password auth / enforce key based auth)
  - Associating SSH keys with users (for password-less SSH) (see also:  Kerberos auth to SSH hosts)
  - Forwarding logs to one or more central syslog servers
  - sudoers (lol)
  - /etc/hosts
  - paths.d
  - Non-plist configuration files (e.g. conf files) Examples: Cisco AnyConnect, git, hg, arc, java ruleset, Splunk, Firefox, etc.
  - PAM modules
  - Security Certificate preferences
  - Identity Preferences
  - User Accounts (local users/passwords)
  - pf/firewall
  - pf logging
  - file sharing, both Server.app & regular in sys prefs (AFP / SMB / FTP)
  - Bluetooth settings
  - Network locations, and all network settings (not just 802.1x / wifi payloads…)
  - System certificates (adding via profile already work) - removal / revocation, CRL / OCSP, changing root CA trusts
  - Printers - adding works via profile (barely), but doesn’t remove when profile is removed; lpoptions aren’t enforced (either permanently or set-once)
    - Printer presets - particularly when critical information like network accounting is stored within the preset prefs data
  - Default audio input/output interface selection for classroom/auditorium/kiosk use
  - CUPS in general
  - Location Services (on / off / privacy controls)
  - TCC db (on / off / who gets what, access…)
  - pmset / power management / scheduled reboots, authrestarts, etc.
  - spotlight - adding / removing privacy entries, configuring / enabling
  - User account creation? CreateUserPkg?
  - Secure update process for passwords of specified local account(s).
  - Hostnames / ComputerName / LocalHostName? (scutil?)
  - SAML/SSO integration with DEP boot/MDM enrollment
  - Maximum screensaver idle time (i.e., “No more than 15 minutes”, and not “exactly 5” or exactly “10”)
  - Anything Apple hasn’t thought of yet that we can currently handle with the tools we have available today
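
As an added example (not part of the radar, and not Apple or MDM-vendor code), the script below shows the kind of thing admins push through an MDM today to cover the SSH items above, namely enforcing key-based authentication in sshd_config, because no profile payload expresses it. It rewrites the first active line for each directive, drops later active duplicates (sshd honours the first occurrence, so a stray duplicate silently wins over a setting appended at the end), appends directives that are absent, and audits the result. The directive set, the config path argument, and the sample config it runs against are all constructed for illustration rather than taken from the report or from a real machine.

```shell
#!/bin/sh
# Enforce a set of sshd_config directives idempotently and audit them.
# Added example: the directive baseline and the sample file below are
# assumptions for illustration, not the radar's or Apple's content.

set -eu

# Effective value of a directive: the first uncommented match wins, which
# is how sshd itself resolves duplicate directives.
sshd_get() {
    # $1 = config file, $2 = directive name (sshd matches case-insensitively)
    awk -v key="$2" '
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Set a directive: rewrite the first active line, drop further active
# duplicates, append if absent. Commented lines are left alone so the
# vendor defaults stay visible in the file.
sshd_set() {
    # $1 = config file, $2 = directive, $3 = value
    _tmp=$(mktemp)
    awk -v key="$2" -v val="$3" '
        tolower($1) == tolower(key) {
            if (!done) { print key " " val; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " val }
    ' "$1" > "$_tmp"
    cat "$_tmp" > "$1"   # write in place so owner and mode are preserved
    rm -f "$_tmp"
}

# Baseline (assumed for this example): keys only, no root over SSH.
sshd_harden() {
    sshd_set "$1" PasswordAuthentication no
    sshd_set "$1" ChallengeResponseAuthentication no
    sshd_set "$1" PubkeyAuthentication yes
    sshd_set "$1" PermitRootLogin no
}

# Audit: exit 0 if every directive holds the expected value, 1 otherwise,
# printing each mismatch so the MDM can collect it from the script output.
sshd_audit() {
    _rc=0
    for pair in PasswordAuthentication=no ChallengeResponseAuthentication=no \
                PubkeyAuthentication=yes PermitRootLogin=no; do
        _k=${pair%%=*}; _want=${pair#*=}
        _have=$(sshd_get "$1" "$_k")
        if [ "$_have" != "$_want" ]; then
            echo "MISMATCH $_k: have '${_have:-<unset>}' want '$_want'" >&2
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample resembling a stock sshd_config, including the
# duplicate-directive trap: the first active line (yes) is the one sshd uses.
make_sample_config() {
    cat > "$1" <<'EOF'
# This is the sshd server system-wide configuration file.
#PubkeyAuthentication yes
PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/sftp-server
EOF
}

# Demo against the sample file rather than the live /etc/ssh/sshd_config.
demo() {
    f=$(mktemp)
    make_sample_config "$f"
    sshd_audit "$f" || true     # reports mismatches before hardening
    sshd_harden "$f"
    sshd_audit "$f"             # passes after hardening
    echo "PasswordAuthentication now: $(sshd_get "$f" PasswordAuthentication)"
    rm -f "$f"
}
```

To use it on a real host, run `sshd_harden /etc/ssh/sshd_config` as root, validate the file with `sshd -T` before reloading, and remember that the file only matters once Remote Login is on (`systemsetup -setremotelogin on`), which is the separate "enforce sshd enabled/disabled" item in the list. Nothing here survives a profile removal or gets reported back by the MDM, which is exactly the gap the radar describes.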
