Configuration Profiles using Set-Once are destructive
| Originator: | eholtam | ||
| Number: | rdar://19964383 | Date Originated: | 25-Feb-2015 |
| Status: | Open | Resolved: | |
| Product: | OS X | Product Version: | 10.10.x |
| Classification: | Data Loss | Reproducible: | Always |
Summary: Installing a Profile on 10.10.x using the frequency of Set-Once with no timestamp (equivalent to the "Often" setting from MCX) the preferences the profile controls, plus whatever was set at the time of the Profile installation, are applied every login and destroys any changes made to the domain's settings since the profile was applied. This same profile behaves properly in OS 10.9 when installed and only refreshes the preferences in the Profile payload. The Often setting had been used successfully in the past and is mirroring the MCX payload model. The Forced and Once (Set-Once with a timestamp) method still behave as expected. Steps to Reproduce: 1. Create a plist with settings: `defaults write my.great.app setting1 -string foobar` `defaults write my.great.app setting2 -bool false` `defaults read my.great.app` to see the applied settings 2. Use Tim Sutton's mcxToProfile tool to create a Profile to manage the domain “often”. `mcxToProfile.py --plist ~/Library/Preferences/my.great.app.plist --identifier MyGreatApp --manage Often` 3. Delete the settings to clear the slate `defaults delete my.great.app` 4. Install the profile on a computer running Yosemite. `sudo profiles -IF MyGreatApp.mobileconfig` `defaults read my.great.app` to see the applied settings 5. Make some preference changes after the Profile was installed: `defaults write my.great.app setting3 -string Chickens` `defaults write my.great.app setting4 -int 42` `defaults read my.great.app` to see the applied settings 6. Log out and back into OS X and read the plist again. `defaults read my.great.app` Expected Results: The settings applied after the profile was installed would still be present after logging out and back in. Actual Results: The user’s settings made after the profile was installed have been eradicated even though they aren’t the keys being managed. Version: 10.10.3 14D87h Notes: Additional anecdotal information can be found at https://osxbytes.wordpress.com/2015/02/25/profile-behavior-changes-in-yosemite/ The mcxToProfile tool is at https://github.com/timsutton/mcxToProfile and is commonly used in the Mac admin community. Configuration: This happens on 10.10.2 GM and 10.10.3 14D87h This does not happen on 10.9.5
Comments
Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!
Addressed in ElCap?
I was asked to verify the behavior in ElCap beta 4. To my surprise the set-often profile is behaving as expected again. I've asked if the set-once/set-often frequency is supported. We'll see if they answer.
Hello:
Did you ever get a reply if the set-once/set-often frequency is officially supported?