Adding password protection to manually installed management profiles
While working with some colleagues, I recently built a management profile that my one colleague requested to be set as non-removable. Normally, this can be accomplished by setting the PayloadRemovalDisallowed key in the profile to a boolean value of true.
I provided the profile to my colleague and he tested it out. However, in the course of testing, he discovered that the profile could be removed by a user with administrative rights using the following procedure:
1. Open System Preferences
2. Select the profile in question.
3. Click the minus button.
4. Be warned about removing a locked profile.
5. Enter admin credentials when prompted.
After entering admin credentials, the profile was then removed.
When I checked Apple’s reference documentation on configuration profiles, the issue came down to how the profile was being delivered. Apple’s documentation includes the following note about the PayloadRemovalDisallowed key:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Note: OSX versions 10.10 and later honor a true value of the PayloadRemovalDisallowed key | |
| to prevent manual removal of profiles installed through an MDM server. Such profiles cannot | |
| be removed using the Profiles preference pane, nor the profiles command line tool even when | |
| run as root. Only the MDM server can remove such profiles. Profiles installed manually, with | |
| PayloadRemovalDisallowed set to true, can be removed manually, but only by using administrative authority. |
This profile was being installed by an installer package, so from Apple’s point of view it was being installed manually. That meant that the manual installation behavior, where the profile could be removed by anyone with admin rights, was the applicable behavior here.
Another colleague working with us on this issue suggested adding a removal password to the profile, using Apple’s com.apple.profileRemovalPassword profile payload.
A removal password for a profile is designed to allow the removal of a management profile, even if that profile is otherwise set to be non-removable. For more details, see below the jump:
In our case, we were seeking to block removal rather than facilitate it. However, having the removal password added as a payload worked for our purposes as well because now the profile could not be removed without supplying the password. An example Removal Password payload is available below:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <dict> | |
| <key>Description</key> | |
| <string>Enter the password in the RemovalPassword key to remove this profile</string> | |
| <key>PayloadType</key> | |
| <string>com.apple.profileRemovalPassword</string> | |
| <key>PayloadUUID</key> | |
| <string>CA7AE3B9-9A50-4596-A2F5-EFDE48AD4431</string> | |
| <key>PayloadVersion</key> | |
| <integer>1</integer> | |
| <key>PayloadEnabled</key> | |
| <true/> | |
| <key>RemovalPassword</key> | |
| <string>PasswordGoesHere!</string> | |
| </dict> |
Once the Removal Password payload is added to a profile where PayloadRemovalDisallowed set to true, the removal process for a manually installed profile now looks like this:
1. Open System Preferences
2. Select the profile in question.
3. Click the minus button.
4. Be warned about removing a locked profile and that removal will require a password.
5. Supply the removal password when prompted.
6. Enter admin credentials when prompted.
If the profiles command line tool is being used to remove the profile in question, the -z option can be used to supply a profile removal password.
To show the Removal Password payload in the context of a full management profile, please see below:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1.0"> | |
| <dict> | |
| <!– Time Machine configuration –> | |
| <key>PayloadContent</key> | |
| <array> | |
| <dict> | |
| <key>PayloadContent</key> | |
| <dict> | |
| <key>com.apple.TimeMachine</key> | |
| <dict> | |
| <key>Forced</key> | |
| <array> | |
| <dict> | |
| <key>mcx_preference_settings</key> | |
| <dict> | |
| <key>DoNotOfferNewDisksForBackup</key> | |
| <true/> | |
| </dict> | |
| </dict> | |
| </array> | |
| </dict> | |
| </dict> | |
| <key>PayloadEnabled</key> | |
| <true/> | |
| <key>PayloadIdentifier</key> | |
| <string>MCXToProfile.9f9a0b1f-7b17-4656-92aa-b7046ad88d00.alacarte.customsettings.905bcd92-fe37-4a99-9265-a0a26ff30a41</string> | |
| <key>PayloadType</key> | |
| <string>com.apple.ManagedClient.preferences</string> | |
| <key>PayloadUUID</key> | |
| <string>905bcd92-fe37-4a99-9265-a0a26ff30a41</string> | |
| <key>PayloadVersion</key> | |
| <integer>1</integer> | |
| </dict> | |
| <!– Password authorization for profile removal –> | |
| <dict> | |
| <key>Description</key> | |
| <string>Enter the password in the RemovalPassword key to remove this profile</string> | |
| <key>PayloadType</key> | |
| <string>com.apple.profileRemovalPassword</string> | |
| <key>PayloadUUID</key> | |
| <string>5933EF14-6BB8-4BD4-BCF4-0C20B25B52CB</string> | |
| <key>PayloadVersion</key> | |
| <integer>1</integer> | |
| <key>PayloadEnabled</key> | |
| <true/> | |
| <key>RemovalPassword</key> | |
| <string>PasswordGoesHere!</string> | |
| </dict> | |
| </array> | |
| <key>PayloadDescription</key> | |
| <string>Turn off requests to use new disks for Time Machine</string> | |
| <key>PayloadDisplayName</key> | |
| <string>Disable Time Machine Disk Requests</string> | |
| <key>PayloadIdentifier</key> | |
| <string>9f9a0b1f-7b17-4656-92aa-b7046ad88d00</string> | |
| <key>PayloadOrganization</key> | |
| <string>Company Name</string> | |
| <key>PayloadRemovalDisallowed</key> | |
| <true/> | |
| <key>PayloadScope</key> | |
| <string>System</string> | |
| <key>PayloadType</key> | |
| <string>Configuration</string> | |
| <key>PayloadUUID</key> | |
| <string>9f9a0b1f-7b17-4656-92aa-b7046ad88d00</string> | |
| <key>PayloadVersion</key> | |
| <integer>1</integer> | |
| </dict> | |
| </plist> |
Leave a Reply
Recent Comments
 | Mark P on 20 years of Der Flounder |
 | Bruce Carter on 20 years of Der Flounder |
 | JimH on Downloading installer packages… |
 | Sander on Downloading installer packages… |
 | Andreas Schenk on Downloading installer packages… |
Der Flounder 
Is there a way to password protect one provided by an MDM like the JSS? If the machine goes through DEP and the profile installs via MDM, then it should be ok, but when it goes through the user accepted MDM – like when it’s enrolled manually instead of DEP – it seems to be removable, when I can get the MDM to install it.
How would you remove the restriction from a configuration profile than cannot be installed manually. An example is with Addigy MDM there is an option to download the MDM profile .mobileconfig and the using Apple Remote Desktop can copy it to a /tmp folder then use the profiles command to install it which intern starts the deployment process without having to enrol every computer manually.
Just FYI, Addigy is unwilling to share the solution with me.
is possible to make MDM profile removal with password in Mac?
want to make MDM profile as non removal profile for user initiated enrolment in Jamf Pro