Home > Mac administration, macOS, Management Profiles > Adding password protection to manually installed management profiles

Adding password protection to manually installed management profiles

While working with some colleagues, I recently built a management profile that my one colleague requested to be set as non-removable. Normally, this can be accomplished by setting the PayloadRemovalDisallowed key in the profile to a boolean value of true.

Screen Shot 2017 08 24 at 3 32 10 PM

I provided the profile to my colleague and he tested it out. However, in the course of testing, he discovered that the profile could be removed by a user with administrative rights using the following procedure:

1. Open System Preferences
2. Select the profile in question.
3. Click the minus button.

Screen Shot 2017 08 24 at 3 26 17 PM

4. Be warned about removing a locked profile.

Screen Shot 2017 08 24 at 3 29 52 PM

5. Enter admin credentials when prompted.

Screen Shot 2017 08 24 at 3 27 17 PM

After entering admin credentials, the profile was then removed.

When I checked Apple’s reference documentation on configuration profiles, the issue came down to how the profile was being delivered. Apple’s documentation includes the following note about the PayloadRemovalDisallowed key:

Screen Shot 2017 08 24 at 2 44 26 PM

This profile was being installed by an installer package, so from Apple’s point of view it was being installed manually. That meant that the manual installation behavior, where the profile could be removed by anyone with admin rights, was the applicable behavior here.

Another colleague working with us on this issue suggested adding a removal password to the profile, using Apple’s com.apple.profileRemovalPassword profile payload.

Screen Shot 2017 08 24 at 3 01 15 PM

A removal password for a profile is designed to allow the removal of a management profile, even if that profile is otherwise set to be non-removable. For more details, see below the jump:

In our case, we were seeking to block removal rather than facilitate it. However, having the removal password added as a payload worked for our purposes as well because now the profile could not be removed without supplying the password. An example Removal Password payload is available below:

Once the Removal Password payload is added to a profile where PayloadRemovalDisallowed set to true, the removal process for a manually installed profile now looks like this:

1. Open System Preferences
2. Select the profile in question.
3. Click the minus button.

Screen Shot 2017 08 24 at 3 26 17 PM

4. Be warned about removing a locked profile and that removal will require a password.

Screen Shot 2017 08 24 at 3 26 38 PM

5. Supply the removal password when prompted.

Screen Shot 2017 08 24 at 3 27 01 PM

6. Enter admin credentials when prompted.

Screen Shot 2017 08 24 at 3 27 17 PM

If the profiles command line tool is being used to remove the profile in question, the -z option can be used to supply a profile removal password.

Screen Shot 2017 08 24 at 3 48 01 PM

To show the Removal Password payload in the context of a full management profile, please see below:

Screen Shot 2017 08 24 at 3 32 25 PM

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: