
profiles command includes client-side rate limitation for certain functions on macOS 12.3

One of the changes brought with macOS 12.3 is that the profiles command line tool now includes a rate limiter for some of its functions:

profiles show


profiles validate


In both cases, running these functions may be limited to once every 23 hours.

For those familiar with rate limitation on the server side, where a server may choose to limit how many calls can be received in a set period from a client, this rate limitation is similar but is set and managed entirely on the client side. This means that there is no bypassing the profiles command’s rate limitation in this case for the Mac in question.

One way this may appear is on Macs which are part of the Automated Device Enrollment program, where the Mac can show its enrollment status by running the following command:


profiles show -type enrollment


In the event that this command errors, the profiles command will block further attempts to display this information for the next 23 hours. In this situation, you may see output like that shown below:


username@computername ~ % sudo profiles show -type enrollment
Password:
Device Enrollment configuration:
(null)
username@computername ~ % sudo profiles show -type enrollment
Error fetching Device Enrollment configuration – Request too soon. Try again later.


At this time, I don’t know where the information which tracks this 23 hour limitation is stored, but I did confirm that it is stored somewhere in the writable portion of the Mac’s boot drive. Wiping the Mac’s boot drive, via a disk wipe and OS reinstall or via Erase All Contents and Settings, will remove whatever is tracking and enforcing the 23 hour limitation.

Update – 4-22-2022:

It looks like the file which tracks this information is stored in the following location:

/private/var/db/ConfigurationProfiles/Settings/.profilesFetchTimerCheck

This file is protected by SIP. Thanks to zolotkey in the comments!

Also, in the original version of this post, I had made a mistake and conflated the functions of the following commands:

  • profiles renew -type enrollment
  • profiles show -type enrollment

The profiles renew -type enrollment command can be used to enroll or re-enroll a Mac which is part of the Automated Device Enrollment program with the MDM server that ADE associates the Mac with. To the best of my knowledge, the renew function of the profiles command does not have a client side rate limitation on macOS 12.3. Thanks also to Richard in the comments for catching my mistake and letting me know about it.
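
For scripts that call profiles show or profiles validate, the following added example (not code from this post or from Apple) reads the timer file named in the update above and works out when each function can next run. It assumes the file is a property list, uses the key names reported by zolotkey in the comments, and counts the 23-hour window from each recorded time; fetch_windows and sample_plist are hypothetical names.

```python
import plistlib
import sys
from datetime import datetime, timedelta, timezone

# Path and key names are the ones reported on this page for macOS 12.3.
TIMER_FILE = "/private/var/db/ConfigurationProfiles/Settings/.profilesFetchTimerCheck"
KEYS = {
    "show": "lastProfilesShowFetchTime",
    "validate": "lastProfilesValidateFetchTime",
}
WINDOW = timedelta(hours=23)  # assumption: measured from the recorded fetch time


def fetch_windows(plist_bytes, now):
    """Map each profiles function to (last_fetch, next_allowed, wait).

    A missing or non-date key means no fetch is recorded, so wait is zero.
    """
    data = plistlib.loads(plist_bytes)  # assumption: the file is a property list
    result = {}
    for name, key in KEYS.items():
        last = data.get(key)
        if not isinstance(last, datetime):
            result[name] = (None, None, timedelta(0))
            continue
        if last.tzinfo is None:  # plistlib returns naive datetimes that are UTC
            last = last.replace(tzinfo=timezone.utc)
        next_ok = last + WINDOW
        result[name] = (last, next_ok, max(next_ok - now, timedelta(0)))
    return result


def sample_plist():
    """Constructed sample using the timestamps from the comment's example."""
    return plistlib.dumps({
        KEYS["show"]: datetime(2022, 3, 22, 20, 37, 31),
        KEYS["validate"]: datetime(2022, 3, 22, 20, 31, 7),
    })


if __name__ == "__main__":
    # With a path argument (for example TIMER_FILE, which likely needs root),
    # read that file; otherwise fall back to the constructed sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_plist()
    for name, (last, next_ok, wait) in fetch_windows(raw, datetime.now(timezone.utc)).items():
        state = f"blocked for {wait}" if wait else "allowed"
        print(f"profiles {name}: last={last} next={next_ok} -> {state}")
```
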

  1. Richard
    March 22, 2022 at 8:36 pm

    “where the Mac can be enrolled with its MDM server by running the following command:” ?!?
    The above for “profiles show” is incorrect, show is an advanced, more detailed, version of status.
    From the man page information where screenshots have been included in the article: “For an enrollment, this will show the current DEP configuration, …”

    • March 22, 2022 at 8:40 pm

      You’re right and I’ll correct that. I was thinking of “sudo profiles renew -type enrollment”

    • Peteo
      March 22, 2022 at 9:01 pm

      When I do “profiles status -type enrollment” I do not get the enrollment popup. When I do “profiles show -type enrollment” I do get the enrollment pop up.

  2. zolotkey
    March 22, 2022 at 8:39 pm

    The file that holds the timer is `/private/var/db/ConfigurationProfiles/Settings/.profilesFetchTimerCheck`

    It is under SIP. So you can only remove it if you do so from recovery. It holds both Show and Validate.

    Example:
    {
    “lastProfilesShowFetchTime” => 2022-03-22 20:37:31 +0000
    “lastProfilesValidateFetchTime” => 2022-03-22 20:31:07 +0000
    }

    Thanks for the post Rich!

  3. Peteo
    March 22, 2022 at 9:06 pm

    Can “sudo profiles renew -type enrollment” be used to get around this even if the computer never went through setup assistant?

  4. Andreas Schenk
    April 27, 2022 at 2:49 pm

    Great Post!
    Interesting to see that a SIP-protected file can be changed by the OS. It looks like this is a privileged part of the OS/framework that ignores SIP. Otherwise the file that zolotkey identified would not be writeable.

  5. May 17, 2022 at 9:07 am

    Hi. It looks like the rate limitation for profiles show, even if it is still indicated in the man page, is gone with macOS 12.4. I’m currently able to run a profiles show -type enrollment multiple times in a row so far.
