Mac OS X Provisioning Using MDM Profiles

apple mac provisioning mdm snippet

While Jon Bardin and I were rebuilding the Mavenlink Mac workstation setup script, we found that the old mac defaults write <your default> doesn’t appear to work any longer for some settings. It has since I got my first Mac certification back in 2004 so I was a bit surprised to say the least. Some of the defaults write commands that we have in our current workstation setup are having no effect.

Anyway, Apple evidently prefers that organizations use Mobile Device Management (MDM) profiles to load in most of the settings. While garbage to look at (thanks XML), they do have all of the options that you can imagine and you don’t even need Mac OS X server to load them in since there’s a command line utility. We did notice that things such as Dash & Quote substitution and Press and Hold still need to be handled through defaults write.

Here are a few of the commands that I found helpful for interacting with profiles:

  • To see all of the installed profiles for the system: /usr/bin/profiles -P
  • To see all of the installed profiles for the user: /usr/bin/profiles -L
  • To remove all profiles: /usr/bin/profiles -D
  • To remove a profile loaded in via a file: /usr/bin/profiles -R -F /path/to/file.profile
  • To install a load a profile from a file: /usr/bin/profiles -I -F /path/to/file.profile
    • This makes the profile take effect immediately
  • To install a profile at next boot (and try again if it fails): /usr/bin/profiles -s -F /path/to/file.profile -f -v

Below are the resources that I found the most helpful if anyone wants to look through them.

An example profile format
The Apple Profile Reference
A third party profile reference
A good overview of the profile commands

In addition, here is an example payload that requires the screensaver to prompt for a password on wake.

<?xml version=”1.0” encoding=”UTF-8”?>
<!DOCTYPE plist PUBLIC ”-//Apple Inc//DTD PLIST 1.0//EN” ”http://www.apple.com/DTDs/
PropertyList-1.0.dtd”>
<plist version=”1.0”>
	<dict>
		<key>PayloadVersion</key>
		<integer>1</integer>
		<key>PayloadUUID</key>
		<string>Ignored</string>
		<key>PayloadType</key>
		<string>Configuration</string>
		<key>PayloadIdentifier</key>
		<string>Ignored</string>
		<key>PayloadContent</key>
		<array>
			<dict>
				<key>PayloadDescription</key>
				<string>Sets screensaver settings</string>
				<key>PayloadUUID</key>
				<string>fd8a6b9e-0fed-406f-9571-8ec98722b714</string>
				<key>PayloadType</key>
				<string>com.apple.screensaver</string>
				<key>PayloadDisplayName</key>
				<string>Screensaver settings</string>
				<key>PayloadVersion</key>
				<integer>1</integer>
				<key>PayloadOrganization</key>
				<string>Mavenlink</string>
				<key>PayloadIdentifier</key>
				<string>com.mavenlink.mac.screensaver</string>
                <key>askForPassword</key>
                <true/>
			</dict>
		</array>
	</dict>
</plist>