ProfileCreator / ProfileManifests

Manifest repository for the ProfilePayloads framework

Time server enforce #528

Closed liquidoshin closed 2 years ago

liquidoshin commented 2 years ago

Please provide the following information:

App Name: Time server enforce

App URL: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjmhozEyoL2AhWRKH0KHTPKCBEQFnoECAQQAQ&url=https%3A%2F%2Fcsrc.nist.gov%2FCSRC%2Fmedia%2FProjects%2Fnational-vulnerability-database%2Fdocuments%2FCCE%2Fcce-macos_bigsur.xls&usg=AOvVaw0XRSWpBSHnn2PaYHrDBLzO

App Profile Documentation URL: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjmhozEyoL2AhWRKH0KHTPKCBEQFnoECAQQAQ&url=https%3A%2F%2Fcsrc.nist.gov%2FCSRC%2Fmedia%2FProjects%2Fnational-vulnerability-database%2Fdocuments%2FCCE%2Fcce-macos_bigsur.xls&usg=AOvVaw0XRSWpBSHnn2PaYHrDBLzO

Payload / Domain: com.apple.ManagedClient.preferences: com.apple.timed: TMAutomaticTimeOnlyEnabled: true

relgit commented 2 years ago

See #526 for discussion about this issue.

kevinmcox commented 2 years ago

Documentation URL: https://github.com/usnistgov/macos_security/blob/main/rules/sysprefs/sysprefs_time_server_enforce.yaml

liquidoshin commented 2 years ago

Hey folks, I was just wondering if the com.apple.timed identifier was going to be added. #526 was resolved regarding Disable Media Sharing but I still haven't seen anything pertaining to the time server setting. It's very possible this is a deprecated setting so if there is not enough information out there to support this that is totally understandable. This was the information again:

Payload / Domain: com.apple.ManagedClient.preferences: com.apple.timed: TMAutomaticTimeOnlyEnabled: true

Any thoughts?

apizz commented 2 years ago

@liquidoshin circling back to this, just been busy. From the NIST documentation, it looks awfully a lot like this particular setting is expected to be an MCX-style profile given the explicit inclusion of com.apple.ManagedClient.preferences. See Apple's documentation here for reference: https://developer.apple.com/documentation/devicemanagement/managedpreferences

I have no problem adding this and can do this pretty quickly. This is one of those things where if it works then great, but I would feel better about some concrete testing beyond the existing documentation. I'll do that shortly so you can test, and assuming this works can add a wiki page to reference where we got this info from and why it must be MCX.
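An added example, not part of the comment above and not the manifest from #547: the MCX-style payload shape for the setting discussed in this thread, with a check that an unsigned profile actually forces it. The `com.example` identifier prefix, the display name and the function names are constructed for illustration.

```python
import plistlib
import uuid

MCX_TYPE = "com.apple.ManagedClient.preferences"
DOMAIN = "com.apple.timed"
KEY = "TMAutomaticTimeOnlyEnabled"


def build_profile(org_prefix="com.example"):  # constructed identifier prefix
    """Return an unsigned .mobileconfig (XML plist bytes) forcing KEY to true."""
    payload = {
        "PayloadType": MCX_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.timed.mcx",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Time server enforce",
        # MCX-style: the preference domain is a key inside PayloadContent,
        # and forced values sit under Forced -> mcx_preference_settings.
        "PayloadContent": {
            DOMAIN: {"Forced": [{"mcx_preference_settings": {KEY: True}}]}
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.timed",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Time server enforce",
        "PayloadScope": "System",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def enforces_time_sync(profile_bytes):
    """True only if an MCX payload forces KEY to boolean true for DOMAIN."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != MCX_TYPE:
            continue  # key set outside the MCX wrapper does not count here
        domain = payload.get("PayloadContent", {}).get(DOMAIN, {})
        for entry in domain.get("Forced", []):
            if entry.get("mcx_preference_settings", {}).get(KEY) is True:
                return True
    return False
```
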

apizz commented 2 years ago

See if the manifest outlined in #547 works for you @liquidoshin

liquidoshin commented 2 years ago

Yes this works. Sorry for the delayed response. I'm not getting notified in my email with responses.