{"id":26548,"date":"2019-09-10T16:49:19","date_gmt":"2019-09-10T20:49:19","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=26548"},"modified":"2019-09-10T16:50:04","modified_gmt":"2019-09-10T20:50:04","slug":"manipulating-the-system-policy-database-with-configuration-profiles","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2019\/09\/10\/manipulating-the-system-policy-database-with-configuration-profiles\/","title":{"rendered":"Manipulating the System Policy Database with Configuration Profiles"},"content":{"rendered":"<p><a href=\"https:\/\/tombridge.com\/2019\/09\/04\/manipulating-the-system-policy-database-with-configuration-profiles\/\">Tom Bridge<\/a>:<\/p>\n<blockquote cite=\"https:\/\/tombridge.com\/2019\/09\/04\/manipulating-the-system-policy-database-with-configuration-profiles\/\">\n<p>The <code>spctl<\/code> binary that is part of macOS&rsquo;s command line interface, and has been for a very long time, are responsible for controlling what Gatekeeper looks at. These both write to a <code>sqlite3<\/code> database stored at <code>\/var\/db\/SystemPolicy<\/code>, and think of it a lot like a database of ID cards that the security guard at the desk will review. If your card is recognized, you pass through security without more than a passing hello at the barrier. If your card is <strong>not<\/strong> recognized, your ID is checked, your destination cleared, your name jotted down, and you&rsquo;re granted a card if you belong.<\/p>\n<p>[&#8230;]<\/p>\n<p>This system can be directly manipulated via configuration profile, and those configuration profiles can be delivered by a capable MDM. Moreover, this has been the case since macOS 10.12. 
Hidden away in Apple&rsquo;s documentation is the <a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/systempolicyrule\">SystemPolicyRule<\/a> payload type, which can allow you to embed whitelisted objects in an MDM Profile.<\/p>\n<p>[&#8230;]<\/p>\n<p>While all of the above is intended for the <code>operation:install<\/code> key, <code>operation: execute<\/code> would allow you to run non-notarized Applications without Gatekeeper dialogs for those applications that are downloaded in their entirety without an installer package. You will need a separate profile if you want to whitelist both an installer and an application.<\/p>\n<\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2019\/09\/04\/notarization-requirements-relaxed\/\">Notarization Requirements Relaxed<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Tom Bridge: The spctl binary that is part of macOS&rsquo;s command line interface, and has been for a very long time, are responsible for controlling what Gatekeeper looks at. 
These both write to a sqlite3 database stored at \/var\/db\/SystemPolicy, and think of it a lot like a database of ID cards that the security guard [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2019-09-10T20:49:23Z","apple_news_api_id":"d6d05b0c-62d3-4b05-ba21-85067c5491dd","apple_news_api_modified_at":"2019-09-10T20:50:09Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAA==","apple_news_api_share_url":"https:\/\/apple.news\/A1tBbDGLTSwW6IYUGfFSR3Q","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[1850,465,30,1381,1666,1746,1842],"class_list":["post-26548","post","type-post","status-publish","format-standard","hentry","category-technology","tag-apple-configurator","tag-gatekeeper","tag-mac","tag-macos-10-12","tag-macos-10-15","tag-mobile-device-management-mdm","tag-notarization"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/26548","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=26548"}],"version-history":[{"count":2,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/26548\/revisions"}],"predecessor-version":[{"i
d":26558,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/26548\/revisions\/26558"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=26548"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=26548"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=26548"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}