icloud_appleid_system_settings_disable checking script seems to be returning inconsistent data #218

Closed
opened 2026-01-19 18:29:41 +00:00 by michael · 8 comments
Owner

Originally created by @cipineda on GitHub.

Summary

It seems that the code to check the status for icloud_appleid_system_settings_disable is not fetching the correct information.
It returns a 0 even though the profile to restrict access to appleid is being enforced on the tested endpoint with MacOS Ventura 13.1.

Steps to reproduce

Remove the grep command from the original checking script and run as follows:

```
/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath 'string(//*[contains(text(), "DisabledSystemSettings")]/following-sibling::*[1])' -
```

The code returns a single line and the result changes each time it is executed (the `string()` result carries no trailing newline, so the next prompt is printed on the same line):

Sample outputs:

```
/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath 'string(//*[contains(text(), "DisabledSystemSettings")]/following-sibling::*[1])' -
com.apple.ScreenSaver-Settings.extension
root@AMR-20ZMQ6X8 Preferences # /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath 'string(//*[contains(text(), "DisabledSystemSettings")]/following-sibling::*[1])' -
com.apple.WalletSettingsExtension
root@AMR-20ZMQ6X8 Preferences # /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath 'string(//*[contains(text(), "DisabledSystemSettings")]/following-sibling::*[1])' -
com.apple.Internet-Accounts-Settings.extension
root@AMR-20ZMQ6X8 Preferences # /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath 'string(//*[contains(text(), "DisabledSystemSettings")]/following-sibling::*[1])' -
com.apple.Wallpaper-Settings.extension
root@AMR-20ZMQ6X8 Preferences # /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath 'string(//*[contains(text(), "DisabledSystemSettings")]/following-sibling::*[1])' -
com.apple.Wallpaper-Settings.extension
root@AMR-20ZMQ6X8 Preferences # /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath 'string(//*[contains(text(), "DisabledSystemSettings")]/following-sibling::*[1])' -
com.apple.BluetoothSettings
```

Operating System version

Ventura 13.1

(macOS Version and build)
Version 13.1 Beta (22C5033e)

Intel or Apple Silicon

Silicon

What is the current bug behavior?

The validation script shows as failed (finding) even though the proper profile exists.

This is a snippet of the profiles installed on the computer:

```xml
<key>ProfileInstallDate</key>
<string>2022-10-20 22:35:33 +0000</string>
<key>ProfileItems</key>
<array>
  <dict>
    <key>PayloadContent</key>
    <dict>
      <key>DisabledSystemSettings</key>
      <array>
        <string>com.apple.systempreferences.AppleIDSettings</string>
      </array>
    </dict>
```

What is the expected correct behavior?

The expected behavior is for the validation script to properly read the profiles xml output and detect the correct profile being enforced

Output of checks

```
/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath 'string(//*[contains(text(), "DisabledSystemSettings")]/following-sibling::*[1])' - | /usr/bin/grep -c com.apple.systempreferences.AppleIDSettings
0
```

Possible fixes

(If you can, link to the line of code that might be responsible for the problem)


@brodjieski commented on GitHub:

Are you able to post the entire output of `sudo /usr/bin/profiles show -output stdout-xml`?


@cipineda commented on GitHub:

I tried this on Ventura 13.0 22A380 and the same behavior occurs.


@cipineda commented on GitHub:

I am running with sudo.


@robertgendler commented on GitHub:

Are you running the profiles check with `sudo` before it?

```
sudo /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath 'string(//[contains(text(), "DisabledSystemSettings")]/following-sibling::[1])' - | /usr/bin/grep -c com.apple.systempreferences.AppleIDSettings
```

It must be run with root privileges. It's best to run all checks with root privs.


@brodjieski commented on GitHub:

Ok... looks like you have multiple profiles deployed that are disabling various system settings. We will have to test and figure out if we can account for that use case. Since the output of the `profiles` command isn't always consistent (the order of which profiles seems random), we have to see if there is a different way to report the status.


@robertgendler commented on GitHub:

Perfect. Ya we'll update the other branches and stuff.


@cipineda commented on GitHub:

I tried this fix and it worked as expected.
Are you also updating the other locations where the old code was used?
If, yes, this can be closed.


@robertgendler commented on GitHub:

Check out branch `dev_ventura_issue193` and let us know if that fixes it.

I updated the xpath from

```
string(//*[contains(text(), "DisabledPreferencePanes")]/following-sibling::*[1])
```

to

```
//key[text()="DisabledPreferencePanes"]/following-sibling::*[1]
```

You can try the full command

```
/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.systempreferences.AppleIDSettings
```

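The failure mode discussed in this thread (several profiles each disabling a different pane, listed by `profiles` in no fixed order, while the `string(...)` XPath only ever returns the first matching array) can be reproduced and checked without XPath at all. The example below is added here and is not code from the macos_security project: it parses the plist that `sudo /usr/bin/profiles show -output stdout-xml` prints with the standard library's `plistlib`, walks every profile and payload, and unions all `DisabledSystemSettings` / `DisabledPreferencePanes` arrays before looking for the Apple ID pane identifier, which is what the corrected node-set XPath plus `grep -c` also achieves. The sample plist is constructed to mirror the reporter's situation; its `_computerlevel` key name and the `example.*` profile identifiers are assumptions.

```python
"""Added example (not macos_security project code): profile-based check for the
Apple ID System Settings pane that is independent of profile count and order."""
import plistlib
import subprocess
from typing import Any, Iterator

# Identifier the original check greps for (from the issue).
APPLEID_PANE = "com.apple.systempreferences.AppleIDSettings"
# Ventura key, plus the pre-Ventura key mentioned in the fix comment.
DISABLE_KEYS = ("DisabledSystemSettings", "DisabledPreferencePanes")

# Constructed sample: three profiles, each disabling one pane, in the arbitrary
# order the reporter observed. Only the last profile covers the Apple ID pane.
# The `_computerlevel` key and `example.*` identifiers are assumed names.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>_computerlevel</key>
  <array>
    <dict>
      <key>ProfileIdentifier</key><string>example.wallpaper</string>
      <key>ProfileItems</key>
      <array><dict><key>PayloadContent</key><dict>
        <key>DisabledSystemSettings</key>
        <array><string>com.apple.Wallpaper-Settings.extension</string></array>
      </dict></dict></array>
    </dict>
    <dict>
      <key>ProfileIdentifier</key><string>example.bluetooth</string>
      <key>ProfileItems</key>
      <array><dict><key>PayloadContent</key><dict>
        <key>DisabledSystemSettings</key>
        <array><string>com.apple.BluetoothSettings</string></array>
      </dict></dict></array>
    </dict>
    <dict>
      <key>ProfileIdentifier</key><string>example.appleid</string>
      <key>ProfileItems</key>
      <array><dict><key>PayloadContent</key><dict>
        <key>DisabledSystemSettings</key>
        <array><string>com.apple.systempreferences.AppleIDSettings</string></array>
      </dict></dict></array>
    </dict>
  </array>
</dict>
</plist>
"""


def iter_disabled_arrays(node: Any) -> Iterator[list]:
    """Yield every DisabledSystemSettings/DisabledPreferencePanes array found
    anywhere in the parsed plist, in document order, whatever the nesting."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in DISABLE_KEYS and isinstance(value, list):
                yield value
            else:
                yield from iter_disabled_arrays(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_disabled_arrays(item)


def first_disabled_array(plist_bytes: bytes) -> list:
    """What the original string(...) XPath effectively saw: the first array only,
    so the verdict depends on which profile `profiles` happens to list first."""
    return next(iter_disabled_arrays(plistlib.loads(plist_bytes)), [])


def disabled_panes(plist_bytes: bytes) -> set:
    """Union of every disabled pane across all installed profiles and payloads."""
    return {pane for array in iter_disabled_arrays(plistlib.loads(plist_bytes))
            for pane in array if isinstance(pane, str)}


def appleid_pane_disabled(plist_bytes: bytes) -> bool:
    """True when any profile disables the Apple ID pane."""
    return APPLEID_PANE in disabled_panes(plist_bytes)


def check_live_system() -> bool:
    """Run the real command; as noted in the thread it needs root to see
    computer-level profiles."""
    out = subprocess.run(["/usr/bin/profiles", "show", "-output", "stdout-xml"],
                         check=True, capture_output=True).stdout
    return appleid_pane_disabled(out)


if __name__ == "__main__":
    print("first array only:", first_disabled_array(SAMPLE_PLIST))
    print("all disabled panes:", sorted(disabled_panes(SAMPLE_PLIST)))
    print("Apple ID pane disabled:", appleid_pane_disabled(SAMPLE_PLIST))
```

On the constructed sample, `first_disabled_array` returns only the wallpaper entry, which is exactly why the original `string(...)`-based check reported `0`, while `disabled_panes` sees all three profiles and `appleid_pane_disabled` returns `True`. Run `check_live_system()` as root to evaluate a real endpoint.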
Reference: usnistgov/macos_security#218