time server enforcement values possibly deprecated. #257

New Issue

michael · 2026-01-19T18:29:50Z

michael commented

2026-01-19 18:29:50 +00:00

Originally created by @liquidoshin on GitHub.

I'm not sure if categorizing this as a bug is necessarily accurate as it possibly may be more of a feature request but I think there is a key value in one of the controls that is no longer supported, at least not with Big Sur and later. In the sysprefs folder, the yaml file sysprefs_time_server_enforce.yaml it seems the identifier com.apple.timed as well as the key TMAutomaticTimeOnlyEnabled are not supported anymore. I can't find anything in the apple profile documentation nor anything in general online except the nist guidance, which very possibly could not be updated. I just wanted to bring this to your attention. If you have any online resources that say otherwise I would love to be pointed in that direction. I'm currently using a third party software to create profiles called iMazing. this app is great and they update the app with any payloads, identifiers, and keys that people request if they don't already have them, provided they are apple supported items. But even they couldn't find anything to support these values. If this turns out to be a deprecated implementation it should probably be removed from the repo.

Originally created by @liquidoshin on GitHub. I'm not sure if categorizing this as a bug is necessarily accurate as it possibly may be more of a feature request but I think there is a key value in one of the controls that is no longer supported, at least not with Big Sur and later. In the sysprefs folder, the yaml file sysprefs_time_server_enforce.yaml it seems the identifier com.apple.timed as well as the key TMAutomaticTimeOnlyEnabled are not supported anymore. I can't find anything in the apple profile documentation nor anything in general online except the nist guidance, which very possibly could not be updated. I just wanted to bring this to your attention. If you have any online resources that say otherwise I would love to be pointed in that direction. I'm currently using a third party software to create profiles called iMazing. this app is great and they update the app with any payloads, identifiers, and keys that people request if they don't already have them, provided they are apple supported items. But even they couldn't find anything to support these values. If this turns out to be a deprecated implementation it should probably be removed from the repo.

michael closed this issue

2026-01-19 18:29:50 +00:00

michael commented

2026-01-19 18:29:50 +00:00

@liquidoshin commented on GitHub:

So it seems what you're saying is that this setting can also be set outside of installing a profile, i.e. a command. Am I correct in assuming this? If so, what is the command, I'm assuming a plistbuddy command or defaults command. Again, I can't find anything online unfortunately so I don't have anyway of looking this up for myself.

@liquidoshin commented on GitHub: So it seems what you're saying is that this setting can also be set outside of installing a profile, i.e. a command. Am I correct in assuming this? If so, what is the command, I'm assuming a plistbuddy command or defaults command. Again, I can't find anything online unfortunately so I don't have anyway of looking this up for myself.

michael commented

2026-01-19 18:29:50 +00:00

@liquidoshin commented on GitHub:

Ah awesome. This is what I needed. Thank you for your help.

@liquidoshin commented on GitHub: Ah awesome. This is what I needed. Thank you for your help.

michael commented

2026-01-19 18:29:50 +00:00

@robertgendler commented on GitHub:

This can be set and audited using the systemsetup command

sudo systemsetup -setusingnetworktime off or on
sudo systemsetup -getusingnetworktime

which writes to
/private/var/db/timed/Library/Preferences/com.apple.timed.plist

If you check that plist it changes.
sudo plutil -convert xml1 /private/var/db/timed/Library/Preferences/com.apple.timed.plist -o -

But a config profile locks the setting regardless of what the plist says.

@robertgendler commented on GitHub: This can be set and audited using the systemsetup command ``` sudo systemsetup -setusingnetworktime off or on sudo systemsetup -getusingnetworktime ``` which writes to `/private/var/db/timed/Library/Preferences/com.apple.timed.plist` If you check that plist it changes. `sudo plutil -convert xml1 /private/var/db/timed/Library/Preferences/com.apple.timed.plist -o -` But a config profile locks the setting regardless of what the plist says.

michael commented

2026-01-19 18:29:50 +00:00

@robertgendler commented on GitHub:

There are a number of configuration profile keys and values that we have found by digging through the system that are undocumented and not officially supported by Apple. This is one of them.

Most things that are controlled by a plist somewhere within the system are also able to be managed by a configuration profile even if not documented by Apple or a third party vendor.

@robertgendler commented on GitHub: There are a number of configuration profile keys and values that we have found by digging through the system that are undocumented and not officially supported by Apple. This is one of them. _Most_ things that are controlled by a plist somewhere within the system are also able to be managed by a configuration profile even if not documented by Apple or a third party vendor.

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: usnistgov/macos_security#257