mobileconfig creation ignores exempt preferences settings #291

New Issue

Closed

opened 2026-01-19 18:29:57 +00:00 by michael · 3 comments

michael commented 2026-01-19 18:29:57 +00:00

Owner

Copy Link

Originally created by @noambernstein on GitHub.

Originally assigned to: @golbiga on GitHub.

Summary

settings applied by mobileconfig ignore exempt preferences settings

Steps to reproduce

set the defaults plist in /Library/Preferences/org.PROFILE.plist exempt entry to true (and exempt_reason) for a rule that is enforced by mobileconfig, e.g. os_camera_disable. Then generate the mobileconfigs with scripts/generate_guidance.py -p build/baselines/stig_6390.yaml. The resulting mobileconfig will contain the entry that disables the camera, even though it should be exempt. Only the [source,bash] fixes take exempt into account, from what I can tell,

Operating System version

11.3.0

What is the current bug behavior?

things are disabled by the generated mobileconfig files even if they should not be.

What is the expected correct behavior?

rules that are exempt should not produce entries in the generated mobileconfig files.

Possible fixes

modify generate_guidance.py -y, I suppose, to read the preferences before deciding if a rule's mobileconfig entry should be created.

Originally created by @noambernstein on GitHub. Originally assigned to: @golbiga on GitHub. ### Summary settings applied by mobileconfig ignore exempt preferences settings ### Steps to reproduce set the defaults plist in /Library/Preferences/org.PROFILE.plist exempt entry to true (and exempt_reason) for a rule that is enforced by mobileconfig, e.g. os_camera_disable. Then generate the mobileconfigs with `scripts/generate_guidance.py -p build/baselines/stig_6390.yaml`. The resulting mobileconfig will contain the entry that disables the camera, even though it should be exempt. Only the [source,bash] fixes take exempt into account, from what I can tell, ### Operating System version 11.3.0 ### What is the current *bug* behavior? things are disabled by the generated mobileconfig files even if they should not be. ### What is the expected *correct* behavior? rules that are exempt should not produce entries in the generated mobileconfig files. ### Possible fixes modify `generate_guidance.py -y`, I suppose, to read the preferences before deciding if a rule's mobileconfig entry should be created.

michael closed this issue 2026-01-19 18:29:57 +00:00

michael commented 2026-01-19 18:29:57 +00:00

Author

Owner

Copy Link

@golbiga commented on GitHub:

@noambernstein the exemptions are used when you configure something that is "out of compliance" but want to report it as such... it's not meant to configure a system out of compliance, only for reporting.

If you do not want os_camera_disable included in your guidance, you can create a stig baseline with generate_baseline.py -k stig remove the rule from baseline in build/baselines/stig.yaml, and run generate_guidance.py against it, then the profile will not be generated.

@golbiga commented on GitHub: @noambernstein the exemptions are used when you configure something that is "out of compliance" but want to report it as such... it's not meant to configure a system out of compliance, only for reporting. If you do not want os_camera_disable included in your guidance, you can create a stig baseline with `generate_baseline.py -k stig` remove the rule from baseline in `build/baselines/stig.yaml`, and run `generate_guidance.py` against it, then the profile will not be generated.

michael commented 2026-01-19 18:29:57 +00:00

Author

Owner

Copy Link

@noambernstein commented on GitHub:

@noambernstein the exemptions are used when you configure something that is "out of compliance" but want to report it as such...

This is what I figured (although more documentation of this capability would be helpful). What I'd really like is for it to be tested, reported as passed or exempt (or maybe "failed but exempt"), but not remediated.

it's not meant to configure a system out of compliance, only for reporting.

In that case, why does the ..._compliance.sh script not apply the fix if exempt is set to true?

If you do not want os_camera_disable included in your guidance, you can create a stig baseline with generate_baseline.py -k stig remove the rule from baseline in build/baselines/stig.yaml, and run generate_guidance.py against it, then the profile will not be generated.

I assumed the workflow for remediation (whether or not some rules were set to exempt) was

1. run the remediation script
2. install the automatically generated mobileconfig files

However, in its current state it will behave inconsistently. The compliance script will not remediate exempt rules, but the generated mobileconfigs will enforce settings required by exempt rules.

Am I just misunderstanding the intended process for a system with exempt rules?

@noambernstein commented on GitHub: > @noambernstein the exemptions are used when you configure something that is "out of compliance" but want to report it as such... This is what I figured (although more documentation of this capability would be helpful). What I'd really like is for it to be tested, reported as passed or exempt (or maybe "failed but exempt"), but not remediated. > it's not meant to configure a system out of compliance, only for reporting. In that case, why does the `..._compliance.sh` script not apply the fix if exempt is set to true? > If you do not want os_camera_disable included in your guidance, you can create a stig baseline with `generate_baseline.py -k stig` remove the rule from baseline in `build/baselines/stig.yaml`, and run `generate_guidance.py` against it, then the profile will not be generated. I assumed the workflow for remediation (whether or not some rules were set to exempt) was 1. run the remediation script 2. install the automatically generated mobileconfig files However, in its current state it will behave inconsistently. The compliance script will _not_ remediate exempt rules, but the generated mobileconfigs _will_ enforce settings required by exempt rules. Am I just misunderstanding the intended process for a system with exempt rules?

michael commented 2026-01-19 18:29:57 +00:00

Author

Owner

Copy Link

@noambernstein commented on GitHub:

Am I just misunderstanding the intended process for a system with exempt rules?

Is this in essence the problem? Are the exempt settings are meant to be set independently for each managed machine (by e.g. copying a modified version of the default ....audit.plist into the real location, namely /Library/Preferences/) , so it doesn't make sense to do anything with them when the mobile profiles are being generated?

If that's the intended workflow, perhaps this could be documented someplace (in general I didn't see any documentation for the exempt functionality), but if so I agree that no source code changes are needed. I could always write a script that removes mobileconfig payloads and modifies the default plist entries corresponding to things that need to be exempt.

@noambernstein commented on GitHub: > Am I just misunderstanding the intended process for a system with exempt rules? Is this in essence the problem? Are the exempt settings are meant to be set independently for each managed machine (by e.g. copying a modified version of the default `....audit.plist` into the real location, namely /Library/Preferences/) , so it doesn't make sense to do anything with them when the mobile profiles are being generated? If that's the intended workflow, perhaps this could be documented someplace (in general I didn't see any documentation for the exempt functionality), but if so I agree that no source code changes are needed. I could always write a script that removes mobileconfig payloads and modifies the default plist entries corresponding to things that need to be exempt.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev_2.0_generate_mapping

dev_2.0

sequoia

sonoma

nist-pages

nist-pages-docs

ios_18

ios_26

ios_26_cmmc

dev_2.0_compliance_script

tahoe

visionos_26

dev_ios_26_stig

dev_visionOS_26_stig

dev_tahoe_adjustments

ios_17

dev_sequoia_bio

tahoe_578-typo-in-os_sshd_fips_compliantyaml-fix-code

ventura

ios_16

visionos_2

505-create-python-scp-library

monterey

big_sur

catalina

tahoe_rev2

sequoia_rev4

visionos26_rev2

ios26_rev2

tahoe_rev1

visionos26_rev1

ios26_rev1

sonoma_rev5

sequoia_rev3

ios18_rev3

ios17_rev4

ventura_rev6

sonoma_rev4

sequoia_rev2

visionos_rev2

ios18_rev2.0

ios16_rev4

sequoia_rev1.1

ventura_rev5.1

ios18_rev1.1

sonoma_rev3.1

sequoia_rev1

visionos_rev1

ios18_rev1

ios17_rev3

ios16_rev3

ventura_rev5

sonoma_rev3

ventura_rev4

sonoma_rev2

ios17_rev2

ios16_rev2

monterey_rev6

sonoma_rev1

ventura_rev3

monterey_rev5

ios16_rev1

ios17_rev1

big_sur_rev7

monterey_rev4

ventura_rev2

ventura_rev1.1

monterey_rev3.1

big_sur_rev6.1

ventura_rev1

monterey_rev3

big_sur_rev6

monterey_rev2

catalina_rev6

big_sur_rev5

monterey_rev1

big_sur_rev4

catalina_rev5

big_sur_rev3

catalina_rev4

big_sur_rev2

catalina_rev3

big_sur_rev1

catalina_rev2

catalina_rev1

v0.9

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

michael

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: usnistgov/macos_security#291