How To Generate Configuration Profiles

The primary script for generating configuration profiles is located here in the macos_security repository:

• Directorymacos_security/

  • Directoryscripts/ ---> Project scripts

    • generate_guidance.py ---> Script to generate configuration profiles

Caution

Always use the branch matching your target OS version. Do not use the main branch for workflow or development.

Follow these steps to generate configuration profiles:

1. Prepare Your Rules YAML

   • Ensure your rules YAML file contains rules with mobileconfig: true and the appropriate mobileconfig_info section.
     Example:

     mobileconfig: true
     mobileconfig_info:
       com.apple.security.smartcard:
         enforceSmartCard: true

2. Generate Unsigned Configuration Profiles

   • Run the following command to generate unsigned configuration profiles and corresponding plists:

     ./scripts/generate_guidance.py -p build/baselines/800-53r5_moderate.yaml

3. (Optional) Generate Signed Configuration Profiles

   • If you want to generate signed configuration profiles, you need the certificate Subject Key ID (not the SHA-1 hash).
   • Retrieve the Subject Key ID with:

     skid=$(security find-certificate -c "CodeSigning Certificate Name" -p | openssl asn1parse | awk -F: '/X509v3 Subject Key Identifier/ {getline; print $1}')
     security find-certificate -c "CodeSigning Certificate Name" -p | openssl asn1parse -strparse $skid | awk -F: '/HEX DUMP/{print $4}'

   • Then use the -H flag with the Subject Key ID to generate signed profiles:

     ./scripts/generate_guidance.py -p -H <HASHVALUE> build/baselines/800-53r5_moderate.yaml

4. Locate the Generated Files

   • After running the script, the configuration profiles and plists will be created in the appropriate output directories.

For more information, see How to Generate Baselines or review the baseline file layout.