How To Generate Configuration Profiles
The primary script for generating configuration profiles is located here in the macos_security
repository:
macos_security/
  scripts/ ---> Project scripts
    generate_guidance.py ---> Script to generate configuration profiles
Follow these steps to generate configuration profiles:
- Prepare Your Rules YAML
  - Ensure your rules YAML file contains rules with mobileconfig: true and the appropriate mobileconfig_info section.
    Example:

        mobileconfig: true
        mobileconfig_info:
          com.apple.security.smartcard:
            enforceSmartCard: true
- Generate Unsigned Configuration Profiles
  - Run the following command to generate unsigned configuration profiles and corresponding plists:

        ./scripts/generate_guidance.py -p build/baselines/800-53r5_moderate.yaml
- (Optional) Generate Signed Configuration Profiles
  - If you want to generate signed configuration profiles, you need the certificate Subject Key ID (not the SHA-1 hash).
  - Retrieve the Subject Key ID with:

        skid=$(security find-certificate -c "CodeSigning Certificate Name" -p | openssl asn1parse | awk -F: '/X509v3 Subject Key Identifier/ {getline; print $1}')
        security find-certificate -c "CodeSigning Certificate Name" -p | openssl asn1parse -strparse $skid | awk -F: '/HEX DUMP/{print $4}'

  - Then use the -H flag with the Subject Key ID to generate signed profiles:

        ./scripts/generate_guidance.py -p -H <HASHVALUE> build/baselines/800-53r5_moderate.yaml
- Locate the Generated Files
  - After running the script, the configuration profiles and plists will be created in the appropriate output directories.
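For the optional signing step, the two-command lookup prints nothing if the certificate name does not match or the certificate has no Subject Key Identifier extension, and an empty value would then be passed to -H. The wrapper below is an added example, not part of the macos_security project; the function names skid_offset, skid_hex, is_hex_id and resolve_skid are hypothetical, and it uses the same security, openssl and awk pipeline shown above while stopping before the signing run if no usable ID was found.

```shell
#!/bin/sh
# Added example (not from the macos_security project): resolve a signing
# certificate's Subject Key ID and fail loudly if it cannot be determined.

# Read `openssl asn1parse` output on stdin; print the byte offset of the
# OCTET STRING that follows the Subject Key Identifier OID line.
skid_offset() {
    awk -F: '/X509v3 Subject Key Identifier/ { getline; gsub(/ /, "", $1); print $1; exit }'
}

# Read `openssl asn1parse -strparse <offset>` output on stdin; print the hex value.
skid_hex() {
    awk -F: '/HEX DUMP/ { print $4; exit }'
}

# Accept only a non-empty hex string with an even number of digits.
is_hex_id() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

# resolve_skid "<certificate name>": print the Subject Key ID, or return 1.
resolve_skid() {
    pem=$(security find-certificate -c "$1" -p) || return 1
    [ -n "$pem" ] || { echo "certificate not found: $1" >&2; return 1; }
    off=$(printf '%s\n' "$pem" | openssl asn1parse | skid_offset)
    [ -n "$off" ] || { echo "no Subject Key Identifier extension" >&2; return 1; }
    id=$(printf '%s\n' "$pem" | openssl asn1parse -strparse "$off" | skid_hex)
    is_hex_id "$id" || { echo "unexpected Subject Key ID: '$id'" >&2; return 1; }
    printf '%s\n' "$id"
}

# Usage (macOS, from the repository root):
#   skid=$(resolve_skid "CodeSigning Certificate Name") &&
#     ./scripts/generate_guidance.py -p -H "$skid" build/baselines/800-53r5_moderate.yaml
```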
For more information, see How to Generate Baselines or review the baseline file layout.