macOS Kernel Extension whitelisting issues

kernel-extensions, macos, profile-manager, sqlite

Trying to whitelist a kernel extension for an agent I'm trying to install. I'm using Mojave as the client machine and Profile Manager on a Mac server I've set up. I can enroll the client machine fine in Profile Manager, and it can receive canned settings like external device restrictions etc., but I can't seem to get custom settings to work correctly.

The process I've been using to get this to work is to upload the following:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>AllowedKernelExtensions</key>
            <dict>
                <key>HLGBMCXUS7</key>
                <array>
                    <string>com.verdasys.dgagent</string>
                </array>
            </dict>
            <key>AllowedTeamIdentifiers</key>
            <array>
                <string>HLGBMCXUS7</string>
            </array>
            <key>PayloadDescription</key>
            <string>Configures Kernel Extension Policy settings</string>
            <key>PayloadDisplayName</key>
            <string>Kernel Extension Policy</string>
            <key>PayloadIdentifier</key>
            <string>com.github.erikberglund.ProfileCreator.F508AD6F-E398-402B-9928-1A2300C1E229.com.apple.syspolicy.kernel-extension-policy.69B09342-9C35-4FB8-9C18-6DF2A53E7C0C</string>
            <key>PayloadOrganization</key>
            <string></string>
            <key>PayloadType</key>
            <string>com.apple.syspolicy.kernel-extension-policy</string>
            <key>PayloadUUID</key>
            <string>69B09342-9C35-4FB8-9C18-6DF2A53E7C0C</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>allows extensions from specific extension Team Identifiers</string>
    <key>PayloadDisplayName</key>
    <string>DigitalGuardian</string>
    <key>PayloadIdentifier</key>
    <string>com.github.erikberglund.ProfileCreator.F508AD6F-E398-402B-9928-1A2300C1E229</string>
    <key>PayloadOrganization</key>
    <string>ProfileCreator</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>F508AD6F-E398-402B-9928-1A2300C1E229</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

as a .plist file, using "com.apple.syspolicy.kernel-extension-policy" as the policy domain, into Profile Manager, saving the config in Profile Manager, then downloading a .mobileconfig file.

I move that .mobileconfig file to the already enrolled client, run the file and accept the prompts to install the profile into Profiles -> System Preferences. This goes successfully and I see a green "Verified" at the top,

BUT

it doesn't result in adding the team ID into the DB (at least not so far).

I'm using the following code to try to read the sqlite DB to verify:

#!/bin/sh
# Gather list of User Approved Kernel Extensions. 20180313 DM
# The KextPolicy database is only readable by root, so run this with sudo.

folder=.
file=checkKEXTs.csv

if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root" >&2
    exit 1
fi

# Create folder
/bin/mkdir -p "${folder}"
/usr/sbin/chown root:admin "${folder}"
/bin/chmod 755 "${folder}"

# kext_policy holds the kexts a user has approved via the Security & Privacy pane
/usr/bin/sqlite3 -csv /var/db/SystemPolicyConfiguration/KextPolicy "select team_id,bundle_id from kext_policy" > "${folder}/${file}"

exit 0

I do see entries, but they're for VMware. Never for the above products.

Searching Console, I see the following:

rejecting write of key _DKThrottledActivityLast_DKKnowledgeStorageLogging_DKKnowledgeStorageDidInsertEventsNotification:/app/usageActivityDate in { com.apple.contextstored, root, kCFPreferencesAnyHost, no container, managed: 0 } from process 151 because setting preferences outside an application's container requires user-preference-write or file-write-data sandbox access

and

Sandbox: contextstored(151) deny(1) file-write-data /private/var/root/Library/Preferences/com.apple.contextstored.plist
Violation:       deny(1) file-write-data /private/var/root/Library/Preferences/com.apple.contextstored.plist 
Process:         contextstored [151]
Path:            /System/Library/PrivateFrameworks/CoreDuetContext.framework/Versions/A/Resources/contextstored
Load Address:    0x1077f3000
Identifier:      contextstored
Version:         ??? (???)
Code Type:       x86_64 (Native)
Parent Process:  launchd [1]
Responsible:     /System/Library/PrivateFrameworks/CoreDuetContext.framework/Resources/contextstored [151]
User ID:         0

Date/Time:       2019-02-23 17:09:04.228 PST
OS Version:      Mac OS X 10.14.3 (18D109)
Report Version:  8


MetaData: {"checker":"cfprefsd","target":"\/private\/var\/root\/Library\/Preferences\/com.apple.contextstored.plist","profile-in-collection":false,"signing-id":"com.apple.contextstored","profile-flags":0,"build":"Mac OS X 10.14.3 (18D109)","errno":1,"primary-filter":"path","responsible-process-path":"\/System\/Library\/PrivateFrameworks\/CoreDuetContext.framework\/Resources\/contextstored","platform-policy":false,"action":"deny","process":"contextstored","sandbox_checker":"cfprefsd","flags":5,"responsible-process-pid":151,"normalized_target":["private","var","root","Library","Preferences","com.apple.contextstored.plist"],"checker-pid":116,"hardware":"Mac","file-flags":0,"process-path":"\/System\/Library\/PrivateFrameworks\/CoreDuetContext.framework\/Versions\/A\/Resources\/contextstored","summary":"deny(1) file-write-data \/private\/var\/root\/Library\/Preferences\/com.apple.contextstored.plist","platform-binary":true,"platform_binary":"yes","vnode-type":"REGULAR-FILE","uid":0,"primary-filter-value":"\/private\/var\/root\/Library\/Preferences\/com.apple.contextstored.plist","operation":"file-write-data","pid":151,"rdev":0,"path":"\/private\/var\/root\/Library\/Preferences\/com.apple.contextstored.plist"}

Thread 0 (id: 809):
0   libsystem_kernel.dylib          0x00007fff6c47117a mach_msg_trap + 10
1   CoreFoundation                  0x00007fff3f052158 __CFRunLoopServiceMachPort + 336
2   CoreFoundation                  0x00007fff3f0516a6 __CFRunLoopRun + 1661
3   CoreFoundation                  0x00007fff3f050dd6 CFRunLoopRunSpecific + 467
4   CoreFoundation                  0x00007fff3f050bde CFRunLoopRun + 40
5   contextstored                   0x00000001077f6525
6   libdyld.dylib                   0x00007fff6c337ed9 start + 1
7   contextstored                   0x0000000000000001

Thread 1 (id: 5898):
0   libsystem_kernel.dylib          0x00007fff6c472b6a __workq_kernreturn + 10
1   libsystem_pthread.dylib         0x00007fff6c52a405 start_wqthread + 13

Thread 2 (id: 5904):
0   libsystem_kernel.dylib          0x00007fff6c472b6a __workq_kernreturn + 10
1   libsystem_pthread.dylib         0x00007fff6c52a405 start_wqthread + 13
2   contextstored                   0x0000000054485244

Thread 3 (id: 5923):
0   libsystem_kernel.dylib          0x00007fff6c47117a mach_msg_trap + 10
1   libdispatch.dylib               0x00007fff6c3016ff _dispatch_mach_msg_send + 1087
2   libdispatch.dylib               0x00007fff6c300eeb _dispatch_mach_send_drain + 440
3   libdispatch.dylib               0x00007fff6c2fda5a _dispatch_mach_send_msg + 307
4   libdispatch.dylib               0x00007fff6c2fdd15 _dispatch_mach_send_and_wait_for_reply + 382
5   libdispatch.dylib               0x00007fff6c2fe2ad dispatch_mach_send_with_result_and_wait_for_reply + 53
6   libxpc.dylib                    0x00007fff6c569161 xpc_connection_send_message_with_reply_sync + 178
7   CoreFoundation                  0x00007fff3f0c03ea __91-[CFPrefsPlistSource sendFullyPreparedMessage:toConnection:settingValue:forKey:retryCount:]_block_invoke + 29
8   CoreFoundation                  0x00007fff3f047b4d -[_CFXPreferences withConnectionForRole:performBlock:] + 36
9   CoreFoundation                  0x00007fff3f0c03be -[CFPrefsPlistSource sendFullyPreparedMessage:toConnection:settingValue:forKey:retryCount:] + 202
10  CoreFoundation                  0x00007fff3f0c0025 -[CFPrefsPlistSource sendMessageSettingValue:forKey:] + 605
11  CoreFoundation                  0x00007fff3f0bf60a -[CFPrefsPlistSource alreadylocked_setPrecopiedValues:forKeys:count:from:] + 579
12  CoreFoundation                  0x00007fff3f08357b -[CFPrefsSource setValues:forKeys:count:copyValues:removeValuesForKeys:count:from:] + 394
13  CoreFoundation                  0x00007fff3f0833eb -[CFPrefsSource setValues:forKeys:count:copyValues:from:] + 28
14  CoreFoundation                  0x00007fff3f0c204a -[CFPrefsSearchListSource alreadylocked_setPrecopiedValues:forKeys:count:from:] + 1000
15  CoreFoundation                  0x00007fff3f08357b -[CFPrefsSource setValues:forKeys:count:copyValues:removeValuesForKeys:count:from:] + 394
16  CoreFoundation                  0x00007fff3f0833eb -[CFPrefsSource setValues:forKeys:count:copyValues:from:] + 28
17  CoreFoundation                  0x00007fff3f0bf3ac -[CFPrefsSource setValue:forKey:from:] + 71
18  CoreFoundation                  0x00007fff3f02fdb0 __108-[_CFXPreferences(SearchListAdditions) withSearchListForIdentifier:container:cloudConfigurationURL:perform:]_block_invoke + 268
19  CoreFoundation                  0x00007fff3f02fa72 -[_CFXPreferences(SearchListAdditions) withSearchListForIdentifier:container:cloudConfigurationURL:perform:] + 337
20  CoreFoundation                  0x00007fff3f0c1c39 -[_CFXPreferences setValue:forKey:appIdentifier:container:configurationURL:] + 90
21  CoreFoundation                  0x00007fff3f0c1bad _CFPreferencesSetAppValueWithContainerAndConfiguration + 116
22  Foundation                      0x00007fff41437ec3 -[NSUserDefaults(NSUserDefaults) setObject:forKey:] + 55
23  CoreDuet                        0x00007fff52f61de4 -[_DKActivityThrottler setDate:forKey:] + 116
24  CoreDuet                        0x00007fff52f60e74 -[_DKActivityThrottler _performNoMoreOftenInSecondsThan:name:activityBlock:throttleBlock:] + 340
25  CoreDuet                        0x00007fff52f616e6 __94-[_DKActivityThrottler _performOrScheduleWithTimeInterval:name:queue:activityBlock:callDepth:]_block_invoke.123 + 48
26  libdispatch.dylib               0x00007fff6c2e8d53 _dispatch_call_block_and_release + 12
27  libdispatch.dylib               0x00007fff6c2e9dcf _dispatch_client_callout + 8
28  libdispatch.dylib               0x00007fff6c2f0124 _dispatch_lane_serial_drain + 618
29  libdispatch.dylib               0x00007fff6c2f0bdc _dispatch_lane_invoke + 388
30  libdispatch.dylib               0x00007fff6c2f9090 _dispatch_workloop_worker_thread + 603
31  libsystem_pthread.dylib         0x00007fff6c52a60b _pthread_wqthread + 409
32  libsystem_pthread.dylib         0x00007fff6c52a405 start_wqthread + 13

Binary Images:
       0x1077f3000 -        0x1077f7ff3  contextstored (915.240.4) <3a7911f4-4f46-377e-ac35-01772ef5c88a> /System/Library/PrivateFrameworks/CoreDuetContext.framework/Versions/A/Resources/contextstored
    0x7fff3f016000 -     0x7fff3f464ff7  com.apple.CoreFoundation (6.9 - 1562) <da75643f-6cf0-3fb1-b047-c142152e63b6> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
    0x7fff413b9000 -     0x7fff41787fff  com.apple.Foundation (6.9 - 1562) <83d4a12b-ea5a-3c62-8d93-95e64f0a256b> /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
    0x7fff52e77000 -     0x7fff5304dff3  com.apple.CoreDuet (1.0 - 1) <186c84c2-679e-3a75-86e1-0b4e7c155b4e> /System/Library/PrivateFrameworks/CoreDuet.framework/Versions/A/CoreDuet
    0x7fff6c2e6000 -     0x7fff6c320ff7  libdispatch.dylib (1008.220.2) <2fdb1401-5119-3df0-91f5-f4e105f00cd7> /usr/lib/system/libdispatch.dylib
    0x7fff6c321000 -     0x7fff6c350ff3  libdyld.dylib (655.1) <90c801e7-5d05-37a8-810c-b58e8c53953a> /usr/lib/system/libdyld.dylib
    0x7fff6c470000 -     0x7fff6c498ff7  libsystem_kernel.dylib (4903.241.1) <ca10bc3a-5b09-32ce-b74f-bad01755aa37> /usr/lib/system/libsystem_kernel.dylib
    0x7fff6c528000 -     0x7fff6c532fff  libsystem_pthread.dylib (330.230.1) <80cc5992-823e-327e-bb6e-9d4568b84161> /usr/lib/system/libsystem_pthread.dylib
    0x7fff6c55f000 -     0x7fff6c58ffff  libxpc.dylib (1336.240.2) <ee0cda53-6ff9-3b4e-a571-335a5ff6b6f4> /usr/lib/system/libxpc.dylib

These log messages appear right at the time that I install the .mobileconfig file, each time, so I suspect there's a correlation. I've tried repairing permissions without success. About the only thing I didn't do is try this on another Mac, which I may try as well. I've also tried using a .plist file that only includes configurations for bundle IDs or team IDs respectively (not combined as above) without success.

The worst part is that I'm having difficulty troubleshooting the issue. I just don't understand the underlying mechanisms very well, so I'm open to troubleshooting tips. It may also be that there's something wrong with my .plist code, but I'm just not seeing it. Very open to suggestions there as well. It seems like my test machine is trying to commit the settings, but it's just not working.

Another thing: I noticed errors related to the file "DetachedSignatures" in the logs as well and copied a file from another machine onto the test one in the /var/db (I think) folder and the errors went away. No idea if they're related.

As you can tell, I'm sorta grasping at straws here. Hoping and praying the moderator Gods are kind to me and allow me to keep this post active so I can get help. Thank you so much in advance for reading this and hopefully with your help, I can get beyond this. It's probably something silly I'm missing.

Best Answer

Alrighty, I'm going to update this post with what I've learned. First, I wasn't able to solve the original problem, and have had more than a couple of other seasoned experts help me try, without success. I'm super grateful to them for their help. Along the way, though, I discovered that the most recent versions of Apple Server, which are only compatible with 10.13 and 10.14, contain a version of Profile Manager that includes built-in kernel extension settings. They work flawlessly.

Another thing: the script shown above is not a valid test of whether the enforcing mobileconfig policy is truly allowing the team IDs it is configured to allow, so that was a bad test. I don't know what would be better. All I know is that prior to changing the built-in setting in PM, it wasn't working. After changing that setting, it worked perfectly.

Finally, I was pushing policies by downloading them and installing them manually on the computer, which apparently is not going to work at all for Kernel Extensions.

Just sharing what little I know about this so that some poor schmuck out there doesn't have to endure the ordeal I went through.
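The question's verification script only reads the kext_policy table, and the accepted answer notes that this was not a valid test without saying what would be. The added example below (my own code, not from the original poster or from Apple) parses the kernel-extension-policy payload out of a .mobileconfig and checks each allowed team ID / bundle ID against both tables that, to my knowledge, the KextPolicy database carries: kext_policy for kexts approved by a user click in Security & Privacy, and kext_policy_mdm for allow-list entries delivered through MDM. The column layout used for the in-memory sample database, the meaning of an empty or '*' bundle_id as a team-wide MDM allow, and the sample rows are assumptions; confirm the real schema with `sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy .schema` before relying on the queries, and note that the real database is only readable as root.

```python
"""Cross-check a kext-policy profile against the KextPolicy sqlite database.

Added example; not the original post's script. Schema below is what I believe
macOS 10.13.2+ uses (verify with `.schema`); rows in make_sample_db() are constructed.
"""
import os
import plistlib
import sqlite3
import sys
from typing import Dict, List, Tuple

KEXT_POLICY_DB = "/var/db/SystemPolicyConfiguration/KextPolicy"
KEXT_PAYLOAD_TYPE = "com.apple.syspolicy.kernel-extension-policy"

# Constructed sample profile with the same shape as the one in the question.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.syspolicy.kernel-extension-policy</string>
    <key>AllowedTeamIdentifiers</key><array><string>HLGBMCXUS7</string></array>
    <key>AllowedKernelExtensions</key><dict>
      <key>HLGBMCXUS7</key><array><string>com.verdasys.dgagent</string></array>
    </dict>
  </dict></array>
</dict></plist>"""


def parse_kext_policy_profile(profile_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (team_id, bundle_id) pairs the profile allows.
    A team-wide allow from AllowedTeamIdentifiers is returned as (team_id, '*')."""
    plist = plistlib.loads(profile_bytes)
    wanted: List[Tuple[str, str]] = []
    for payload in plist.get("PayloadContent", []):
        if payload.get("PayloadType") != KEXT_PAYLOAD_TYPE:
            continue
        for team in payload.get("AllowedTeamIdentifiers", []):
            wanted.append((team, "*"))
        for team, bundles in payload.get("AllowedKernelExtensions", {}).items():
            for bundle in bundles:
                wanted.append((team, bundle))
    return wanted


def make_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for KextPolicy (assumed schema). Constructed rows: one
    kext a user approved by clicking Allow, and nothing pushed by MDM yet."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE kext_policy (team_id TEXT, bundle_id TEXT, allowed INTEGER,
                                  developer_name TEXT, flags INTEGER);
        CREATE TABLE kext_policy_mdm (team_id TEXT, bundle_id TEXT, allowed INTEGER,
                                      payload_uuid TEXT);
        INSERT INTO kext_policy VALUES ('VMWARETEAM', 'com.vmware.kext.sample', 1, 'Sample Vendor', 1);
    """)
    return conn


def check_policy(conn: sqlite3.Connection,
                 wanted: List[Tuple[str, str]]) -> Dict[Tuple[str, str], Dict[str, bool]]:
    """For each allowed (team, bundle) report whether the DB shows it as
    user-approved (kext_policy) and/or MDM-allowed (kext_policy_mdm).
    A team-wide MDM row is assumed to carry an empty or '*' bundle_id."""
    report = {}
    for team, bundle in wanted:
        if bundle == "*":
            user_q = "SELECT COUNT(*) FROM kext_policy WHERE team_id=? AND allowed=1"
            mdm_q = "SELECT COUNT(*) FROM kext_policy_mdm WHERE team_id=? AND allowed=1"
            args: Tuple[str, ...] = (team,)
        else:
            user_q = ("SELECT COUNT(*) FROM kext_policy "
                      "WHERE team_id=? AND bundle_id=? AND allowed=1")
            mdm_q = ("SELECT COUNT(*) FROM kext_policy_mdm WHERE team_id=? AND allowed=1 "
                     "AND (bundle_id=? OR bundle_id IN ('', '*'))")
            args = (team, bundle)
        user_ok = conn.execute(user_q, args).fetchone()[0] > 0
        mdm_ok = conn.execute(mdm_q, args).fetchone()[0] > 0
        report[(team, bundle)] = {"user_approved": user_ok, "mdm_allowed": mdm_ok}
    return report


if __name__ == "__main__":
    # Usage: sudo python3 check_kext_policy.py profile.mobileconfig
    # Falls back to the constructed profile and sample DB when run elsewhere.
    profile = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    db = sqlite3.connect(KEXT_POLICY_DB) if os.path.exists(KEXT_POLICY_DB) else make_sample_db()
    for key, status in check_policy(db, parse_kext_policy_profile(profile)).items():
        print(key, status)
```

Run against the real database, an entry that shows mdm_allowed False after the profile reports "Verified" is the signal the question was missing: the profile installed, but no kext allow-list row was written, which is consistent with the answer's finding that a manually installed profile does not deliver kernel extension policy.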