mobileconfig creation ignores exempt preferences settings

[noambernstein]

Summary

settings applied by mobileconfig ignore exempt preferences settings

Steps to reproduce

set the defaults plist in /Library/Preferences/org.PROFILE.plist exempt entry to true (and exempt_reason) for a rule that is enforced by mobileconfig, e.g. os_camera_disable. Then generate the mobileconfigs with scripts/generate_guidance.py -p build/baselines/stig_6390.yaml. The resulting mobileconfig will contain the entry that disables the camera, even though it should be exempt. Only the [source,bash] fixes take exempt into account, from what I can tell,

Operating System version

11.3.0

What is the current bug behavior?

things are disabled by the generated mobileconfig files even if they should not be.

What is the expected correct behavior?

rules that are exempt should not produce entries in the generated mobileconfig files.

Possible fixes

modify generate_guidance.py -y, I suppose, to read the preferences before deciding if a rule's mobileconfig entry should be created.

[golbiga]

@noambernstein the exemptions are used when you configure something that is "out of compliance" but want to report it as such... it's not meant to configure a system out of compliance, only for reporting.

If you do not want os_camera_disable included in your guidance, you can create a stig baseline with generate_baseline.py -k stig remove the rule from baseline in build/baselines/stig.yaml, and run generate_guidance.py against it, then the profile will not be generated.

[noambernstein]

@noambernstein the exemptions are used when you configure something that is "out of compliance" but want to report it as such...

This is what I figured (although more documentation of this capability would be helpful). What I'd really like is for it to be tested, reported as passed or exempt (or maybe "failed but exempt"), but not remediated.

it's not meant to configure a system out of compliance, only for reporting.

In that case, why does the ..._compliance.sh script not apply the fix if exempt is set to true?

If you do not want os_camera_disable included in your guidance, you can create a stig baseline with generate_baseline.py -k stig remove the rule from baseline in build/baselines/stig.yaml, and run generate_guidance.py against it, then the profile will not be generated.

I assumed the workflow for remediation (whether or not some rules were set to exempt) was

1. run the remediation script
2. install the automatically generated mobileconfig files

However, in its current state it will behave inconsistently. The compliance script will not remediate exempt rules, but the generated mobileconfigs will enforce settings required by exempt rules.

Am I just misunderstanding the intended process for a system with exempt rules?

[golbiga]

In that case, why does the ..._compliance.sh script not apply the fix if exempt is set to true?

If a rule is exempt then the compliance script will not attempt to fix it and will show up in the logs as:
Thu Jan 21 15:09:41 UTC 2021 auth_smartcard_enforce has an exemption (Reason: Broken Reader)

When a rule is exempt for a system, then the configuration profile must also be removed from that system, otherwise the settings will be applied no matter what.

[noambernstein]

Am I just misunderstanding the intended process for a system with exempt rules?

Is this in essence the problem? Are the exempt settings are meant to be set independently for each managed machine (by e.g. copying a modified version of the default ....audit.plist into the real location, namely /Library/Preferences/) , so it doesn't make sense to do anything with them when the mobile profiles are being generated?

If that's the intended workflow, perhaps this could be documented someplace (in general I didn't see any documentation for the exempt functionality), but if so I agree that no source code changes are needed. I could always write a script that removes mobileconfig payloads and modifies the default plist entries corresponding to things that need to be exempt.

[golbiga]

The exempt settings can either be applied to /Library/Preferences/org.{baseline}.audit.plist or via a custom configuration profile via MDM to /Library/Managed\ Preferences/org.{baseline}.audit.plist. The compliance script will look in /Library/Managed Preferences first and if it's not set there will then look in /Library/Preferences.

[golbiga]

Closed the issue as this is as designed, but will reply above.