Option to ignore unmanaged preferences #1198

Open
Melvin-P-NL opened this issue Jan 18, 2024 · 4 comments
Open

Option to ignore unmanaged preferences #1198

Melvin-P-NL opened this issue Jan 18, 2024 · 4 comments

Comments

@Melvin-P-NL

All Munki preferences have a default value. We use configuration profiles to customize settings, like most of the users would. But we leave a lot of settings unmanaged, because the default is fine. I think this might be a risk (or at least suboptimal) in some situations, because a local admin user could set another value with the defaults write command.

Some examples. If you don't manage the...

  • PackageURL key; then a local admin could set it to 'whatever' and so break Munki's functionality on that machine.
  • SuppressUserNotification key; then a local admin could set it to true and so disable any notifications.
  • ClientIdentifier key and use default manifest resolution with serial numbers as the manifest names; then a local admin could spoof another serial number.

Of course it's our own responsibility to manage the settings we care about and prevent problems. Managing all preferences takes this all away. But this gave me the idea for an additional option, that sets Munki to ignore any unmanaged settings and only apply managed or default settings.

So, when a setting like 'IgnoreUnmanagedPreferences' is enabled, Munki applies managed preferences only and keeps the default setting when none is set. Also when a local preference is set.

In the end, I think an option like that would keep setting up Munki minimalistic, but more secure and less 'hackable' at the same time.

@gregneagle
Contributor

It's an interesting idea. In order to implement it, we'd need to be very thorough and methodic about which preferences/defaults can be usefully managed and which need to live in /Library/Preferences/ManagedInstalls.plist (these are more "record-keeping": values that Munki writes there to communicate to itself in the future or to other processes like Managed Software Center.app, etc.).

I don't see myself working on something like this any time soon, but would be happy to review proposed code changes.

@gregneagle
Contributor

Might want to note that a preference to ignore unmanaged preferences would itself have to be one that was only honored if it was a managed preference.

@macBerlin

@Melvin-P-NL I understand your objection, but you always assume that the user has admin rights. He can also delete the complete Munki application or folder, LaunchDaemons and co.

@gregneagle
Contributor

gregneagle commented May 2, 2024

I've thought about this some more. It seems to me that if you "leave a lot of settings unmanaged, because the default is fine", but then are concerned a savvy user could override those, then the obvious fix is to manage those settings. This solves your problem with no code changes in Munki. This also then avoids the problem of having to be very careful, now and in the future, of making sure Munki knows which preferences should be able to be set and read from /Library/Preferences/ManagedInstalls.plist, and which should be covered by a feature that ignores unmanaged preferences.

The part that is a tiny bit tricky here: you can't easily manage a preference as undefined, but I think if you were to manage things like ClientIdentifier and PackageURL as empty strings, you'd get the desired effect. I think someone should test and verify that, however.
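An audit along the lines discussed in this thread, as an added example that is not Munki's own code: it reads the managed and the locally writable ManagedInstalls plists, reports keys a local admin has set without any managed value, and lists which of the keys named in this issue are still unmanaged (a managed empty string counts as managed, matching the workaround suggested above). The two file paths are the standard macOS locations and the sample plists are constructed.

```python
"""Audit Munki preferences for local (unmanaged) overrides."""
import plistlib
from pathlib import Path

# Assumed standard macOS locations for the ManagedInstalls domain.
MANAGED_PLIST = Path("/Library/Managed Preferences/ManagedInstalls.plist")
LOCAL_PLIST = Path("/Library/Preferences/ManagedInstalls.plist")

# Keys this issue calls out as risky when left unmanaged.
SENSITIVE_KEYS = ("PackageURL", "SuppressUserNotification", "ClientIdentifier")


def load_plist(path: Path) -> dict:
    """Parse a plist file; a missing file means 'nothing set'."""
    if not path.exists():
        return {}
    with path.open("rb") as fh:
        return plistlib.load(fh)


def unmanaged_overrides(managed: dict, local: dict) -> dict:
    """Keys set locally that have no managed value, so the local value wins."""
    return {key: val for key, val in local.items() if key not in managed}


def unmanaged_sensitive(managed: dict) -> list:
    """Sensitive keys a local admin could still override (absent from managed)."""
    return sorted(key for key in SENSITIVE_KEYS if key not in managed)


def audit(managed_path: Path = MANAGED_PLIST, local_path: Path = LOCAL_PLIST):
    """Run both checks against the plists on this machine."""
    managed, local = load_plist(managed_path), load_plist(local_path)
    return unmanaged_overrides(managed, local), unmanaged_sensitive(managed)


# Constructed sample data: the profile manages PackageURL as an empty string,
# while a local admin has written two keys with `defaults write`.
SAMPLE_MANAGED = plistlib.loads(b"""<plist version="1.0"><dict>
  <key>SoftwareRepoURL</key><string>https://munki.example.com/repo</string>
  <key>PackageURL</key><string></string>
</dict></plist>""")
SAMPLE_LOCAL = plistlib.loads(b"""<plist version="1.0"><dict>
  <key>PackageURL</key><string>http://example.invalid/other</string>
  <key>SuppressUserNotification</key><true/>
  <key>LastCheckDate</key><string>2024-01-18T00:00:00Z</string>
</dict></plist>""")

if __name__ == "__main__":
    print("local overrides:", unmanaged_overrides(SAMPLE_MANAGED, SAMPLE_LOCAL))
    print("unmanaged sensitive keys:", unmanaged_sensitive(SAMPLE_MANAGED))
```

Record-keeping keys such as LastCheckDate show up in the override list by design; the sensitive-key list is the one to act on by adding those keys to the configuration profile.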
