A tool that helps manage and manipulate configuration profiles.
profiletool verb [options] FILE
This action will remove the signature from a given profile. The new, unsigned profile will be written to the current working directory with _unsigned appended to the file name (e.g. Settings.mobileconfig will turn into Settings_unsigned.mobileconfig).
$ profiletool unsign Settings.mobileconfig
You usually do not have to explicitly unsign profiles when working with profiletool. All actions will work with signed and unsigned profiles.
This action will sign a profile with a given identity. This requires a --identity argument. If a profile is already signed, the existing signature will be replaced.
$ profiletool sign --identity "Developer ID Application: Armin Briegel"
You can get a list of identities available to use with
$ security find-identity -p codesigning -v
When you add the --identity argument to any action that generates a profile, the new profile will be signed.
This action will verify a signature and print some information.
$ profiletool check-signature Settings.mobileconfig
This action requires one or more --type arguments. These specify the PayloadType of the payload items that will be extracted into a new profile. UUIDs for the profile and payload items will be regenerated. Identifiers for the profile and payload items will also be regenerated (as with reset-identifiers).
The new, extracted profile will be written to the current working directory with _extract appended to the file name (e.g. Settings.mobileconfig will turn into Settings_extract.mobileconfig).
$ profiletool extract --type com.apple.preference.security -t com.apple.security.pkcs1 -t com.apple.security.FDERecoveryKeyEscrow -t com.apple.MCX.FileVault2 --identifier "com.scriptingosx.security" Security.mobileconfig
Replaces the PayloadUUID of the profile and all payload items with new UUIDs.
The new profile will be written to the current working directory with _resetuuids appended to the file name.
Replaces all PayloadIdentifiers with new, unique values. The top-level identifier for the profile can (and should) be given with the --identifier option. If no --identifier is given, the tool will use new.<FILENAME>.
The identifier for each payload item will be generated by concatenating the --identifier and the PayloadType. When the PayloadType starts with com.apple. that prefix will be omitted.
The new profile will be written to the current working directory with _resetidentifiers appended to the file name.
Replaces both identifiers and UUIDs with new values.
This action requires a --type argument to define the payload item and accepts a --key argument to choose the key. When no --key is given, all keys and values will be printed for that payload.
$ profiletool read --type com.apple.security.pkcs1 --key PayloadUUID Security_extract.mobileconfig
This action requires a --type and --key argument, as well as a --string argument to define the value.
$ profiletool write --type com.scriptingosx.security.security.FDERecoveryKeyEscrow --key EncryptCertPayloadUUID --string 6a030f05-fe1e-11e8-b00f-8c85901d3852 Security_extract.mobileconfig
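The identifier and UUID reset rules described above, together with the reason the read/write pair is useful afterwards, as an added Python example (not profiletool's own code): once UUIDs are regenerated, a key such as EncryptCertPayloadUUID must point at the certificate payload's new PayloadUUID. The function names and the sample profile are constructed for illustration, and repointing references automatically is an assumption of this sketch, not documented behaviour of the tool.

```python
import plistlib
import uuid

APPLE_PREFIX = "com.apple."

def payload_identifier(base, payload_type):
    # Rule from the text: base identifier + PayloadType, minus a leading "com.apple."
    if payload_type.startswith(APPLE_PREFIX):
        payload_type = payload_type[len(APPLE_PREFIX):]
    return f"{base}.{payload_type}"

def reset_profile(data, base):
    """Return (new profile bytes, old->new UUID map) for an unsigned profile."""
    profile = plistlib.loads(data)
    items = profile.get("PayloadContent", [])
    # Pass 1: regenerate every PayloadUUID, remembering what each old one became.
    remap = {}
    for obj in [profile, *items]:
        new = str(uuid.uuid4()).upper()
        remap[obj["PayloadUUID"]] = new
        obj["PayloadUUID"] = new
    profile["PayloadIdentifier"] = base
    for item in items:
        item["PayloadIdentifier"] = payload_identifier(base, item["PayloadType"])
    # Pass 2: repoint string values that referenced an old payload UUID
    # (e.g. EncryptCertPayloadUUID), so cross-references survive the reset.
    for item in items:
        for key, value in item.items():
            if key != "PayloadUUID" and isinstance(value, str) and value in remap:
                item[key] = remap[value]
    return plistlib.dumps(profile), remap

def sample_profile():
    # Constructed sample: a certificate payload and an escrow payload referencing it.
    cert_uuid = "11111111-1111-1111-1111-111111111111"
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "old.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.pkcs1", "PayloadVersion": 1,
             "PayloadIdentifier": "old.cert", "PayloadUUID": cert_uuid},
            {"PayloadType": "com.apple.security.FDERecoveryKeyEscrow",
             "PayloadVersion": 1, "PayloadIdentifier": "old.escrow",
             "PayloadUUID": "22222222-2222-2222-2222-222222222222",
             "EncryptCertPayloadUUID": cert_uuid},
        ],
    })

if __name__ == "__main__":
    out, _ = reset_profile(sample_profile(), "com.scriptingosx.security")
    print(out.decode())
```

The sketch only handles unsigned XML or binary plists; a signed profile has to be unsigned first and re-signed after any change.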