Generate Configuration Profiles
Allen Golbig edited this page Oct 8, 2024 · 12 revisions
Adding the -p flag to the generate_guidance.py script will generate configuration profiles and the corresponding plists for the rules that have mobileconfig set to true in the rules YAML file.
mobileconfig: true
mobileconfig_info:
  com.apple.security.smartcard:
    enforceSmartCard: true
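How mobileconfig_info settings like the one above map onto a configuration profile payload, as an added sketch that is not the project's generate_guidance.py code. The rule ids, the org.example identifiers, the one-payload-per-payload-type grouping and the conflict check are assumptions made for illustration.

```python
import plistlib
import uuid

# Constructed sample rules, shaped like the rule YAML above once parsed.
# Rule ids are hypothetical.
RULES = [
    {"id": "example_enforce", "mobileconfig": True,
     "mobileconfig_info": {"com.apple.security.smartcard": {"enforceSmartCard": True}}},
    {"id": "example_allow", "mobileconfig": True,
     "mobileconfig_info": {"com.apple.security.smartcard": {"allowSmartCard": True}}},
    {"id": "example_script_only", "mobileconfig": False, "mobileconfig_info": {}},
]

def collect_payloads(rules):
    """Merge settings from rules with mobileconfig: true, keyed by payload type."""
    merged = {}
    for rule in rules:
        if rule.get("mobileconfig") is not True:
            continue  # rule is not enforced through a profile
        for payload_type, settings in rule.get("mobileconfig_info", {}).items():
            target = merged.setdefault(payload_type, {})
            for key, value in settings.items():
                # Two rules disagreeing on one key would give an ambiguous profile.
                if key in target and target[key] != value:
                    raise ValueError(f"{rule['id']}: conflict on {payload_type}.{key}")
                target[key] = value
    return merged

def build_profile(rules, org="org.example"):
    """Return unsigned .mobileconfig bytes with one payload per payload type."""
    content = [
        {"PayloadType": payload_type,
         "PayloadIdentifier": f"{org}.{payload_type}",
         "PayloadUUID": str(uuid.uuid4()).upper(),
         "PayloadVersion": 1,
         **settings}
        for payload_type, settings in sorted(collect_payloads(rules).items())
    ]
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Example baseline (constructed)",
        "PayloadContent": content,
    }
    return plistlib.dumps(profile)

if __name__ == "__main__":
    print(build_profile(RULES).decode())
```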
Generate Unsigned Configuration Profiles
➜ macos_security git:(sequoia) ./scripts/generate_guidance.py -p build/baselines/800-53r5_moderate.yaml
Adding the -H flag to the generate_guidance.py script will generate signed configuration profiles as well as unsigned copies for viewing. To sign the profiles, provide the subject key ID of the code signing certificate, not its SHA-1 hash.
Get the Subject Key ID for Signing
skid=$(security find-certificate -c "CodeSigning Certificate Name" -p | openssl asn1parse | awk -F: '/X509v3 Subject Key Identifier/ {getline; print $1}')
security find-certificate -c "CodeSigning Certificate Name" -p | openssl asn1parse -strparse $skid | awk -F: '/HEX DUMP/{print $4}'
Generate Signed Configuration Profiles
➜ macos_security git:(sequoia) ./scripts/generate_guidance.py -p -H <HASHVALUE> build/baselines/800-53r5_moderate.yaml