VMware Workspace ONE Community
phongshader
Contributor

OSX hardening Custom Attributes

[updated to mac OS 10.14.3] MacOS 10.13.3 I've been able to get most of what I need through the 'Compliance Policies' and 'Profiles and Resources' menus but I'm stuck on the last few items: 'Disable printer sharing', 'Disable screen sharing', 'Disable remote management', and 'Disable remote login (SSH)'. Maybe I'm missing these in the above AW menus; if so, could you point out what I'm missing? I've tried running command line through 'Staging and Provisioning' but they all fail. Is it possible to create a 'Custom Settings' profile to 'Disable remote management', or any of the other items listed above, or am I barking up the wrong tree?

10 Replies
phongshader
Contributor

Could I use a 'Custom Attributes' profile to execute this command 'systemsetup -f -setremotelogin off' or 'systemsetup -setwakeonnetworkaccess off'?

phongshader
Contributor

Still looking for information on this
hetjan
Contributor

If your goal is compliance then you should look into running a script on each mac that populates AirWatch with a key on the current status, since sending a command will set the value on the device but won't give you an up-to-date status of the value.
phongshader
Contributor

Thank you for the reply. I want to accomplish an initial setup, -setremotelogin off, -setwakeonnetworkaccess off, etc, and check compliance as well. I ask these questions because I'm not sure if this is the right tool to accomplish my goals. It does seem to work but it may not be the best way to do it.
phongshader
Contributor

'you should look into running a script on each mac that populates AirWatch with a key on the current status' Please tell me or point me to documentation on how to do this. I can write scripts to tell me what the current status is, but how do I get AW to automate the execution of these scripts so that Custom Attributes can act upon the output of these scripts? Am I understanding the use case correctly?


For instance we want to make sure a setting in a plist is set:


# this checks if the reconnect on wake setting is enabled
# defaults prints 1 for true and 0 for false; a missing key is treated as off
if [ "$(defaults read com.viscosityvpn.Viscosity ReconnectOnWake 2>/dev/null)" = "1" ]; then
    echo "it's on"
else
    echo "it's off"
fi


Right now the output is an echo command; how would I change that into something I can leverage with AW and use with custom attributes?

phongshader
Contributor

Can anyone add to this?
phongshader
Contributor

Still looking for an explanation for 'running a script on each mac that populates AirWatch with a key on the current status'
hetjan
Contributor

VMware calls that 'Custom Attributes'. It's a feature that allows you to run a script on the machine and report it back to the console.
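An added example (not from the thread or from VMware) of the kind of status script discussed above: it turns the `systemsetup` getters for the two settings named in the thread into one value a Custom Attribute could carry. It assumes the console records what the script prints on stdout and that the script runs as root; the function names and the value format are illustrative.

```shell
#!/bin/sh
# Added example. Assumption: the Custom Attribute value is the script's stdout.

# Normalise a "Label: On|Off" line from systemsetup to Enabled/Disabled/Unknown.
parse_state() {
    case "$(printf '%s' "$1" | awk -F': *' '{gsub(/[ \t\r]+$/, ""); print tolower($NF)}')" in
        on)  echo "Enabled" ;;
        off) echo "Disabled" ;;
        *)   echo "Unknown" ;;   # empty output, not root, or unexpected text
    esac
}

# $1: output of `systemsetup -getremotelogin`
# $2: output of `systemsetup -getwakeonnetworkaccess`
# Prints "Compliant" only when both are Off; anything else, including a value
# that could not be read, is reported by name so it is never counted as hardened.
hardening_status() {
    failed=""
    rl=$(parse_state "$1")
    wol=$(parse_state "$2")
    [ "$rl" = "Disabled" ]  || failed="${failed}RemoteLogin=${rl},"
    [ "$wol" = "Disabled" ] || failed="${failed}WakeOnNetwork=${wol},"
    if [ -z "$failed" ]; then
        echo "Compliant"
    else
        echo "NonCompliant:${failed%,}"
    fi
}

# On a Mac, print the single value for the console to record.
if command -v systemsetup >/dev/null 2>&1; then
    hardening_status "$(systemsetup -getremotelogin 2>/dev/null)" \
                     "$(systemsetup -getwakeonnetworkaccess 2>/dev/null)"
fi
```

Because the script only reads state, it can be run on an interval to report drift separately from the one-time `-setremotelogin off` style commands that apply the setting.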
phongshader
Contributor

I'm finally starting to understand what/how 'custom attributes' works. It may be obvious to all of you but not to me. As stated above, Airwatch runs a script on an endpoint that returns a value to the AW console. It is logged in Devices > Provisioning > Custom Attributes >  > Values, globally, meaning that every unique value for that custom attribute is stored in Values. I didn't see the point in that because there is no way to track what value came from what endpoint (if no unique identifier was returned from the endpoint) and the returned values persist even if the returned value from an endpoint changes. What I did find out is that if I go to Devices > List View >  > More > Custom Attributes I get the current values returned by the endpoint, which is interesting, informative, and somewhat useful but still not what I was hoping for. What I would really like to see, maybe it's possible, is a way to see these values globally for all the endpoints, not one endpoint at a time. That is, if I wanted to know if a certain process is running or not running on an endpoint, how would I search to find all the endpoints that return a value of, for instance, 'Stopped'? I see there is the ability to take a returned value and 'Use As Lookup Value' but I'm unsure of what that does. I tried using a saved 'Lookup Value' as a search term in the console with no results returned, so I'm not understanding the correct usage there. Also, can someone explain what 'Rule Generator' is, what it's used for, and how to access it?
Thanks
phongshader
Contributor

A year to the day...