Beispiele für Konfigurationsprofile
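Die folgenden Beispiele können als Ausgangspunkt für die Erstellung einer PLIST- oder .mobileconfig-Datei für Compliance Reporter dienen, die lokal installiert oder via Jamf Pro bereitgestellt werden kann. Platzhalterwerte in den Beispielen (z. B. Serveradresse, PORT, Lizenzangaben und leere Zertifikatsfelder) müssen vor der Bereitstellung durch eigene Werte ersetzt werden.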
PLIST-Datei
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Sample Compliance Reporter preferences as a flat property list.
       The endpoint address, PORT and the empty strings are placeholders to fill in. -->
  <key>AuditLevel</key>
  <integer>1</integer>

  <!-- Local log file: location, rotation, ownership and mode. -->
  <key>LogFileMaxNumberBackups</key>
  <integer>10</integer>
  <key>LogFileLocation</key>
  <string>/var/log/JamfComplianceReporter.log</string>
  <key>LogFileMaxSizeMegaBytes</key>
  <integer>10</integer>

  <!-- File event scope. The entries below are written as patterns containing ".*". -->
  <key>FileEventUseFuzzyMatch</key>
  <false/>
  <key>FileEventInclusionPaths</key>
  <array>
    <string>/Users/.*</string>
  </array>
  <!-- NOTE(review): assuming these entries are matched as regular expressions, this
       excludes every user's Library folder, which also holds per-user LaunchAgents.
       Confirm that this gap in file monitoring is acceptable for your environment. -->
  <key>FileEventExclusionPaths</key>
  <array>
    <string>/Users/.*/Library/.*</string>
  </array>

  <!-- Mode 640 with owner root:wheel keeps the audit log unreadable for accounts
       outside the owner and group. -->
  <key>LogFilePermission</key>
  <string>640</string>
  <key>LogFileOwnership</key>
  <string>root:wheel</string>

  <key>AuditEventLogVerboseMessages</key>
  <false/>
  <!-- Presumably events from the users and processes listed below are not recorded;
       keep both lists as short as possible, since each entry is a monitoring blind spot. -->
  <key>AuditEventExcludedUsers</key>
  <array>
    <string>_spotlight</string>
    <string>_windowserver</string>
  </array>
  <key>AuditEventExcludedProcesses</key>
  <array>
    <string>/usr/bin/log</string>
    <string>/usr/sbin/syslogd</string>
  </array>

  <!-- Remote logging. NOTE(review): the switch is on while LogRemoteEndpointType is
       empty and the URL is a placeholder; set both to match the endpoint in use. -->
  <key>LogRemoteEndpointEnabled</key>
  <true/>
  <key>LogRemoteEndpointURL</key>
  <string>server.company.com:PORT</string>
  <key>LogRemoteEndpointType</key>
  <string></string>

  <!-- Kafka endpoint settings; the TLS fields are left empty in this sample.
       NOTE(review): TLSClientPrivateKey suggests private key material or a reference
       to it. A preference file is readable on disk, so confirm how the product expects
       this value and restrict access to the file accordingly. -->
  <key>LogRemoteEndpointKafka</key>
  <dict>
    <key>TLSServerCertificate</key>
    <string></string>
    <key>TLSClientPrivateKey</key>
    <string></string>
    <key>TLSClientCertificate</key>
    <string></string>
    <key>TopicName</key>
    <string>compliancereporter</string>
  </dict>

  <!-- REST endpoint settings. The hash below is a sample value.
       NOTE(review): the key name suggests a pin on the server's public key; replace
       it with the value for your own endpoint and confirm the expected format. -->
  <key>LogRemoteEndpointREST</key>
  <dict>
    <key>PublicKeyHash</key>
    <string>e838SOLK9Yu+brDTxM4s0HatE2UdoEmRSBtNDU=</string>
  </dict>

  <!-- TLS endpoint settings; the server certificate is left empty in this sample. -->
  <key>LogRemoteEndpointTLS</key>
  <dict>
    <key>TLSServerCertificate</key>
    <string></string>
  </dict>

  <key>SyslogFormatEnabled</key>
  <false/>
</dict>
</plist>
Splunk HTTPS Event Collector Konfigurationsprofil
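<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Configuration profile that forces Compliance Reporter preferences and sends
       events to a Splunk HTTP Event Collector. License values, host name and the
       payload UUIDs are sample values to replace before deployment. -->
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadContent</key>
      <dict>
        <key>com.jamf.compliancereporter</key>
        <dict>
          <key>Forced</key>
          <array>
            <dict>
              <key>mcx_preference_settings</key>
              <dict>
                <!-- Presumably events from the processes and users listed below are
                     not recorded; list only software that is actually installed. -->
                <key>AuditEventExcludedProcesses</key>
                <array>
                  <string>/usr/sbin/mDNSResponder</string>
                  <string>/usr/sbin/syslogd</string>
                  <string>/Applications/splunk/bin/splunk-optimize</string>
                </array>
                <key>AuditEventExcludedUsers</key>
                <array>
                  <string>_spotlight</string>
                  <string>_windowserver</string>
                </array>
                <key>AuditEventLogVerboseMessages</key>
                <false/>
                <key>AuditLevel</key>
                <integer>1</integer>

                <!-- NOTE(review): there is no path separator after "splunk". If the
                     entries are matched as regular expressions, any path that merely
                     starts with /Applications/splunk is excluded as well;
                     /Applications/splunk/.* would be the narrower pattern. -->
                <key>FileEventExclusionPaths</key>
                <array>
                  <string>/Applications/splunk.*</string>
                </array>
                <!-- Watched locations: PAM modules, launchd job folders, startup items,
                     kernel extensions, system preferences, privileged helper tools
                     and /private/etc. -->
                <key>FileEventInclusionPaths</key>
                <array>
                  <string>/usr/lib/pam/.*</string>
                  <string>/Library/Launch.*</string>
                  <string>/Library/StartupItems/.*</string>
                  <string>/Library/Extensions/.*</string>
                  <string>/Library/Preferences/.*</string>
                  <string>/Library/PrivilegedHelperTools/.*</string>
                  <string>/private/etc/.*</string>
                </array>

                <!-- License details: all values below are placeholders. -->
                <key>LicenseEmail</key>
                <string>example@mycompany.com</string>
                <key>LicenseExpirationDate</key>
                <string>dd/mm/yyyy</string>
                <key>LicenseKey</key>
                <string>35c...</string>
                <key>LicenseType</key>
                <string>Trial</string>
                <key>LicenseVersion</key>
                <string>1</string>

                <key>LogFileMaxNumberBackups</key>
                <integer>10</integer>
                <!-- Typed as integer, matching LogFileMaxNumberBackups above and the
                     PLIST example on this page; the sample carried it as a string. -->
                <key>LogFileMaxSizeMegaBytes</key>
                <integer>50</integer>
                <key>LogFileOwnership</key>
                <string>root:wheel</string>
                <!-- NOTE(review): 644 leaves the audit log readable by every local
                     account, while the PLIST example on this page uses 640. Prefer the
                     stricter mode unless a local non-root reader needs the file. -->
                <key>LogFilePermission</key>
                <string>644</string>

                <key>LogRemoteEndpointEnabled</key>
                <true/>
                <!-- NOTE(review): this sample value is UUID-shaped, unlike the
                     base64-style value in the PLIST example; confirm what the key
                     expects for a Splunk endpoint and replace it with your own value. -->
                <key>LogRemoteEndpointREST</key>
                <dict>
                  <key>PublicKeyHash</key>
                  <string>7E1DDE57-CEA3-4872-A477-CD2D6B640AFB</string>
                </dict>
                <key>LogRemoteEndpointType</key>
                <string>Splunk</string>
                <!-- HTTPS collector address; the host name is a placeholder. -->
                <key>LogRemoteEndpointURL</key>
                <string>https://splunk.company.com:8088/services/collector/raw</string>
                <key>UnifiedLogPredicates</key>
                <array>
                  <string>(subsystem == "com.apple.AccountPolicy")</string>
                </array>
              </dict>
            </dict>
          </array>
        </dict>
      </dict>
      <key>PayloadDescription</key>
      <string></string>
      <key>PayloadDisplayName</key>
      <string>Custom</string>
      <key>PayloadEnabled</key>
      <true/>
      <!-- PayloadIdentifier and PayloadUUID carry the same sample UUID here. -->
      <key>PayloadIdentifier</key>
      <string>ACE8C1E0-2CA9-47F9-95EA-092964CAB3EE</string>
      <key>PayloadOrganization</key>
      <string>Jamf inc</string>
      <key>PayloadType</key>
      <string>com.apple.ManagedClient.preferences</string>
      <key>PayloadUUID</key>
      <string>ACE8C1E0-2CA9-47F9-95EA-092964CAB3EE</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string></string>
  <key>PayloadDisplayName</key>
  <string>Splunk HEC Compliance Reporter Preferences</string>
  <key>PayloadEnabled</key>
  <true/>
  <!-- The identifier and UUID values in this profile also appear in the Sumo Logic
       example on this page. Generate fresh values for each profile: a profile
       installed with an identifier that is already present replaces the existing one. -->
  <key>PayloadIdentifier</key>
  <string>8ECC25AC-0DAB-40D1-8E9F-2A7275315FDA</string>
  <key>PayloadOrganization</key>
  <string>Jamf inc</string>
  <!-- Asks the system to block manual removal of the profile. -->
  <key>PayloadRemovalDisallowed</key>
  <true/>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>8ECC25AC-0DAB-40D1-8E9F-2A7275315FDA</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>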
Sumo Logic REST HTTP Konfigurationsprofil
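<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Configuration profile that forces Compliance Reporter preferences and sends
       events to a Sumo Logic HTTP collector through the REST endpoint type. License
       values, the collector URL and the payload UUIDs are sample values to replace. -->
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadContent</key>
      <dict>
        <key>com.jamf.compliancereporter</key>
        <dict>
          <key>Forced</key>
          <array>
            <dict>
              <key>mcx_preference_settings</key>
              <dict>
                <key>AuditLevel</key>
                <integer>1</integer>
                <key>AuditEventLogVerboseMessages</key>
                <false/>
                <!-- NOTE(review): the Splunk paths look carried over from a Splunk
                     setup, although this profile targets Sumo Logic. Presumably events
                     from listed processes are not recorded, so keep only entries for
                     software that is actually installed. -->
                <key>AuditEventExcludedProcesses</key>
                <array>
                  <string>/Applications/splunk/bin/splunk</string>
                  <string>/Applications/splunk/bin/splunkd</string>
                  <string>/Applications/splunk/bin/splunk-optimize</string>
                  <string>/usr/sbin/mDNSResponder</string>
                </array>

                <key>FileEventExclusionPaths</key>
                <array>
                  <string>/private/etc/cups/.*</string>
                </array>
                <!-- Watched locations: PAM modules, launchd job folders, startup items,
                     kernel extensions, /private/etc and /private/var. -->
                <key>FileEventInclusionPaths</key>
                <array>
                  <string>/usr/lib/pam/.*</string>
                  <string>/Library/LaunchDaemons/.*</string>
                  <string>/Library/LaunchAgents/.*</string>
                  <string>/Library/StartupItems/.*</string>
                  <string>/Library/Extensions/.*</string>
                  <string>/private/etc/.*</string>
                  <string>/private/var/.*</string>
                </array>
                <!-- NOTE(review): the array holds a single empty string; confirm
                     whether the key should be omitted when no predicate is wanted. -->
                <key>UnifiedLogPredicates</key>
                <array>
                  <string></string>
                </array>

                <!-- Remote endpoint logging master switch -->
                <key>LogRemoteEndpointEnabled</key>
                <true/>
                <!-- Truncated sample URL. NOTE(review): the path segment after
                     /receiver/v1/http/ is specific to one collector, so treat the full
                     URL as a credential. A profile is readable on the device; limit who
                     can view it in the management console and rotate the collector URL
                     if the profile leaks. -->
                <key>LogRemoteEndpointURL</key>
                <string>https://endpoint4.collection.us2.sumologic.com/receiver/v1/http/ZaVnC4dhaV2OEAFVGi2WoEGbB048Hi63VjN_DJVhV...</string>
                <key>LogRemoteEndpointType</key>
                <string>REST</string>
                <!-- NOTE(review): PublicKeyHash is empty here, unlike the other examples
                     on this page. If the key pins the server's public key, an empty
                     value presumably leaves pinning unset; confirm before deployment. -->
                <key>LogRemoteEndpointREST</key>
                <dict>
                  <key>PublicKeyHash</key>
                  <string></string>
                </dict>

                <!-- License details: all values below are placeholders.
                     NOTE(review): the date placeholder reads mm/dd/yyyy, while the
                     Splunk example on this page shows dd/mm/yyyy; confirm the format. -->
                <key>LicenseEmail</key>
                <string>example@mycompany.com</string>
                <key>LicenseExpirationDate</key>
                <string>mm/dd/yyyy</string>
                <key>LicenseKey</key>
                <string>6466...</string>
                <key>LicenseType</key>
                <string>Trial</string>
                <key>LicenseVersion</key>
                <string>1</string>

                <key>LogFileMaxNumberBackups</key>
                <integer>10</integer>
                <!-- Typed as integer, matching LogFileMaxNumberBackups above and the
                     PLIST example on this page; the sample carried it as a string. -->
                <key>LogFileMaxSizeMegaBytes</key>
                <integer>100</integer>
                <key>LogFileOwnership</key>
                <string>root:wheel</string>
                <!-- NOTE(review): 644 leaves the audit log readable by every local
                     account, while the PLIST example on this page uses 640. Prefer the
                     stricter mode unless a local non-root reader needs the file. -->
                <key>LogFilePermission</key>
                <string>644</string>
              </dict>
            </dict>
          </array>
        </dict>
      </dict>
      <key>PayloadDescription</key>
      <string></string>
      <key>PayloadDisplayName</key>
      <string>Custom</string>
      <key>PayloadEnabled</key>
      <true/>
      <!-- PayloadIdentifier and PayloadUUID carry the same sample UUID here. -->
      <key>PayloadIdentifier</key>
      <string>ACE8C1E0-2CA9-47F9-95EA-092964CAB3EE</string>
      <key>PayloadOrganization</key>
      <string>Jamf inc</string>
      <key>PayloadType</key>
      <string>com.apple.ManagedClient.preferences</string>
      <key>PayloadUUID</key>
      <string>ACE8C1E0-2CA9-47F9-95EA-092964CAB3EE</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string></string>
  <key>PayloadDisplayName</key>
  <string>Example Compliance Reporter Preferences</string>
  <key>PayloadEnabled</key>
  <true/>
  <!-- The identifier and UUID values in this profile also appear in the Splunk
       example on this page. Generate fresh values for each profile: a profile
       installed with an identifier that is already present replaces the existing one. -->
  <key>PayloadIdentifier</key>
  <string>8ECC25AC-0DAB-40D1-8E9F-2A7275315FDA</string>
  <key>PayloadOrganization</key>
  <string>Jamf inc</string>
  <!-- Asks the system to block manual removal of the profile. -->
  <key>PayloadRemovalDisallowed</key>
  <true/>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>8ECC25AC-0DAB-40D1-8E9F-2A7275315FDA</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>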
Konfigurationsprofil für die Richtliniensteuerung in der Systemeinstellung „Sicherheit“
Während Compliance Reporter für den Großteil der Dateiüberwachung nicht voraussetzt, dass die Payload „Richtliniensteuerung in der Systemeinstellung ‚Sicherheit‘“ konfiguriert ist, ist dies für Host Intrusion Detection (HID) notwendig.
Weitere Informationen finden Sie unter Host Intrusion Detection in der Compliance Reporter Dokumentation.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Privacy Preferences Policy Control profile for Compliance Reporter. It pre-approves
       two file access services for the app identified as com.jamf.reporter. -->
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDescription</key>
      <string>JamfComplianceReporter-PPPC</string>
      <key>PayloadDisplayName</key>
      <string>JamfComplianceReporter-PPPC</string>
      <!-- NOTE(review): this payload and the enclosing profile share the same
           PayloadIdentifier and PayloadUUID. Payload UUIDs are meant to be unique,
           so consider generating separate values for the payload and the profile. -->
      <key>PayloadIdentifier</key>
      <string>com.jamf.compliance-reporter.pppc</string>
      <key>PayloadOrganization</key>
      <string>Jamf Compliance Reporter</string>
      <key>PayloadType</key>
      <string>com.apple.TCC.configuration-profile-policy</string>
      <key>PayloadUUID</key>
      <string>3b7f1c8e-a301-4784-bb79-1fa85d02899f</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>Services</key>
      <dict>
        <!-- SystemPolicyAllFiles is the broad "all protected files" grant, so the
             CodeRequirement below is what limits it to the intended binary: code
             identifier com.jamf.reporter, an Apple-anchored signature and, on the
             Developer ID branch, team OU 483DWKW443. Compare it with the requirement
             of the installed app (for example with codesign -d -r- on the app path)
             and do not loosen it when adapting this profile. -->
        <key>SystemPolicyAllFiles</key>
        <array>
          <dict>
            <key>Allowed</key>
            <true/>
            <key>CodeRequirement</key>
            <string>anchor apple generic and identifier "com.jamf.reporter" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443")</string>
            <key>Comment</key>
            <string></string>
            <key>Identifier</key>
            <string>com.jamf.reporter</string>
            <key>IdentifierType</key>
            <string>bundleID</string>
          </dict>
        </array>
        <!-- Same app and same code requirement, approved for the
             SystemPolicySysAdminFiles service. -->
        <key>SystemPolicySysAdminFiles</key>
        <array>
          <dict>
            <key>Allowed</key>
            <true/>
            <key>CodeRequirement</key>
            <string>anchor apple generic and identifier "com.jamf.reporter" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443")</string>
            <key>Comment</key>
            <string></string>
            <key>Identifier</key>
            <string>com.jamf.reporter</string>
            <key>IdentifierType</key>
            <string>bundleID</string>
          </dict>
        </array>
      </dict>
    </dict>
  </array>
  <!-- Profile-level metadata; the profile is installed at system scope. -->
  <key>PayloadDescription</key>
  <string>JamfComplianceReporter-PPPC</string>
  <key>PayloadDisplayName</key>
  <string>JamfComplianceReporter-PPPC</string>
  <key>PayloadIdentifier</key>
  <string>com.jamf.compliance-reporter.pppc</string>
  <key>PayloadOrganization</key>
  <string>Jamf Compliance Reporter</string>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>3b7f1c8e-a301-4784-bb79-1fa85d02899f</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>