Ejemplos de perfil de configuración
Los siguientes ejemplos se pueden usar como punto de partida para crear un archivo PLIST o .mobileconfig para Compliance Reporter que se puede instalar localmente o implementar con Jamf Pro.
Archivo PLIST
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- Standalone preferences plist for Compliance Reporter (flat key/value dictionary, no profile wrapper).
     It is a template: the endpoint URL, endpoint type, TLS fields and PublicKeyHash below hold
     placeholders or sample values and must be replaced before deployment. -->
<plist version="1.0">
<dict>
<key>AuditLevel</key>
<integer>1</integer>
<!-- Local log file: location, size limit in megabytes and number of backups to keep. -->
<key>LogFileMaxNumberBackups</key>
<integer>10</integer>
<key>LogFileLocation</key>
<string>/var/log/JamfComplianceReporter.log</string>
<key>LogFileMaxSizeMegaBytes</key>
<integer>10</integer>
<!-- File event scope. The path entries contain ".*", so they read as regular expressions. -->
<key>FileEventUseFuzzyMatch</key>
<false/>
<key>FileEventInclusionPaths</key>
<array>
<string>/Users/.*</string>
</array>
<!-- NOTE(review): assuming exclusions take precedence over inclusions (not shown here), nothing under
     any user's Library folder produces file events, including per-user LaunchAgents. Narrow this
     pattern if that coverage is needed. -->
<key>FileEventExclusionPaths</key>
<array>
<string>/Users/.*/Library/.*</string>
</array>
<!-- Mode 640 with root:wheel: owner read/write, group read-only, no access for other accounts. -->
<key>LogFilePermission</key>
<string>640</string>
<key>LogFileOwnership</key>
<string>root:wheel</string>
<key>AuditEventLogVerboseMessages</key>
<false/>
<!-- Exclusion lists: presumably events attributed to these accounts and executables are not logged.
     Each entry is a deliberate blind spot, so keep the lists short and review them periodically. -->
<key>AuditEventExcludedUsers</key>
<array>
<string>_spotlight</string>
<string>_windowserver</string>
</array>
<key>AuditEventExcludedProcesses</key>
<array>
<string>/usr/bin/log</string>
<string>/usr/sbin/syslogd</string>
</array>
<!-- Remote forwarding is switched on, but the URL is a placeholder (host and PORT) and the type is
     empty. The profile examples on this page use "Splunk" and "REST" as type values. -->
<key>LogRemoteEndpointEnabled</key>
<true/>
<key>LogRemoteEndpointURL</key>
<string>server.company.com:PORT</string>
<key>LogRemoteEndpointType</key>
<string></string>
<!-- Kafka endpoint settings; the three TLS fields are left empty in this template.
     NOTE(review): if TLSClientPrivateKey ends up holding or pointing to real key material, anyone
     who can read this plist or the deployed profile can reach it. Restrict access accordingly. -->
<key>LogRemoteEndpointKafka</key>
<dict>
<key>TLSServerCertificate</key>
<string></string>
<key>TLSClientPrivateKey</key>
<string></string>
<key>TLSClientCertificate</key>
<string></string>
<key>TopicName</key>
<string>compliancereporter</string>
</dict>
<!-- NOTE(review): the key name suggests a pin of the server's public key. The value below is a
     sample from the documentation; replace it with the value for your own endpoint. -->
<key>LogRemoteEndpointREST</key>
<dict>
<key>PublicKeyHash</key>
<string>e838SOLK9Yu+brDTxM4s0HatE2UdoEmRSBtNDU=</string>
</dict>
<!-- Settings for a TLS endpoint type; the server certificate field is empty in this template. -->
<key>LogRemoteEndpointTLS</key>
<dict>
<key>TLSServerCertificate</key>
<string></string>
</dict>
<key>SyslogFormatEnabled</key>
<false/>
</dict>
</plist>
Perfil de configuración de recopilador de eventos HTTP de Splunk
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- Configuration profile that delivers Compliance Reporter settings as forced managed preferences
     for the com.jamf.compliancereporter domain and forwards events to a Splunk HTTP Event Collector.
     Structure: outer Configuration payload (System scope) wrapping one
     com.apple.ManagedClient.preferences payload. -->
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>com.jamf.compliancereporter</key>
<dict>
<key>Forced</key>
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<!-- Exclusion lists: presumably events from these executables and accounts are not logged.
     Each entry is a blind spot, so exclude only what is known to be noisy. -->
<key>AuditEventExcludedProcesses</key>
<array>
<string>/usr/sbin/mDNSResponder</string>
<string>/usr/sbin/syslogd</string>
<string>/Applications/splunk/bin/splunk-optimize</string>
</array>
<key>AuditEventExcludedUsers</key>
<array>
<string>_spotlight</string>
<string>_windowserver</string>
</array>
<key>AuditEventLogVerboseMessages</key>
<false/>
<key>AuditLevel</key>
<integer>1</integer>
<!-- NOTE(review): the pattern has no slash after "splunk", so if it is matched as a regular
     expression it also covers any other path that starts with /Applications/splunk. -->
<key>FileEventExclusionPaths</key>
<array>
<string>/Applications/splunk.*</string>
</array>
<!-- Watched locations: PAM modules, launch items, startup items, kernel extensions, system
     preferences, privileged helper tools and /private/etc. "/Library/Launch.*" covers both
     LaunchDaemons and LaunchAgents, plus anything else in /Library whose name starts with Launch. -->
<key>FileEventInclusionPaths</key>
<array>
<string>/usr/lib/pam/.*</string>
<string>/Library/Launch.*</string>
<string>/Library/StartupItems/.*</string>
<string>/Library/Extensions/.*</string>
<string>/Library/Preferences/.*</string>
<string>/Library/PrivilegedHelperTools/.*</string>
<string>/private/etc/.*</string>
</array>
<!-- License fields are placeholders; the key is truncated ("35c...").
     NOTE(review): the date placeholder here is dd/mm/yyyy while the Sumo Logic example on this
     page shows mm/dd/yyyy. Confirm the expected format before filling it in. -->
<key>LicenseEmail</key>
<string>example@mycompany.com</string>
<key>LicenseExpirationDate</key>
<string>dd/mm/yyyy</string>
<key>LicenseKey</key>
<string>35c...</string>
<key>LicenseType</key>
<string>Trial</string>
<key>LicenseVersion</key>
<string>1</string>
<key>LogFileMaxNumberBackups</key>
<integer>10</integer>
<!-- NOTE(review): given as a string here but as an integer in the PLIST example on this page.
     Confirm which type the product expects. -->
<key>LogFileMaxSizeMegaBytes</key>
<string>50</string>
<key>LogFileOwnership</key>
<string>root:wheel</string>
<!-- Mode 644 makes the local log readable by every account on the Mac. The PLIST example on this
     page uses 640; prefer the tighter mode unless a non-root reader genuinely needs the file. -->
<key>LogFilePermission</key>
<string>644</string>
<key>LogRemoteEndpointEnabled</key>
<true/>
<!-- NOTE(review): this sample value is GUID-shaped, unlike the sample in the PLIST example.
     Check the product documentation for what the Splunk endpoint type expects in this field, and
     treat the real value as a secret if it is a collector token. -->
<key>LogRemoteEndpointREST</key>
<dict>
<key>PublicKeyHash</key>
<string>7E1DDE57-CEA3-4872-A477-CD2D6B640AFB</string>
</dict>
<key>LogRemoteEndpointType</key>
<string>Splunk</string>
<!-- HTTPS URL of the collector's raw endpoint on port 8088; replace the host with your own. -->
<key>LogRemoteEndpointURL</key>
<string>https://splunk.company.com:8088/services/collector/raw</string>
<!-- One unified log predicate: entries from the com.apple.AccountPolicy subsystem. -->
<key>UnifiedLogPredicates</key>
<array>
<string>(subsystem == "com.apple.AccountPolicy")</string>
</array>
</dict>
</dict>
</array>
</dict>
</dict>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>Custom</string>
<key>PayloadEnabled</key>
<true/>
<!-- Inner payload identity. The same identifier and UUID values appear in the Sumo Logic example
     on this page; generate fresh values (for example with uuidgen) for every payload you deploy. -->
<key>PayloadIdentifier</key>
<string>ACE8C1E0-2CA9-47F9-95EA-092964CAB3EE</string>
<key>PayloadOrganization</key>
<string>Jamf inc</string>
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadUUID</key>
<string>ACE8C1E0-2CA9-47F9-95EA-092964CAB3EE</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>Splunk HEC Compliance Reporter Preferences</string>
<key>PayloadEnabled</key>
<true/>
<!-- Profile identity. macOS treats a profile with an already installed PayloadIdentifier as a
     replacement, and the Sumo Logic example on this page reuses these exact values, so generate
     new ones per profile. -->
<key>PayloadIdentifier</key>
<string>8ECC25AC-0DAB-40D1-8E9F-2A7275315FDA</string>
<key>PayloadOrganization</key>
<string>Jamf inc</string>
<!-- Asks macOS to refuse manual removal of the profile, which keeps users from switching off
     the logging configuration by deleting it. -->
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>8ECC25AC-0DAB-40D1-8E9F-2A7275315FDA</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Perfil de configuración de HTTP REST de Sumo Logic
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- Configuration profile that delivers Compliance Reporter settings as forced managed preferences
     for the com.jamf.compliancereporter domain and forwards events to a Sumo Logic HTTP source
     using the REST endpoint type. Structure: outer Configuration payload (System scope) wrapping
     one com.apple.ManagedClient.preferences payload. -->
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>com.jamf.compliancereporter</key>
<dict>
<key>Forced</key>
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>AuditLevel</key>
<integer>1</integer>
<key>AuditEventLogVerboseMessages</key>
<false/>
<!-- NOTE(review): this profile forwards to Sumo Logic, yet three of the four excluded executables
     are Splunk binaries. Each exclusion is a blind spot; remove the entries that do not apply to
     your fleet. -->
<key>AuditEventExcludedProcesses</key>
<array>
<string>/Applications/splunk/bin/splunk</string>
<string>/Applications/splunk/bin/splunkd</string>
<string>/Applications/splunk/bin/splunk-optimize</string>
<string>/usr/sbin/mDNSResponder</string>
</array>
<key>FileEventExclusionPaths</key>
<array>
<string>/private/etc/cups/.*</string>
</array>
<!-- Watched locations: PAM modules, LaunchDaemons, LaunchAgents, startup items, kernel extensions,
     /private/etc and /private/var. The last pattern is very broad (logs, caches, temporary data),
     so expect a high event volume and tune it if the collector is overwhelmed. -->
<key>FileEventInclusionPaths</key>
<array>
<string>/usr/lib/pam/.*</string>
<string>/Library/LaunchDaemons/.*</string>
<string>/Library/LaunchAgents/.*</string>
<string>/Library/StartupItems/.*</string>
<string>/Library/Extensions/.*</string>
<string>/private/etc/.*</string>
<string>/private/var/.*</string>
</array>
<!-- NOTE(review): the array holds a single empty string rather than being empty. How an empty
     predicate is handled is not shown here; supply a real predicate or confirm this is harmless. -->
<key>UnifiedLogPredicates</key>
<array>
<string></string>
</array>
<!-- Remote endpoint logging master switch -->
<key>LogRemoteEndpointEnabled</key>
<true/>
<!-- The URL ends in a long opaque path segment (truncated with "..." in this sample).
     NOTE(review): that segment looks like the collector's embedded token, in which case the URL
     itself is a credential. Keep the filled-in profile out of shared repositories and tickets. -->
<key>LogRemoteEndpointURL</key>
<string>https://endpoint4.collection.us2.sumologic.com/receiver/v1/http/ZaVnC4dhaV2OEAFVGi2WoEGbB048Hi63VjN_DJVhV...</string>
<key>LogRemoteEndpointType</key>
<string>REST</string>
<!-- NOTE(review): PublicKeyHash is empty here. The key name suggests a server public key pin;
     confirm what the product does when no value is supplied. -->
<key>LogRemoteEndpointREST</key>
<dict>
<key>PublicKeyHash</key>
<string></string>
</dict>
<!-- License fields are placeholders; the key is truncated ("6466...").
     NOTE(review): the date placeholder here is mm/dd/yyyy while the Splunk example on this page
     shows dd/mm/yyyy. Confirm the expected format before filling it in. -->
<key>LicenseEmail</key>
<string>example@mycompany.com</string>
<key>LicenseExpirationDate</key>
<string>mm/dd/yyyy</string>
<key>LicenseKey</key>
<string>6466...</string>
<key>LicenseType</key>
<string>Trial</string>
<key>LicenseVersion</key>
<string>1</string>
<key>LogFileMaxNumberBackups</key>
<integer>10</integer>
<!-- NOTE(review): given as a string here but as an integer in the PLIST example on this page.
     Confirm which type the product expects. -->
<key>LogFileMaxSizeMegaBytes</key>
<string>100</string>
<key>LogFileOwnership</key>
<string>root:wheel</string>
<!-- Mode 644 makes the local log readable by every account on the Mac. The PLIST example on this
     page uses 640; prefer the tighter mode unless a non-root reader genuinely needs the file. -->
<key>LogFilePermission</key>
<string>644</string>
</dict>
</dict>
</array>
</dict>
</dict>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>Custom</string>
<key>PayloadEnabled</key>
<true/>
<!-- Inner payload identity. The same identifier and UUID values appear in the Splunk example on
     this page; generate fresh values (for example with uuidgen) for every payload you deploy. -->
<key>PayloadIdentifier</key>
<string>ACE8C1E0-2CA9-47F9-95EA-092964CAB3EE</string>
<key>PayloadOrganization</key>
<string>Jamf inc</string>
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadUUID</key>
<string>ACE8C1E0-2CA9-47F9-95EA-092964CAB3EE</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>Example Compliance Reporter Preferences</string>
<key>PayloadEnabled</key>
<true/>
<!-- Profile identity. macOS treats a profile with an already installed PayloadIdentifier as a
     replacement, and the Splunk example on this page uses these exact values, so generate new
     ones per profile. -->
<key>PayloadIdentifier</key>
<string>8ECC25AC-0DAB-40D1-8E9F-2A7275315FDA</string>
<key>PayloadOrganization</key>
<string>Jamf inc</string>
<!-- Asks macOS to refuse manual removal of the profile, which keeps users from switching off
     the logging configuration by deleting it. -->
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>8ECC25AC-0DAB-40D1-8E9F-2A7275315FDA</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Perfil de configuración «Control de políticas de preferencias de privacidad»
Compliance Reporter no requiere una carga útil «Control de políticas de preferencias de privacidad» configurada para la mayor parte de la monitorización de archivos, pero sí para Host Intrusion Detection (HID).
Si quieres más información, consulta Host Intrusion Detection en la documentación de Compliance Reporter.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- Privacy Preferences Policy Control (PPPC) profile: a com.apple.TCC.configuration-profile-policy
     payload that pre-approves two file access services for the bundle ID com.jamf.reporter.
     Per the page text it is needed for Host Intrusion Detection, not for most file monitoring,
     so deploy it only where that feature is used. -->
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>JamfComplianceReporter-PPPC</string>
<key>PayloadDisplayName</key>
<string>JamfComplianceReporter-PPPC</string>
<!-- NOTE(review): this inner payload uses the same PayloadIdentifier and PayloadUUID as the
     enclosing profile at the bottom of the file. Give the payload and the profile distinct values
     (for example from uuidgen) when adapting this example. -->
<key>PayloadIdentifier</key>
<string>com.jamf.compliance-reporter.pppc</string>
<key>PayloadOrganization</key>
<string>Jamf Compliance Reporter</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>3b7f1c8e-a301-4784-bb79-1fa85d02899f</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>
<dict>
<!-- SystemPolicyAllFiles is the broadest file grant (what System Settings shows as Full Disk
     Access): the named app may read all protected files. -->
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Allowed</key>
<true/>
<!-- The code requirement binds the grant to code whose signing identifier is com.jamf.reporter
     and whose leaf certificate subject OU is 483DWKW443, so a differently signed binary that
     reuses the bundle ID does not inherit the access. Keep the string verbatim; it can be compared
     with the output of: codesign -dr - <path to the installed app> -->
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.jamf.reporter" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443")</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.jamf.reporter</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
</array>
<!-- SystemPolicySysAdminFiles covers files used in system administration. The entry repeats the
     same identifier and code requirement as the SystemPolicyAllFiles entry above. -->
<key>SystemPolicySysAdminFiles</key>
<array>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.jamf.reporter" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443")</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.jamf.reporter</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
</array>
</dict>
</dict>
</array>
<!-- Outer profile metadata: a System scope Configuration profile. -->
<key>PayloadDescription</key>
<string>JamfComplianceReporter-PPPC</string>
<key>PayloadDisplayName</key>
<string>JamfComplianceReporter-PPPC</string>
<key>PayloadIdentifier</key>
<string>com.jamf.compliance-reporter.pppc</string>
<key>PayloadOrganization</key>
<string>Jamf Compliance Reporter</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>3b7f1c8e-a301-4784-bb79-1fa85d02899f</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>