macOS: Checking configuration profiles from the CLI / Terminal

I looked into how to check configuration profiles on macOS from the CLI / Terminal.

The profiles command

It seems the profiles list command is the one to use. I was able to get a list of UUIDs.

$ sudo profiles list -all
_computerlevel[1] attribute: profileIdentifier: 7652B8FE-93F6-427E-A132-4F0032BC2E25
_computerlevel[2] attribute: profileIdentifier: CE05F367-D6B1-44F5-BE4E-75092CC92CCF
_computerlevel[3] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003
_computerlevel[4] attribute: profileIdentifier: b6410f7f-7e37-48aa-b4ba-3b0532670ded
hito[5] attribute: profileIdentifier: F6FDEB75-31CB-48E1-849A-4A63DB0E310C
_computerlevel[6] attribute: profileIdentifier: 9BB724A3-3C4C-4678-B94A-7BD131E3533C
_computerlevel[7] attribute: profileIdentifier: 95307970-9F31-49A3-929E-38DD7FFE6798
_computerlevel[8] attribute: profileIdentifier: 4832ABA3-49D0-41EE-A154-740AABB187CB
_computerlevel[9] attribute: profileIdentifier: B6CA5188-4CE3-4E0E-A7FD-926D691F6ECA
_computerlevel[10] attribute: profileIdentifier: 5FEA911C-C63C-4568-A567-9D3AFF96FA84
_computerlevel[11] attribute: profileIdentifier: AD23B302-7FA9-40A8-ABEE-6BE1E75B7252
_computerlevel[12] attribute: profileIdentifier: BB3C1710-A7FB-4465-9433-B05AF0F62F98
_computerlevel[13] attribute: profileIdentifier: 2E9C4A81-5839-4DFA-A03F-3CF389DE927F
_computerlevel[14] attribute: profileIdentifier: C70479F3-F6FB-4839-8347-C1C8C10F5648
_computerlevel[15] attribute: profileIdentifier: B04EAFC1-48DA-461D-9DA2-4A2593BEFB5C
_computerlevel[16] attribute: profileIdentifier: com.jamf.notifications.settings
_computerlevel[17] attribute: profileIdentifier: 4a90db4f-aa61-4909-8f45-d72e204733f9
_computerlevel[18] attribute: profileIdentifier: com.jamfsoftware.tcc.management
There are 18 configuration profiles installed

Running profiles show gives the details of each configuration profile. The one below is a configuration profile distributed with Jamf.

$ sudo profiles show 

...

_computerlevel[2] attribute: name: Falcon Notifactions
_computerlevel[2] attribute: installationDate: 2022-10-07 02:24:49 +0000
_computerlevel[2] attribute: organization: ***
_computerlevel[2] attribute: profileIdentifier: BB3C1710-A7FB-4465-9433-B05AF0F62F98
_computerlevel[2] attribute: profileUUID: BB3C1710-A7FB-4465-9433-B05AF0F62F98
_computerlevel[2] attribute: profileType: Configuration
_computerlevel[2] attribute: removalDisallowed: TRUE
_computerlevel[2] attribute: version: 1
_computerlevel[2] attribute: containsComputerItems: TRUE
_computerlevel[2] attribute: installedByMDM: TRUE
_computerlevel[2] attribute: internaldata: TRUE
_computerlevel[2] payload count = 1
_computerlevel[2]            payload[1] name            = Notifications Payload
_computerlevel[2]            payload[1] description     = (null)
_computerlevel[2]            payload[1] type            = com.apple.notificationsettings
_computerlevel[2]            payload[1] organization        = JAMF Software
_computerlevel[2]            payload[1] identifier      = C462E5FD-60CC-43D9-B91F-423C330C3513
_computerlevel[2]            payload[1] uuid            = 382A2208-A159-46EC-96F2-76FC2C00CAF3
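
Added example, not part of the original post: a small sh/awk filter that turns the `profiles show` text format shown above into one line per profile and lists the profiles that were not delivered by MDM. The function names, the second sample record (`hito[3]`, `com.example.*`) and the assumption that a manually installed profile reports `installedByMDM: FALSE` or omits the attribute are mine.

```shell
#!/bin/sh
# Added example: summarize `sudo profiles show -all` text output read from stdin.
# One tab-separated line per profile:
#   key, name, profileIdentifier, installedByMDM, removalDisallowed, payload types
summarize_profiles() {
  awk '
    function get(k) { return ((k in a) && a[k] != "") ? a[k] : "-" }
    function flush() {
      if (key == "") return
      printf("%s\t%s\t%s\t%s\t%s\t%s\n", key, get("name"), get("profileIdentifier"),
             get("installedByMDM"), get("removalDisallowed"), (types == "" ? "-" : types))
    }
    # A new "owner[index]" prefix starts a new profile record.
    $1 ~ /^[^ ]+\[[0-9]+\]$/ && $1 != key { flush(); key = $1; split("", a); types = "" }
    $2 == "attribute:" {
      k = $3; sub(/:$/, "", k)                            # "name:" -> "name"
      v = $0; sub(/^[^ ]+ +attribute: +[^ ]+: */, "", v)  # keep spaces in the value
      a[k] = v
    }
    $2 ~ /^payload\[[0-9]+\]$/ && $3 == "type" && $4 == "=" {
      types = (types == "" ? "" : types ",") $5
    }
    END { flush() }
  '
}

# Identifiers of profiles whose installedByMDM attribute is anything but TRUE.
not_from_mdm() {
  summarize_profiles | awk -F'\t' '$4 != "TRUE" { print $3 }'
}

# Constructed sample: the first record reuses lines from the output above,
# the second record is invented for illustration.
sample_show_output() {
  cat <<'EOF'
_computerlevel[2] attribute: name: Falcon Notifactions
_computerlevel[2] attribute: profileIdentifier: BB3C1710-A7FB-4465-9433-B05AF0F62F98
_computerlevel[2] attribute: removalDisallowed: TRUE
_computerlevel[2] attribute: installedByMDM: TRUE
_computerlevel[2]            payload[1] type            = com.apple.notificationsettings
hito[3] attribute: name: Example Manual Profile
hito[3] attribute: profileIdentifier: com.example.manual
hito[3] attribute: installedByMDM: FALSE
hito[3]            payload[1] type            = com.example.payload
EOF
}

# On a Mac: sudo profiles show -all | not_from_mdm
sample_show_output | not_from_mdm
```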

The man page looks like this (produced with man profiles | col -b | pbcopy). It has various subcommands, but I have not looked into them in detail.

profiles(1)           General Commands Manual             profiles(1)

NAME
     profiles - Profiles Tool for macOS.

SYNOPSIS
     profiles verb [options]

DESCRIPTION
     profiles is used to handle various profile types on macOS.   Starting with
     macOS 11.0 (profiles tool 8.0 or later), this tool cannot be
     used to install configuration profiles.  You should add your profiles
     using the System Preferences Profiles
     preference pane.    Additionally, startup profiles are no longer
     supported.

VERBS
     Each command verb is listed with its description and optional individual
     arguments.   Most commands use the -type option to determine which kind of
     profile should be used in the command.  For those commands, if no type is
     specified, the default will be to use the configuration profile type.

     help
        Shows abbreviated help

     list   -type profile_type -user user_name -output output_path
        List profiles for a user or when running as root, the device.

     show   -type profile_type -user user_name -output output_path
        Show expanded information for profiles.   For an enrollment,
        this will show the current DEP configuration, and the call may
        be rate limited to once every 23 hours.

     remove -type profile_type -user user_name -identifier identifier -uuid
        uuid -path file_path -forced -all
        Remove profiles. Attempting to remove a configuration profile
        requring a removal password without the correct password will
        fail.

     status -type profile_type
        Display status of the profiles installed on this client.   When
        displaying the enrollment type status, if the MDM enrollment was
        user approved, the status output will show "(User Approved)".

     sync   -type configuration
        For configuration profiles, synchronize current installed set of
        profiles with the local users and remove any configuration
        profiles that belong to users that no longer exist on this
        computer.

     renew  -type profile_type -identifier identifier -output output_path
        For configuration profiles, renews any certificates for the
        specified profile.  For Device Enrollment Program (DEP)
        enrollments, retry to obtain the device enrollment
        configuration, and re-enable the user notification if enrollment
        wasn't completed.

     validate   -type profile_type -path file_path
        For provisioning profiles, validate the provisioning profile
        located at the file_path.  For enrollments, re-validate the
        installed DEP server information and update any local
        information, displaying any major changes.  If this information
        is different from the current enrolled server, this will not
        unenroll the client from the current server.  This call may be
        rate limited to once every 23 hours.

     version
        Displays current tool version.

OPTIONS
     -type profile_type
         The profile_type can be one of either: "configuration",
         "provisioning", "bootstraptoken", or "enrollment" (DEP).  If a
         command requires a profile type and none is specified,
         "configuration" will be used.

     -path file_path
         A file path or "-" to represent stdout.   When used by the remove
         command for startup profiles, this should only contain the file
         name of the profile.

     -user user_name
         An OD short user name.   In most cases if no user was specified,
         then the current user will be used.   If no user option was
         specified and the process runs as root, the computer/device
         profiles will be used in the command.

     -uuid profile_uuid
         A canonical form UUID to specify a profile's PayloadUUID, such as
         5A15247B-899C-474D-B1D7-DBD82BDE5684.   Only used by the remove
         provisioning profile command.

     -identifier profile_identifier
         A profile identifier (PayloadIdentifier) to specify a profile.

     -output output_path
         The output path location.  The output_path argument must be
         specified to use this option, Use 'stdout' to send this informaton
         to the console.  File output will be written as an XML plist file,
         or you can use 'stdout-xml' to write XML to the console.  The
         toplevel key of the dictionary will contain either the user name,
         or _computerLevel for device or provisioning profile information.

     -password password
         An optional password used when removing a configuration profile
         which requires the password removal option.

     -forced
         This will prevent confirmation requests, and when trying to remove
         all configuration profles for a user, it will ignore any errors
         during removal.

     -all    For configuration profiles, when running as root, the use of this
         option with the list or show commands will display all profiles
         installed on the system.   When removing profiles, using this
         option will remove all profiles for that user (or device).

     -verbose
         Display additional information.

PROFILE TYPES
     configuration
         A configuration profile.

     provisioning
         A provisioning profile.

     enrollment
         A device enrollment program (DEP) or mobile device management (MDM)
         enrollment profile or feature.

     bootstraptoken
         Bootstrap Token options.   Requires MDM supervised client.

EXAMPLES
     profiles remove -path /profiles/testfile2.mobileconfig
          Removes the configuration profile file
          '/profiles/testfile2.mobileconfig' into the current user.

     profiles list -type provisioning
          Displays a list of installed provisioning profiles.

     profiles list -all
          When running as root, this will list all configuration profiles on
          the system.

     profiles show
          Displays extended information for installed configuration profiles
          for the current user.

     profiles status -type startup
          Displays information on whether or not startup profiles are set
          up.

     profiles remove -identifier com.example.profile1 -password pass
          Removes any installed profiles with the identifier
          com.example.profile1 in the current user and using a removal
          password of 'pass'.

     profiles show -type enrollment
          Displays the current DEP configuration information.

     profiles renew -type enrollment
          Re-enables the DEP user notification enrollment messages.

     profiles install -type bootstraptoken
          Creates or updates the Bootstrap Token APFS record and escrows the
          information to the server.

SEE ALSO
     profiles.old(1)

macOS               November 30, 2021              macOS

References

krypted.com

I wonder whether the document below is the one to read for the configuration profile payload specification.

https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf

krypted.com

www.micss.biz

Bonus

With man profiles | pbcopy, extra characters ended up in the output, which was a problem, but I solved it by following the entry below.

orebibou.com