Re-send restrictions configuration profile to hosts after macOS update #25578

Open
ddribeiro opened this issue Jan 17, 2025 · 4 comments
Labels
~csa Issue was created by or deemed important by the Customer Solutions Architect. customer-eponym ~feature fest Will be reviewed at next Feature Fest

Comments

@ddribeiro
Member

ddribeiro commented Jan 17, 2025

  • @ddribeiro: customer-eponym wants to maintain one restrictions configuration profile in Fleet. Different versions of macOS have different restrictions that the IT admin is able to use. Apple adds new restrictions in minor releases.
    • @allenhouchins: For example, macOS 15.2 supports some new AI restrictions. New restrictions are coming out in later macOS versions. The user might want to add these restrictions before the new macOS version is released.
    • @noahtalerman: In the interim the user can create a configuration profile for each macOS version. Here's what customer-eponym is doing:

macOS 15.0

allowGenmoji
allowImagePlayground
allowWritingTools
allowiPhoneMirroring

15.1

allowMailSummary
forceBypassScreenCaptureAlert

15.2

allowExternalIntelligenceIntegrationsSignIn
allowExternalIntelligenceIntegrations

15.3

allowedExternalIntelligenceWorkspaceIDs
allowNotesTranscriptionSummary

  • @nonpunctual: Other MDM solutions re-send all profiles on macOS update.
    • @allenhouchins: I don't think this is true. See article here. Redelivering some profiles has side-effects that MDM solutions want to avoid. For example, signing the end user out of email or Wi-Fi.
    • @ddribeiro: Eventually Fleet could let the admin specify that a profile should be re-sent in the Fleet UI. This would prevent Fleet from re-sending profiles that might be fragile (like network settings or certificates) but allow the admin to specify that a Restrictions profile should be re-sent, for example.
    • @noahtalerman: Eventually Fleet could resend the restrictions configuration profile by default on macOS update.
      • @noahtalerman: If we take this approach, let's make sure to test what happens when the profile delivery fails on macOS update. Are the old restrictions still applied?

@ddribeiro ddribeiro added :product Product Design department (shows up on 🦢 Drafting board) customer-eponym ~csa Issue was created by or deemed important by the Customer Solutions Architect. labels Jan 17, 2025
@JoStableford
Contributor

@ddribeiro
Member Author

Rather than re-sending ALL configuration profiles after a host performs an OS update, it might make more sense to let the admin specify that a profile should be re-sent in the Fleet UI. This would prevent Fleet from re-sending profiles that might be fragile (like network settings or certificates) but allow the admin to specify that a Restrictions profile should be re-sent, for example.

@nonpunctual
Contributor

@noahtalerman @marko-lisica FYI good article on this topic: https://derflounder.wordpress.com/2024/12/18/management-profile-settings-and-os-upgrade-implications/

@noahtalerman noahtalerman changed the title Re-send configuration profiles to hosts after a macOS update Re-send restrictions configuration profile to hosts after macOS update Jan 27, 2025
@noahtalerman
Member

Gong snippet: N/A, calls for customer-eponym are not recorded.

Problem

By default, Apple devices do not re-evaluate configuration profiles after they are delivered by an MDM.

As Apple adds more features to its OSes, they often include ways to manage those features with MDM. Using the current release, macOS 15 Sequoia, as an example, the com.apple.applicationaccess payload has had the following keys added with each minor release:

15.0

allowGenmoji
allowImagePlayground
allowWritingTools
allowiPhoneMirroring

15.1

allowMailSummary
forceBypassScreenCaptureAlert

15.2

allowExternalIntelligenceIntegrationsSignIn
allowExternalIntelligenceIntegrations

15.3

allowedExternalIntelligenceWorkspaceIDs
allowNotesTranscriptionSummary

As new keys are added, an admin would update existing configuration profiles to include them. If a configuration profile is delivered to a host whose OS version doesn't support them yet, those keys are safely ignored. However, when that host updates to the version that does support those keys, they are still ignored because the profile only gets evaluated when it is delivered to the host. The profile would need to be redelivered to the host in order for it to respect the values for newly supported keys in the profile.

What have you tried?

Currently, customer-eponym is uploading multiple versions of the same profile and using dynamic labels to remove/add profiles from hosts as their OS version changes. This effectively causes Fleet to re-send the profile after an OS update so the host can re-evaluate the keys in the profile.

This is not ideal because it becomes very difficult to manage multiple versions of the same profile, especially as features get continuously added.

Potential solutions

Fleet should re-send configuration profiles to devices after an OS update occurs. This would cause the host to re-evaluate the profile and respect any keys contained in the profile that the new OS version supports.

It would also eliminate the need to maintain multiple per-OS-version copies of the same profile and manage them with labels.

What is the expected workflow as a result of your proposal?

As a result of this proposal, customer-eponym would maintain one "Restrictions" configuration profile and add keys to it as they become available. They would deploy that profile to all hosts on their team, whether or not those hosts are running a version of macOS that supports those keys.

When a host performs a software update, Fleet would re-send that profile to the host, and the host would re-evaluate it. This would ensure the host is respecting all the values specified in the profile and remains in compliance with the organization's policies.
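An added example, not Fleet's code or anything from this issue, of the compliance gap described above: given one restrictions profile, the macOS version the host ran when the profile was delivered, and its current version, list the keys the host now supports but is still ignoring because the profile has not been redelivered. The key-to-version table is transcribed from the lists in this issue (an assumption, not taken from Apple's documentation), and the profile is a constructed sample with placeholder identifiers.

```python
import plistlib

# Minimum macOS 15.x release that understands each com.apple.applicationaccess key.
# Assumption: transcribed from the lists in this issue, not from Apple's documentation.
KEY_MIN_VERSION = {
    "allowGenmoji": "15.0",
    "allowImagePlayground": "15.0",
    "allowWritingTools": "15.0",
    "allowiPhoneMirroring": "15.0",
    "allowMailSummary": "15.1",
    "forceBypassScreenCaptureAlert": "15.1",
    "allowExternalIntelligenceIntegrationsSignIn": "15.2",
    "allowExternalIntelligenceIntegrations": "15.2",
    "allowedExternalIntelligenceWorkspaceIDs": "15.3",
    "allowNotesTranscriptionSummary": "15.3",
}

def version_tuple(v):
    """'15.2' -> (15, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def restriction_keys(profile_bytes):
    """Restriction keys from every com.apple.applicationaccess payload in a mobileconfig plist."""
    profile = plistlib.loads(profile_bytes)
    keys = set()
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            keys |= {k for k in payload if not k.startswith("Payload")}
    return keys

def stale_keys(profile_bytes, delivered_on, current_os):
    """Keys unsupported at delivery time but supported now; non-empty means redeliver the profile."""
    delivered, current = version_tuple(delivered_on), version_tuple(current_os)
    stale = set()
    for key in restriction_keys(profile_bytes):
        min_v = KEY_MIN_VERSION.get(key)
        if min_v is not None and delivered < version_tuple(min_v) <= current:
            stale.add(key)
    return sorted(stale)

# Constructed sample profile; identifiers are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.restrictions",
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": "com.example.restrictions.applicationaccess",
        "allowGenmoji": False,
        "allowMailSummary": False,
        "allowExternalIntelligenceIntegrations": False,
        "allowNotesTranscriptionSummary": False,
    }],
})
```

Running `stale_keys(SAMPLE_PROFILE, "15.0", "15.2")` reports the two 15.1/15.2 keys as silently unenforced; the 15.3 key stays out of the list until the host reaches 15.3.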

@noahtalerman noahtalerman added ~feature fest Will be reviewed at next Feature Fest and removed :product Product Design department (shows up on 🦢 Drafting board) labels Jan 27, 2025