How to configure service configuration files

Andrea Pepper|May 1, 2024

If you haven't noticed already, Apple's new Declarative Device Management model for the Apple MDM Protocol is gaining traction everywhere, and SimpleMDM is no exception.

SimpleMDM now has a DDM-enabled configuration profile called a service configuration profile. This configuration profile allows the admin to push essential system settings and prebuilt service configurations across multiple devices fast — or in the words of our parent company, Pretty Damn Quick.

MacAdmins configure a service configuration profile by uploading a zip archive to SimpleMDM. The archive's directory structure must match that of the preference files it is meant to configure.

After installation, the files are placed in a tamper-proof location to ensure a secure and consistent user experience.

Declarative Device Management involves the server declaring the device's "desired state" and the device attempting to enforce that state and report back its status. This minimizes the back-and-forth between server and device, leaning more towards a simple declaration from the server and the device executing to fit that declaration.

What are service configuration files?

Service configuration files enable administrators to configure system service settings, ensuring device consistency and robust security compliance across all macOS devices.

This configuration profile enables macOS admins to configure and manage the settings of system services like these:

  • sshd: configured as com.apple.sshd

  • sudo: configured as com.apple.sudo

  • PAM: configured as com.apple.pam

  • CUPS: configured as com.apple.cups

  • Apache httpd: configured as com.apple.apache.httpd

  • zsh (/private/etc/zprofile): configured as com.apple.zsh

  • bash (/private/etc/profile): configured as com.apple.bash

  • And other supported services.

These built-in services are modified to look for the managed service configuration files, which will take precedence over the built-in settings.

The ServicesConfigurationFiles declaration consists of two main properties:

- DataAssetReference: The identifier of an asset declaration containing a reference to the files for system service configuration (zip archive of an entire directory).

- ServiceType: The system service identifier with managed configuration files. Use a reverse DNS style for this identifier.

What does a service configuration profile do?

The service configuration profile allows admins to replace the file directory for any service with their own managed directory if they have the service identifier and a properly structured zip file.

The service configuration file should be a zip archive with the directory. The provided zip archive should include one or more files or subdirectories and be organized to precisely match the layout of the original directory it's intended to replace.

According to our brilliant users on the SimpleMDM MacAdmin Slack Channel, this is the location (path) where you can expect to find deployed service configuration files:

/private/var/db/ManagedConfigurationFiles/{{com.apple.whatever}}


Technical requirements

To successfully deploy a DDM-enabled service configuration file, you must meet these conditions:

DDM note: Once a declaration is installed, it is displayed differently from the profiles on the device. Instead of appearing as a separate profile under System Settings, it appears under the top-level MDM profile details.

Deployment considerations

Here are a few more things to consider before you deploy a service configuration file:

  • SimpleMDM does not perform accuracy checks against the identifier or the zip file format; it's up to the admin to confirm that both are correct before deployment.

  • If the identifier or zip is not appropriately set, the declaration will still visibly install but will not function.

  • Admins will need a separate declaration for each system service they wish to configure. Although these must be created one at a time, admins can make as many as they need.

  • The admin can upload any custom service using the "other" option in SimpleMDM, allowing them to customize nearly any service that supports service configurations.

When creating a custom service type, use the "com.apple." prefix for built-in services. Please note that using identifiers of reserved native system services (like com.apple.dock) will cause devices to return an error, resulting in a failed declaration installation.
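Because a mis-set identifier or archive installs cleanly but does nothing, the quickest confirmation is to compare what you staged against what actually landed in the path the Slack channel reported. The check below is an added example, not SimpleMDM's or Apple's code; it assumes the archive's entries appear directly under /private/var/db/ManagedConfigurationFiles/<ServiceType>/, and the `root` parameter exists only so the function can be exercised against a constructed scratch tree instead of a real Mac.

```python
import filecmp
import os
import tempfile

# Relative so it can hang off "/" on a real Mac or off a scratch root for testing.
MANAGED_ROOT = "private/var/db/ManagedConfigurationFiles"


def _relative_files(base):
    """Relative paths of every regular file below base."""
    found = set()
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            found.add(os.path.relpath(os.path.join(dirpath, name), base))
    return found


def verify_deployment(identifier, staging, root="/"):
    """Compare the staging directory with ManagedConfigurationFiles/<identifier>/ on the device."""
    deployed = os.path.join(root, MANAGED_ROOT, identifier)
    expected = _relative_files(staging)
    if not os.path.isdir(deployed):  # declaration installed but nothing was written
        return {"missing": sorted(expected), "extra": [], "changed": [], "deployed_dir": deployed}
    actual = _relative_files(deployed)
    # Byte-for-byte comparison catches files that were edited on the device after deployment.
    changed = [p for p in sorted(expected & actual)
               if not filecmp.cmp(os.path.join(staging, p), os.path.join(deployed, p), shallow=False)]
    return {"missing": sorted(expected - actual), "extra": sorted(actual - expected),
            "changed": changed, "deployed_dir": deployed}


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scratch tree standing in for a Mac: one file drifted, one never arrived."""
    root = tempfile.mkdtemp()
    staging = os.path.join(root, "staging-cups")
    _write(os.path.join(staging, "cupsd.conf"), "LogLevel warn\n")
    _write(os.path.join(staging, "ppd", "office.ppd"), "*PPD-Adobe: \"4.3\"\n")
    deployed = os.path.join(root, MANAGED_ROOT, "com.apple.cups")
    _write(os.path.join(deployed, "cupsd.conf"), "LogLevel debug\n")  # edited after deployment
    _write(os.path.join(deployed, "stray.conf"), "")                  # never in the archive
    return verify_deployment("com.apple.cups", staging, root=root)


if __name__ == "__main__":
    print(demo())
```

On a device, call `verify_deployment("com.apple.cups", "/path/to/staging")` with the default root; an empty `missing`, `extra` and `changed` means the archive was applied as staged.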

Why do service configuration files matter?

These service configuration files make it easy to set up necessary (and complicated!) system settings that have historically been very time-consuming to configure manually.

Before DDM, there wasn't a standardized approach for configuring system services on devices in enterprise environments.

While these services are often critical for developers and other technical end users, the configuration was typically left up to the end user due to resource constraints around provisioning.

Other approaches often involved makeshift scripts, which were prone to breaking from one update to another and may not have prevented tampering.

Raise your hand if you've ever been personally victimized by the receiving end of a ticket queue with user error configurations gone awry. 👀🙌

Here are just a few ways service configuration files make your MacAdmin life easier:

  • Customization: With the "other" custom service option, admins can configure many system services, which gives them a huge advantage in controlling their device fleet.

  • Consistency: Service config files enable admins to make changes across their entire device fleet, ensuring consistent configuration for simplified management and support.

  • Compliance: You get increased compliance by deploying a baseline configuration and security by pushing settings resistant to end-user tampering.

And the PDQ Special:

  • Time-saving automation: Service config files can save admin time when custom settings for third-party services must be deployed on every endpoint.

When to use service configuration files

Technically, the possibilities for configuring service files are almost endless. Consider any preferences you'd like to automate for your end users and go to town!

Not sure where to start? Here are a few examples:

com.apple.sshd (SSHD): An admin might enable or disable the SSH service, modify its listening address, listening port, and authentication methods, or specify which users can remotely access the machine via SSH.

SSHD (Secure Shell Daemon) is the server-side program that listens for and accepts secure shell network connections from clients, providing encrypted, remote command-line login and command execution. TL;DR: It's what makes secure remote access possible in a Unix-like system, including macOS.

com.apple.sudo (SUDO): An admin may want to give specific users elevated privileges without sharing the root password. They may modify the sudoers file to specify these users and what commands they can execute using sudo.

SUDO (SuperUser DO) is a command-line utility that allows a permitted user to execute a command as the superuser or another user, as specified by the system's security policy. It's typically used to run commands that require administrative or root permissions.

com.apple.pam (PAM): PAM provides dynamic authentication support for applications. An admin may configure PAM to implement advanced authentication protocols, like two-factor authentication or biometric access controls.

PAM (Pluggable Authentication Modules) is a mechanism for authenticating users. It allows system administrators to set specific authentication policies without having to rewrite programs that handle authentication. TL;DR: It's a dynamic way to set authentication rules for different applications.

com.apple.cups (CUPS): CUPS is the service you use to configure printer settings. An admin might define which printer devices can be used, set the default printer, assign user access controls to printers, or configure printer pooling.

CUPS (Common Unix Printing System) is a modular printing system that allows an endpoint to act as a print server. TL;DR: The system lets your computer communicate with a printer and organize print jobs.

com.apple.apache.httpd (Apache httpd): Within the Apache HTTP Server software, an admin might modify settings like ServerAdmin (the email that the server includes in errors sent to the client), DocumentRoot (the directory out of which you will serve your documents), permissions for directories, and more.

Apache httpd (HTTP Daemon) is an open-source web server software developed and maintained by the Apache Software Foundation. It serves and receives HTTP requests, making websites accessible over the internet. TL;DR: The software turns your device into a working web server.

com.apple.bash (Bash): Bash (Bourne Again SHell) acts as a command interpreter. By configuring global bashrc or bash_profile files, an admin may define system-wide functions, aliases, or environment variables.

Bash (Bourne Again SHell), configured through /private/etc/profile, is the legacy command-line shell on macOS: Apple switched the default shell from Bash to Zsh (Z Shell) for new users in macOS Catalina (10.15). The text interface lets users control their computer using commands typed into the Terminal utility. Bash is still available, but Zsh is the standard shell for new accounts on macOS.

The /private/etc/profile is a system-wide configuration file executed by Bash for all users when a shell session is started. It sets environment variables and defaults.

com.apple.zsh (Zsh): Zsh is another shell, similar to Bash, but with additional features. An admin might define system-wide plugins, themes, or aliases by configuring the global zshrc file.

Zsh (Z Shell), configured through /private/etc/zprofile, is a Unix shell used as an interactive login shell and as a command interpreter for shell scripting.


How to configure service configuration files in SimpleMDM

We're not in the pre-DDM Stone Age anymore; there's no need to manually configure every system setting and third-party app configuration over and over.

Check out the SMDM official knowledge base article on configuring service configuration files.

To deploy a service configuration to a device, follow these steps:

1. Ensure target Macs run macOS 14+ with DDM enabled.

2. Navigate to Configs > Profiles and click Create Profile.

3. Select Service Configuration File from the list.

4. In the Service dropdown, select one of the predefined services or choose Other to specify a different service. When selecting Other, you must enter the service identifier in reverse DNS format, for example com.apple.sshd.

5. Upload the service configuration file. This should be a zip archive of a directory — it can contain one or several files and should mirror the layout of the directory it replaces.

Did we lose you on that last step? Let's break it down:

Zip archive: A zip archive is a compressed file, or collection of files, packaged into a single file for easier storage, transfer, and organization. The zip archive can contain one or many files and subdirectories.

Directory: A directory (or folder) is a file system structure that organizes and stores files and other directories.

Identifying the directory for the zip archive: Let's take the example of the file path /private/etc/cups:

/private is the primary or parent directory at the root level (notated by '/') of the file system.

/etc is a subdirectory of '/private'.

/cups is a subdirectory of '/etc'.

Mirror the layout: The zip archive's structure should mirror the layout of the original directory it is replacing. This means that the zip archive's organization and hierarchy of files and subdirectories should match exactly with those in the original directory.

6. Click Save when you are done and assign the configuration to your devices.

7. Once assigned and installed on a device, you can check System Settings > Profiles > MDM Profile > Device Declarations > Profile Name on devices to verify the configuration was applied.
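Since SimpleMDM performs no accuracy checks on the archive, it helps to lint the zip before step 5 for the mistakes that most often produce a declaration that installs but does nothing. This is an added example, not SimpleMDM's or Apple's code; it assumes the archive entries are the contents of the replaced directory (cupsd.conf at the archive root when replacing /private/etc/cups), stored as relative forward-slash paths without the metadata Finder's Compress command adds, and that the deployed location is the ManagedConfigurationFiles path quoted earlier.

```python
import io
import posixpath
import zipfile

MANAGED_ROOT = "/private/var/db/ManagedConfigurationFiles"  # deploy location reported in the article


def build_archive(files):
    """Zip a mapping of relative path -> bytes into an in-memory archive (no Finder metadata)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in sorted(files.items()):
            zf.writestr(path, content)
    return buf.getvalue()


def lint_archive(data):
    """Return layout problems that would make the declaration install but not function."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    if not names:
        problems.append("archive is empty")
    for name in names:
        base = posixpath.basename(name.rstrip("/"))
        if name.startswith(("/", "\\")) or "\\" in name:
            problems.append(f"absolute or backslash path: {name}")
        if ".." in name.split("/"):
            problems.append(f"path traversal component: {name}")
        if name.startswith("__MACOSX/") or base == ".DS_Store" or base.startswith("._"):
            problems.append(f"Finder/resource-fork metadata: {name}")
        if name.startswith(("private/", "etc/")):  # assumption: entries are the directory's contents
            problems.append(f"entry repeats the original absolute prefix: {name}")
    return problems


def deployed_path(identifier, entry):
    """Where the article says an archive entry ends up once the declaration is applied."""
    return posixpath.join(MANAGED_ROOT, identifier, entry)


if __name__ == "__main__":
    # Constructed CUPS sample: cupsd.conf at the archive root, mirroring /private/etc/cups.
    archive = build_archive({"cupsd.conf": b"LogLevel warn\n",
                             "ppd/office.ppd": b"*PPD-Adobe: \"4.3\"\n"})
    print("problems:", lint_archive(archive) or "none")
    print(deployed_path("com.apple.cups", "cupsd.conf"))
```

To lint an archive you built with another tool, pass `open("cups.zip", "rb").read()` to `lint_archive` instead of building one in memory.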

Examples

CUPS example: 


Apache example:  


Custom/Other example:  



Service configuration files FAQ

What is a SuperUser?

A SuperUser, also known as "root," is a user account with full access to all commands and files on a system. Root is the default superuser on Unix-like systems such as macOS and has the power to do anything on the system.

What is a public library in programming?

A public library is a collection of prewritten code, routines, or functions that provide specific functionalities and can be reused by different software applications.

What is a command line interpreter? 

A command line interpreter (CLI), often called a command line shell, provides a command-line interface for end users to interact with an operating system or execute commands and scripts. It reads and executes commands entered by the user in a text-based format.

CLI examples:

  • Bash (Bourne Again SHell): available on most Linux and macOS systems.

  • Zsh (Z Shell): has advanced features and customization options. It is commonly used on macOS and is also available for Linux.

  • cmd.exe: the default command line interpreter for Windows operating systems.

  • PowerShell: Microsoft developed this more advanced command-line shell and scripting language for Windows, macOS, and Linux.


Ready to take your device management to new heights? 🚀 Start your 30-day free trial with SimpleMDM today and experience the power of configuration service file deployment firsthand!

Andrea Pepper

Andrea Pepper is an Apple SME MacAdmin with a problematic lack of impulse control around a software update prompt. When not poking at machines, Pepper enjoys being a silly goose in sunny Colorado with her two gigantic fluffer pups.
