|
|
TCO-aware provisioning of information security infrastructure
|
|
profiles(1) BSD General Commands Manual profiles(1) NAME
profiles -- Profiles Tool SYNOPSIS
profiles [[-I | -R | -i] [-F file_path_to_profile]] [[-L] [-U username]] [[-r] [-p profile_id] [-u uuid] [-o output_file_path]] [-PHDdCchfvxVz] DESCRIPTION
profiles allows you to install, remove or list configuration profiles, or to install provisioning profiles. Some commands may only work with elevated privileges, or for the current user. -I Install a configuration profile for a particular user from a profile file. -i Install a provisioning profile from a profile file. -V Verify a provisioning profile from a profile file. -R Remove a configuration profile for a particular user from a profile file. -r Remove a provisioning profile given a identifier and uuid. -L List configuration profile information for a particular user, or the current user if no Username was specified. -F Specify the file path to the profile file. -U Specify the short username. Since you can only install profiles for the current user, this is only useful for validation. -H Returns whether configuration profiles are installed. -P List configuration profile information for everyone. -C List configuration profile information for the computer. -c List provisioning profile information. -p A profile identifier used to locate the configuration or provisioning profile. -u A uuid identifier used to locate the provisioning profile. The uuid must be in its canonical 36 character form. -z The profile removal password. If not specified and the profile requires a removal password, you will be prompted. -o The output file path for profile information (-L, -P, -C, -c) as a plist file. The path argument must be specified to use this option, Use 'stdout' to send this informaton to the console. File output will be written as an XML plist file. The toplevel key will contain the user name, or _computerLevel for device or provisioning profile information. -h Displays help information. -v Enables verbose mode. A 'pass' or 'fail' indicator may also be displayed based on the command return status to stdout. -x Displays tool version number. The version is in the format x.yy, where x will change if new or incompatible commands are added. The version initially starts at 2.00 -f Automatically confirm any questions, or when used with -s, will retry startup profiles at each startup until successfully installed. -D Deletes all existing configuration profiles. It will not update any existing managed preferences. (Requires root privileges) -d Deletes all existing provisioning profiles. (Requires root privileges) -s Sets profile for startup. (Requires root privileges) EXAMPLES
profiles -I -F /testfile.configprofile Installs the profile file 'testfile.mobileconfig' into current user. profiles -R -F /profiles/testfile2.configprofile Removes the profile file '/profiles/testfile2.mobileconfig' into the current user. profiles -H Returns whether or not configuration profiles are installed on the system. profiles -P Displays information on all installed configuration profiles on the system. profiles -L Displays information for installed profiles for the current user. profiles -L -o /outputfile Displays information for installed profiles for the current user and sends the output as a dictionary to /outputfile.plist. profiles -Lv Displays extended information for installed configuration profiles for the current user. profiles -D Removes all configuration profile inforamtion on the system. (see important caveat below) profiles -R -p com.example.profile1 -z pass Removes any installed profiles with the identifier com.example.profile1 in the current user and using a removal password of 'pass'. profiles -s -F /startupprofile.mobileconfig -f Sets up the profile as a startup profile to be triggered at the next system startup time. If the profile can't be installed, it will try again at next startup time. CAVEATS
Certain configuration profiles may be marked as a device profile (system) using the PayloadScope key. However, the profiles tool will ignore the PayloadScope key and install the profile based on how the profile is installed; either a user profile if installed from a user, or a device profile if installed from root (or sudo). Specific payload dictionary information is not available since it may contain sensitive information. Non-sensitive information can be viewed using the System Profiler report. Because this command line tool was not designed to ask for missing information, some profiles may fail to install properly. The only recourse is to insert the missing information before installing the configuration profile. The System Preferences application's Profiles pane is designed to handle the querying of missing information. Configuration profiles installed to the wrong user domain (user vs system) may not behave in the way you expect since the information may not be useful to that particular domain. For example, adding a Mail payload to the system domain will not do anything since Mail payloads must have a user account. Additionally, since profiles are stored by the user shortname and only stored on the local client, care should be taken to not install a profile that could be used by a same named local user. The profiles tool should only be used from the /usr/bin folder since certain operations are privileged and may fail if moved. The -D command removes all configuration profile information without regards for any services it may have set up. This may leave your system in a state that requires you to manually clean up any service (account) information the profile(s) had installed - for all users on that sys- tem. You should not use this command without considering its consequences. There is no way to undo this command. You will be prompted to confirm this command before it will execute. MacOSX March 04, 2013 MacOSX
