
macOS Ventura’s Lockdown Mode, MDM & the Enterprise

File feedback with Apple to at least allow MDM to report on the status of Lockdown Mode

Background

In a recently published support article, Apple stated that Lockdown Mode provides “extreme protection that’s designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats.”

However, near the end of the article, Apple states:

Lockdown Mode is not a configurable option for Mobile Device Management by system administrators

HT212650

Currently, MDM is not allowed to control or report on the status of Lockdown Mode.

Invitation

Since Lockdown Mode is available for iOS 16, iPadOS 16 and macOS Ventura, as a Mac or Mobile Product Manager or Administrator, if being able to accurately report on and act on the security status of your devices is critical to your organization, please consider filing feedback with Apple to at least allow MDM to report on the status of Lockdown Mode.

Updates

02-Nov-2022

A Mac Admin, who prefers to remain anonymous, mentioned that the output of a certain command may prove interesting, which I have since deleted.

03-Nov-2022

After counseling with a few Mac Admins, I’ve decided to publicly post Lockdown Mode EA-0.0.1.bash.

However, while the following Extension Attribute seems to be working for us — in limited testing — my current understanding is that it’s undocumented and could break at any time.

#!/bin/bash
#############################################################################
# A script to determine the status of the macOS Ventura 13's Lockdown Mode. #
#############################################################################

result="Unknown"
export PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin/
osProductVersion=$( sw_vers -productVersion )

case "${osProductVersion}" in
    10* | 11* | 12* )
        # Lockdown Mode does not exist before macOS 13
        echo "<result>N/A; macOS ${osProductVersion}</result>"
        exit 0
        ;;
    13* )
        # Initialize array of users with Lockdown Mode enabled
        list=()

        # Users with UID greater than 500
        for username in $( dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }' ); do
            userHome=$( dscl . read /Users/"${username}" NFSHomeDirectory | awk -F ": " '{print $2}' )
            # Undocumented key; reads "1" when enabled, "0" or an error message otherwise
            lockdownModeTest=$( defaults read "${userHome}"/Library/Preferences/.GlobalPreferences.plist LDMGlobalEnabled 2>&1 )
            if [[ "${lockdownModeTest}" == "1" ]]; then
                list+=("${username}")
            fi
        done

        # Report "None" when no user has Lockdown Mode enabled
        if [[ "${#list[@]}" -eq 0 ]]; then
            list=("None")
        fi

        echo "<result>${list[*]}</result>"
        exit 0
        ;;
    * )
        # Unrecognised version string
        echo "<result>${result}</result>"
        exit 0
        ;;
esac
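As an added example (not the post's Extension Attribute), the script below extends the same check so that each user's state is reported as enabled, disabled, unset or error, which separates a user who never toggled the setting from one who turned it off or whose preferences could not be read. It assumes the same undocumented LDMGlobalEnabled key, that `defaults read` reports a missing key with text containing "does not exist", and the function names are mine.

```bash
#!/bin/bash
# Added example, not the post's Extension Attribute. Reports each local
# user's Lockdown Mode state as enabled / disabled / unset / error rather
# than only listing users whose key reads "1". It reads the same
# undocumented LDMGlobalEnabled key, so the same "could break" caveat applies.
export PATH=/usr/bin:/bin:/usr/sbin:/sbin

# classify_ldm_output RAW EXIT_STATUS -> enabled|disabled|unset|error
# RAW is the combined stdout/stderr of `defaults read <plist> LDMGlobalEnabled`.
classify_ldm_output() {
    local raw="$1" rc="$2"
    if [[ "${rc}" -eq 0 ]]; then
        case "${raw}" in
            1) echo "enabled" ;;
            0) echo "disabled" ;;   # toggled on, then off again
            *) echo "error" ;;      # not a boolean: treat as unknown
        esac
    elif [[ "${raw}" == *"does not exist"* ]]; then
        echo "unset"                # key never written: never toggled
    else
        echo "error"                # unreadable plist, permissions, etc.
    fi
}

# lockdown_state_for_home HOME_DIR -> state read from that user's global prefs
lockdown_state_for_home() {
    local plist="$1/Library/Preferences/.GlobalPreferences.plist" raw rc=0
    raw=$( defaults read "${plist}" LDMGlobalEnabled 2>&1 ) && rc=0 || rc=$?
    classify_ldm_output "${raw}" "${rc}"
}

# format_result "user=state" ... -> one Jamf-style <result> line, or None
format_result() {
    local out="" pair
    for pair in "$@"; do out="${out:+${out}; }${pair}"; done
    echo "<result>${out:-None}</result>"
}

# On a Mac, enumerate users exactly as the post's EA does (UID > 500).
if command -v dscl >/dev/null 2>&1; then
    pairs=()
    for username in $( dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }' ); do
        home=$( dscl . read /Users/"${username}" NFSHomeDirectory | awk -F ": " '{print $2}' )
        pairs+=("${username}=$( lockdown_state_for_home "${home}" )")
    done
    format_result "${pairs[@]}"
fi
```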
Posted in macOS, SecOps
