Skip to main content
Jamf Nation, hosted by Jamf, is a knowledgeable community of Apple-focused admins and Jamf users. If you like what you see, join us in person at the ninth annual Jamf Nation User Conference (JNUC) this October for three days of learning, laughter and IT love.

Add new NSExtension Management Payload for macOS 10.13 and later

https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf

NSExtension Management
The NSExtension payload is designated by specifying com.apple.NSExtension as the PayloadType.

This payload specifies which NSExtensions are allowed or disallowed on a system. Extensions can be managed by bundleID in whitelists and blacklists or by a blacklist of extension points.

It is supported on macOS 10.13 and later.

In addition to the settings common to all payloads, this payload defines these keys:
Key: AllowedExtensions
Type: Array
Value: Optional. Array of extension identifiers for extensions that are allowed to run on the system.

Key: DeniedExtensions
Type: Array
Value: Optional. Array of extension identifiers for extensions that are not allowed to run on the system.

Key: DeniedExtensionPoints
Type: Array
Value: Optional. Array of NSExtension extension points for extensions that are not allowed to run on the system.

If an array element within DeniedExtensionPoints is ”AllPublicExtensionPoints”, DeniedExtensionPoints will be filled with a list of extension points that the client considers to be ”public”. These are the extension points referenced in developer documentation and supported by the Xcode programming environment.

Expansion of ”AllPublicExtensionPoints” happens at evaluation time. The list of extension points may change from release to release.

This feature is intended as a way to specify ”Start with no extensions belonging to any public extension points enabled but then allow only extensions A, B, C to run”. Specifying ”AllPublicExtensionPoints” will disallow both Apple and third-party extensions within the ”public” extension points but will still allow extensions belonging to system-critical extension points to execute.

Comment

Posted: by bpavlov

One thing to note:
The ShareKit Payload specifies which ShareKit plugin can be accessed on client. Both allow and disallow lists can be specified.
This payload is deprecated as of macOS 10.12. For clients running macOS 10.13 or later, use the NSExtension Payload instead. If a profile contains both a NSExtension Payload and a ShareKit Payload, the ShareKit Payload will be ignored.

Like