ProfileCreator
openhaystack
ProfileCreator | openhaystack | |
---|---|---|
30 | 67 | |
1,254 | 7,817 | |
1.1% | 1.4% | |
0.0 | 2.7 | |
15 days ago | about 1 month ago | |
Swift | Swift | |
MIT License | GNU Affero General Public License v3.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
ProfileCreator
-
The Right to Lie and Google’s “Web Environment Integrity”
> How many users have devices that they are really administrators of? Fewer and fewer.
As long as nobody has forced you to join your computer to a domain and accept the installation of group-policy overrides, you're still fundamentally an administrator of that machine.
You might not ever feel the need to administrate it, because the OS vendor is often co-administering the machine (see: Windows or macOS when you use a local account rooted in their cloud SSO) but the OS vendor hasn't restricted you from doing your own administration in the way that a corporation or institution administering the domain your device belongs to would restrict you. You still have the ambient authority to administer your machine, whether you ever bother to elevate yourself or not.
You can still install your own X.509 roots of trust. Even on, say, iOS! (You must administer the iOS device using tools — e.g. https://github.com/ProfileCreator/ProfileCreator — that run outside of the device on a "real computer"; but that's just a fact of history, to do with how system administrators generally prefer to interact with computers, not a property of the target device's security. A config profile is just a file format; if someone ever wanted to make a profile editor that ran on iOS itself, they could.)
(And if we're talking about a machine that is corporate or institutionally controlled? Well, then it's the responsibility of the people who manage your device — your IT department — to decide whether a given cert should be given trust.)
> What is the technical challenge of setting up your own HTTP server that can be browsed with an off the shelf browser on your local computer?
The approach where you run a proxy that wraps untrusted connections into trusted ones is fully general, but yes, only really applicable to the most advanced users. But then, only the most advanced users really need the full power of this approach. Only someone with a lot of experience in network security should consider themselves capable of vouchsafing a non-TLS HTTP connection as worth being trusted. You have to basically come up with an "attestation heuristic" for the remote yourself — that it stays on the same IP, that its DNS records haven't changed owner, that the server is still sending the same Server response header, etc.
If your needs are slightly weaker — if you can assume that every remote is at least using self-signed TLS certs rather than not using TLS at all — then the problem is vastly simplified: you can directly trust any cert by putting it that cert directly into your X.509 trust store (in effect making it a root-of-trust — though it doesn't have the X.509 property that enables other certs signed by the cert to be trusted transitively, so it's a leaf-node root-of-trust. A "stump of trust", if you will.) You don't need to run any local servers to do this.
-
Users using their own Icloud.
I don't have much experience with Jamf specifically so I don't know if they have a tool for this, but you can you software like iMazingand ProfileCreator to create the profiles from a GUI and then push the profiles from to devices using Jamf. Using either of these apps, under "Restrictions", you'll be able to deselect whatever iCloud service you want to be blocked and then save it to a profile.
-
Custom JSON Configuration Profiles
In Mosyle in the management profiles section you have an option called Certificates/Custom Profiles, there you can upload a .mobileconfig created with for example Profile creator: https://github.com/ProfileCreator/ProfileCreator which nicely includes the Nudge schema and other common used apps :-), this should be the same effect than in the JAMF video, its almost the same thing instead of cut an paste from the AJMF article, upload de .mobileconfig created by the App.
- How can I have a user account which absolutely CANNOT access the internet?
- Need assistance building .mobileconfig files for 3rd Party apps?
-
Is there a bash command for a device to give permissions for remote session control apps like Zoom/LogMeIn?
There are many examples and several ways to generate a profile that will grant the appropriate perms, personally I have used ProfileCreator: https://github.com/ProfileCreator/ProfileCreator
- How do I edit plists using Xcode?
- How do I allow non admins to Screen-share from payload/profile in macOS via MDM (workspace one in my case)?
-
Custom MacOS configuration profiles
On a side note, you might try this for manually creating profiles. https://github.com/ProfileCreator/ProfileCreator
-
iOS supervised device settings possibility question
If you have a Mac available ProfileCreator works well as an alternative to Apple Configurator, and it has a few more options.
openhaystack
- Beeper Mini will add SMS & RCS, other services, and FaceTime in ‘near future’
- OpenHaystack is a framework for tracking personal Bluetooth devices via Apple's massive Find My network. Use it to create your own tracking tags that you can append to physical objects (keyrings, backpacks, etc)
-
Apple: Android is a tracking device [pdf]
> For Find My, since they can even locate switched off phones
They can't. Find My is actually truly end-to-end encrypted, at least the version used for when a device is off (I'm not 100% sure how encrypted the self-reported version is for powered on iPhones with data).
Copy-pasting my summary about how Find My works from another comment in this post:
> The master private key used by the system is generated locally and never leaves your Apple devices in a state that anyone except your devices can read it.
> The master key is used to derive an AirTag specific private key which is provisioned to the AirTag and is in turn combined with an increasing counter which generates a third private key that's never stored anywhere. The ID broadcast is the public key of this third key. It changes every 30 minutes or 1 hour, I forget which.
> Other devices see this key, use it to encrypt their own location, and upload that encrypted blob along with the public key to Find My, and in order for Apple to even know which account the encrypted blob they can't decrypt belongs to I have to actually request the location of my AirTag by locally deriving the keypair it used for a certain point in time.
This has all been proven through [1] where they read the whitepaper (which I can't for the life of me find now but know exist because I've read it, or at least parts) and implemented OpenHaystack which proves Apple aren't lying about anything because if they did then OpenHaystack wouldn't work.
1: https://github.com/seemoo-lab/openhaystack
- Find my cat: open-source Cat Tracker
- Where can I put a AirTag on my Flipper zero
- [Question] Is it possible to spoof an airtag location with an android device or some kind of Arduino configuration?
- My graduation thesis: Person Following Robot - Smart Trolley 🛒🛒🛒, which runs in real-time on Jetson Nano and can work in all complex types of floors with 3D Vision
-
J'ai trouver des Airpod dans sur la ligne L, est t-il possible de retrouver son propriétaire?
find my network
-
Kuba Wojciechowski: Google is working on a smart tracker similar to Apple's AirTag, codename "grogu"
Much more nuance than that. You can't just tap into the networks. More information here https://github.com/seemoo-lab/openhaystack
-
AirTags replacement
You can actually create your own, using Apple's "find my" network. See OpenHaystack
What are some alternatives?
PPPC-Utility - Privacy Preferences Policy Control (PPPC) Utility
opendrop - An open Apple AirDrop implementation written in Python
Installomator - Installation script to deploy standard software on Macs
AirGuard - Protect yourself from being tracked 🌍 by AirTags 🏷 and Find My accessories 📍
ProfileManifestsMirror - Jamf JSON schema manifests automatically generated from ProfileCreator manifests (https://github.com/ProfileCreator/ProfileManifests)
bluesnooze - Sleeping Mac = Bluetooth off
mcxToProfile - Convert macOS property lists, defaults and MCX into Configuration Profiles with Custom Settings payloads
ubertooth - Software, firmware, and hardware designs for Ubertooth
outset - Automatically process packages, profiles, and scripts during boot, login, or on demand.
Brooklyn - 🍎 Screensaver inspired by Apple's Event on October 30, 2018
munkireport-php - A reporting tool for munki
send-my - Upload arbitrary data via Apple's Find My network.