{"id":1277,"date":"2022-11-03T15:58:32","date_gmt":"2022-11-03T20:58:32","guid":{"rendered":"https:\/\/www.brunerd.com\/blog\/?p=1277"},"modified":"2024-02-05T16:48:58","modified_gmt":"2024-02-05T21:48:58","slug":"detecting-and-affecting-lockdown-mode-in-macos-ventura","status":"publish","type":"post","link":"https:\/\/www.brunerd.com\/blog\/2022\/11\/03\/detecting-and-affecting-lockdown-mode-in-macos-ventura\/","title":{"rendered":"Detecting and affecting Lockdown Mode in macOS Ventura"},"content":{"rendered":"\n

Lockdown mode<\/a> is new feature for macOS Ventura and for many MacAdmins we’ve been wondering how to detect this state. Why? Lockdown mode affects how macOS and Mac apps behave. This is something a helpdesk might like to know when trying to troubleshoot an issue. Also, due to some ambiguous wording by Apple, they made it seem like MDM Config Profiles could not be installed at all<\/em> when in Lockdown mode, however this is not always the case. The hunt was on!<\/p>\n\n\n\n

Detecting Lockdown Mode<\/h2>\n\n\n\n

I was looking everywhere<\/em> last week: ps<\/code> process lists, nvram<\/code>, system_profiler<\/code>, kextstat<\/code>, launchctl<\/code>, sysdiagnose<\/code>, a defaults read<\/code> dump, etc. I was looking high and low for “lock” “down” and “mode” and I got a hit in the com.apple.Safari<\/code> domain in the sandboxed ~\/Library\/Containers\/Safari<\/code> path. While it turns out that Safari will in some cases<\/em> write the button label LockdownModeToolbarIdentifier<\/code> to that pref domain, it requires Safari to be launched and<\/em> for the toolbar to be in non-default layout, otherwise the label name is never written! So that was a dead end.<\/p>\n\n\n\n

Then a little birdie on MacAdmins pointed me in the right direction and blogged<\/a> about it and wrote a Jamf extension attribute! \ud83d\ude05 Turns out I had missed the value sitting at the top of the defaults read<\/code> dump! (d’oh) It was there the whole time in .GlobalPreferences, I just hadn’t done a diff<\/code> like I should have! That<\/em> would have revealed the key uses the LDM<\/code> acronym\/mnemonic: LDMGlobalEnabled<\/code> Funnily enough, when I searched for this key on Google I got 5 hits and all of them for iOS<\/strong>, like this one<\/a> at the Apple dev forums. However they were all about Swift and iOS, here’s how to do it in shell for the current user:<\/p>\n\n\n\n

defaults read .GlobalPreferences.plist LDMGlobalEnabled 2>\/dev\/null<\/code><\/pre>\n\n\n\n
It’s a boolean value, that will not exist if Lockdown mode has never been enabled, when enabled it will report 1<\/code> from defaults<\/code> and when disabled the key will remain and report 0<\/code>. What stands out is that this is a per-user preference. Since it makes you reboot I had supposed<\/em> it was a system-wide setting but sure enough if you log out and into another user, Lockdown mode is disabled. Perhaps that makes sense but I’m not quite sure about that? <\/p>\n\n\n\n
Affecting Lockdown Mode<\/h2>\n\n\n\n
This totally blew me away: You can enable and disable macOS Lockdown mode by writing to your .GlobalPreferences preference domain!<\/strong><\/p>\n\n\n\n
#turn lockdown mode off\ndefaults write .GlobalPreferences.plist LDMGlobalEnabled -bool false\n#turn lockdown mode on\ndefaults write .GlobalPreferences.plist LDMGlobalEnabled -bool true<\/code><\/pre>\n\n\n\n
That’s right, it’s not written to a rootless\/SIP protected file like TCC.db! Just run the command as the user and it’ll turn toggle the behavior for most things. Here’s some details of my findings:<\/p>\n\n\n\n