Who's snooping? Auditing macOS Location Services with Intune
In my ongoing mission to harden macOS devices with Microsoft Intune, today's focus is macOS Location Services and two recommendations from the CIS (Center for Internet Security) Level 2 benchmark for macOS. We'll look at recommendation 2.6.1.2: Ensure 'Show Location Icon in Control Center when System Services Request Your Location' Is Enabled, and recommendation 2.6.1.3: Audit Location Services Access. I'm still working through the full Level 2 benchmark and will soon update my GitHub with many more scripts to help. In the meantime, have a look at my earlier post on protecting macOS devices with a custom CIS-based security baseline.
These two CIS recommendations not only strengthen security but also bring transparency, giving users and admins a front-row seat to who is peeking at location data. So buckle up, because we'll look at why these settings matter, how to deploy them with Intune, and a few neat scripts I wrote that make the job easier.
Why bother managing Location Services?
Sometimes digging into a particular configuration isn't just about immediate usefulness; it's about curiosity and the urge to explore. I wanted to see what could be done, how far the configuration could be pushed, and what insights managing Location Services on macOS could provide. Exploring these settings helped me understand the balance between privacy and control, and showed how Intune can be used to improve visibility and security. It's not just about whether these settings are necessary for every environment. This post is more about learning and personal development.
Recommendation 2.6.1.2: Ensure visibility via the location icon
When a macOS system service or application requests location data, it's important that the user is notified by a visible icon in Control Center. This builds trust, keeps users aware of location-tracking activity, and prevents any hidden process from going unnoticed.
Recommendation 2.6.1.3: Audit Location Services access
Many macOS features rely on Location Services to provide tailored information, from setting the time zone and showing local weather to enabling Find My Mac. Let's face it, your macOS apps love to know where you are. While Location Services are convenient, they can also bring privacy risks, especially in sensitive environments such as government or healthcare.
By auditing which applications have access to Location Services, organizations can keep a balance between usability and data security. If your devices live in sensitive locations (think government buildings or top-secret lairs), you'll want to keep a close eye on who is accessing that data.
Deploying the scripts with Intune
To simplify managing Location Services settings, I developed three scripts that can be deployed through Microsoft Intune. Here is a breakdown of each script and its role in strengthening security.
1. Enable the Location Services icon
First, we want to make sure the Location Services icon appears whenever a system service or app requests your location. Just don't blink... you might miss it.
Although this setting is supposed to make users aware that Location Services are in use, it sits at the top of the menu bar and only lights up in colour for a few seconds... Still, I suppose it's better than nothing.
Script overview:
- Checks whether the relevant plist file (com.apple.locationmenu.plist) exists.
- Enables the 'Show Location Icon' setting if it is not already active.
- Logs all actions for auditing.
```bash
#!/bin/bash
#set -x
# -------------------------------------------------------------------------------------------------------------------------------
# Script to Ensure 'Show Location Icon in Control Center when System Services Request Your Location' Is Enabled
# CIS Benchmark Level 2 - 2.6.1.2 Ensure 'Show Location Icon in Control Center when System Services Request Your Location' Is Enabled
# -------------------------------------------------------------------------------------------------------------------------------
#
# -------------------------------------------------------------------------------------------------------------------------------
# WARNING: This script only works if you deploy it as a collection of scripts. You will need 3 scripts for this to work:
# 1- EnableLocationServiceIcon (optional but recommended)
# 2- audit_apps_using_Locationservices.sh
# 3- report_apps_using_Locationservices
# -------------------------------------------------------------------------------------------------------------------------------
#
# DISCLAIMER:
# This script is provided "as is" without warranties or guarantees of any kind. While it has been created to fulfill specific functions
# and has worked effectively for my personal requirements, its performance may vary in different environments or use-cases.
# Users are advised to employ this script at their own discretion and risk.
# No responsibility will be assumed for any direct, indirect, incidental, or consequential damages that may arise from its use.
# -------------------------------------------------------------------------------------------------------------------------------
#
# ALWAYS TEST it in a controlled environment before deploying it in your production environment!
#
# -------------------------------------------------------------------------------------------------------------------------------
# AUTHOR: Oktay Sari
# https://allthingscloud.blog
# https://github.com/oktay-sari/
#
# NOTE:
# This script is by no means perfect. I'm not an expert bash programmer.
# If you think you have a good idea to further enhance this script, then please reach out.
#
# SCRIPT VERSION/HISTORY:
# 06-02-2025 - Oktay Sari - Script version 1.0
#
# ROADMAP/WISHLIST:
#
# Requirements:
# MDM to deploy script
# -------------------------------------------------------------------------------------------------------------------------------

# Define variables
appname="EnableLocationIcon"
logandmetadir="/Library/Logs/Microsoft/IntuneScripts/$appname"
log="$logandmetadir/$appname.log"
# System-wide preference domain read by the location menu extra
plist_path="/Library/Preferences/com.apple.locationmenu.plist"

# Check if the log directory has been created
if [ -d "$logandmetadir" ]; then
    echo "$(date) | Log directory already exists - $logandmetadir"
else
    echo "$(date) | Creating log directory - $logandmetadir"
    mkdir -p "$logandmetadir"
fi

# Start logging: from here on, stdout and stderr go to the console and the log file
exec &> >(tee -a "$log")

# Begin Script Body
echo ""
echo "##############################################################"
echo "# $(date) | Starting running of script $appname"
echo "##############################################################"
echo ""

# Function to enable 'Show Location Icon for System Services'
function enable_location_icon {
    echo "$(date) | Checking if $plist_path exists."
    if [ -f "$plist_path" ]; then
        echo "$(date) | $plist_path exists. Checking current setting."
        # 'defaults read' prints 1 for a true boolean; stderr is silenced for a missing key
        current_setting=$(/usr/bin/defaults read "$plist_path" ShowSystemServices 2>/dev/null)
        if [[ "$current_setting" == "1" ]]; then
            echo "$(date) | 'Show Location Icon' is already enabled. No changes made."
        else
            echo "$(date) | 'Show Location Icon' is disabled or not set. Enabling now."
            /usr/bin/defaults write "$plist_path" ShowSystemServices -bool true
            # Keep the system-wide preference root-owned and readable by every user
            chown root:wheel "$plist_path"
            chmod 644 "$plist_path"
            # Verify the change
            verify_setting=$(/usr/bin/defaults read "$plist_path" ShowSystemServices)
            if [[ "$verify_setting" == "1" ]]; then
                echo "$(date) | Successfully enabled 'Show Location Icon'."
            else
                echo "$(date) | Failed to enable 'Show Location Icon'. Please check manually."
            fi
        fi
    else
        echo "$(date) | $plist_path does not exist. Creating and enabling setting."
        # 'defaults write' creates the plist when it is missing
        /usr/bin/defaults write "$plist_path" ShowSystemServices -bool true
        chown root:wheel "$plist_path"
        chmod 644 "$plist_path"
        # Verify the change
        verify_setting=$(/usr/bin/defaults read "$plist_path" ShowSystemServices)
        if [[ "$verify_setting" == "1" ]]; then
            echo "$(date) | Successfully created $plist_path and enabled 'Show Location Icon'."
        else
            echo "$(date) | Failed to create $plist_path or enable 'Show Location Icon'. Please check manually."
        fi
    fi
}

# Execute the function
enable_location_icon
echo "$(date) | Script completed. 'Show Location Icon' setting has been applied."
```
2. Audit apps using Location Services
This script audits every application that has accessed Location Services and compiles them into a readable plist file. It's the detective of our script trio, giving admins a clear overview of which apps are using location data.
Script overview:
- Converts clients.plist from binary to XML for easier parsing.
- Extracts the bundle IDs of apps authorized to use Location Services.
- Resolves bundle IDs to app names and writes them to a plist file (com.company.locationapps.plist).
```bash
#!/bin/bash
#set -x
# -------------------------------------------------------------------------------------------------------------------------------
#
# -------------------------------------------------------------------------------------------------------------------------------
# WARNING: This script only works if you deploy it as a collection of scripts. You will need 3 scripts for this to work:
# 1- EnableLocationServiceIcon (optional but recommended)
# 2- audit_apps_using_Locationservices.sh
# 3- report_apps_using_Locationservices
# -------------------------------------------------------------------------------------------------------------------------------
#
# DISCLAIMER:
# This script is provided "as is" without warranties or guarantees of any kind. While it has been created to fulfill specific functions
# and has worked effectively for my personal requirements, its performance may vary in different environments or use-cases.
# Users are advised to employ this script at their own discretion and risk.
# No responsibility will be assumed for any direct, indirect, incidental, or consequential damages that may arise from its use.
# -------------------------------------------------------------------------------------------------------------------------------
# ALWAYS TEST it in a controlled environment before deploying it in your production environment!
#
# -------------------------------------------------------------------------------------------------------------------------------
# AUTHOR: Oktay Sari
# https://allthingscloud.blog
# https://github.com/oktay-sari/
#
# NOTE:
# This script is by no means perfect. I'm not an expert bash programmer.
# If you think you have a good idea to further enhance this script, then please reach out.
#
# SCRIPT VERSION/HISTORY:
# 06-02-2025 - Oktay Sari - Script version 1.0
#
# ROADMAP/WISHLIST:
#
# Requirements:
# MDM to deploy script
#
# Why use plist files instead of log files?
# -------------------------------------------------------------------------------------------------------------------------------
# Plist files offer structured, standardized data storage that integrates natively with macOS and MDM solutions like Intune.
# They allow for consistent parsing and structured reporting, making them ideal for environments where data integrity and
# easy retrieval are critical. Unlike log files, which are unstructured and prone to formatting inconsistencies,
# plist files maintain a predictable format that ensures compatibility with automated systems.
# -------------------------------------------------------------------------------------------------------------------------------

# Define variables
# Path to the Location Services database and temporary XML file
LS_DB="/var/db/locationd/clients.plist"
# The converted copy lists every location client on the machine, so it goes in a
# private temp file (mode 600) rather than a fixed, world-readable /tmp path, and
# is removed when the script exits.
XML_DB="$(mktemp /tmp/clients.XXXXXX)"
trap 'rm -f "$XML_DB"' EXIT
OUTPUT_FILE="/Library/Preferences/com.company.locationapps.plist"

# Step 1: Check if the Location Services database exists
if [ ! -f "$LS_DB" ]; then
    echo "Location Services Database not found at $LS_DB"
    exit 1
fi

# Step 2: Convert the binary plist to an XML format
# This is necessary because the original plist is in a binary format, which is not human-readable and cannot be easily parsed.
# Converting it to XML allows us to extract and manipulate the data more effectively.
plutil -convert xml1 -o "$XML_DB" "$LS_DB"

# Step 3: Initialize an empty array to store the names of authorized apps
authorized_apps=()

# Step 4: Filter out non-UTF-8 characters and parse authorized apps
# Each bundle id is resolved to an app name through Spotlight metadata (mdfind/mdls).
while IFS= read -r bundle_id; do
    echo "Processing bundle ID: $bundle_id"
    app_path=$(mdfind "kMDItemCFBundleIdentifier == '$bundle_id'" | head -n 1)
    if [ -n "$app_path" ]; then
        app_name=$(mdls -name kMDItemDisplayName -raw "$app_path")
        if [ -z "$app_name" ]; then
            app_name=$(mdls -name kMDItemCFBundleName -raw "$app_path")
        fi
        if [ -z "$app_name" ]; then
            app_name=$(mdls -name kMDItemFSName -raw "$app_path")
        fi
        if [ -n "$app_name" ]; then
            echo "Found app: $app_name ($bundle_id)"
            authorized_apps+=("$app_name ($bundle_id)")
        else
            echo "Found app path but no display name for $bundle_id"
            authorized_apps+=("$bundle_id (No app display name found)")
        fi
    else
        echo "No app path found for $bundle_id"
        authorized_apps+=("$bundle_id (No app display name found)")
    fi
done < <(
    /usr/libexec/PlistBuddy -c "Print" "$XML_DB" | iconv -f UTF-8 -t UTF-8//IGNORE |
    awk '
        # PlistBuddy prints one client per "<key> = Dict {" ... "}" block. Track the
        # brace depth so each client is judged on its own BundleId/Authorized pair,
        # whatever order its keys are printed in, and a denied client is never
        # reported because of a neighbouring entry.
        /\{/ { depth++; if (depth == 2) { authorized = 0; bundle_id = "" } }
        /BundleId =/ { bundle_id = $3 }
        /Authorized = true/ { authorized = 1 }
        /\}/ {
            if (depth == 2 && authorized && bundle_id != "") print bundle_id
            depth--
        }
    '
)

# Step 5: Debugging - Check if the output file exists before creating a new one
# This step ensures we're aware if an existing plist file is already present. This can help in troubleshooting or verifying that the script is running as expected.
if ls -l "$OUTPUT_FILE"; then
    echo "DEBUG: File is visible to the script."
else
    echo "DEBUG: File is NOT visible to the script."
fi

# Step 6: Ensure the output file is freshly created on every run
# Removing the old plist ensures that no outdated or duplicate data remains. This guarantees that the plist only contains the most current information.
if [ -f "$OUTPUT_FILE" ]; then
    echo "Existing plist found. Removing it to create a fresh one."
    rm "$OUTPUT_FILE"
else
    echo "File Doesn't Exist, Will Create: $OUTPUT_FILE"
fi

# Step 7: Create a new plist with the required structure
# We initialize the plist with an 'AuthorizedApps' array to store the list of apps. This structure is required for consistent data formatting.
echo "Creating new plist file at $OUTPUT_FILE"
/usr/libexec/PlistBuddy -c "Add :AuthorizedApps array" "$OUTPUT_FILE"

# Step 8: Set permissions to ensure future detection and access
# Setting appropriate permissions ensures the file is readable and writable by system processes that may need to access or update it.
chmod 644 "$OUTPUT_FILE"
chown root:wheel "$OUTPUT_FILE"
# Confirm permissions to verify that they were set correctly
ls -l "$OUTPUT_FILE"

# Step 9: Populate the plist with the authorized apps
for app in "${authorized_apps[@]}"; do
    echo "Adding to plist: $app"
    /usr/libexec/PlistBuddy -c "Add :AuthorizedApps: string $app" "$OUTPUT_FILE"
done

# Step 10: Final confirmation message
echo "Location Services apps have been written to $OUTPUT_FILE"
```
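The extraction step of the audit script, isolated as an added example (not the blog's script) that reads the XML form of clients.plist directly instead of PlistBuddy's text output, so the logic can be checked on constructed data without a Mac. The sample database below is constructed; a real one carries more keys per client, which the parser ignores.

```bash
#!/bin/bash
# Added example (not the blog's script): extract the bundle ids of clients with
# Authorized = true straight from the XML form of /var/db/locationd/clients.plist.
# Each client is a <dict> one level below the root <dict>. A client is reported only
# when its own </dict> closes, so key order is irrelevant and <false/> is never reported.
authorized_bundle_ids() {   # $1 = path to the xml1 plist
    awk '
        /^[[:space:]]*<dict>/   { depth++; if (depth == 2) { auth = 0; bundle = "" } }
        /<key>/                 { key = $0; sub(/.*<key>/, "", key); sub(/<\/key>.*/, "", key) }
        /<true\/>/              { if (key == "Authorized") auth = 1 }
        /<string>/              { if (key == "BundleId") { bundle = $0; sub(/.*<string>/, "", bundle); sub(/<\/string>.*/, "", bundle) } }
        /^[[:space:]]*<\/dict>/ { if (depth == 2 && auth && bundle != "") print bundle; depth-- }
    ' "$1"
}
# Constructed sample (XML header omitted): one authorized app, one denied app, and a
# daemon entry whose keys are deliberately out of the sorted order plutil writes.
write_sample_clients_xml() {   # $1 = destination path
    cat > "$1" <<'EOF'
<plist version="1.0">
<dict>
	<key>com.apple.Maps</key>
	<dict>
		<key>Authorized</key>
		<true/>
		<key>BundleId</key>
		<string>com.apple.Maps</string>
	</dict>
	<key>com.example.tracker</key>
	<dict>
		<key>Authorized</key>
		<false/>
		<key>BundleId</key>
		<string>com.example.tracker</string>
	</dict>
	<key>/usr/libexec/exampled</key>
	<dict>
		<key>BundleId</key>
		<string>com.example.exampled</string>
		<key>Authorized</key>
		<true/>
	</dict>
</dict>
</plist>
EOF
}
sample=$(mktemp); write_sample_clients_xml "$sample"
authorized_bundle_ids "$sample"   # prints com.apple.Maps and com.example.exampled
rm -f "$sample"
```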
3. Report apps using Location Services
Last but not least, we have the reporter. This custom attribute script is designed for reporting purposes inside Intune. It reads the plist file generated by the audit script and outputs the list of apps using Location Services.
Script overview:
- Reads from com.company.locationapps.plist.
- Outputs the list of authorized apps to the console for reporting in Intune.
```bash
#!/bin/bash
#set -x
# -------------------------------------------------------------------------------------------------------------------------------
# WARNING: This script only works if you deploy it as a collection of scripts. You will need 3 scripts for this to work:
# 1- EnableLocationServiceIcon (optional but recommended)
# 2- audit_apps_using_Locationservices.sh
# 3- report_apps_using_Locationservices
# -------------------------------------------------------------------------------------------------------------------------------
#
# DISCLAIMER:
# This script is provided "as is" without warranties or guarantees of any kind. While it has been created to fulfill specific functions
# and has worked effectively for my personal requirements, its performance may vary in different environments or use-cases.
# Users are advised to employ this script at their own discretion and risk.
# No responsibility will be assumed for any direct, indirect, incidental, or consequential damages that may arise from its use.
# -------------------------------------------------------------------------------------------------------------------------------
#
# ALWAYS TEST it in a controlled environment before deploying it in your production environment!
#
# -------------------------------------------------------------------------------------------------------------------------------
# AUTHOR: Oktay Sari
# https://allthingscloud.blog
# https://github.com/oktay-sari/
#
# NOTE:
# This script is by no means perfect. I'm not an expert bash programmer.
# If you think you have a good idea to further enhance this script, then please reach out.
#
# SCRIPT VERSION/HISTORY:
# 06-02-2025 - Oktay Sari - Script version 1.0
#
# ROADMAP/WISHLIST:
#
# Requirements:
# MDM to deploy script
# -------------------------------------------------------------------------------------------------------------------------------

# Define variables
OUTPUT_FILE="/Library/Preferences/com.company.locationapps.plist"

# A custom attribute reports whatever the script prints, so the AuthorizedApps
# array is echoed as 'defaults read' renders it.
if [ -f "$OUTPUT_FILE" ]; then
    authorized_apps=$(/usr/bin/defaults read "$OUTPUT_FILE" AuthorizedApps 2>/dev/null)
    if [ -n "$authorized_apps" ]; then
        echo "Authorized Apps: $authorized_apps"
    else
        echo "No apps found using Location Services."
    fi
else
    # Distinguish "audit not yet run" from "audit ran and found nothing"
    echo "No audit results found at $OUTPUT_FILE. Run the audit script first."
fi
```
Privacy considerations
While auditing Location Services access is essential for maintaining security, it's also important to acknowledge the potential privacy concerns. Listing every application that accesses location data could inadvertently reveal sensitive information about how users interact with their devices. It's a bit like peeking into a user's diary: useful, but let's tread carefully.
Potential privacy risks:
- User concerns: Even with the best intentions, users may feel uneasy knowing that admins can see which applications are accessing their location.
- Data sensitivity: In some environments, revealing specific application names could inadvertently leak sensitive details.
Mitigation strategies:
- Visibility in the Intune device blade: It's worth noting that applications are already visible in the Intune device blade. Still, an extra custom report may raise further concerns.
- Data anonymization: Future script enhancements could focus on anonymizing this data. For example, instead of listing actual application names in the custom attribute, we could report only the number of applications using Location Services. This approach keeps oversight while respecting individual privacy.
Future script enhancements
These scripts are great, but there's always room for improvement. Here are a few ideas to take things to the next level:
- Anonymized reporting: Modify the reporting script to show only the number of apps using Location Services rather than their names. This gives a high-level overview without compromising privacy.
- Granular permissions: Introduce logic to distinguish system services from third-party apps, for more nuanced reporting.
- Automated alerts: Notify admins when a new app requests location access.
- Scheduled audits: Run the audit automatically at regular intervals, ensuring continuous monitoring without administrative overhead.
- Maintain an approved app list: Alert only on unknown/unapproved apps.
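The anonymized-count and approved-list ideas above, worked through as an added example (not the blog's scripts). It assumes the AuthorizedApps entries have already been read out of com.company.locationapps.plist into newline-separated text in the "Name (bundle.id)" form the audit script writes; the entries and the approved list below are constructed.

```bash
#!/bin/bash
# Added example: evaluate audit results against an approved list and produce a
# count-only summary suitable for a custom attribute. Input is newline-separated
# "Name (bundle.id)" entries as written by the audit script.

# Constructed approved list of bundle ids (in practice maintained by the admin).
APPROVED_BUNDLE_IDS='com.apple.Maps
com.apple.weather'

# Constructed audit entries, including the fallback form the audit script writes
# when Spotlight finds no display name for a bundle id.
SAMPLE_ENTRIES='Maps (com.apple.Maps)
Weather (com.apple.weather)
Example Tracker (com.example.tracker)
com.example.exampled (No app display name found)'

# Recover the bundle id from one entry. The fallback form keeps the id in front of
# the parentheses, so it is handled before the generic "last (...)" case.
bundle_id_of() {   # $1 = one entry
    case "$1" in
        *' (No app display name found)') printf '%s\n' "${1% (No app display name found)}" ;;
        *) id="${1##*\(}"; printf '%s\n' "${id%\)}" ;;
    esac
}

# Print only the entries whose bundle id is not on the approved list (alert material).
unapproved_apps() {   # $1 = entries
    printf '%s\n' "$1" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        printf '%s\n' "$APPROVED_BUNDLE_IDS" | grep -qxF -- "$(bundle_id_of "$entry")" \
            || printf '%s\n' "$entry"
    done
}

# Number of non-empty entries (0 for empty input).
entry_count() { printf '%s\n' "$1" | awk 'NF { n++ } END { print n + 0 }'; }

# One-line, name-free summary: what a privacy-conscious custom attribute would report.
anonymized_summary() {   # $1 = entries
    printf 'Apps using Location Services: %s, not on approved list: %s\n' \
        "$(entry_count "$1")" "$(entry_count "$(unapproved_apps "$1")")"
}

unapproved_apps "$SAMPLE_ENTRIES"       # the two entries an admin would be alerted about
anonymized_summary "$SAMPLE_ENTRIES"    # Apps using Location Services: 4, not on approved list: 2
```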
Deploying through Microsoft Intune
Step-by-step deployment guide:
1. Upload the scripts to Intune:
   - In Microsoft Intune, navigate to Devices > macOS > Scripts.
   - Add the first two scripts individually, making sure they are assigned to the appropriate device groups.
   - Navigate to Devices > macOS > Custom attributes, upload the reporting script, and assign it to your devices as well.
2. Monitor the deployment:
   - Use Intune's reporting features to verify that the scripts executed successfully.
   - The reporting script will provide feedback on which apps are accessing Location Services.
3. Adjust policies as needed:
   - Based on the audit results, adjust app permissions or inform users about potential privacy implications.
Conclusion
Managing Location Services on macOS isn't just about locking everything down; it's about striking a balance between security and usability. With the Location Services icon showing who is peeking, and audits keeping an eye on app behaviour, you get full control without going into full surveillance mode.
But remember, with great power comes great responsibility. Keep privacy in mind, anonymize where possible, and always be transparent with your users. Effective adoption and communication help with these challenges.
Stay tuned for more insights as we continue exploring and implementing the CIS Level 2 benchmark for macOS with Microsoft Intune. If you have suggestions or improvements for these scripts, feel free to reach out or contribute via GitHub.