Open Radar

 
Summary:
Since 10.8, /usr/bin/dscl cannot be used to write to any other directory than /private/var/db/dslocal/nodes/Default/*, which prevents the maintenance of Managed Preferences in custom nodes created for the LocalMCX delivery method, detailed here:
http://managingosx.wordpress.com/2012/07/27/mountain-lion-and-mcx/
This behavior should be changed to allow for any subdirectory of /private/var/db/dslocal/nodes/ instead.

Steps to Reproduce:
1. create new folder structure in /private/var/db/dslocal/nodes/ MCX/groups, users, computers, and computer groups. with appropriate ownership and permissions
2. deploy computer record (i.e. local_laptop.plist) to that folder from a template
3. attempt to modify the template to associate management with the specific machine, using these commands:
/usr/bin/dscl /Local/MCX -create /Computers/$computerRecordName ENetAddress $macAddress 
/usr/bin/dscl /Local/MCX -create /Computers/$computerRecordName hardwareuuid

Expected Results: successful update of records
Actual Results: <dscl_cmd> DS Error: -14136 (eDSRecordNotFound)

Regression:all versions from 10.8 on

Notes: AS mentioned in this post by Joe Wollard, this behavior is able to be circumvented:
"open /System/Library/Sandbox/Profiles/com.apple.opendirectoryd.sb in your favorite text editor 
Find the line referencing "/var/db/dslocal/nodes/Default", should be line 43 (notice how this is under the "allow file-write*" container?) 
Insert a new line after that one with the following contents, making adjustments where needed for your local MCX path: #"^(/private)?/var/db/dslocal/nodes/MCX(/|$)" 
reload the daemon, effectively forcing sandboxd to reload the permissions: killall opendirectoryd "
https://groups.google.com/forum/?fromgroups=#!topic/macenterprise/h8qAyNxHxzw

This type of management is valuable while Configuration Profiles do not allow "Once" or "Often" frequency settings, which I will file a separate enhancement bug for.