OS X 10.11.6: Managing Bonjour advertisement via a management profile

Originator: howard.griffith
Number: rdar://27953033 Date Originated: 22-Aug-2016 12:53 PM
Status: Open Resolved:
Product: OS X Product Version: OS X 10.11.6 (15G31)
Classification: Security Reproducible: Always
 
This is a duplicate of rdar://27952362

Summary:

On OS X 10.11.x and later, the method of disabling Bonjour advertisement changed due to SIP no longer allowing the following plist to be edited:

/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

After doing some research, it looks like the Bonjour advertisement function can be disabled by running the following command with root privileges:

defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES

However, it does not appear that I can manage this with a profile.

Steps to Reproduce:

1. Install profile
2. Check NoMulticastAdvertisements value in /Library/Managed Preferences/com.apple.mDNSResponder.plist

Expected Results:

/Library/Managed Preferences/com.apple.mDNSResponder NoMulticastAdvertisements is set to True
Bonjour advertisement function is disabled

Actual Results:

/Library/Managed Preferences/com.apple.mDNSResponder NoMulticastAdvertisements is set to True
Bonjour advertisement function is not disabled

Regression:

Running the defaults command listed above sets the following value:

/Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements is set to True
Bonjour advertisement function is disabled

Notes:

I have more information on this issue available here:

https://derflounder.wordpress.com/2016/08/22/disabling-bonjour-advertisement-on-os-x-el-capitan-and-later/

I have a sample management profile available here:

https://github.com/rtrouton/profiles/tree/master/DisableBonjourAdvertisement
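
An added example, not part of the original report: a Python audit check that separates the two states described above, the key set in /Library/Preferences (where the report found advertisement disabled) versus set only in /Library/Managed Preferences (where the report found it still enabled). The `root` parameter, the state labels and the sample plists are assumptions constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

KEY = "NoMulticastAdvertisements"
LOCAL = "Library/Preferences/com.apple.mDNSResponder.plist"
MANAGED = "Library/Managed Preferences/com.apple.mDNSResponder.plist"


def read_key(path):
    """Return the key's value, or None if the file or key is missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)  # accepts both XML and binary plists
    except (OSError, ValueError, ExpatError):
        return None
    return data.get(KEY) if isinstance(data, dict) else None


def audit(root="/"):
    """Classify a host by which plist carries the key (root is overridable for testing)."""
    local = read_key(Path(root) / LOCAL)
    managed = read_key(Path(root) / MANAGED)
    if local is True:
        return "disabled"      # the location the report found effective
    if managed is True:
        return "managed-only"  # profile installed, advertisement still on per the report
    return "not-set"


def demo():
    """Build constructed sample trees in temp directories and audit each one."""
    results = {}
    for name, rel in (("profile", MANAGED), ("defaults", LOCAL)):
        with tempfile.TemporaryDirectory() as root:
            target = Path(root) / rel
            target.parent.mkdir(parents=True)
            with open(target, "wb") as fh:
                plistlib.dump({KEY: True}, fh, fmt=plistlib.FMT_BINARY)
            results[name] = audit(root)
    with tempfile.TemporaryDirectory() as root:
        results["empty"] = audit(root)
    return results


if __name__ == "__main__":
    print(demo())
```
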
