does anyone know the bundle identifier for the osqueryd bina

Question

does anyone know the bundle identifier for the osqueryd binary on macOS trying to write a Full Disk Access MDM policy for it It looks like it s just osqueryd can anyone confirm ```~ sudo usr bin codesign vvvv display entitlements ~ Downloads osqueryd Executable= Users user Downloads osqueryd Identifier=osqueryd Format=Mach O thin x86 64 lt snip gt Signature size=9077 Authority=Developer ID Application Theodore Reed B89LNTUADM Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=Dec 16 2020 at 10 34 40 PM Info plist=not bound TeamIdentifier=B89LNTUADM Runtime Version=10 14 0 Sealed Resources=none Internal requirements count=1 size=168```

Mike Myers · Answer

< theopolis> is that intended point up I know I ve seen `com facebook osqueryd` elsewhere

Mike Myers · Answer

This is where I d seen it <https github com osquery osquery blob 4cf19f29c2508cc5821b82017029da0ada16f9e1 tools deployment productbuild sh L95>

Mike Myers · Answer

< Magneto> I ve created PPPC profiles before so if you need help with that lmk

Magneto · Answer

< Mike Myers> I appreciate that here s the one I wrote mind taking a peek to ensure it looks good

Magneto · Answer

Mmm I think the certificate fields are wrong Let me fix that

Mike Myers · Answer

Optional but you could add ``` lt key gt PayloadDescription lt key gt lt string gt Allow osquery agent to have Full Disk Access lt string gt ```

Mike Myers · Answer

Yea the tricky part is the `CodeRequirement` field

Mike Myers · Answer

gt I think the certificate fields are wrong Whatever this says is what s needed for that field ```codesign dr path to osqueryd``` Everything after the `= gt ` characters that is No leading or trailing spaces

Magneto · Answer

perfect thanks

Magneto · Answer

looks like that s ```identifier osqueryd and anchor apple generic and certificate 1 field 1 2 840 113635 100 6 2 6 exists and certificate leaf field 1 2 840 113635 100 6 1 13 exists and certificate leaf subject OU = B89LNTUADM```

Magneto · Answer

I do recall seeing com facebook osqueryd but I think that s just the `launchd` URI I ve gone through every release macOS build back to 3 3 2 and the identifier on the final binary is unchanged from `osqueryd`

Magneto · Answer

cc < Mike Myers> < theopolis>

Mike Myers · Answer

ok then that s apparently how Teddy s been signing it

allister · Answer

we should DEFINITELY have that in docs somewhere

Mike Myers · Answer

An example grant Full Disk Access configuration profile Yea that would be great if < Magneto> can file a documentation Pull Request I m sure it would be accepted

Magneto · Answer

+1

seph · Answer

It s not proper docs per se but there s a snippet in and in This will also change with osquery 5 0 this will be the defining change of osquery 5 0

Gavin · Answer

FYI This is a full raw profile for Launcher signed binaries amp OsqueryD ``` lt xml version= 1 0 encoding= UTF 8 gt lt DOCTYPE plist PUBLIC Apple DTD PLIST 1 0 EN <http www apple com DTDs PropertyList 1 0 dtd> gt lt plist version= 1 0 gt lt dict gt lt key gt PayloadContent lt key gt lt array gt lt dict gt lt key gt PayloadDescription lt key gt lt string gt Osquery + Kolide Launcher FDE lt string gt lt key gt PayloadDisplayName lt key gt lt string gt io osquery launcher fde lt string gt lt key gt PayloadIdentifier lt key gt lt string gt A2E777C7 76EE 429E AC2B 6C444C9906BD lt string gt lt key gt PayloadOrganization lt key gt lt string gt Example lt string gt lt key gt PayloadType lt key gt lt string gt com apple TCC configuration profile policy lt string gt lt key gt PayloadUUID lt key gt lt string gt DDB83349 7AC0 40D8 AD46 699A7085600C lt string gt lt key gt PayloadVersion lt key gt lt integer gt 1 lt integer gt lt key gt Services lt key gt lt dict gt lt key gt SystemPolicyAllFiles lt key gt lt array gt lt dict gt lt key gt Allowed lt key gt lt true gt lt key gt CodeRequirement lt key gt lt string gt identifier launcher and anchor apple generic and certificate 1 field 1 2 840 113635 100 6 2 6 exists and certificate leaf field 1 2 840 113635 100 6 1 13 exists and certificate leaf subject OU = YZ3EM74M78 lt string gt lt key gt Comment lt key gt lt string gt lt string gt lt key gt Identifier lt key gt lt string gt usr local launcher bin launcher lt string gt lt key gt IdentifierType lt key gt lt string gt path lt string gt lt dict gt lt dict gt lt key gt Allowed lt key gt lt true gt lt key gt CodeRequirement lt key gt lt string gt identifier osqueryd and anchor apple generic and certificate 1 field 1 2 840 113635 100 6 2 6 exists and certificate leaf field 1 2 840 113635 100 6 1 13 exists and certificate leaf subject OU = B89LNTUADM lt string gt lt key gt Comment lt key gt lt string gt lt string gt lt key gt Identifier lt key gt lt string gt usr local launcher bin osqueryd lt string gt lt key gt IdentifierType lt key gt lt string gt path lt string gt lt dict gt lt array gt lt dict gt lt dict gt lt array gt lt key gt PayloadDescription lt key gt lt string gt Kolide Launcher FDE lt string gt lt key gt PayloadDisplayName lt key gt lt string gt io osquery launcher fde lt string gt lt key gt PayloadIdentifier lt key gt lt string gt io osquery launcher fde lt string gt lt key gt PayloadOrganization lt key gt lt string gt Example lt string gt lt key gt PayloadType lt key gt lt string gt com apple TCC configuration profile policy lt string gt lt key gt PayloadUUID lt key gt lt string gt D3F2BC82 B1FE 4A08 9ACD DB72CFDD4F71 lt string gt lt key gt PayloadVersion lt key gt lt integer gt 1 lt integer gt lt key gt payloadScope lt key gt lt string gt system lt string gt lt dict gt lt plist gt ```

Gavin · Answer

Also <https github com jamf PPPC Utility> is an amazing tool

theopolis · Answer

This looks expected accurate

theopolis · Answer

Can confirm that s my signing team name too slightly smiling face