| // Copyright 2019 The Chromium Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "base/enterprise_util.h" |
| |
| #import <OpenDirectory/OpenDirectory.h> |
| |
| #include <string> |
| #include <string_view> |
| #include <vector> |
| |
| #include "base/apple/foundation_util.h" |
| #include "base/logging.h" |
| #include "base/process/launch.h" |
| #include "base/strings/string_split.h" |
| #include "base/strings/string_util.h" |
| #include "base/strings/sys_string_conversions.h" |
| |
| namespace base { |
| |
| bool IsManagedDevice() { |
| // MDM enrollment indicates the device is actively being managed. Simply being |
| // joined to a domain, however, does not. |
| base::MacDeviceManagementState mdm_state = |
| base::IsDeviceRegisteredWithManagement(); |
| return mdm_state == base::MacDeviceManagementState::kLimitedMDMEnrollment || |
| mdm_state == base::MacDeviceManagementState::kFullMDMEnrollment || |
| mdm_state == base::MacDeviceManagementState::kDEPMDMEnrollment; |
| } |
| |
| bool IsEnterpriseDevice() { |
| // Domain join is a basic indicator of being an enterprise device. |
| DeviceUserDomainJoinState join_state = AreDeviceAndUserJoinedToDomain(); |
| return join_state.device_joined || join_state.user_joined; |
| } |
| |
| MacDeviceManagementState IsDeviceRegisteredWithManagement() { |
| static MacDeviceManagementState state = [] { |
| std::vector<std::string> profiles_argv{"/usr/bin/profiles", "status", |
| "-type", "enrollment"}; |
| |
| std::string profiles_stdout; |
| if (!GetAppOutput(profiles_argv, &profiles_stdout)) { |
| LOG(WARNING) << "Could not get profiles output."; |
| return MacDeviceManagementState::kFailureAPIUnavailable; |
| } |
| |
| // Sample output of `profiles` with full MDM enrollment: |
| // Enrolled via DEP: Yes |
| // MDM enrollment: Yes (User Approved) |
| // MDM server: https://applemdm.example.com/some/path?foo=bar |
| StringPairs property_states; |
| if (!SplitStringIntoKeyValuePairs(profiles_stdout, ':', '\n', |
| &property_states)) { |
| return MacDeviceManagementState::kFailureUnableToParseResult; |
| } |
| |
| bool enrolled_via_dep = false; |
| bool mdm_enrollment_not_approved = false; |
| bool mdm_enrollment_user_approved = false; |
| |
| for (const auto& property_state : property_states) { |
| std::string_view property = |
| TrimString(property_state.first, kWhitespaceASCII, TRIM_ALL); |
| std::string_view state = |
| TrimString(property_state.second, kWhitespaceASCII, TRIM_ALL); |
| |
| if (property == "Enrolled via DEP") { |
| if (state == "Yes") { |
| enrolled_via_dep = true; |
| } else if (state != "No") { |
| return MacDeviceManagementState::kFailureUnableToParseResult; |
| } |
| } else if (property == "MDM enrollment") { |
| if (state == "Yes") { |
| mdm_enrollment_not_approved = true; |
| } else if (state == "Yes (User Approved)") { |
| mdm_enrollment_user_approved = true; |
| } else if (state != "No") { |
| return MacDeviceManagementState::kFailureUnableToParseResult; |
| } |
| } else { |
| // Ignore any other output lines, for future extensibility. |
| } |
| } |
| |
| if (!enrolled_via_dep && !mdm_enrollment_not_approved && |
| !mdm_enrollment_user_approved) { |
| return MacDeviceManagementState::kNoEnrollment; |
| } |
| |
| if (!enrolled_via_dep && mdm_enrollment_not_approved && |
| !mdm_enrollment_user_approved) { |
| return MacDeviceManagementState::kLimitedMDMEnrollment; |
| } |
| |
| if (!enrolled_via_dep && !mdm_enrollment_not_approved && |
| mdm_enrollment_user_approved) { |
| return MacDeviceManagementState::kFullMDMEnrollment; |
| } |
| |
| if (enrolled_via_dep && !mdm_enrollment_not_approved && |
| mdm_enrollment_user_approved) { |
| return MacDeviceManagementState::kDEPMDMEnrollment; |
| } |
| |
| return MacDeviceManagementState::kFailureUnableToParseResult; |
| }(); |
| |
| return state; |
| } |
| |
| DeviceUserDomainJoinState AreDeviceAndUserJoinedToDomain() { |
| static DeviceUserDomainJoinState state = [] { |
| DeviceUserDomainJoinState state{.device_joined = false, |
| .user_joined = false}; |
| |
| @autoreleasepool { |
| ODSession* session = [ODSession defaultSession]; |
| if (session == nil) { |
| DLOG(WARNING) << "ODSession default session is nil."; |
| return state; |
| } |
| |
| // Machines that are domain-joined have nodes under "/LDAPv3" or "/Active |
| // Directory". See https://stackoverflow.com/questions/32470557/ and |
| // https://stackoverflow.com/questions/69093499/, respectively, for |
| // examples. |
| NSError* error = nil; |
| NSArray<NSString*>* node_names = [session nodeNamesAndReturnError:&error]; |
| if (!node_names) { |
| DLOG(WARNING) << "ODSession failed to give node names: " |
| << error.localizedDescription.UTF8String; |
| return state; |
| } |
| |
| for (NSString* node_name in node_names) { |
| if ([node_name hasPrefix:@"/LDAPv3"] || |
| [node_name hasPrefix:@"/Active Directory"]) { |
| state.device_joined = true; |
| } |
| } |
| |
| ODNode* node = [ODNode nodeWithSession:session |
| type:kODNodeTypeAuthentication |
| error:&error]; |
| if (node == nil) { |
| DLOG(WARNING) << "ODSession cannot obtain the authentication node: " |
| << error.localizedDescription.UTF8String; |
| return state; |
| } |
| |
| // Now check the currently logged on user. |
| ODQuery* query = [ODQuery queryWithNode:node |
| forRecordTypes:kODRecordTypeUsers |
| attribute:kODAttributeTypeRecordName |
| matchType:kODMatchEqualTo |
| queryValues:NSUserName() |
| returnAttributes:kODAttributeTypeAllAttributes |
| maximumResults:0 |
| error:&error]; |
| if (query == nil) { |
| DLOG(WARNING) << "ODSession cannot create user query: " |
| << error.localizedDescription.UTF8String; |
| return state; |
| } |
| |
| NSArray* results = [query resultsAllowingPartial:NO error:&error]; |
| if (!results) { |
| DLOG(WARNING) << "ODSession cannot obtain current user node: " |
| << error.localizedDescription.UTF8String; |
| return state; |
| } |
| |
| if (results.count != 1) { |
| DLOG(WARNING) << @"ODSession unexpected number of user nodes: " |
| << results.count; |
| } |
| |
| for (id element in results) { |
| ODRecord* record = base::apple::ObjCCastStrict<ODRecord>(element); |
| NSArray* attributes = |
| [record valuesForAttribute:kODAttributeTypeMetaRecordName |
| error:nil]; |
| for (id attribute in attributes) { |
| NSString* attribute_value = |
| base::apple::ObjCCastStrict<NSString>(attribute); |
| // Example: "uid=johnsmith,ou=People,dc=chromium,dc=org |
| NSRange domain_controller = |
| [attribute_value rangeOfString:@"(^|,)\\s*dc=" |
| options:NSRegularExpressionSearch]; |
| if (domain_controller.length > 0) { |
| state.user_joined = true; |
| } |
| } |
| |
| // Scan alternative identities. |
| attributes = |
| [record valuesForAttribute:kODAttributeTypeAltSecurityIdentities |
| error:nil]; |
| for (id attribute in attributes) { |
| NSString* attribute_value = |
| base::apple::ObjCCastStrict<NSString>(attribute); |
| NSRange icloud = |
| [attribute_value rangeOfString:@"CN=com.apple.idms.appleid.prd" |
| options:NSCaseInsensitiveSearch]; |
| if (!icloud.length) { |
| // Any alternative identity that is not iCloud is likely enterprise |
| // management. |
| state.user_joined = true; |
| } |
| } |
| } |
| } |
| |
| return state; |
| }(); |
| |
| return state; |
| } |
| |
| } // namespace base |
