Support Apple Service Configuration Files (Declarative, Tamper-Resistant) #33921

@AdamBaali

Description

Gong snippet: TODO

Problem

customer-sondy needs a way to deploy configuration files on macOS devices in a tamper-resistant / immutable fashion so that key configuration data cannot be altered by users or rogue processes. The existing approach (scripts + checks) is reactive and error-prone.

Apple’s “Service Configuration Files” declarative model allows supervised macOS devices (on macOS 14+) to have managed configuration files that take precedence over local settings, mounted in special service-specific locations, and designed to be immune to tampering.

Fleet currently lacks support for this native declarative configuration model, limiting its ability to enforce service-level configurations reliably.

What have you tried?

  • Deploying files with scripts or profiles, then using verification scripts to detect drift.
  • Periodically reapplying the correct version.
  • But these are not atomic, not enforced by the OS, and delay detection/recovery.

Potential solutions

Implement support in Fleet for Apple’s Service Configuration Files declarative configuration:

  • Accepting a .zip archive containing the service configuration file(s), mirroring the directory layout, per Apple’s spec (Apple Support).
  • Exposing payload settings:
    • ServiceType (reverse-DNS identifier for the service)
    • DataAssetReference (reference to the archive)
  • Ensuring the archive is expanded into the OS’s special tamper-resistant location so it takes precedence over local files.
  • Reporting drift or tampering via status reporting / compliance metrics.
  • Supporting deployment only on supervised macOS devices with macOS 14+ (per Apple’s requirements).
  • UI/UX for administrators to upload the asset, map it to services, and view compliance status.

What is the expected workflow as a result of your proposal?

  1. Admin creates a .zip archive of configuration files, mirroring the directory structure.
  2. In Fleet, admin configures a “Service Configuration” policy:
    • Sets ServiceType (e.g. com.mycompany.myservice)
    • Uploads the archive as DataAssetReference
    • Targets it to supervised macOS (macOS 14+) devices.
  3. On each device, Fleet ensures the archive is expanded to the OS-managed, tamper-resistant location.
  4. If the service or local configuration attempts to change those files, the OS honors the managed version instead.
  5. Fleet monitors for compliance / drift (e.g. if the archive is missing or corrupted) and reports in UI.
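The workflow above, sketched as an added example (not code from the issue or from Fleet): it builds a reproducible archive, emits a configuration declaration with the `ServiceType` and `DataAssetReference` settings plus the data asset it points to, and checks the hosted archive against the declared hash. The declaration type strings and the asset keys (`DataURL`, `Hash-SHA-256`, `Authentication`) are assumptions based on Apple's declarative device management schema and do not appear in the issue; the identifiers, URL and file path are constructed.

```python
import hashlib, io, json, zipfile
from pathlib import PurePosixPath

def build_archive(files):
    """Zip {relative_path: bytes} reproducibly; return (zip_bytes, sha256_hex)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(files):                      # stable entry order
            p = PurePosixPath(path)
            if p.is_absolute() or ".." in p.parts:      # layout must stay relative
                raise ValueError(f"unsafe archive path: {path!r}")
            info = zipfile.ZipInfo(path, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            info.create_system = 3                      # same header on every OS
            zf.writestr(info, files[path])
    data = buf.getvalue()
    return data, hashlib.sha256(data).hexdigest()

def build_declarations(service_type, asset_id, data_url, data, digest):
    """Return (asset, configuration) declarations; key names are assumptions."""
    asset = {
        "Type": "com.apple.asset.data",
        "Identifier": asset_id,
        "ServerToken": digest,          # changes whenever the archive changes
        "Payload": {
            "Reference": {"DataURL": data_url, "ContentType": "application/zip",
                          "Size": len(data), "Hash-SHA-256": digest},
            "Authentication": {"Type": "None"},
        },
    }
    config = {
        "Type": "com.apple.configuration.services.configuration-files",
        "Identifier": asset_id + ".config",
        "ServerToken": digest,
        "Payload": {"ServiceType": service_type, "DataAssetReference": asset_id},
    }
    return asset, config

def archive_drifted(served_bytes, asset):
    """True if the hosted archive is missing or no longer matches the declared hash."""
    if served_bytes is None:
        return True
    declared = asset["Payload"]["Reference"]["Hash-SHA-256"]
    return hashlib.sha256(served_bytes).hexdigest() != declared

if __name__ == "__main__":
    files = {"etc/myservice/myservice.conf": b"log_level = info\n"}  # constructed sample
    data, digest = build_archive(files)
    decls = build_declarations("com.mycompany.myservice", "com.example.asset.myservice",
                               "https://mdm.example.com/assets/myservice.zip", data, digest)
    print(json.dumps(decls, indent=2))
```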

Labels

  • :help-gtm-ops (Tasks related to 🚂 fleetdm.com/handbook/company/go-to-market-operations.)
  • customer-sondy

Projects

Status

🦢 Done
