RFE: Inspector for "stdout" on macOS

Please vote!

Given Apple’s recent security-oriented changes to macOS – in particular increasingly constrained abilities of root due to SIP – BigFix is no longer able to access certain parts of the files system. This limitation increasingly prevents reading .plists or other files in cases where inspectors are not available. In addition, there are wide variety of Apple shell utilities which can easily provide information only available to them, or in a form that is only otherwise available through complex chicanery (e.g. ioreg).

An inspector of “stdout of”, perhaps constrained to limited subcommands in a read-only context, and a narrow timeout window, would be very useful in filling this gap.


Voted! fdesetup status would be fantastic too.

Nice catch. I’ve added fdesetup status to the list.

Just be aware that this will likely never happen. The issue is that our rules are that inspectors cannot alter the system in any way and running an executable can definitely do this. In an action this makes a lot of sense but not in an inspector. Also its possible to run something that hangs and never comes back so thats an issue as well.

I’d rather add inspectors for what is needed, making some things a bit more generic. The executable dscl has been mentioned and as we use that for AD, we have code to inspect the underlying data but not in a generic way.

For sure, I’d love to see native inspectors negate this need. But given the lack of platform parity in inspectors, particularly in Windows vs not-Windows, and the lack of an inspector for an escape valve API (.e.g WMI), it seems like limited access to stdout would be such an escape valve.