From f4c090468c8a86ea72f2554cb2cbcb3bd031b9e7 Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Fri, 14 Mar 2025 15:22:59 -0400
Subject: [PATCH] Custom OS settings: how to unsign profiles (#27100)

Fleet signs profiles for you

- Add redirect for the following user story
  - #26688
---
 articles/custom-os-settings.md | 6 ++----
 website/config/routes.js       | 1 +
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/articles/custom-os-settings.md b/articles/custom-os-settings.md
index 9f6cdf17d7..2dc2336bba 100644
--- a/articles/custom-os-settings.md
+++ b/articles/custom-os-settings.md
@@ -8,7 +8,7 @@ Currently, Fleet only supports system (device) level configuration profiles.
 
 You can enforce OS settings using the Fleet UI, Fleet API, or [Fleet's GitOps workflow](https://github.com/fleetdm/fleet-gitops).
 
-For macOS, iOS, and iPadOS hosts, Fleet recommends the [iMazing Profile Creator](https://imazing.com/profile-editor) tool for creating and exporting macOS configuration profiles.
+For macOS, iOS, and iPadOS hosts, Fleet recommends the [iMazing Profile Creator](https://imazing.com/profile-editor) tool for creating and exporting macOS configuration profiles. Fleet signs these profiles for you. If you have self-signed profiles, run this command to unsign them: `usr/bin/security cms -D -i  /path/to/profile/profile.mobileconfig | xmllint --format -`
 
 For Windows hosts, copy this [Windows configuration profile template](https://fleetdm.com/example-windows-profile) and update the profile using any configuration service providers (CSPs) from [Microsoft's MDM protocol](https://learn.microsoft.com/en-us/windows/client-management/mdm/). Learn more about Windows CSPs [here](https://fleetdm.com/guides/creating-windows-csps).
 
@@ -20,9 +20,7 @@ Fleet UI:
 
 3. Select **Upload** and choose your configuration profile.
 
-4. To modify the OS setting, first remove the old configuration profile and then add the new one.
-
-> On macOS, iOS, and iPadOS, removing a configuration profile will remove enforcement of the OS setting.
+4. To edit the OS setting, first remove the old configuration profile and then add the new one. On macOS, iOS, and iPadOS, removing a configuration profile will remove enforcement of the OS setting.
 
 Fleet API: API documentation is [here](https://fleetdm.com/docs/rest-api/rest-api#add-custom-os-setting-configuration-profile)
 
diff --git a/website/config/routes.js b/website/config/routes.js
index bcf6361486..ce8d1c81f4 100644
--- a/website/config/routes.js
+++ b/website/config/routes.js
@@ -877,6 +877,7 @@ module.exports.routes = {
   'GET /learn-more-about/ui-gitops-mode': 'https://github.com/fleetdm/fleet-gitops/?tab=readme-ov-file#fleet-ui',
   'GET /learn-more-about/certificates-query': '/tables/certificates',
   'GET /learn-more-about/gitops': 'https://github.com/fleetdm/fleet-gitops/',
+  'GET /learn-more-about/unsigning-configuration-profiles': 'https://fleetdm.com/guides/custom-os-settings#enforce-os-settings',
 
   // Sitemap
   // =============================================================================================================