Jamf-Custom-Profile-Schemas / ProfileManifestsMirror

Jamf JSON schema manifests automatically generated from ProfileCreator manifests (https://github.com/ProfileCreator/ProfileManifests)

pfm_value_inverted not implemented

davidbpirie opened this issue · comments

It appears support for the manifest key pfm_value_inverted has not been implemented; therefore, manifests which make use of this to invert boolean values end up with reversed behaviour, for example com.apple.preference.security.plist.

Good call. Should be able to normalize that

Another great example is com.apple.loginwindow and the keys SleepDisabled, RestartDisabled, Shutdown Disabled.

The problem is in the descriptions, which state "Show the X button", yet a true value for these keys will "Hide the X Button" in practice. I believe other boolean keys in that schema are affected as well.

Due to a bug in Sonoma with the HideAdminUsers key, and the way that Jamf handles this payload in their built-in GUI for configuration profiles, this particular schema might be seeing some additional use right now.

How would this be implemented in this repo, given that Jamf doesn't have any "inverted" concept? If pfm_value_inverted is true we would just reverse the boolean value?

@homebysix I think that would be the most sensible solution. Since we are only dealing with booleans, we know all the possible values (2) so inverting the value during conversion should provide the intended result.

I took a shot at implementing this. Does this diff look right?

Is there a reason for the double-parenthesis on all()?

The double-parens provide a single tuple to all(). Without it, you get this:

TypeError: all() takes exactly one argument (3 given)

I don't think flipping the default values is the right thing to do here. Looking at a couple examples, the defaults as documented by Apple were correct before the change.

For example: com.apple.AssetCache → DenyTetheredCaching. The default value is false: https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.AssetCache.managed.yaml#L96

But this change would make it true incorrectly:

I don't see a path forward for supporting this feature now, but we can revisit if Jamf ever adds support for inverted values.
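
Added example, not part of the thread or of this repository's code: since the conversion cannot express inversion, one practical check is to list every boolean key a source manifest marks with pfm_value_inverted, so the generated schema's descriptions can be reviewed against what the payload value actually does. The key names pfm_subkeys, pfm_name, pfm_type, pfm_default and pfm_title are assumed from the ProfileCreator manifest format, and the sample manifest is constructed.

```python
import plistlib

# Constructed sample manifest (not taken from the real ProfileManifests repo).
SAMPLE_MANIFEST = plistlib.dumps({
    "pfm_domain": "com.example.sample",
    "pfm_subkeys": [
        {"pfm_name": "ExampleDisabled", "pfm_type": "boolean",
         "pfm_default": False, "pfm_value_inverted": True,
         "pfm_title": "Show the example button"},
        {"pfm_name": "ExampleEnabled", "pfm_type": "boolean",
         "pfm_default": True},
        {"pfm_name": "Nested", "pfm_type": "dictionary", "pfm_subkeys": [
            {"pfm_name": "InnerDisabled", "pfm_type": "boolean",
             "pfm_value_inverted": True},
        ]},
    ],
})


def find_inverted_booleans(subkeys, path=()):
    """Yield (dotted key path, pfm_default) for inverted boolean keys."""
    for key in subkeys:
        here = path + (key.get("pfm_name", "?"),)
        # all() takes a single iterable, hence the tuple inside the call.
        if all((key.get("pfm_type") == "boolean",
                key.get("pfm_value_inverted") is True)):
            # The default is reported unchanged: the value written to the
            # profile keeps the meaning documented for the key itself.
            yield ".".join(here), key.get("pfm_default")
        # Nested dictionaries carry their own pfm_subkeys list.
        yield from find_inverted_booleans(key.get("pfm_subkeys", []), here)


def audit_manifest(plist_bytes):
    """Return all inverted boolean keys found in a manifest plist."""
    manifest = plistlib.loads(plist_bytes)
    return list(find_inverted_booleans(manifest.get("pfm_subkeys", [])))


if __name__ == "__main__":
    for key_path, default in audit_manifest(SAMPLE_MANIFEST):
        print(f"{key_path}: inverted in UI, payload default={default!r}")
```
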