Our Visual Arts department kept bugging us about restricting all preference panes in their labs except Wacom Tablets, so I was obviously excited after reading this KB article (https://jamfnation.jamfsoftware.com/article.html?id=204) on adding custom preference panes to the restrictions payload. The only problem was...our JSS was hosted. We had no access to its backend and therefore could not make the necessary changes outlined in the article. I contacted support and this was their reply:
Unfortunately, because it is a shared instance of Tomcat, we're not able to make that kind of change. This might be something that can be changed in the future, I'm wondering if it might be a feature that we could try to developer right in the JSS or something, without having to adjust the Tomcat instance. But until then, our only option would be to host the JSS locally or change hosted to a dedicated hosted instance
I have since found a workaround and hope it helps others in the same situation. It felt more like a "duhh" moment than anything else. I'm pretty sure many of you already knew this was possible, but in case you didn't, here it is:
- On JSS, navigate to Computers > Managed Preferences and click "New" to create a new profile
- Name your profile, then scroll down the Options list and select "System Preferences" (not Global Preferences)
- Click the + sign to the right of "Enabled System Preference Panes"
- Keep the level set to "Computer-level enforced". User-level will not work - if you choose this and run "sudo jamf mcx" it'll say "There are no MCX Settings to apply at the computer level", so yeah...
- You can now remove the Preference Panes you want disabled, and add custom ones to be enabled. In my case I added "com.wacom.settingsPrefPane" to enable Wacom Tablets.
- Set the scope, save and you're done!
NOTE:
The new MCX settings might not apply right away if you're deploying to 10.9 machines most likely due to Mavericks' ridiculous plist caching thingy. A quick reboot did the job for me though.
