Skip to main content

Hey all,



I work in a small school district & I'm working on our new images (10.7 for WhiMacs & 10.10 for all of the aluminum models) for deployment this summer. I was hoping to start using configuration profiles a little more heavily. We tried doing this last year and couldn't get it to work, but I could've sworn I saw something in one of the previous JSS version release notes that said they'd fixed scoping to local users... We've just recently upgraded our JSS to 9.62.



So, here's the dealio. Our image has 3 local users (student, teacher & hidden admin). I'm mostly concerned with the student account. Specifically, I want to be able to "lock down" both the student dock & desktop background (and a few other things). The problem is, I also am not allowed to lock down these items for the teacher user, so I need to scope only to the student user.



We have (in previous years), set the "system immutable" flag on these items. That worked up until last year, when Mavericks changed the desktop background from a plist to a .db file. Now, the system doesn't seem to honour the immutable flag on that file (student can still permanently change the background).



This current year (on our mavericks image), I set up a launch agent that runs a script which "refreshes" the student side on login. I'll go back to doing that if I need to, but it's clunky (takes a few seconds after login to run) and not very elegant (It had a tendency to eventually get caught in a repeating loop, for some reason). It's also not running reliably on the 10.7 image. I'd prefer to be able to use profiles if possible.



I've set up my config profile (user level) to customize the dock, scoped it to my test computer group and set a "limitation" on the scope to apply only to the "student" user. If I look at the Management tab (in the JSS) of one of the test computers and specify the local user "student", the profile appears (so far, so good). Unfortunately, the dock remains unchanged for both 10.7 & 10.10.



Any advice or insight would be greatly appreciated.

I'm under the impression that scoping config profiles to users only works for mobile accounts, the limitations tab is network segment/network users only.



Another option would be to download the config profiles and deploy them to the Student account via policy/at imaging, you'd just want to make sure they're exactly what you want before doing so.

Thanks Matt,



I got a similar response from our account rep. I was confused since the "limitations" tab specifically says "LDAP/Local Users", which had me assuming it would apply to local users (go figure).



I'm assuming we'll need to make changes to the student dock on the fly during the school year, so unfortunately a static config profile installed at imaging doesn't provide us with the flexibility we'd need.



I may have to use a static config profile to lock the desktop background and go back to setting the system immutable flag for the dock & other plists.

@yukonluke There are other ways possible to manage things such as the dock (e.g. https://github.com/kcrawford/dockutil ), it just means you may need to use multiple different tools to accomplish the job you are wanting to do.

@Matt.Sim I think you're right, we've been using dockutil to modify the dock for a few years now. Most of our dock scripts that we've added to our JSS use dockutil as the foundation.



I think we'll continue to use it this year as well. It's a great tool.



I was hoping that I could be lazy and use the Config. Profiles as a single-step, GUI based option, but I've come to terms with the fact that we'll likely need to continue scripting our dock modifications. I'm assuming our workflow will be something like:
- remove system immutable flag with chflags
- use dockutil to modify dock
- readd system immutable flag



Thanks again for taking the time to help.

Terms & ConditionsCookie settings