Automating PPPC & System Extensions

macinblack
New Contributor III

I don't want to install every PPPC & System Extensions profile on every machine for all apps that need them. I work for a large organization and with the number of apps we have, doing that just seems messy. What I am considering is having a Smart Group configured for every app and scoping the individual config profiles to its respective smart group.

Perhaps I am overthinking this (which is not unheard of), but I am curious to know what other people are doing to control adding PPPC & System Extensions config profiles to endpoints.

3 ACCEPTED SOLUTIONS

SlidewaysF30
New Contributor III

That's pretty much how I am scoping them now. Each app that requires a PPPC profile gets a smart group to detect if it is installed and only then will it get the profile.

sdagley
Esteemed Contributor II

@bhardawa You're overthinking. We just apply them to all since the overhead is pretty minimal.

scottb
Honored Contributor

I agree with @sdagley - making more things to look over and troubleshoot seems like a waste of time as indeed, profiles are pretty minimal in taxing the system. I've not had any issues with this so far, but then again, I have maybe a dozen or so such profiles for the average customer, not 100s...

7 REPLIES

macinblack
New Contributor III

Thanks for the feedback, everyone. I will apply the config profiles to everything as a short-term solution and build the smart group solution over the next few weeks. There are some other uses for infrastructure I would need to configure to make work. I like having fine control over what's on my endpoints.

jchurch
Contributor II

One other thing to consider: if you have smart groups to look for an app and then apply the profile, the profile won't be there for some time after that app is installed. Depending on your inventory schedule, any such software requiring the profile will error out the first couple of times it's run, or simply fail to install altogether. I scope the PPPC profiles to all devices and have the smart group to make sure the profile is there before installing the software.

scottb
Honored Contributor

@jchurch has a good point. That's another benefit to scoping "all" when making profiles. Then, if you have an exception such as level of macOS, you can put those smart groups in there (exceptions tab) to not deliver the Profile to those Macs. Some likely won't harm anything, others might cause trouble.

macinblack
New Contributor III

@jchurch and @scottb, my app policies are structured like this:

AppName - Deploy
- Files and Processes option that executes: "/usr/local/bin/jamf policy -trigger [custom trigger]"

AppName - Install
- General configured with a custom trigger
- Packages option with the installation payload
- Scripts option if needed
- Maintenance option with only "Update Inventory" selected

AppName - Self Service
- Files and Processes option that executes: "/usr/local/bin/jamf policy -trigger [custom trigger]"

This setup gives me a lot of flexibility in scoping and I actually built out the smart groups this morning. It went faster than I was thinking because I forgot I can use "App Title" as a criterion instead of creating an Extension Attribute for each application. The actual installation package is in "AppName - Install" and triggers an inventory update after its contents install. This way, I always have current inventory of the applications installed on my endpoints, which means if I use smart groups that look for an application title or some other similar criteria and scope the smart group to the respective configuration profile, the profile gets applied right away. In testing so far, the whole thing is actually pretty elegant.