Bug in Config Policy Exclusion Logic

Morningside
Contributor II

I have noticed buggy behavior in config policy exclusions and I can reproduce it reliably. 

I have a config policy set that will only enable certain widgets in system preferences, and the scope is a computer smart group ("Student Computers"), and I have one exclusion set for a single LDAP/Local user ("Admin").

However, the first person to log in after a reboot sets the config profile, and after that it doesn't matter who logs in. For example, on a freshly booted MacBook, if a student logs in they will have most of the widgets in System Preferences disabled. Then they log out, and I log in as Admin. I also have the widgets disabled. In order to have access to the widgets again I have to reboot the Mac and log in as Admin before any student does.

Conversely, if I log in as Admin first on a freshly booted MacBook, I will have access to all the widgets. But then if I log out and a student logs in, they also have access to all the widgets. In order for this not to be the case, the MacBook must be rebooted.

I do not believe this is intended behavior, right? You should not have to reboot in between logins for a config profile to behave correctly.

3 REPLIES

Anonymous
Not applicable

Hi, try to reconnect the client via "sudo jamf -recon" and look for changes after the client was reconnected to the Jamf® server. Sometimes, the changes are not transmitted to the client after saving the changes in the Jamf® backend. I found out that after reconnecting the client, the settings were active.
If it were possible to do an active push to the client (like immediately pushing an installation job), I would be glad. Unfortunately, the only way to push an installation job to the clients is the timer for the check-in.

Thank you for the input. I have tried this on several MacBooks in my school but they are all still exhibiting this behavior. If you want to exclude a user from a config profile you have to reboot between logins.

Morningside
Contributor II

Incidentally, I got this resolved. I was using the wrong option in General. I needed user-based; instead, I was using computer-based.