I have noticed buggy behavior in config policy exclusions and I can reproduce it reliably.
I have a config policy set that will only enable certain widgets in System Preferences, and the scope is a computer smart group ("Student Computers"), and I have one exclusion set for a single LDAP/Local user ("Admin").
However, the first person to log in after a reboot sets the config profile, and after that it doesn't matter who logs in. For example, on a freshly booted MacBook, if a student logs in they will have most of the widgets in System Preferences disabled. Then, they log out, and I log in as Admin. I also have the widgets disabled. In order to have access to the widgets again I have to reboot the Mac and log in as Admin before any student does.
Conversely, if I log in as Admin first on a freshly booted MacBook, I will have access to all the widgets. But then if I log out and a student logs in, they also have access to all the widgets. In order for this not to be the case, the MacBook must be rebooted.
I do not believe this is intended behavior, right? You should not have to reboot in between logins for a config profile to behave correctly.
