Config Profiles best practices

jwojda
Valued Contributor II

I believe it's best to use a layer config profile, with as few settings as possible for each one, and then layer them on top of each other. Does that mean I should create a FULLY open profile where everything is allowed, and then layer on more restrictive ones?

Taking login window for example.

Should I enable everything and then create another one that disables what I want? How does that work when a config has multiple tabs (keeping with login window, it has "Window", "Options", "Access", "Script")?

I want to have some settings in Window set, as well as some in options but probably ignore the Access/Script sections. In my head, I want to create a profile for Login Window to set, and then a 2nd with Login Options. But then what about the other Access/Script sections? I don't want to set anything in them, but they are tied to each config profile...

9 REPLIES

adamcodega
Valued Contributor

Don't scope two profiles to one computer that will conflict with each other. That means no to your fully open profile question.

Use separate profiles if it makes sense, like VPN for example. If you have two needs that are in the same payload section, I would put them in one profile unless you are scoping them to different sets of users.

I have login window and security preferences in one profile since they are scoped to all users and are two payloads.

donmontalvo
Esteemed Contributor III

We actually had Apple come in this past week to witness what we were seeing. Two device-level Restrictions Configuration Profiles applied to one computer did not behave as expected. He went back to Apple with what might be a bug.

--
https://donmontalvo.com

RobertHammen
Valued Contributor II

I strongly subscribe to the "one profile per category" theory (except for those in areas that won't conflict, like Certificates or VPN). Having 2 Restrictions profiles with different composite settings is asking for trouble.

Also, be aware that some settings used to add more than one category to a profile... Not sure if that is still the case, but...

donmontalvo
Esteemed Contributor III

Agreed, it may be that Apple has to build in controls to prevent creating race/conflict conditions, but we figured we'd ask them. Apple visited to test and left with info, should get a response soon, hopefully with a clear article specifying what may or may not be combined, etc.

--
https://donmontalvo.com

mm2270
Legendary Contributor III

Yeah, it's a little hard to predict how two profiles with differing settings applying to the same domain will react, other than to say the results may not be what you'd expect. Generally speaking I think the rule is that the more restrictive profile wins, but how it actually determines what's more restrictive is the part that isn't so clear. In some cases, it's easy to figure out. For example, one profile that leaves all System Preferences enabled and another profile that locks down a few Pref Panes - the one that locks a few down will get applied. But what if they both lock down Preference Panes, but a differing set? Does it merge them, or does it figure out which one to apply? I'm sure you can test that to figure it out, but my opinion on it is as @RobertHammen and @adamcodega both mentioned, just don't do it. One profile per category is what you should be doing. Overlapping profiles trying to affect the same stuff is just asking for trouble.

jwojda
Valued Contributor II

But what about the different tabs in each config?
Let's take the restrictions settings. It's nice that they are all grouped together, but then I have to set all restrictions tabs the same because I have 2 different policies. One that restricts the MAS and one that doesn't.

On some machines I need the MAS opened, but on the rest I do not. But they share the other parts of the restrictions (system preferences).

...
I guess to try and explain better my question.

I want to create Profile XYZ that will be used on some machines but not all

Inside Profile XYZ there's options under
Tab 1 | Tab 2 | Tab 3

Would I create 3 Profile XYZs? One for each tab? And then assign the profiles as needed? What about the times when a profile pre-sets some options for each tab but I can't de-select the option (like a radio button type where at least one has to be selected, even though I don't want to do any settings in that tab)

gachowski
Valued Contributor II

I ranted about this in another thread. Apple needs to get this cleaned up... they took a messed up MCX interface and just slapped config profiles on top... my fav example: there are too many places to set the screen saver time and lock... and they are in different profile settings...

I know they will never do it but there can't be any sub menus... with profiles it should be one setting on or off per profile. Yes, the UI would be a pain but from the management of the clients point of view it's the best way.

I have to set the screensaver time but I could care less what screen saver... but because they used the messed up MCX UI and structure I have to try to set to null or hope that the settings that I don't want to manage won't be enforced. In the login window settings the sub menus have sub menu settings; yep, that is going to be easy to set up...

I understand back in X.7 when Apple was a small company but it's been 4 years and Apple has replaced enough old code (experience) and has the resources to do it right.

C

I guess I should try and help you out John :) I don't think you can do what you want easily; I think you are going to have to build your own custom profiles...

I would use Profile Manager on Mac OS X Server and cut out the settings you don't want, then upload that profile to the JSS. That said, I have had issues uploading custom profiles that are the same as one in the JSS. I have assumed that it's my server that is messed up and add the profile manually in my build. It's a lot of testing and time but you should be able to get what you need...

donmontalvo
Esteemed Contributor III

Got a response from Apple SE, basically "Don't do that". :)

They pointed to:

Payload best practices

--
https://donmontalvo.com

makander
Contributor

I like this part:

"If you have multiple profiles containing similar payloads with different settings, the resulting behavior is undefined."

There's a couple of places I've seen the login window being affected within the JSS and the Configuration Profiles:

  • Security and Privacy
  • Login Items
  • Login Window

... Would the best practise then be to just build one big profile? Hrm..
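
The overlap this thread warns about (two profiles carrying the same payload type with different settings) can be checked before profiles are scoped to the same computers. The following is an added example, not part of the thread and not Jamf or Apple code; it assumes unsigned `.mobileconfig` files, and the profile names and setting values in it are constructed samples.

```python
import plistlib
from collections import defaultdict

# Metadata keys present in every payload; they are not managed settings.
META_KEYS = {"PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion",
             "PayloadDisplayName", "PayloadDescription", "PayloadOrganization",
             "PayloadEnabled"}

def load_profile(data: bytes) -> dict:
    """Parse an unsigned .mobileconfig (XML or binary plist)."""
    profile = plistlib.loads(data)
    if not isinstance(profile.get("PayloadContent"), list):
        raise ValueError("not a configuration profile: no PayloadContent array")
    return profile

def find_payload_overlaps(profiles):
    """Return (overlaps, conflicts) for profiles scoped to the same computer.
    overlaps:  payload type -> profiles that carry it (more than one)
    conflicts: (payload type, key) -> {profile: value} where the values differ"""
    owners = defaultdict(set)
    seen = defaultdict(lambda: defaultdict(dict))
    for profile in profiles:
        name = profile.get("PayloadDisplayName") or profile.get("PayloadIdentifier", "?")
        for payload in profile["PayloadContent"]:
            ptype = payload.get("PayloadType", "?")
            owners[ptype].add(name)
            for key, value in payload.items():
                if key not in META_KEYS:
                    seen[ptype][key][name] = value
    overlaps = {t: sorted(n) for t, n in owners.items() if len(n) > 1}
    conflicts = {(t, k): by for t, keys in seen.items() for k, by in keys.items()
                 if len({repr(v) for v in by.values()}) > 1}
    return overlaps, conflicts

def _sample(name, payloads):
    # Constructed sample profile, round-tripped through plist bytes like a real file.
    return load_profile(plistlib.dumps({
        "PayloadType": "Configuration", "PayloadDisplayName": name,
        "PayloadIdentifier": "example." + name, "PayloadContent": payloads}))

SAMPLES = [
    _sample("LoginWindow-A", [{"PayloadType": "com.apple.loginwindow",
                               "SHOWFULLNAME": True, "LoginwindowText": "Authorized use only"}]),
    _sample("LoginWindow-B", [{"PayloadType": "com.apple.loginwindow", "SHOWFULLNAME": False}]),
    _sample("ScreenSaver", [{"PayloadType": "com.apple.screensaver", "idleTime": 600}]),
]

if __name__ == "__main__":
    overlaps, conflicts = find_payload_overlaps(SAMPLES)
    print("same payload type in several profiles:", overlaps)
    print("keys set to different values:", conflicts)
```

An overlap without a conflict (the same payload type in two profiles, disjoint keys) is still worth reviewing, since the quoted guidance calls the behavior of similar payloads with different settings undefined.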