Configuration Profiles best practice?

AVmcclint
Honored Contributor

When I started my job, the whole Casper 9.x environment was already set up by my boss's boss, who is now completely hands-off with the Macs. I was a relative Casper newbie, but not a Mac admin/engineer newbie. My first few months on the job were spent going over the setup to determine how to improve it and streamline it. There were some things that were done 100% right. There were some things that had room for improvement. And then there were things that were just flat out wrong. But without a solid Casper background, there are some things I really don't know if they are good or not.

Initially, the Configuration Profile was an obvious mess. Every possible configuration, AD Certificate and network setting we would ever need was rolled into a single Configuration Profile. I discovered that this wasn't such a good idea, because when I needed to change a single setting it involved pushing the entire Profile out to all the machines again, which would mess up the AD Certificates and the 802.1x setup. "There's got to be a better way." So I decided to break up the monolithic Configuration Profile into bits that made more sense and were more manageable. Now I have a profile for 802.1x & AD Certs (since they are tied together), a profile that controls removable media, and a profile for various things like Energy Settings, Login screen text, screen saver, etc. This means there are 4 Profiles installed on each Mac, including the MDM Profile.

My questions: What constitutes too many? What constitutes not enough? Does it make sense to create a Configuration Profile that only contains a single setting, so you can change just that one setting and not worry about upsetting the rest of the configuration? I'd also like to be able to add & remove settings as needed with minimal impact. Is there a more efficient way? My personal preference is to handle things like OS and app preferences via MCX in Workgroup Manager, but apparently those days are behind us now. "It's profiles all the way down!"

7 REPLIES

bpavlov
Honored Contributor

I've got about ~40 profiles. Not every computer gets every profile, but they will get most. You're on the right track regarding breaking things up. That I know of, I don't think the OS has a restriction on how many profiles it can have loaded so knock yourself out. I wish there were more things that were manageable via Profiles. Apple has been making improvements with each OS over the years but some things just can't be managed.

davidacland
Honored Contributor II

I agree with breaking them up into separate profiles. When we do a school deployment we typically have around 20-30. For businesses slightly less, as we don't feel we need to manage or lock down the users' devices quite as much.

I'm a big fan of profiles now. With tools like mcxtoprofile for managing third-party custom settings, and with the once, often or always flags, they are very usable.

10.9 and 10.10 have improved the reliability a lot as well.

I think there is still room for improvement when a profile fails to deploy to a device, around the retry / re-push options, but apart from that it's a good system.

Chris_Hafner
Valued Contributor II

Yea, the advice I've received from both Apple and JAMF engineers is to create a separate profile for each configured item. At the moment I'm still using a lot of defaults write commands. Hopefully I'll be shifting back to profiles this summer. Unfortunately they gave me my biggest administrative heart-a-stroke about a year and a half ago and I'm still smarting from it. Fortunately only two or three of my users noticed, and that gave me enough time to sort out the issue before my other ~640ish folks did.

gachowski
Valued Contributor II

Yep,

One setting at a time, if possible. I have spent days trying to get just one system pref blocked. All but my login window Configuration Profiles are one setting.

Might be a waste of time/work, but I think if there is ever an issue it will make troubleshooting many, many times easier.

I was thinking about opening an Apple tix/bug about this exact issue. Because Apple just shifted MCX to Configuration Profiles, the Profiles are not really set up to create one setting at a time like they should be. It would be a mess of settings, but having 4 sub-menus and tons of single settings like the Login Window doesn't make sense in a Configuration Profile world.

C

bentoms
Release Candidate Programs Tester

Yep one profile per payload.

Profiles don't composite as nicely as MCX did. So better to keep it simple.
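To make "one profile per payload" concrete: the following is an added Python example, not code from any poster in this thread or from Jamf. It takes a constructed monolithic profile of the kind the original post describes (login window text, screen saver and firewall payloads rolled into one) and splits it into one top-level profile per payload with the standard plistlib module. The identifiers, UUIDs and display names are constructed, and deriving each new profile's PayloadUUID from its identifier with uuid5 is an assumption chosen so that re-running the split produces the same UUIDs.

```python
import plistlib
import uuid

# Constructed sample: a monolithic profile with three unrelated payloads.
# Identifiers and UUIDs are placeholders, not values from the thread.
MONOLITHIC = {
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadScope": "System",
    "PayloadIdentifier": "com.example.everything",
    "PayloadUUID": "11111111-1111-4111-8111-111111111111",
    "PayloadDisplayName": "Everything (monolithic)",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.loginwindow",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.everything.loginwindow",
            "PayloadUUID": "22222222-2222-4222-8222-222222222222",
            "LoginwindowText": "Managed by IT",
        },
        {
            "PayloadType": "com.apple.screensaver",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.everything.screensaver",
            "PayloadUUID": "33333333-3333-4333-8333-333333333333",
            "idleTime": 600,
            "askForPassword": True,
            "askForPasswordDelay": 0,
        },
        {
            "PayloadType": "com.apple.security.firewall",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.everything.firewall",
            "PayloadUUID": "44444444-4444-4444-8444-444444444444",
            "EnableFirewall": True,
            "BlockAllIncoming": False,
        },
    ],
}

# Top-level keys copied from the monolithic profile onto every piece.
TOP_LEVEL_KEYS = ("PayloadVersion", "PayloadScope", "PayloadOrganization")


def split_profile(profile):
    """Return one top-level Configuration profile per payload in `profile`.

    Each piece keeps the payload's own PayloadIdentifier as its top-level
    identifier, so a later revision with the same identifier replaces it
    instead of installing a second copy. Assumption: a uuid5 derived from the
    identifier is an acceptable way to mint a stable top-level PayloadUUID.
    """
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a top-level configuration profile")
    pieces = []
    for payload in profile.get("PayloadContent", []):
        ident = payload["PayloadIdentifier"]
        piece = {
            "PayloadType": "Configuration",
            "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_URL, "profile:" + ident)).upper(),
            "PayloadDisplayName": payload.get("PayloadDisplayName", payload["PayloadType"]),
            # The inner payload keeps its own (different) UUID, as required.
            "PayloadContent": [dict(payload)],
        }
        for key in TOP_LEVEL_KEYS:
            if key in profile:
                piece[key] = profile[key]
        pieces.append(piece)
    return pieces


def to_mobileconfig(profile):
    """Serialise a profile dict as XML plist bytes (the .mobileconfig format)."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def round_trip(profile):
    """Parse the serialised bytes back, to prove the output is a valid plist."""
    return plistlib.loads(to_mobileconfig(profile))


def payload_types(profile):
    return [p["PayloadType"] for p in profile["PayloadContent"]]


if __name__ == "__main__":
    for piece in split_profile(MONOLITHIC):
        name = piece["PayloadIdentifier"] + ".mobileconfig"
        print(name, payload_types(piece))
```

Each piece can then be uploaded (or signed) on its own, so changing the screen saver timeout no longer re-pushes the login window or firewall settings.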

CasperSally
Valued Contributor II

Unlike most, we group settings. We do this because of the unreliability of profiles coming down in our environment. I want to make sure 100% of students get all security settings, and I don't know how you do that if they are broken out separately unless you're manually checking every machine.

One of our settings is to set a login window text. Techs know to check for that post image. If it's not there, the config profile didn't come down and they know something is wrong and computer cannot go out without it.

I've seen various errors with config profiles failing to come down (unable to decrypt profile, or I had one today with a weird error code). It's not a high percentage of errors - but even a few % of machines if they are missing security settings is too much.

So I have ~5 config profiles, one for students, one for staff, etc., all with a bunch of settings in them. I know JAMF wishes they were separated for ease of troubleshooting, but until I get rid of the various failures there's no way that will happen here, at least for the most important security settings. I've never had trouble grouping settings with certain settings not working, etc. This matches how we used to manage MCX.

It would be even better if there was some mechanism that if a profile install fails, have an option to re-try install.

At least the latest versions of JSS make the failed profiles easier to see. It was messy in 9.32 trying to gather which machines had which config profiles via extension attribute.
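The post-image check described above (look for the login window text to know the profile came down) can be made mechanical without visiting every machine by hand. As an added example, not code from this thread or from Jamf, the Python script below parses the output of `sudo profiles -P` (which lists installed profiles one per line, followed by a summary count) and reports which required profile identifiers are missing at computer level. The sample output and every identifier in it are constructed placeholders, and the list of required profiles is an assumption standing in for whatever a site treats as its must-have security profiles. The script refuses to report "pass" when the output does not parse, so a changed output format cannot silently hide a missing profile.

```python
import re
import subprocess

# Constructed sample of what `sudo profiles -P` prints: one line per installed
# profile plus a summary line. Identifiers are placeholders, not real ones.
SAMPLE_OUTPUT = """\
_computerlevel[1] attribute: profileIdentifier: com.example.mdm
_computerlevel[2] attribute: profileIdentifier: com.example.8021x-adcerts
_computerlevel[3] attribute: profileIdentifier: com.example.loginwindow
There are 3 configuration profiles installed
"""

# Assumed list of profiles every managed Mac must have before it goes out.
REQUIRED = [
    "com.example.mdm",
    "com.example.8021x-adcerts",
    "com.example.loginwindow",
    "com.example.removable-media",
]

LINE_RE = re.compile(
    r"^(?P<owner>\S+)\[\d+\] attribute: profileIdentifier: (?P<ident>\S+)$", re.M
)
COUNT_RE = re.compile(r"There (?:is|are) (?P<n>\d+) configuration profiles? installed")


def installed_identifiers(text):
    """Map owner (_computerlevel, or a user name) -> set of profile identifiers."""
    found = {}
    for m in LINE_RE.finditer(text):
        found.setdefault(m.group("owner"), set()).add(m.group("ident"))
    return found


def count_consistent(text):
    """True when the summary line agrees with the number of profile lines parsed.

    A mismatch (or no summary line at all) means the output format is not what
    this parser expects, so its result must not be trusted.
    """
    m = COUNT_RE.search(text)
    parsed = sum(len(idents) for idents in installed_identifiers(text).values())
    return m is not None and int(m.group("n")) == parsed


def missing_required(text, required=REQUIRED):
    """Required identifiers absent at computer level, in `required` order."""
    present = installed_identifiers(text).get("_computerlevel", set())
    return [ident for ident in required if ident not in present]


def check_mac(text, required=REQUIRED):
    """Return (ok, detail). Unparseable output is a failure, never a pass."""
    if not count_consistent(text):
        return False, "could not parse profiles output"
    missing = missing_required(text, required)
    if missing:
        return False, "missing: " + ", ".join(missing)
    return True, "all required profiles installed"


if __name__ == "__main__":
    # On a Mac, run the real command (needs root for computer-level profiles);
    # anywhere else, fall back to the constructed sample so the script still runs.
    try:
        out = subprocess.run(
            ["profiles", "-P"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_OUTPUT
    ok, detail = check_mac(out)
    print(("PASS" if ok else "FAIL") + ": " + detail)
    raise SystemExit(0 if ok else 1)
```

Run as a post-image script (or as the body of an extension attribute) it turns the manual login-window check into a non-zero exit status that the imaging tech, or a smart group, can act on; with one-payload-per-profile layouts the required list simply grows to one identifier per security setting.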

bpavlov
Honored Contributor

You can tell which machines the profile has installed on, failed on, or is still pending on through Casper. Obviously you have your reasons for doing things the way you do, but just wanted to point that out in case you weren't aware.