Configuration profiles best practice

swhps
Contributor III

What is the best way to make config profiles, all in 1 or separate them out?  Trend Apex one has listed out 6 of them and I wonder if combining them all into one profile is better than having 6 different ones.  

swhps_0-1627495665073.png

 

3 REPLIES 3

twall
New Contributor III

In my experience, separating them out into one payload per config profile is the best practice. I just last week had an issue where a config profile with two separate payloads was set up and intermittently failing on my new fleet of M1 macs. Splitting the payload allowed me to keep the failing portion of the profile excluded from the M1s, while still keeping the good portion scoped. 

AJPinto
Contributor III

General best practice. Keep one payload per Configuration Profile where it makes sense. Certainly do not manage more than one application or function with a single Configuration Profile if they are not related.

 

For example if you are Managing FileVault, MacOS Updates, and something else random like the wallpaper in a single Configuration Profile. If you need to change the wallpaper you will also need to mess with FileVault and MacOS Updates when you make this change. Where if everything was separate you update wallpapers it can crash and burn and all other Configuration Profile will keep working without issue. Nothing like losing control of macOS updates because you had a problem with Wallpapers. Dont even get started on exclusion, say someone needs to be excluded from the standard wallpaper if its nested with updates and FileVault they also get exempted from those.

 

The only time I put multiple payloads is if they pertain to the same application, security application typically need multiple payloads to get the permissions they need for example. 

jefff
Contributor II

I agree with the above recommendations and I remember being taught in Jamf 300 class that it is best to limit profiles to one payload per profile.