Creating configuration profiles: Manually? Profile Manager? Some other tool?

stevenjklein
Contributor II

I have two requirements that Jamf thinks are in conflict. I need to:

  • "require password" after sleep or screen saver, and
  • Allow users to turn their firewall on/off.

I should be able to create a config profile that just does the "require password" bit while not touching the firewall setting, right? And then use Jamf to push that profile to our Macs?

It's been years since I've had to create config profiles from scratch. Is Apple's Profile Manager the best tool? (Requiers buying macOS Server, but that's only $20.)

Are there other apps for creating config profiles?

Is there a tutorial for creating configuration profiles manually (with a text editor, for example)?

8 REPLIES 8

cpresnall
Contributor

We've been using Profile Creator for those simple options where you don't want to lock out a whole panel for a single item.
https://github.com/ProfileCreator/ProfileCreator

rhooper
Contributor III

@cpresnall Are you using JAMF to push out the selected item(s) restrictions? If so, How?
If I Am reading this right the program can be used to limit certain aspects of System Prefs item? Example: We would like to block access to FileVault2, but cannot do that in JAMF without blocking access to Security and Privacy (S&P) as a whole. Will the program allow only the blocking of FV2 without blocking the entirety of S&P in System Preferences?

stevenjklein
Contributor II

@cpresnall : Thanks! I hadn't previously heard of ProfileCreator, but it's just what I needed.

@rhooper : I've never heard of someone trying to block access to FileVault2. We actually use a Jamf config profile to force FV2.

I'm not sure why you want to block it, but perhaps if you explain your reasoning, your fellow Jamfers might be able to offer a better suggestion.

If your concern is that users might block access to data you need, then you can enable FV, and use Jamf's "recovery key redirection" and "enable escrow" to get a copy of the key on the Jamf server.

rhooper
Contributor III

I was just using FV2 as an example.

cpresnall
Contributor

@rhooper Correct. We use it to create a much smaller profile (fewer features touched or locked) and then push out the profile through Jamf. Create your profile and save it. Go to Jamf and upload the profile. Scope as appropriate and enjoy.

sdagley
Honored Contributor II

To expand on @cpresnall said, be sure to sign the profile you're saving from ProfileCreator so that Jamf Pro won't make any changes to it before deployment.

rhooper
Contributor III

Thanks. I will try it. and see if there are any issues. It sounds like a pretty cool and easy to use program.

stevenjklein
Contributor II

Thanks again to @cpresnall and @sdagley!
I created a profile using ProfileCreator, then signed it and uploaded it. Worked perfectly!