Jamf Nation Community

I was successful in running the Terminal command on a specific machine for:

defaults write com.apple.dock mcx-expose-disabled -bool true

This made Mission Control unusable (to reenable it just change "true" to "false". But how do I translate that to get it into JAMF? I attempted to put it in the Advanced > Run Command area of a policy, as well as made it a script that I added on a policy, but neither seems to work. Am I missing a user piece?

Try making it into either an MCX setting or a config profile.

For MCX, try these steps-
1. Create a new Managed Preference, choose Create Manually
1. Enter a name and description on the first tab, then click on the Definition tab
1. Choose User Level - Allowed and User Level Managed - Allowed
1. For Domain, enter: com.apple.dock
1. Key Name: mcx-expose-disabled
1. Change the Key type menu to "Boolean"
1. Now click back on the General tab and you should see the following settings-

• Apply Setting to: Make this preference unmanaged (with options for 3 different User Level settings under the menu)
• Domain: ~/Library/Preferences/com.apple.dock
• Key: mcx-expose-disabled
• Value: True / False

Just set those to the ones you want. For example, to User Level Enforced, and True, add in a Scope to a test group and see how it works.
Note that not all preferences can be user level enforced, but I'd try that first to see it it forces and locks down the setting on your user systems. If not, you may need to change to it User Level at Every Login for example.

For making this into a Config Profile, its a little more involved and I wouldn't be the person to guide you on that. There are some threads about adding in custom MCX stuff in Configuration Profiles. I just haven't done that much at all.

Hot diggity, I think that did the trick! Thanks for the clear and concise instructions! Making use of a custom MCX translated a bit of Greek to me and may make MCX more usable for us in the future too! Thanks Mike!

I followed the instructions to the "T" and it does not work for me. In fact, nothing I have ever tried with MCX in JSS has ever worked. I must be missing something. Does anybody have any other alternatives to disabling spaces?

@mm2270 Is the location for this preference file different now? I believe it's /Library/Preferences/com.apple.symbolichotkeys.plist

@mhatt Which OS version? I believe the above still worked as of 10.10 and 10.11, but I can't say I've ever tried it on 10.12, so perhaps something changed there. I'm not sure.

@mm2270 Quick response! We're trying to get mission control disabled on our macs in order for our state testing's secure browser to work properly. I've tried this solution at user level and at each login but haven't been able to get it working still. I even went the custom setting payload/profiles route. So far the only thing that works is to actually just completely delete the symbolichotkeys plist. (We're using 10.11 JSS version 9.96)

Hey @mhatt I think the issue is that it looks like you're trying to apply this as an MCX setting. Straight MCX is basically dead at this point, so I highly doubt its ever going to work that way, especially if you're trying to apply that to a recent version of OS X,.You'd probably fair better if you made a Configuration Profile out of this rather than the older MCX setting.

Have you looked at tools like mcxToProfile to help with converting MCX into a valid .mobileconfig profile?

We recently had this issue come up due to ELL (English Language Learner) testing using the ELPA software/app where Spaces needed to be disabled. Your testing software may vary of course, and normally we like to automate fixes for things like this via the JSS, but since this hit so few people we found the following solution to work and just instructed the user to do the fix as needed.

--->Further testing showed that the user can simply go to System Preferences > Keyboard > Shortcuts > and uncheck the bottom "Mission Control". Note that the first item in the list called "Mission Control" can be ignored. When done, close that window and then you can launch the ELPA NE Secure Browser successfully.

@mm2270 I get what you mean about MCX, I just thought that's what your original post meant so I tried it.

I have also tried uploading a xml converted plist as a custom setting via profiles. I get a weird result from that method, if I scope it out to a computer with a fresh install and go into keyboard > shortcuts it shows all mission control related boxes unchecked but the secure browser still flags it as enabled and won't continue. If I check the boxes and uncheck them again the browser runs just fine. My next thought was to set up a policy that just overwrites the plist.

@david.yenzer Hey David, we have our entire district doing the testing so turning it off by hand would def no be a viable option.

So far the only thing that's worked for us is a script that goes and deletes /Library/Preferences/com.apple.symbolichotkeys.plist

@mhatt Well, true, I was referring to MCX, but it was also a post from over 4 years ago! :) A lot has changed in that time, and Apple has declared MCX dead for OS X versions from about 10.9 and up (technically it still more or less worked on 10.9, but 10.10 really killed it for us)

So let me help you out in doing this. Here's how I would make this setting into a config profile:

1. Create a new plist on your Desktop with just the setting you want, named the same as the domain of the original Dock plist, by running: defaults write ~/Desktop/com.apple.dock.plist mcx-expose-disabled -bool true This creates a new "com.apple.dock.plist" file with just that one setting in it on your Desktop.
2. From Terminal again, run plutil -convert xml1 ~/Desktop/com.apple.dock.plist This is necessary to convert the plist into xml format for the JSS.
3. Log into your JSS, go to Configuration Profiles and click on "New" Name the profile. Configure anything else needed in that General section, like Site, Category, Distribution Method, and the Level. I suggest trying it as User level first since its a Dock setting, but it may also work as Computer level. I'm not sure though.
4. Click on the Custom Settings payload item, and click Configure. Click the Upload Property List File button there and locate the "com.apple.dock.plist" file on your Desktop. Upload it when its selected. It should bring in the settings, showing com.apple.dock as the domain, and with something like {mcx-expose-disabled=true} as the setting.
5. Now, test this profile out after saving it by scoping it to your Mac, or another test Mac you have access to. Once it applies, the Dock should automatically restart. If it works, once it restarts, Mission Control should no longer work, either by clicking the Mission Control icon, or by using the Mission Control key (F3) on the keyboard. I don't know if there's some other way to activate it, but I would try all the possible methods to see if it worked. Hopefully it does.

Keep in mind you can also create a standalone Config Profile, either with the method above and downloading it from the JSS after, or by using the mcxToProfile python script from Tim Sutton, that I mentioned above. And that .mobileconfig profile can then be deployed and installed using the profiles command in a pkg. That method may work a little more reliably, but I would try the above steps first to see if works before going the manual install route.

Post back if you decide to give this a try and let us know how it worked, or if it didn't.

@mm2270 Thank you for the detailed response!

I went ahead with trying the com.apple.dock.plist as a custom setting in a profile at user and computer level. Neither one worked for our secure browser.

I looked into Tim Sutton's mcxToProfile script but have run into some weird errors. For example I ran:

git clone https://github.com/timsutton/mcxToProfile.git

To get mcxToProfile installed.

I then ran the command:

./mcxToProfile.py --plist ~/Library/Preferences/com.apple.symbolichotkeys.plist --identifier MissionControlSpaces --manage Always --output MissionControlSpaces.mobileconfig

But I keep getting the output:

-bash: ./mcxToProfile.py: No such file or directory

Not sure what I'm doing wrong! Must be something with my script but if you spot something let me know!

As of now we've moved forward with the script:

rm -f /Users/*/Library/Preferences/com.apple.symbolichotkeys.plist

We've set this up in a policy that runs at logon ongoing. The reason for ongoing is that we have another policy that creates a local user that we want students to use for taking the test. The issue is even though the script is set to run after the user account is created and has a wildcard those setting can't be changed until the user account has been logged into at least once. So right now we have our techs using ARD to login a whole cart, logout, and log back in. It's tedious but we want them to check that the browser is working either way.

Hi @mhatt I'm sorry that didn't work. I actually went thru the same steps around the time I posted them and its working for me. I did have to killall Dock I believe one more time to fully activate it, but as of now, I cannot activate Mission Control either from the built in key on my MBP, or from the icon in the Dock or anywhere else I've tried. Its dead for me. But that's good, since it means it worked. I should note that I did not test on Sierra, so its possible if you're trying to do this on 10.12 that that is the difference and the reason for the discrepancy. I'll need to go back and test on Sierra when I get a chance.

But one other question. You said this in your post above

Neither one worked for our secure browser.

Can you elaborate on that? What is the secure browser you're using? And how are you determining that its not working? Does the browser try to detect settings when it runs and exits if things like MC are still enabled? Or does having MC on make the browser act weird? Sorry for the blast of questions. I don't work in edu so just trying to understand the situation better.

@mm2270 The browser we use is located here:

AzMERIT

We're basically trying to find an easy way to disable mission control and spaces in order for the secure browser to get to the login screen. Preferably via profile that way it's an instant push. Under your own user account on an individual computer it'd be easy to just run another killall dock but we're trying to find a one push mass solution.

The only other post I've found on here with the same problem is this:

Jamf Nation Post

However the launchagent solution that got the answer no longer works.

I know it's an old post. But, we are having the same issues. Any solutions to getting mission control disabled via JAMF? AZMerit coming up and in need of a solution. My only thought or idea is to create a custom user profile and let it recreate the profile after every login which has all the settings disabled. How to do this I'm not exactly sure just yet.