Enabling 3rd-Party Preference Panes when your JSS is hosted by JAMF

JAMAUAI
New Contributor II

Our Visual Arts department kept bugging us about restricting all preference panes in their labs except Wacom Tablets, so I was obviously excited after reading this KB article (https://jamfnation.jamfsoftware.com/article.html?id=204) on adding custom preference panes to the restrictions payload. The only problem was...our JSS was hosted. We had no access to its backend and therefore could not make the necessary changes outlined in the article. I contacted support and this was their reply:

Unfortunately, because it is a shared instance of Tomcat, we're not able to make that kind of change. This might be something that can be changed in the future, I'm wondering if it might be a feature that we could try to developer right in the JSS or something, without having to adjust the Tomcat instance. But until then, our only option would be to host the JSS locally or change hosted to a dedicated hosted instance

I have since found a workaround and hope it helps others in the same situation. It felt more like a "duhh" moment than anything else. I'm pretty sure many of you already knew this was possible, but in case you didn't, here it is:

- On JSS, navigate to Computers > Managed Preferences and click "New" to create a new profile
- Name your profile, then scroll down the Options list and select "System Preferences" (not Global Preferences)
- Click the + sign to the right of "Enabled System Preference Panes"
- Keep the level set to "Computer-level enforced". User-level will not work - if you choose this and run "sudo jamf mcx" it'll say "There are no MCX Settings to apply at the computer level", so yeah...
- You can now remove the Preference Panes you want disabled, and add custom ones to be enabled. In my case I added "com.wacom.settingsPrefPane" to enable Wacom Tablets.
- Set the scope, save and you're done!

NOTE:
The new MCX settings might not apply right away if you're deploying to 10.9 machines most likely due to Mavericks' ridiculous plist caching thingy. A quick reboot did the job for me though.

6 REPLIES 6

bentoms
Honored Contributor III
Honored Contributor III

@JAMAUAI, FWIW if you want to check for user level MCX you need to run:

sudo jamf mcx -username <username you want to check mcx for>

PhillyPhoto
Contributor III

How is this done in Configuration Profiles?

jcshofner
New Contributor III

I may be blind, but I do not see those settings anywhere! Using version 10.2.2...

Any guidance would be appreciated!

coev
New Contributor III

We are at 10.9 now and trying to see if this is doable.

drose66pens
New Contributor

Has anyone had any luck in getting this to work in 10.9? I'm stuck in the same predicament. I have a bunch of angry Wacom users with torches and pitchforks heading my way!

mm2270
Legendary Contributor II

@jcshofner, @coev and @drose66pens - The original post above is from 2014. It references Managed Preferences or MCX, which is outdated tech that doesn't exist anymore, unless you happen to be managing some Macs on pretty old versions of macOS. It was replaced long ago with Configuration Profiles, and Managed Preferences was removed from the Jamf Pro interface a while back as a result. So a config profile is the way you need to go now.

I would suggest when creating a profile using the Restrictions payload that you choose the "disable selected items" radio button as opposed to the "enable selected items" one. The latter ends up blocking any additional 3rd party Preference Panes not specifically listed in the "enable" list. The former only blocks or disables the ones you check, and will let extra ones to be used without being disabled.