Force Configuration Profile Application

New Contributor II

We are experiencing the usual JSS inconsistencies and need a way to force a Configuration Profile to be applied to a computer outside of the normal method of scoping.

For the sake of testing and troubleshooting, is there an easy to use script or terminal command to achieve this?


Contributor II

I have been previously used a policy to push the profile to a folder on the local machine, then a second policy scoped to a smart group based on the existence of that folder/profile which installs the profile.

this is done by using the script:

profiles -I -F /path/to/file/name.mobileconfig

need to make sure if you are using a local script you run with sudo, otherwise using a policy in the JSS should install as root.

If you install using the above command with sudo/JSS policy, it will install as a computer config, if you don't use sudo it will be a user config.

Contributor II

@BOBW That's a nifty solution, but what about just using the jamf binary?

Is there a way, like sudo jamf policy or mcx, to force the profiles to be downloaded and installed? I don't see anything promising in jamf help.

This may make a good Feature Request.

Contributor II

@JayDuff I have found pushing out config profiles with the JSS will sometimes be dropped, especially the 8021x profiles. Resortiung to this gives nearly 100% success.
As long as you can get the profile onto the machine you can use any method to install it including policies etc.
not sure how you would use MCX to download and install the policy though.

My workflow is as follows:
1. create composer pkg with the profile in the correct folder (usually a hidden folder inside /usr/local/)
2. then have a EA with a detection on the existence of that mobileconfig file
3. create a smart group with the result of the EA to true I also have the criteria for the thing I am changing, eg, if doing 8021x, then criteria is file exists and IP address is not what it should be
4. create script to install mobileconfig
5. Policy to run the mobileconfig install script scoped to that smart group and update inventory so it drops from the smart group

good thing about this is that whenever it drops out it then runs the policy again to enforce the change required.

To use the jamf binary you could possibly have the policy ran on a custom trigger which is then called by the binary.

I think the best solution though is to let the JSS do the work for you