Force install of Configuration based on Smart group

jalbert
Contributor

I have a smart group whose enrollment is based on an application being installed on the computer. I have a configuration profile that is scoped out to this smart group.

Currently I have computers in the smart group, but how do I get the configuration profile to apply? It doesn't appear to be on check-in. Does it check daily or some other way, or am I missing something?

Thanks,


mm2270
Legendary Contributor III

As soon as Macs fall into a Smart Group that is added to the scope of a Config Profile, the profile should push to the Macs, unless it has already been installed of course.
If you're not seeing newly added machines in Smart Groups get the profiles assigned to those Smart Groups, then something might be configured incorrectly.
As a test, if you manually add a machine into scope for the same Config Profile, does it come down to the device right away, or at least in a short amount of time?
One last question - is the profile you're talking about a User Level profile? Because if so, that is a different story.

jalbert
Contributor

@mm2270 Yes, when I add the computer specifically to the group it works instantaneously.

When I look at the configuration profile when it isn't pushing it out automatically, the pending says N/A, but the smart group does have 2 computers currently in it.

Configuration Profile:

Smart Group:

mm2270
Legendary Contributor III

Hmm. Curious. I wonder if there is some bug here you're seeing. Unless I'm just missing something, when a system enters a Smart Group, anything using that Smart Group as the scope for a push/deployment, etc. should become active for that system/systems. If it's a policy, the policy becomes active (assuming all other things are correct) and will run the next time the specific trigger runs. In the case of Configuration Profiles, it should push down right away since it's over the Apple Push service.

I'll do some testing to see if I have any similar problems. Just wondering, but what version of Jamf Pro are you on? I can only test with our cloud instance, which is on the latest, 10.10.1.

jalbert
Contributor

@mm2270 We are on 10.9 still, updating soon. I would be interested in what you find, thank you.

ryan_ball
Valued Contributor

Is the Configuration Profile level set to Computer level or User level?

mm2270
Legendary Contributor III

What @ryan.ball asked. I asked the same question earlier but I didn’t see an answer on that.

I’m happy to run some tests, but before I do that, can you let us know what level the profile is set to? Because user level profiles act differently than system ones.

jalbert
Contributor

@ryan.ball, it is set at the user level.

ryan_ball
Valued Contributor

@jcalvert That's why it shows n/a. User level profiles install at login if the user falls in the scope of the profile. So it could be installed on a single machine multitudes of times depending on if the users fall into scope.

Do you want it to apply to all users on the system? If so, then choose computer level. If you only want to install it for specific users, you'd need to additionally limit the scope to an LDAP group or local/LDAP user list. It will still show n/a there, but you can check the completed management commands for the device or the profile section to make sure the profile installed.

jalbert
Contributor

@ryan.ball you got it. I changed it to computer and it fired instantly. The reason I wanted to do the user was I didn't want the configuration profile to affect the management account, which it appears to do.

Basically, we want to restrict our users from creating accounts and are disabling the users and groups in System Preferences. However, if we (management account owners) need to do something, it appears to be disabled for us too.

In my testing, what I probably did was set it to computer, noticed the issue, changed it to user level and noticed I could get in on the management account side again, then came time to test on other computers and it was broken - hence the discussion today.

Any suggestions on how to best handle this? We want it disabled for the user, but not the management account.

ryan_ball
Valued Contributor

@jcalvert Two options:

  1. You could change it to user level, under scope > targets, target the machines you want the config profile on using the smart group you already have. Then under exclusions, add in an LDAP/Local user specifying the management account name.
  2. You could leave it computer level and have it apply to all of those machines, then you can create a self service policy which runs a script that allows you to create users on the fly pretty easily based on osascript dialog user input or cocoadialog input. This policy could be scoped to all machines and limited to only those users who should be able to create users. I'm sure somebody has an example script for this somewhere.