Help setting up Kext Config Profile as a dependency for Software Install Policy

bcbackes
Contributor III

I'm currently running JamfPro 10.7.1. I have a Kext configuration profile setup for Cisco AnyConnect and one setup for Palo Alto Traps. I then have a policy setup to install Cisco AnyConnect and another for Palo Alto Traps.

My question: What is the best way to setup the policy so the Kext is installed beforehand?

I'm suspecting a smart group might be the way to go, which, pulls in all the devices that have the Kext config profile installed on them. However, I'm not sure what to use for criteria for that smart group.

Any thoughts?

3 REPLIES 3

dmueller
Contributor

Hi @bcbackes

One though, depending on the version of OS you're supporting, if you know the profile UUID/identifier, you can set up an extended attribute to check if that particular UUID/Identifier is present.

You can run this to find the UUID on a system that has it already installed:

sudo profiles list -verbose

You can then write an extended attribute to look for that particular profile:

Example:

#!/bin/bash

myProfileID="EE9F75EB-384B-4222-87A2-268192973C49"
profileFound=$(profiles list | grep "$myProfileID" | awk '{print $NF}')

if [[ ! $profileFound == "" ]]; then
    echo "<result>present</result>"
else
    echo "<result>not present</result>"
fi

You can then create a smart group and base your deployment on that group membership.

Kind regards,
-dmueller

mschroder
Valued Contributor

@bcbackes As criteria for the smart group you can use 'Profile Identifier ' 'is' '...' directly, no need to create an extra EA or run anything in addition on the clients to report on the installed profiles. To find the id of the profile go to the Inventory / Profiles entry for a Mac that does have the profile installed already.

psliequ
Contributor III

Depending on how often you collect inventory or do check-ins you may see significant delays between the time a profile is installed and Jamf's acknowledgement of it in inventory. Have you considered just making static/smart groups in Jamf of computers that are eligible, authorized to run the software in question and just scope the profile to that? The presence of the profile if the software isn't installed does no harm and the OS will have had plenty of time to whitelist the kext by the time the software install happens.