Posted on 02-12-2016 10:02 AM
I created a config profile to enable Time Machine. Since most of the Macs in our environment are not MDM capable, pushing that profile is not going to serve the purpose. So I thought of creating a policy that can be made available through Self Service. I have the profile downloaded as a .mobileconfig file. Can someone please guide me as to how I should package it so that I can add it to a profile? Also, the mobile users are not local admins on their Macs.
Posted on 02-12-2016 10:18 AM
.mobileconfig profiles can be installed on a Mac using the profiles command.
Generally to do this in a .pkg format, you would place the .mobileconfig file in a standard directory on the Mac you're creating your package on. A simple example would be to place it in /tmp/
Once there, open Composer and drag the mobileconfig file into the sidebar in Composer to create a new source. It will copy in and should show you something like this once all the arrows are turned down:
▼ private
▼ tmp
▼ my.mobileconfig
Now from here, you can turn down the arrow in the Composer source panel, then right/control click on the Scripts folder, and choose Add Shell Script > postinstall. Click into the script and add code like this:
/usr/bin/profiles -I -F /private/tmp/my.mobileconfig
Change the "my.mobileconfig" to the actual name of the mobileconfig file in the above. When your package is built, this script will run after it drops the payload of the mobileconfig into /tmp/ and attempt to install it.
I may be glossing over a few items or steps, but that's the general idea. Hope that helps.
Posted on 02-12-2016 12:35 PM
Thanks for your response @mm2270. I tried the steps you mentioned above. After that I added the .pkg to a policy and ran it through Self Service on a test Mac. The profile is not getting added. I also tried the "Install on boot drive after imaging" and "Requires restart" options (although not sure if that's reqd or not) but that too didn't help. Did I miss some steps in Composer that you forgot to mention, maybe? How about building it as a dmg? Thanks again.
Posted on 02-12-2016 12:40 PM
@pawan.joshi you need to package it as a .pkg in order to be able to run the
/usr/bin/profiles -I -F /private/tmp/my.mobileconfig
that @mm2270 mentions.
Posted on 02-12-2016 12:48 PM
@pawan.joshi You can't build something like the above as a DMG, since DMGs can't run scripts. DMGs are used for simply placing files on the system in whatever directories they are in within the disk image.
As for why it didn't install from your .pkg, the first thing I would do is try manually installing your mobileconfig file on a test system using a command similar to the above, but put sudo in front of it. For example, say your mobileconfig file is currently on your Desktop, you might try doing something like this.
sudo profiles -I -F ~/Desktop/my.mobileconfig
If you get any errors when manually installing it, then there's something wrong with the Configuration Profile itself and that would need to be fixed before going forward. If that works OK and you can see the new profile installed in System Preferences, then post back and we'll see if we can figure out why it won't work in your package.
Posted on 02-12-2016 12:49 PM
I did exactly the same. There are spaces in the filename of the .mobileconfig file. Is that a problem?
Posted on 02-12-2016 12:53 PM
Well, that could be why. So, in your postinstall script, you need to either escape the spaces with a backslash (\), or enclose the entire path in double quotes.
Examples of both.
Escaping spaces
/usr/bin/profiles -I -F /private/tmp/my\ settings.mobileconfig
Quoting the path
/usr/bin/profiles -I -F "/private/tmp/my settings.mobileconfig"
The spaces would explain why it likely didn't work, unless you did one of the above to ensure the spaces were handled in the script. I suggest next time avoid using spaces in the profile name if possible, just to make things less error prone, but overall it should be OK to use them.
Posted on 02-13-2016 11:10 AM
Perhaps Tim Sutton's Make Profile Pkg would help?
Posted on 02-17-2016 01:23 PM
Thanks @mm2270. It worked after a little change. I placed the mobileconfig file under private\var\tmp folder and also added -f switch in the profiles command. Thanks for all your help.
Posted on 02-19-2016 05:14 AM
Personally I completely agree with @mm2270's statement that you should use a .pkg. However, because I like being the Devil's advocate from time to time, I'll point out that you could technically use a .dmg if your script were separate but still run after the .dmg was loaded... or if you used the 'execute command' box in your policy under "Files and processes".
Posted on 02-19-2016 07:51 AM
@Chris_Hafner Excellent point. You could indeed use any method to deploy the .mobileconfig profile to the Mac, and then have it installed using a script run as "After".
That being said, my preference is often to make things as contained as possible so they can, if necessary, be used outside of a Casper Suite policy.
A DMG + script run after is confined to work from a Casper Suite policy. That can actually be either good or bad depending on your point of view.
A pkg with an embedded postinstall script can be distributed in other workflows or just given to someone to run manually and it will work. That can also be good or bad.
Posted on 02-19-2016 11:17 AM
I personally use a standard bash script in the JSS. I echo the mobileconfig profile to a temp file and then the script uses the profiles command to install it.
It's just so much easier to modify a script than it is to rebuild and re-replicate a pkg if you want to make a change.
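A sketch of the "echo the profile to a temp file, then install it" approach described in the post above, added here as an example and not taken from any participant's script. The names `emit_profile`, `install_profile` and `PROFILES_BIN` and the placeholder payload are assumptions; the temp file lives in a private `mktemp -d` directory instead of a world-writable path, and the path (which deliberately contains a space) is quoted.

```shell
#!/bin/bash
# Added example: install a profile that is embedded in the script itself.
# PROFILES_BIN can be overridden so the logic can be exercised off a Mac (assumption).
PROFILES_BIN="${PROFILES_BIN:-/usr/bin/profiles}"

# Print the embedded profile. The payload below is a constructed placeholder;
# replace it with the contents of the exported .mobileconfig.
emit_profile() {
cat <<'PROFILE_EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadDisplayName</key><string>Example settings (constructed)</string>
    <key>PayloadIdentifier</key><string>com.example.constructed.profile</string>
    <key>PayloadType</key><string>Configuration</string>
    <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000000</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>PayloadContent</key><array/>
</dict>
</plist>
PROFILE_EOF
}

install_profile() {
    local tmpdir profile rc
    # mktemp -d creates a mode-700 directory with an unpredictable name, so no
    # other local user can swap the file between writing and installing it.
    tmpdir="$(mktemp -d "${TMPDIR:-/tmp}/profile install.XXXXXX")" || return 1
    profile="$tmpdir/my settings.mobileconfig"    # the space is deliberate
    if ( umask 077; emit_profile > "$profile" ); then
        "$PROFILES_BIN" -I -F "$profile"          # quoted: one argument despite the space
        rc=$?
    else
        rc=1
    fi
    rm -rf "$tmpdir"                              # clean up whether or not it installed
    return "$rc"                                  # let the policy log a real failure
}

# Run only where it applies: on macOS, as root (the context a policy script runs in).
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    install_profile
fi
```

The `-I -F` form is the one used throughout this thread; from macOS 11 onward the profiles tool no longer installs profiles from the command line.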
Posted on 04-03-2016 06:47 PM
I have tried the above to no avail; each time the pkg installation fails. Any special permissions required on the file?
I have tried running the script as sudo as well.
Posted on 02-23-2017 06:38 AM
@scharman Did you get this resolved? I'm running into the same problem. The pkg installs the config file but then the postinstall script doesn't install it as a profile. However if I run the same line on terminal it goes thru without a problem.
Posted on 10-10-2018 12:52 PM
@herbiehandal I am having the exact same issue. To make matters worse, the dock payload is buggy (i.e. duplicate app icons in the dock) against Mojave. I can install manually, but the postinstall script doesn't install the profile. Anyone solve this?
[update] ok I got it ... needed to ensure that the mobileconfig file was chmod 777 and (for some unk reason) the /usr/bin/profiles command required sudo preceding it in the package postinstall script.
Posted on 10-10-2018 12:53 PM
@alexjdale do you have an example of your method of echoing to a temp file?
Posted on 01-22-2019 04:50 PM
@troyewebster This is the darndest thing but I had a very different configuration and package from 02/18 and it has been working as of last week. No changes on packages and jamf. And only notice that it did not work last week. I packaged it the same fashion as yours with 777. Originally it was at 755 and it worked fine. Below is the following postinstall script. Any help is appreciated.
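#!/bin/bash
pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3
# Install the profile and keep the exit status of profiles so a failure is reported
sudo /usr/bin/profiles -I -F /private/tmp/mdm.mobileconfig
result=$?
rm -rf /private/tmp/mdm.mobileconfig
if [ "$result" -eq 0 ]; then
exit 0 ## Success
fi
exit 1 ## Failure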
Posted on 02-01-2019 10:57 AM
Just updating this in case anyone has a similar question. Tim Sutton has a tool for this, make-profile-pkg. It installs as a .pkg... done.