how to package mobileconfig

pawan_joshi
New Contributor II

I created a config profile to enable Time Machine. Since most of the Macs in our environment are not MDM capable, pushing that profile is not going to serve the purpose. So I thought of creating a policy that can be made available through Self Service. I have the profile downloaded as a .mobileconfig file. Can someone please guide me as to how I should package it so that I can add it to a profile? Also the mobile users are not local admins on their Macs.


mm2270
Legendary Contributor III

.mobileconfig profiles can be installed on a Mac using the profiles command.
Generally to do this in a .pkg format, you would place the .mobileconfig file in a standard directory on the Mac you're creating your package on. A simple example would be to place it in /tmp/. Once there, open Composer and drag the mobileconfig file into the sidebar in Composer to create a new source. It will copy in and should show you something like this once all the arrows are turned down:

▼ private
    ▼ tmp
        ▼ my.mobileconfig

Now from here, you can turn down the arrow in the Composer source panel, then right/control click on the Scripts folder, and choose Add Shell Script > postinstall. Click into the script and add code like this:

/usr/bin/profiles -I -F /private/tmp/my.mobileconfig

Change the "my.mobileconfig" to the actual name of the mobileconfig file in the above. When your package is built, this script will run after it drops the payload of the mobileconfig into /tmp/ and attempt to install it.

I may be glossing over a few items or steps, but that's the general idea. Hope that helps.

pawan_joshi
New Contributor II

Thanks for your response @mm2270. I tried the steps you mentioned above. After that I added the .pkg to a policy and ran it through Self Service on a test Mac. The profile is not getting added. I also tried the "Install on boot drive after imaging" and "Requires restart" options (although not sure if that's required or not) but that too didn't help. Did I miss some steps in Composer that you maybe forgot to mention? How about building it as a dmg? Thanks again.

mpermann
Valued Contributor II

@pawan.joshi you need to package it as a .pkg in order to be able to run the

/usr/bin/profiles -I -F /private/tmp/my.mobileconfig

that @mm2270 mentions.

mm2270
Legendary Contributor III

@pawan.joshi You can't build something like the above as a DMG, since DMGs can't run scripts. DMGs are used for simply placing files on the system in whatever directories they are in within the disk image.

As for why it didn't install from your .pkg, the first thing I would do is try manually installing your mobileconfig file on a test system using a command similar to the above, but put sudo in front of it. For example, say your mobileconfig file is currently on your Desktop, you might try doing something like this.

sudo profiles -I -F ~/Desktop/my.mobileconfig

If you get any errors when manually installing it, then there's something wrong with the Configuration Profile itself and that would need to be fixed before going forward. If that works OK and you can see the new profile installed in System Preferences, then post back and we'll see if we can figure out why it won't work in your package.

pawan_joshi
New Contributor II

I did exactly the same. There are spaces in the filename of the .mobileconfig file. Is that a problem?

mm2270
Legendary Contributor III

Well, that could be why. So, in your postinstall script, you need to either escape the spaces with a backslash, or enclose the entire path in double quotes.

Examples of both.
Escaping spaces

/usr/bin/profiles -I -F /private/tmp/my\ settings.mobileconfig

Quoting the path

/usr/bin/profiles -I -F "/private/tmp/my settings.mobileconfig"

The spaces would explain why it likely didn't work, unless you did one of the above to ensure the spaces were handled in the script. I suggest next time avoid using spaces in the profile name if possible, just to make things less error prone, but overall it should be OK to use them.
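
One way to write the quoting fix described above into a postinstall script, as an added example that is not part of the original thread: it passes the path as a single argument, returns the exit status of `profiles` rather than always reporting success, and refuses a world-writable payload because package scripts run as root. `install_profile` and the `PROFILES_BIN` override are names assumed here for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. PROFILES_BIN is a hypothetical
# override used for testing; on a Mac it defaults to /usr/bin/profiles.
PROFILES_BIN="${PROFILES_BIN:-/usr/bin/profiles}"

# Install one profile. Returns 0 on success, 2 if the file is missing,
# 3 if it is world-writable, otherwise the exit status of profiles.
install_profile() {
    profile_path="$1"

    if [ ! -f "$profile_path" ]; then
        echo "postinstall: no such profile: $profile_path" >&2
        return 2
    fi

    # A postinstall script runs as root, so a payload that any local user
    # can rewrite in /private/tmp must not be installed.
    if [ -n "$(find "$profile_path" -prune -perm -002)" ]; then
        echo "postinstall: refusing world-writable file: $profile_path" >&2
        return 3
    fi

    # The quoted expansion keeps "my settings.mobileconfig" as ONE argument;
    # unquoted, the shell would split it at the space into two.
    "$PROFILES_BIN" -I -F "$profile_path"
    rc=$?
    [ "$rc" -eq 0 ] || echo "postinstall: profiles exited with $rc" >&2
    return "$rc"
}

# In a package, end the postinstall script with a call such as:
#   install_profile "/private/tmp/my settings.mobileconfig"
#   exit $?
```

Returning the real exit status lets the installer, and a policy log built on it, show the failure instead of a silent success.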

JMR
New Contributor II

Perhaps Tim Sutton's Make Profile Pkg would help?

https://github.com/timsutton/make-profile-pkg

pawan_joshi
New Contributor II

Thanks @mm2270. It worked after a little change. I placed the mobileconfig file under the /private/var/tmp folder and also added the -f switch in the profiles command. Thanks for all your help.

Chris_Hafner
Valued Contributor II

Personally I completely agree with @mm2270's statement that you should use a .pkg. However, because I like being the Devil's advocate from time to time, I'll point out that you could technically use a .dmg if your script were separate but still run after the .dmg was loaded... or if you used the 'execute command' box in your policy under "Files and processes".

mm2270
Legendary Contributor III

@Chris_Hafner Excellent point. You could indeed use any method to deploy the .mobileconfig profile to the Mac, and then have it installed using a script run as "After".
That being said, my preference is often to make things as contained as possible so they can, if necessary, be used outside of a Casper Suite policy.
A DMG + script run after is confined to work from a Casper Suite policy. That can actually be either good or bad depending on your point of view.
A pkg with an embedded postinstall script can be distributed in other workflows or just given to someone to run manually and it will work. That can also be good or bad.

alexjdale
Valued Contributor III

I personally use a standard bash script in the JSS. I echo the mobileconfig profile to a temp file and then the script uses the profiles command to install it.

It's just so much easier to modify a script than it is to rebuild and re-replicate a pkg if you want to make a change.
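
The script-only approach described above, as an added example that is not alexjdale's script or any code from the thread: the profile is embedded in a quoted here-document, written to a private `mktemp` directory with owner-only permissions, installed, and removed. The function names, the `PROFILES_BIN` override and the placeholder payload values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not alexjdale's script). PROFILES_BIN is a hypothetical
# override for testing; on a Mac it defaults to /usr/bin/profiles.
PROFILES_BIN="${PROFILES_BIN:-/usr/bin/profiles}"

# Write the embedded profile to the path in $1. The payload is a constructed
# placeholder skeleton: paste the exported .mobileconfig between the markers.
# The quoted delimiter stops the shell expanding $ or backticks in the XML.
write_profile() {
    cat > "$1" <<'PROFILE_EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key><array/>
    <key>PayloadDisplayName</key><string>Example (constructed)</string>
    <key>PayloadIdentifier</key><string>com.example.placeholder</string>
    <key>PayloadType</key><string>Configuration</string>
    <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000000</string>
    <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
PROFILE_EOF
}

# Stage the profile in a private directory, install it, always clean up.
# Returns the exit status of the profiles command (1 if staging fails).
stage_and_install() {
    old_umask=$(umask)
    umask 077                       # new files and directories: owner-only
    # mktemp -d gives an unpredictable directory, so another local user
    # cannot pre-create or swap the file that the root-run script installs.
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/profile.XXXXXX") || { umask "$old_umask"; return 1; }
    staged="$workdir/settings.mobileconfig"
    if write_profile "$staged"; then
        "$PROFILES_BIN" -I -F "$staged"
        rc=$?
    else
        rc=1
    fi
    rm -rf "$workdir"
    umask "$old_umask"
    return "$rc"
}

# Example call at the end of a policy script:
#   stage_and_install || exit $?
```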

scharman
New Contributor

I have tried the above to no avail; each time the pkg installation fails. Are any special permissions required on the file?
I have tried running the script as sudo as well.

herbiehandal
New Contributor

@scharman Did you get this resolved? I'm running into the same problem. The pkg installs the config file but then the postinstall script doesn't install it as a profile. However if I run the same line on terminal it goes thru without a problem.

troyewebster
New Contributor III

@herbiehandal I am having the exact same issue. To make matters worse, the dock payload is buggy (i.e. duplicate app icons in the dock) against Mojave. I can install manually, but the postinstall script doesn't install the profile. Anyone solve this?

[update] ok I got it ... needed to ensure that the mobileconfig file was chmod 777 and (for some unk reason) the /usr/bin/profiles command required sudo preceding it in the package postinstall script.

troyewebster
New Contributor III

@alexjdale do you have an example of your method of echoing to a temp file?

tomatoes27
New Contributor II

@troyewebster This is the darndest thing but I had a very different configuration and package from 02/18 and it has been working as of last week. No changes on packages and jamf. And I only noticed that it did not work last week. I packaged it the same fashion as yours with 777. Originally it was at 755 and it worked fine. Below is the following postinstall script. Any help is appreciated.

#!/bin/sh

## postinstall

pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

sudo /usr/bin/profiles -I -F /private/tmp/mdm.mobileconfig
rm -rf /private/tmp/mdm.mobileconfig

exit 0 ## Success
exit 1 ## Failure

Nix4Life
Valued Contributor

Just updating this in case anyone has a similar question. Tim Sutton has a tool for this, make-profile-pkg. It installs as a .pkg..done
