Jamf 10.21 - Policy Deferrals

New Contributor III

Hello everyone,

I've had a chance to play with the new policy deferral feature by duration in 10.21. I think this is a great new feature, but it doesn't work quite like I expect it to, and I am interested in understanding if I'm doing something wrong.

I have a test policy set with a duration deferral of 14 days. For the trigger, I have it set to ongoing.

The first time the policy runs, I get the option to defer, with some pre-populated entries including 1 hour, 2 hours, 4 hours, 1 day, and 2 weeks (my maximum).

When I select 1 hour, I am re-prompted with the same window the next time the policy runs.

When I select a longer period of time, I get the same experience.

So if a user selects two weeks, it appears that they will not be reminded again, and the policy will just auto-install after two weeks (after they've completely forgotten about it).

I also have this policy in self-service, but trying to execute it does nothing (just flips to executing then back to install) after the policy has been deferred.

Ideally, I'd like the user to be re-prompted/nagged at the policy trigger interval (so for instance, I could set the trigger to daily and have the user nagged once a day). I believe it would also work if the user manually kicked the policy off in self service in that scenario. Is this option possible?


Esteemed Contributor II

@mnickels It sounds like you need a feature request to add a post deferment message telling the user that by deferring they have agreed the policy will automatically run at the time specified in the 1st deferment.

As for having a policy in Self Service and also triggering periodically, I'd say don't do that if you're going to use the deferral option. By deferring the periodically triggered policy you have told Jamf Pro you don't want to run it until the deferment expires. Running that policy via Self Service is essentially just a GUI driven way of doing jamf policy -trigger xxxx, so it shouldn't run.

Contributor II

Here is my question about Policy Deferrals. What if the user never views the policy? "Enter the number of days to defer the policy after the user first views the policy in the Duration field." Copied from release notes. Let's say you have users that never follow instructions or launch Self Service for anything, thus policies are never viewed, much less run in a timely manner. I want it to nag the hell out of them and then run after a set amount of days, viewed or not. Patch Management Policies do a pretty good job of that.

Esteemed Contributor II

@erichughes I'd argue that the Policy Deferral feature is only intended for policies that have an automatic trigger. By definition Self Service only policies are ones that you expect users to manually initiate, so a deferral option doesn't make sense in that case.

New Contributor II

@mnickels Did you ever find a suitable workflow for a policy you want users to be able to run in Self Service but also implement a deferral limit?

We're trying to implement a deadline for remaining Catalina upgrades. I created a policy with a Defer limit of 1 day, but I'm stuck on scenarios like this, e.g.:
- User turns on his laptop at 10 am for a meeting
- He gets the deferral popup in meeting
- He selects 1 hour because he's busy
- Meeting ends at 10:20, he opens Self Service ready to run the policy because he has free time
- Self Service won't actually run the policy
- He must wait until the deferral expires at 11 am, with no on-screen timer reminding him how many minutes are left

We've had a second Self Service policy w/ no triggers or deferrals for months, but getting the last users to actually run it is time-consuming. I'd prefer not to have 2 policies for a singular purpose.

Thought I'd share a solution to my above issue:
- Leave existing policy for users to upgrade Catalina in Self Service (Policy ID = 1234)
- Create new policy w/ 24 hour Deferral limit and 1 payload in Files & Processes containing the following command:

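```
# Console user; empty when the Mac is at the login window
currentuser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
[ -n "$currentuser" ] || exit 0
uid=$(id -u "$currentuser")
# Open the Self Service URL for policy 1234 in that user's session
/bin/launchctl asuser "$uid" sudo -u "$currentuser" /usr/bin/open "jamfselfservice://content?entity=policy&id=1234&action=execute"
```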

- i.e. New policy simply triggers the original policy
- The new policy reminds the user, giving the choice to Start Now or Defer XX minutes. The user can still start from Self Service at any time
- New policy is lightweight and only requires managing the scope, frequency, and deferral limit, none of the "meat" of the original policy's scripts & parameters
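
A parameterized form of the wrapper command from the post above, as an added example that is not part of the original thread or Jamf's own code: it accepts only a numeric policy ID before building the URL and exits quietly when nobody is logged in. It assumes the script is attached to the reminder policy as a Jamf Pro script with the target policy ID in parameter 4; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: parameterized form of the wrapper command from the thread.
# Assumption: deployed as a Jamf Pro script with the target policy ID in
# parameter 4 ($1-$3 are filled in by Jamf). Function names are hypothetical.

# Extract the console user from `scutil` output on stdin; prints nothing
# when the Mac is sitting at the login window.
console_user_from_scutil() {
    awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# Build the Self Service URL, accepting only a purely numeric policy ID so a
# mistyped or tampered parameter never reaches `open`.
selfservice_url() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf 'jamfselfservice://content?entity=policy&id=%s&action=execute\n' "$1"
}

# Open the URL inside the logged-in user's session instead of as root.
open_in_user_session() {
    url=$(selfservice_url "$1") || { echo "invalid policy ID: $1" >&2; return 2; }
    user=$(echo "show State:/Users/ConsoleUser" | scutil | console_user_from_scutil)
    [ -n "$user" ] || { echo "no console user, skipping" >&2; return 0; }
    uid=$(id -u "$user") || return 3
    /bin/launchctl asuser "$uid" sudo -u "$user" /usr/bin/open "$url"
}

# Run only on macOS and only when a policy ID was passed in parameter 4.
if [ "$(uname)" = "Darwin" ] && [ -n "${4:-}" ]; then
    open_in_user_session "$4"
fi
```

With this in place the reminder policy's scope, frequency and deferral limit are still managed in Jamf Pro, and only the policy ID parameter changes per use.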