Jamf Nation Community

I've originally written this post to my Github.

This document examines critical implementation challenges with Jamf Pro Computer Configuration Profiles, specifically focusing on the Restrictions Payload deployment mechanism. Three key issues have been identified, along with potential solutions and important operational considerations for organizations to implement while awaiting platform updates.

The Jamf Pro Restrictions Payload for macOS devices continues to use an outdated deployment format, diverging from the modern "include/don't include" approach implemented in other payloads. This legacy system requires explicit value assignment for all available keys, forcing organizations to make decisions on settings they may prefer to leave unmanaged.

When viewing the Security and Privacy Payload, we can see Jamf implemented the modern approach of "Include/Don't Include"

In this example, Password Change is included and restricted. Set Lock Message is included and allowed, and Send diagnostics… is not set at all

Current Implementation: Let's now look at the Restrictions payload.

When a setting like "Lock desktop picture" remains unselected, the system automatically assigns it a "FALSE" value, rather than leaving it unconfigured. This contrasts with modern modules where organizations can selectively include only the specific keys they wish to manage.

The current implementation deploys all settings simultaneously, regardless of whether the target system meets the minimum OS requirements for specific features. This limitation has become particularly problematic with the release of macOS Sequoia 15 and Apple Intelligence features.

While Jamf's Restriction payload documentation clearly indicates the minimum macOS version required for each key, the system lacks automatic profile redeployment capability when systems achieve compatibility through updates. For example:

• A profile deployed to a macOS Sonoma 14 system containing Apple Intelligence keys will not automatically activate these features upon the system upgrading to macOS 15
• Profile redeployment becomes necessary after each system upgrade to enable new feature management
• Each macOS 15.x release introduces new keys, requiring additional profile management considerations

When Jamf Pro servers receive updates that introduce new Restriction keys, existing profiles do not automatically redeploy to include these additions, creating a split-state environment. Consider the following scenario (Please note the Jamf Pro Version numbers may not exactly line up with feature releases. They are there solely for the sake of example):

An organization upgrades their Jamf Pro server from version 11.11 to 11.12 on February 20th at 9:00 AM. The upgrade introduces Apple Intelligence keys to the Restrictions payload capabilities. Their existing "Company macOS Restrictions" profile is affected in the following ways:

• Systems enrolled prior to the upgrade (Jamf Pro 11.11 and earlier):

  • Retain the original "Company macOS Restrictions" profile
  • Do not receive the new Apple Intelligence keys
  • Continue operating with outdated profile configurations

• Systems enrolled after the upgrade (Jamf Pro 11.12):

  • Receive an updated "Company macOS Restrictions" profile
  • Include all new Apple Intelligence keys
  • Operate with current profile configurations

This creates an immediate fleet management challenge where identical systems may have different restriction profiles based solely on their enrollment timing. The only resolution is a manual redeployment of the profile to all existing systems, requiring additional administrative overhead and careful change management planning.

The deployment of configuration profiles through MDM commands introduces several important considerations:

1. Command Queue Behavior

   • Profile installation commands are queued and dependent on device availability
   • Network connectivity issues can delay profile application
   • Devices must be online to receive and process new profiles or updates
   • Large profiles or multiple simultaneous deployments may experience queuing delays

2. Profile Signing Implications

   • Profiles signed with Jamf's signing certificate require complete redeployment for any changes
   • Incremental updates are not possible with signed profiles
   • Organizations using custom-signed profiles face additional verification steps

When implementing stackable profiles, understanding precedence is crucial:

1. Profile Priority

   • Later-installed profiles override earlier ones for conflicting settings
   • User-level profiles may interact with device-level restrictions
   • Custom configuration profiles take precedence over managed preferences (ie. using the defaultscommand)

2. Conflict Resolution

   • Document clear hierarchies for overlapping restrictions
   • Maintain version control for profile modifications
   • Consider implementation order in deployment workflows

Organizations must maintain visibility into profile deployment status:

1. Monitoring Capabilities

   • Use Jamf Pro's built-in reporting for profile version tracking
   • Monitor failed profile installations and removals
   • Track profile updates across the fleet

2. Compliance Verification

   • Regular audits of applied restrictions
   • Verification of settings enforcement
   • Documentation of profile deployment state

While awaiting native improvements to Jamf's Restrictions payload implementation, organizations can implement the following strategies:

This approach offers two implementation methods:

• Create separate profiles for different macOS versions (e.g., "Company macOS Restrictions - Sonoma" and "Company macOS Restrictions - Sequoia")
• Implement version-based scoping rules. Even if the profiles are identical, the scoping will allow for the profile to essentially redeploy as systems upgrade to macOS Sequoia and have Apple Intelligence keys enforced properly
• Note: May become complex with frequent minor OS updates where macOS 15 introduces new keys with each minor release.

• Replace Jamf's native Restrictions payload with custom profiles
• Implement a stackable profile structure:
  • Base profile: "Company macOS Restrictions" for pre-Sequoia configurations
  • Version-specific profiles: "macOS 15.0 Restrictions," "macOS 15.1 Restrictions," etc.
• Benefits:
  • Granular control over key deployment
  • Enhanced compatibility management
  • Allows for simplified beta testing integration by prepping new profiles as new keys are made known through the Appleseed for IT program.
  • Ability to consolidate profiles as fleet OS versions standardize and earlier versions of macOS Sequoia are no longer prevalent among one’s fleet.

This structured approach ensures precise feature management while maintaining deployment flexibility for organizations managing diverse macOS environments.

Organizations moving from single to multiple profiles for managing Restrictions on macOS should:

1. Planning Phase

   • Inventory current restrictions and their OS requirements
   • Identify critical vs. optional restrictions
   • Design new profile structure and naming conventions

2. Implementation

   • Maintain detailed documentation of profile versions and changes
   • Establish profile update procedures for future OS releases

3. Validation

   • Test all profile combinations in a staging/development environment
   • Verify restriction enforcement after migration
   • Monitor system performance with new profile structure
   • Document successful migration criteria

When working with Jamf Pro's Restrictions payload, organizations should avoid these common pitfalls:

• Don't combine security-critical restrictions with non-security settings in the same profile

  • Keeps security enforcements separate from preference management
  • Prevents accidental security restriction removal when modifying preferences
  • Simplifies security audit processes

• Don't rely on profile updates alone to remove restrictions

  • Some restrictions require explicit removal rather than just profile updates
  • Always test restriction removal workflows in a controlled environment
  • Document which restrictions need manual intervention for removal

• Don't skip testing new restrictions on each macOS version in your environment

  • Behavior can vary between OS versions
  • Some restrictions may have unintended side effects
  • Testing prevents widespread compatibility issues

• Don't assume all restrictions work the same way on all devices

  • Intel-based Macs and Apple Silicon Macs are two different architectures. Not every new feature introduced by Apple will be available on all systems
  • Apple silicon impacts certain security-related restrictions
  • Different hardware generations may require different approaches

• Don't use overly broad scoping without exclusions
  • Always maintain ability to exclude problematic devices
  • Keep test devices in exclusion groups
  • Maintain escape route for troubleshooting

• Don't implement new restrictions without documenting purpose and impact

  • Each restriction should have clear business justification
  • Document expected behavior and testing results
  • Include troubleshooting guidelines for help desk

• Don't modify restrictions without change management process

  • Changes can have wide-ranging effects
  • Maintain detailed changelog for each profile version
  • Include rollback procedures in change documentation

• Don't maintain multiple copies of the same profile

  • Creates confusion about which version is authoritative
  • Increases risk of inconsistent settings
  • Complicates troubleshooting and auditing

• Don't edit profiles directly in production without version control

  • Always stage changes in test environment
  • Maintain backup of working profiles
  • Document all changes in change management system

Jamf Learning Hub | Deploying Custom Configuration Profiles Using Jamf Pro iMazing | Create or edit Configuration Profiles for iOS, macOS, tvOS, or watchOS Mod Titan | Quick look: using Application & Custom Settings to restrict 2024 fall release features with Jamf Pro Jamf Nation Community Feature Request:

• Modernise the 'Restrictions' payload with 'include/exclude' toggle
• Auto re-evaluation and/or redeployment of Configuration Profiles after macOS Updates/Upgrades for ne...