Linking a Configuration Profile and Policy

gregbr
New Contributor II

I have an app PKG file to deploy as a Policy in Jamf Pro.  The app requires a certificate be placed on the Keychain and some System Extensions be configured.  I can deploy the certificate and extensions as part of a Configuration Profile.  Is there a way I can deploy both to a user's Mac so that they will have them at about the same time?  

1 ACCEPTED SOLUTION

You could create a smart group based on whether the computer has the configuration profile that you are deploying for the cert/system extension, and scope the pkg to that.

7 REPLIES

ljcacioppo
Contributor

There is no harm in the certificate and system extension being on the machine before the pkg. As long as the computer is in scope for both, I would have those deploy before the pkg personally.

gregbr
New Contributor II

Thanks.  I agree the cert and extensions can be on a machine first.  I would like, once a machine has the cert and extension, for it to then trigger getting the app.

kburns
New Contributor III

This is what I've done for an application that requires the configuration profile to be installed prior to the app installation.

gregbr
New Contributor II

Thank you both.  I am trying this now.  I think the only drawback is there is a delay until the computer is added to the Smart Group, but this sounds like the best option.

mm2270
Legendary Contributor II

Yes, there will be a delay, since profiles won't auto trigger an inventory collection. It's not like a policy where you can add in a way for inventory to be collected at the end of the deployment.

There aren't any good ways to get around that issue unfortunately.

stevewood
Honored Contributor II

Actually, my experience is that devices do populate in a Smart Group checking for Profile Identifier fairly quickly after the profile drops and do not require a recon at all.

I just tested myself by creating a test profile that dropped settings for Software Update. I installed on one machine, grabbed the profile identifier, and then created a Smart Group with criteria "Profile Identifier is" and the identifier. I then scoped an additional machine to the profile. The second machine showed up in the Smart Group shortly after the profile installed on the device.

YMMV, but I would test that. We use that method for deploying SentinelOne and other packages that require profiles in place first.