Managing Policies and Profiles - Best Practices

kwoodard
Contributor III

Currently we have profiles and policies created that handle multiple different settings within one profile/policy. Now that we are expanding and are having more and more specialized needs for some of these computers, it's getting harder for me to manage with the current set of profiles/policies.

I'm also starting to see issues where items set with a policy/profile are not being enabled on some computers within a scoped set or smart group. My biggest headache is keeping Fast User Switching turned on. It should be on for EVERY computer on my campus because damn near every computer has multiple users and my faculty rarely remember to log out when they are done. Often, the worst offending computers are locked in a cabinet or behind glass so the next user cannot force restart the computer.

How are all managing your policies and profiles? Are you assigning each setting to its own profile and/or policy? Are you setting up some sort of tree where every computer gets these couple settings, then lab 1 has this additional set, lab 2 a different additional set, lab 1 computers hooked to specialized equipment has a third additional set...etc.

My campus wants to update from a physical server to the Cloud service. Currently, our server is spread across 4 campuses and a couple outlying departments not attached to any campus. Going into the web portal is sometimes a nightmare and if going to individual policies/profiles for each setting will make things even more scary. Need some ideas before we switch over.

And if anyone can help me figure out why FUS just stops working on a few computers, I would be most grateful.

2 REPLIES 2

marklamont
Contributor III

personally I don't use the built in Jamf version of Restrictions and Security and privacy because they deploy loads of settings you may or may not want, which is probably your issue. I do all of these as custom settings using profile creator, using the plist export method. I also split each setting type into a separate profile, easy to work out what is what when you name them well; Compliance - Preferences lockdown type standard names. It also means if you make a change then only a small number of settings get changed. You can easily track where settings are coming from and avoid overlap this way.

LRZ_Jamf
Contributor

@marklamont do you use Recovery Key Escrow for FileVault?