There is an actual question at the end but I am just laying at where I am at so far.
We normally only deploy computer level config profiles but we have a password policy config profile that we want to deploy at the user level so we can avoid certain accounts getting it.
Since we have a mix of AD bound users and local users, deploying user level configs from the JSS through push is not going to do it since local users can't automatically get user level profiles unless they get enabled and get users to enter their admin credentials entered to allow it, etc, and that's not going to happen for something we want users to not be able to opt out of.
I have set up an installer package in the typical way someone would do for manually deploying system level config profiles where you dump the file in a directory and the post install script runs the profiles command (profiles -I -F /tmp/configprofile.mobileconfig).
Since its a user level config I have to do the other steps in the script to make it run the profiles command so it gets installed under the logged in user's account. I had to use the launchctl bsexec trick to target the loginwindow's PID space of the user since if I only did the regular su <username> command it would complain about XPC issues and not run.
If you run the package manually while that user logged in it works fine and installs the config profile for that user and that user alone. When I have it set to run the installer as a login policy, I think the user isn't completely logged in yet so when the script runs it actually installs the user level policy as a system level policy. If I run the same policy with a manual trigger after the user's desktop is up, it works fine and installs as a user level config profile only under the logged in user's account.
So, question is: am I missing something in the profiles command that would make it easier to target installing a config profile to a specific user? Do you have any recommendations or experience how you have done this before? Should I do this as a launchagent so I can space out the time for the actual config profile to get installed to ensure the user is fully logged in before the script to install the config profile runs? Thanks!