Help

Policies Sticking When Exempted

Matt
Valued Contributor

Posted on ‎05-11-2011 09:23 AM

Hey everyone. I originally set a policy up for the 15 minute screen saver + password option. We have some units that do presentations and need to have this removed. I set up a new MCX user group with just some default MCX's sans the Screensaver options however, the exempted machines still are getting this policy (and the option to disable it in the Security pane is greyed out. I have tried the jamf -mcx options already. Anything else I can do?!?

--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com<mailto:matthew.lee at fox.com>

Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
Help Desk Hours: Mon-Fri, 6AM-6PM PST

0 Kudos
Reply
8 REPLIES 8

Matt
Valued Contributor

Posted on ‎05-11-2011 12:02 AM

Would this fix the policies sticking?
--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com<mailto:matthew.lee at fox.com>

Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
Help Desk Hours: Mon-Fri, 6AM-6PM PST

0 Kudos
Reply

jarednichols
Honored Contributor

Posted on ‎05-11-2011 12:17 AM

I would think so as you wouldn't have to flush MCX on machines that shouldn't get it.

j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

0 Kudos
Reply

dderusha
Contributor

Posted on ‎05-11-2011 09:34 AM

Hey everyone. I originally set a policy up for the 15 minute screen saver + password option. We have some units that do presentations and need to have this removed. I set up a new MCX user group with just some default MCX's sans the Screensaver options however, the exempted machines still are getting this policy (and the option to disable it in the Security pane is greyed out. I have tried the jamf -mcx options already. Anything else I can do?!?
On 11-05-11 12:23 PM, "Matthew Lee" <Matt.Lee at fox.com> wrote:

--
Matt Lee

Matt-

sudo dscl . -delete /Local/Default/Config/mcx_cache

Then you can delete the /Library/Managed Preferences folder.

Dan De Rusha

0 Kudos
Reply

Matt
Valued Contributor

Posted on ‎05-11-2011 09:40 AM

Thank you sir!

--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com<mailto:matthew.lee at fox.com>

Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
Help Desk Hours: Mon-Fri, 6AM-6PM PST

0 Kudos
Reply

jarednichols
Honored Contributor

Posted on ‎05-11-2011 10:39 AM

For future reference, you can make an Extension Attribute for excluding MCX. (Set to 'yes' to exclude, for instance). Then on your Smart Group that you use to scope your MCX, have an attribute for the Extension Attribute (e.g. "Exclude MCX") where it's not 'yes'.

Follow?

j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

0 Kudos
Reply

Matt
Valued Contributor

Posted on ‎05-11-2011 10:43 AM

Kinda... mind diving into that a little more :D

I see where you're going with this I think.

--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com<mailto:matthew.lee at fox.com>

Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
Help Desk Hours: Mon-Fri, 6AM-6PM PST

0 Kudos
Reply

Not applicable

Posted on ‎05-11-2011 11:03 AM

I'm having the same problem but with a different MCX manifest. I tried
using Matt Lee's command

sudo dscl . -delete /Local/Default/Config/mcx_cache

but get this error:

<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)

I understand that the command is trying to delete the MCX cache from
the local ds store, but don't know what this error means.

As much as I love MCX (my experience is with MCX on bound machines to
OS X Server, not MCX via JSS), this seems to be somewhat broken.

Why can't I easily toggle these MCX settings back off and have my
managed computers pick up that change from JSS? Why are these MCX
settings so persistent?

Thanks,

Damien Barrett

0 Kudos
Reply

jarednichols
Honored Contributor

Posted on ‎05-11-2011 11:57 AM

So let's step back a bit. You scope your MCXs just like you scope your policies. In a lot of cases, you use a smart group to scope your Policy.

What we want, is a smart group that says, for instance, (location) Department IS Accounting and (extension attribute) Ignore MCX IS NOT 'yes'. To do this, you set up a basic Extension Attribute populated by pulldown menu with only one value: yes. So, when you want to exclude a machine from the MCX, you simply trip that Extension Attribute on the computer's record in the JSS and the next time around that MCX is pulled down (through startup or policy) it will no longer fall into that smart group.

Savvy?

j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

0 Kudos
Reply