Policies Sticking When Exempted

Matt
Valued Contributor

Hey everyone. I originally set a policy up for the 15 minute screen saver + password option. We have some units that do presentations and need to have this removed. I set up a new MCX user group with just some default MCX's sans the Screensaver options however, the exempted machines still are getting this policy (and the option to disable it in the Security pane is greyed out. I have tried the jamf -mcx options already. Anything else I can do?!?

--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com<mailto:matthew.lee at fox.com>

Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
Help Desk Hours: Mon-Fri, 6AM-6PM PST

8 REPLIES 8

Matt
Valued Contributor

Would this fix the policies sticking?
--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com<mailto:matthew.lee at fox.com>

Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
Help Desk Hours: Mon-Fri, 6AM-6PM PST

jarednichols
Honored Contributor

I would think so as you wouldn't have to flush MCX on machines that shouldn't get it.

j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

dderusha
Contributor

Hey everyone. I originally set a policy up for the 15 minute screen saver + password option. We have some units that do presentations and need to have this removed. I set up a new MCX user group with just some default MCX's sans the Screensaver options however, the exempted machines still are getting this policy (and the option to disable it in the Security pane is greyed out. I have tried the jamf -mcx options already. Anything else I can do?!?
On 11-05-11 12:23 PM, "Matthew Lee" <Matt.Lee at fox.com> wrote:

--
Matt Lee

Matt-

sudo dscl . -delete /Local/Default/Config/mcx_cache

Then you can delete the /Library/Managed Preferences folder.

Dan De Rusha

Matt
Valued Contributor

Thank you sir!

--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com<mailto:matthew.lee at fox.com>

Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
Help Desk Hours: Mon-Fri, 6AM-6PM PST

jarednichols
Honored Contributor

For future reference, you can make an Extension Attribute for excluding MCX. (Set to 'yes' to exclude, for instance). Then on your Smart Group that you use to scope your MCX, have an attribute for the Extension Attribute (e.g. "Exclude MCX") where it's not 'yes'.

Follow?

j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

Matt
Valued Contributor

Kinda... mind diving into that a little more :D

I see where you're going with this I think.

--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com<mailto:matthew.lee at fox.com>

Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
Help Desk Hours: Mon-Fri, 6AM-6PM PST

Not applicable

I'm having the same problem but with a different MCX manifest. I tried
using Matt Lee's command

sudo dscl . -delete /Local/Default/Config/mcx_cache

but get this error:

<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)

I understand that the command is trying to delete the MCX cache from
the local ds store, but don't know what this error means.

As much as I love MCX (my experience is with MCX on bound machines to
OS X Server, not MCX via JSS), this seems to be somewhat broken.

Why can't I easily toggle these MCX settings back off and have my
managed computers pick up that change from JSS? Why are these MCX
settings so persistent?

Thanks,

Damien Barrett

jarednichols
Honored Contributor

So let's step back a bit. You scope your MCXs just like you scope your policies. In a lot of cases, you use a smart group to scope your Policy.

What we want, is a smart group that says, for instance, (location) Department IS Accounting and (extension attribute) Ignore MCX IS NOT 'yes'. To do this, you set up a basic Extension Attribute populated by pulldown menu with only one value: yes. So, when you want to exclude a machine from the MCX, you simply trip that Extension Attribute on the computer's record in the JSS and the next time around that MCX is pulled down (through startup or policy) it will no longer fall into that smart group.

Savvy?

j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436