Help

Policy Triggers based on installation of a configuration profile

bmack99
Contributor III

Posted on ‎07-26-2019 12:09 PM

Greetings. I have a scenario that I'm sure I am missing something and need to run by someone. I realize there are probably a ton of better ways to do the below, and if the theory I have won't work then I am willing to explore other options...

In a nutshell, is it possible to ONLY trigger a software install from a policy if a configuration profile exists and is found on the system?

So:

If config profile 'A' exists
Then Run Policy 'B'
Else Install config profile 'A'; Run Policy 'B'

(for inquiring minds: I have a config profile which approves the Crowdstrike Kernel Extension in order to install the Crowdstrike client. The problem I have is that if the kernel extension is not in place then the script which licenses the Crowdstrike client has a return code of 1, meaning the installation "failed" bc of the unapproved kext).

0 Kudos
3 REPLIES 3

mm2270
Legendary Contributor III

Posted on ‎07-26-2019 12:18 PM

Using Smart Group criteria this can be done. All Configuration Profile UUIDs and display names are captured in Jamf Pro, and are criteria items you can use with a Smart Group. Those show up as Profile Identifier and Profile Name respectively.
So build a Smart Group for Macs that have the proper CP installed, and whatever other criteria items are needed to capture the right machines for the Crowdstrike client installation.

The only issue with this method is that installation of a Config Profile does not cause an inventory collection since that comes over Apple's APNs. I don't believe there's a way to cause an immediate inventory collection after a profile is pushed to a device. That means the Macs with the profile successfully installed may not end up in the Smart Group for a while. How long that delay is depends on a) what execution frequency your default inventory collection is set to and/or b) if another policy happens to run on the Mac prior to the next scheduled inventory collection that has an inventory collection set in it.

Hope that helps.

bmack99
Contributor III

Posted on ‎07-26-2019 12:22 PM

@mm2270

Thank you, this helps tremendously - I was originally going the route of trying to scope the install to a smart computer group that 1) doesn't have the app installed and 2) doesn't have the config profile installed.

The issue I ran into was not knowing that the configuration profiles showed up as Profile Identifier and Profile Name (was looking for 'configuration profile name')

Thanks again!

Brian

0 Kudos

pmarsteller
New Contributor

Posted on ‎07-10-2020 11:51 AM

Thank you for this post. I am in a similar scenario and this worked perfectly!