Profile Creator .mobileconfigs lose payload when uploaded as Configuration Profiles

sdickson02
New Contributor II

Hello! I am relatively new to Jamf, so I am currently exploring all of the ways I can use it to customize the user experience for my university's computer labs.

I have been working with Profile Creator to make custom Configuration Profiles and then uploading them to Jamf. This works great for third party applications, but when I try to use some of the System Settings payloads (for settings that do not seem to exist in Jamf), the payloads disappear when I upload the .mobileconfig file.

It is possible that some of these settings are deprecated, but they should in theory be modifying common .plist files.

I have tested this with both signed and unsigned profiles.

Any suggestions, insight, or advice would be much appreciated!

(Please none of the "why do you want to lock down the user experience" comments -- we all have our reasons for managing our spaces the way we do.)


sdagley
Honored Contributor III

@sdickson02 If you want Jamf Pro to not mangle a Configuration Profile you're importing, sign the Profile before you import it. If you import an un-signed Profile, Jamf Pro will try to "adopt" it, and that can mangle some settings in the payload. When a signed Profile is imported, Jamf Pro will not make any modifications to the payload.

tlarkin
Honored Contributor

Yup, +1 on signing the profile, it makes them immutable. Many Jamf customers have seen this issue, and luckily Jamf is putting in a lot of effort, I hear, on revamping profile payloads. I would definitely go upvote all feature requests related to this and ask your Jamf rep to tie your account to any known PI (product issues) internally at Jamf so they will better know the impact score of said issue.

mm2270
Legendary Contributor III
"...when I try to use some of the System Settings payloads (for settings that do not seem to exist in Jamf), the payloads disappear when I upload the .mobileconfig file."

I think what you're experiencing here is exactly what you described. These settings don't exist in Jamf, but because Profile Creator is using one of the actual profile payloads for the OS, when it's uploaded to Jamf, those settings don't appear, at least in the GUI. However, have you tried pushing one of these uploaded profiles to a system to see what gets applied? It's possible that the settings are in fact in the profile but just can't be shown in the UI. You should be able to see all the settings in the profile in the Profiles preference pane once it gets deployed to a machine. If it's there, then you'll know it's all good, but you won't be able to visually see them in the UI.
If that's not acceptable, then the only other option might be to use the Custom Settings payload and upload specially crafted plist files, assuming the settings you're trying to apply can be written to plist files that is.

Edit:
@sdagley & @tlarkin - from the OP:

"I have tested this with both signed and unsigned profiles."

Seems she has already done what you suggest. I think the actual issue here is that Jamf can't display items in profiles that it doesn't specifically know how to manage.

An example of this: you can create a profile in Profile Creator that lets you manage some Safari settings, like the HomePage (though it doesn't seem to work reliably) and the behavior of new tabs and windows, as a simple example. Whether the profile is signed or unsigned, when it's uploaded to Jamf Pro, what you see is a profile with just a General payload and nothing else, because Jamf doesn't have a Safari payload option, so it can't actually show it. However, if you push the profile to a Mac, the settings get applied (usually) and show up when viewing it in the Profiles pane in System Preferences.

tlarkin
Honored Contributor

OK, I get that, but Jamf doesn't know about any of my custom payloads because they are plists for keys that are not built in, but they still work and apply. The only time Jamf removes keys is typically when a profile isn't signed with a dev cert. I could be wrong, that is just my experience.

sdagley
Honored Contributor III

I did miss the line in the OP about having tried signing, but I have never seen Jamf Pro modify a signed profile unless one does a "Remove Signature" after uploading. If @sdickson02 is not removing the signature, and the uploaded profile is in fact not installing properly (as opposed to not displaying in the Jamf Pro Config Profile GUI), that sounds like it's time to contact Jamf support.

sdickson02
New Contributor II

@mm2270 Thank you for reading my entire post! I had not tried deploying these seemingly empty profiles before, but just now tried it out. I created a profile to modify the screensaver at a user level (it is called Screensaver User in Profile Creator), signed and uploaded it to Jamf and deployed to my test machine. Unfortunately it's not even showing up in the Profiles tab in System Preferences.

Profile Creator indicates that this particular payload is meant to be modifying a plist file called com.apple.screensaver.user, but that plist is not uploaded as a Custom Setting. Maybe this is either an issue for Jamf support (as @sdagley suggested) or a bug within Profile Creator?

In the meantime, I'll see if I can manually upload the plists as Custom Settings instead of a mobileconfig file.

sdagley
Honored Contributor III

@sdickson02 User level profiles do not install immediately unless you're installing them through Self Service. Try logging out of your test Mac and then back in and it should install.

sdickson02
New Contributor II

@sdagley I did not know this -- looks like that worked! The screensaver seems to have applied as expected. :) Thank you!

Looks like the payloads are just hiding, then. Strange that they wouldn't at least show up as Custom Settings.
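
The thread's conclusion is that the payloads are in the profile even though the Jamf Pro GUI shows only a General payload. The following is an added example, not code from any poster or from Jamf: it lists the payload types and setting keys a .mobileconfig actually carries, so the file can be checked before upload and again after downloading it back. The sample profile, its `idleTime` key and the fake signature wrapper are constructed for illustration; for a signed profile the script assumes the XML sits contiguously inside the signature envelope, and on macOS `security cms -D -i <file>` is the proper way to unwrap it.

```python
import plistlib

# Keys that describe a payload itself rather than a managed setting.
META_KEYS = {"PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion",
             "PayloadDisplayName", "PayloadDescription", "PayloadOrganization",
             "PayloadEnabled"}

def extract_plist(data):
    """Return (xml_bytes, looks_signed). A signed profile is a DER blob
    (first byte 0x30) that wraps the XML plist; heuristic extraction only."""
    start = data.find(b"<?xml")
    end = data.rfind(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no XML plist found in profile")
    looks_signed = start > 0 and data[:1] == b"\x30"
    return data[start:end + len(b"</plist>")], looks_signed

def list_payloads(data):
    """Return (looks_signed, [(PayloadType, [setting keys]), ...])."""
    xml, looks_signed = extract_plist(data)
    profile = plistlib.loads(xml)
    rows = []
    for payload in profile.get("PayloadContent", []):
        settings = sorted(k for k in payload if k not in META_KEYS)
        rows.append((payload.get("PayloadType", "?"), settings))
    return looks_signed, rows

# Constructed sample: a user-level screensaver profile like the one in the thread.
SAMPLE_UNSIGNED = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "edu.example.screensaver",      # placeholder
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": "com.apple.screensaver.user",
        "PayloadIdentifier": "edu.example.screensaver.user",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadVersion": 1,
        "idleTime": 600,                                  # constructed value
    }],
})
# Constructed stand-in for a signed file: DER-like header and trailer bytes
# around the same XML. This is not a real CMS signature.
SAMPLE_SIGNED = b"\x30\x82\x04\x00" + SAMPLE_UNSIGNED + b"\x00\x00"

if __name__ == "__main__":
    for name, blob in (("unsigned", SAMPLE_UNSIGNED), ("signed", SAMPLE_SIGNED)):
        signed, rows = list_payloads(blob)
        print(name, "signed-looking:", signed)
        for ptype, keys in rows:
            print("  ", ptype, keys)
```

If the payload types listed for the file downloaded from Jamf Pro match those of the file that was uploaded, the settings survived the import regardless of what the GUI displays.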