Push Configuration Policy via Script

New Contributor III


I am trying to install a Configuration Profile as soon as some software is installed. At the moment I am using a Smart Group, but that needs a Recon before the machine is added to the group and the profile is pushed. Is there a way I could push it via a script at the end of the software install?


Valued Contributor

In the policy where you deploy that package, you can have it run sudo jamf recon and have it update inventory. Have a smart group with criteria that include all Macs with that application installed. Then, in the configuration profile, scope it to that smart group. This way, any Macs in that smart group will have that configuration profile pushed to them.
The other option is to create a package in Composer with both your application and the Configuration Profile (which will be a .mobileconfig file). In the post install script you can deploy the configuration profile after the software installation by adding this command: /usr/bin/profiles -I -F /private/tmp/profile.mobileconfig
Upload that package to Jamf and test deploy it.

Valued Contributor II

Be careful, as of Big Sur, the profiles command can no longer be used to install Configuration Profiles.

Your best bet is to run a recon as part of your install policy (or include it in a post install script as mentioned in the previous post). You may just want to consider installing the profile before the install (just scope it to the same computers that have the install policy scoped). It doesn't take many resources to have extra profiles installed.

Contributor III

You could use the API to add the computer to a static group that the profile is scoped to. Just have the script run the API command as a pre-install in the policy, sleep for 5 or however long it takes to ensure it has the profile, then run the actual installer in the policy.
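
The static-group approach from the reply above, as an added example (not code from the thread or from Jamf). It assumes the Jamf Pro Classic API `computergroups` resource; `JAMF_URL`, `GROUP_ID` and `API_TOKEN` are hypothetical variables supplied by the policy, with the token belonging to an API account that can only update that one group.

```shell
#!/bin/sh
# Added example: put this Mac into a static group via the Jamf Pro Classic API.
# JAMF_URL, GROUP_ID and API_TOKEN are assumptions supplied by the caller
# (for example as policy script parameters); none of them come from the thread.

# Serial number of the Mac the script is running on (macOS only).
get_serial() {
    /usr/sbin/ioreg -c IOPlatformExpertDevice -d 2 |
        awk -F'"' '/IOPlatformSerialNumber/ {print $4}'
}

# Build the XML body. The serial is validated first so that only letters and
# digits can ever be placed inside the XML sent with the API credentials.
build_payload() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) echo "invalid serial number" >&2; return 1 ;;
    esac
    printf '<computer_group><computer_additions><computer><serial_number>%s</serial_number></computer></computer_additions></computer_group>' "$1"
}

# Classic API URL for a computer group addressed by its numeric id.
group_url() {
    case "$2" in
        ''|*[!0-9]*) echo "invalid group id" >&2; return 1 ;;
    esac
    printf '%s/JSSResource/computergroups/id/%s' "${1%/}" "$2"
}

# Send the update; --fail makes curl return non-zero on an HTTP error so the
# policy can stop before the installer runs.
add_to_group() {
    _payload=$(build_payload "$(get_serial)") || return 1
    _url=$(group_url "$JAMF_URL" "$GROUP_ID") || return 1
    curl --silent --fail --request PUT \
        --header "Authorization: Bearer ${API_TOKEN}" \
        --header "Content-Type: text/xml" \
        --data "$_payload" "$_url" >/dev/null
}

# Only contact the server when a URL was supplied; then wait for the profile.
if [ -n "${JAMF_URL:-}" ]; then
    add_to_group && sleep 5
fi
```
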

New Contributor III

Thanks very much for the replies. I do run a recon at the end and the machine does get the Configuration Profile quite quickly. The problem is, the Configuration Profile is for Notifications. This means the user will see the Notifications to approve before the Configuration Profile applies. Once it does, they will go away. I suppose it won't matter if they mess it up, as I will have configured them. From my testing, the application has to be installed before the Configuration Profile, otherwise it has no effect.

Contributor II

Profiles are text files. They can be echoed in a script; we use this process for non-DEP enrollments, but as mentioned, most of the time you want the profile installed before the software install.