Jamf Nation Community

Ever since JSS 9.90 (?) there have been configuration profile issues. The Login Window may have an improper payload that sets that setting which may conflict with the one from Security and Privacy which then means it is impossible to tell which setting will take priority. I have not heard anything about them fixing that issue but we are still on JSS 9.91.

Also, we recently has the Security and Privacy profile start having a payload that disables iCloud Drive. We changed nothing in the profile but when the JSS randomly decided to re-install all the profiles on a station like it does, that payload it being included.

Fun with configuration profiles.

It has to be some disconnect as to what the JSS thinks should be included and what Apple thinks should be included? It is getting really annoying that you never know what setting will be deployed and is making this job really difficult.

I also do NOT like the solution of making a custom profiles for every setting I want to use. I pay to have the JAMF software to do this for me, waste of money at that point. It has been about 8 months now and there are still problem arising and no definite solutions from Jamf.

The only Band-Aid of which I know is to build the Configuration Profile in Profile Manager, sign it (prevents the JSS from making changes) and upload it to the JSS.

Far from ideal.

We had three individual config profiles for login window, Security and restrictions - we had lots of issues,including the one above, when we amalgamated these into one policy everything started behaving on the majority of our machines.

@dan.snelson Yes it was working before the upgrade to 9.93 (previous version 9.91).

Exact same issue, the end result was what @Parm mentioned.

Disclaimer: do not know if it will work in your environment.

For now our work around is to create another configuration profile and setting the level to "User Level"
instead of using "Computer Level"

we also have another configuration profile "Security & Privacy" set to "Computer Level"
along with the "Login Window" payload.

and that seems to work for us.

For us is important to have the message Banner and the screen saver to activate "immediately".

Hopefully this workaround/lucky guess works for you.

Hi @scentsy , have you tried looking at this fix? Worked for me first time and been using it like this ever since

Here seems to be an explanation for I have been experiencing. The workaround has been working for me. Similar to above posts

@Sachin_Parmar I have not done that fix on our new version 9.93; I've done it on our previous version 9.91 and it has worked.

I was going to do that fix, but that's when I decided to test what I've posted, and since it worked for me (at the moment) I'll leave it the way it is.

Thank you for posting the link.

my newly imaged machines are setting this to required and I don't even have a configuration profile setup for this since changing to 9.93.

@KCH080208 Do you happen to have a Configuration Profile with the FileVault 2 Redirect payload?

I created a custom plist for this that defines the two keys and then deployed to only our 10.11.x Macs via a CP.

askForPassword=1
askForPasswordDelay=0.0

Works a treat.

Here seems to be an explanation for I have been experiencing. The workaround has been working for me. Similar to above posts

So remember I told you I created two configuration profiles for the screen saver to work “properly” weelllll, it turns out it was causing other issues.

So I contacted the Jamf support and they send me a link (http://www.johnkitzmiller.com/blog/security-privacy-configuration-profile-bug-in-casper-9-82/), I was going to do the custom property list file, but I just set it to “Require password 5 seconds after sleep or screen saver begins” and that worked!

I pushed that configuration (the same one we had, only changed the “immediately” to “5 seconds”).

I had a weird feeling having two configuration profile of the same settings it will cause problems.

So now there’s only one configuration profile (as it should) for the screen saver.

Thanks.

After a few days I notice the screen saver keeps switching randomly to "Ask for password" and it goes back to when the screen saver turns on and when I wake it up it doesn't ask for a password.

I'm on 9.93 JSS and macs running 10.11.6

as I posted on 08/18/16 I tried the suggestion from johnkitzmiller blog and it doesn't work for me.

@scentsy - Do you have multiple config profiles? Try merging them into one and try johnkitzmiller fix and see if that helps.

This is the way we have it setup.

FWIW, this method still seems to work for us with askForPasswordDelay & even works to get over the FV2 redirection auto logout issue in 9.93.