Smart Computer Group that is based on configuration profile

jcaiii
New Contributor II

I am in the process of installing Sophos using a policy. Sophos has several PPPCs, and Kernels that need to be put in place. These are being pushed by a configuration profile.

I do not want the install of sophos to happen before the configuration policy is on the system, yet I do not see any option when creating a smart computer group to determine if the configuration policy has been applied.  How do I verify the policy is in place before the install?

 

Thanks in advance for your help!

1 ACCEPTED SOLUTION

gachowski
Valued Contributor II

@jcaiii 

Profile Identifier is in the built in Smart group criteria, all you need is that ID number of the profile and you can create a a smart group based on it...  : )  and you can get that ID in the computer record under Profiles... no coding needed

View solution in original post

8 REPLIES 8

jcarr
Release Candidate Programs Tester

You could build an EA that looks for the presence of your PPPC profile.  The following command will list profiles:

 

/usr/bin/profiles -P

 

You can then grep for the profile in question and conditionally set the result to INSTALLED or NOT INSTALLED as appropriate.

gachowski
Valued Contributor II

@jcaiii 

Profile Identifier is in the built in Smart group criteria, all you need is that ID number of the profile and you can create a a smart group based on it...  : )  and you can get that ID in the computer record under Profiles... no coding needed

jcarr
Release Candidate Programs Tester

That's a better solution.  🙂

sdagley
Esteemed Contributor II

@gachowski Profile Name is also an available Smart Group Criteria, and might be more maintainable/recognizable than Profile Identifier

jcaiii
New Contributor II

Thank you all very much for your replies!

ewu-it
New Contributor III

Another way you can implement this is by using a two step policy method that caches the installer on the machine, then subsequently does the install.

The basic steps are:
1. Create a smart group based on the Sophos installer package being cached on the system. Create another smart group based on the Sophos application being on the system.

2. Set the scope of the Sophos related config profile(s) to BOTH of the new smart groups.

3. Create an on-going policy that caches the Sophos package on the system and scope it all machines (or a small subset for testing) and exclude the new cached smart group. Make sure the policy runs a recon (via file & processes per this DerFlounder blog post )
4. Create an on-going policy that installs the Sophos package on the system and scope it to the cached smart group and excludes the installed smart group. Make sure the policy runs a recon (via file & processes)

The first policy will cache the installer to the machines and should ensure the configuration profiles get installed as well.  During the next check-in cycle the machine will perform the installation with the config profiles in place.  If the user unintentionally or purposely removes the Sophos application the two policies together will direct the machine to reinstall it depending on how often your machines typically run a recon.

--
Howard Griffith--Endpoint Systems Engineer--Eastern Washington University

Jacek_ADC
Contributor

Hi Guys

someone an idea how to find on MacOS Ventura the profile identifier for an config profile? Its no more visible under the profiles in system preferences.

It is visible in Jamf admin console.  Do a search and select a machine.  Choose Inventory and then select Profiles.  All assigned Configuration Profiles names and identifiers are listed.