Switching Profiles with Self Service

bizzaredm
Contributor

I cannot wrap my head around the solution for this and I feel like I'm missing something:

Desired Outcome:
User opens Self Service and picks "15 minute" or "Immediate" screen lock. On the backend, if you pick 15 minutes we want the 15 minute security profile to install and remove Immediate if it's there. And the same on the flip side.

Suggestions on how to scope/exclude these?

  • The added issue is we want 15 minute to be applied by default and then be able to switch.

bvrooman
Valued Contributor

Doing this through MDM may be tough, but I can think of a way to do it with packages and scripted profile installation/removal.

You could make two packages; one to deploy each of the profiles to a temp folder, with a postinstall script that installs the newly-selected profile and removes the other. Create policies to install each package, and scope them to smart groups containing computers which have the opposite profile installed (and if that isn't part of the normal smart group criteria then you may need to make an EA that collects the data you need). Make sure there's a recon on each policy, so the JSS is aware that the profiles have "switched."

mm2270
Legendary Contributor III

The other possible way to do this, though maybe less reliable, would be to write some values into a local file or plist to indicate which setting the user chose, then pick that setting up in an Extension Attribute script. Create some Smart Groups that use that EA value as criteria for machines in either group, and use them as either inclusion or exclusion for whichever profile you want deployed.
For example, if the Mac lands in the "15 minute" group, have that Smart Group scoped as the group for the Profile that deploys that setting. Have the "Immediate" Smart Group scoped as the group under the Exclusion tab for that same 15 minute profile. Do the reverse for the Immediate profile.

Make sure the policy runs a full recon/inventory collection. The Mac should then land in the correct group, which will then remove one profile and install the other.

The only issue is one of timing. It may take several minutes or longer for the correct Config Profile to get deployed with the above setup. But it could work.

I would probably also consider not allowing the user to switch the setting too often, to avoid issues with profile deployment getting "stuck". Maybe make it only appear once a day in Self Service to prevent frequent runs or abuse of the policy.
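An Extension Attribute script for the Smart Group approach described above, as an added example that is not part of the thread. Rather than trusting the value the user last chose, it reports which of the two profiles is actually installed (from `profiles list` output), so a Mac where a switch got "stuck" with both profiles present shows up as its own state. The PayloadIdentifier values are assumed placeholders.

```shell
#!/bin/bash
# Added example (not from the thread): Jamf Extension Attribute that reports
# which screen-lock profile is really installed, so Smart Group criteria
# reflect device state rather than the last Self Service selection.
# The two PayloadIdentifier values below are assumed placeholders.

ID_15MIN="com.example.screenlock.15min"
ID_IMMEDIATE="com.example.screenlock.immediate"

# Classify the output of 'profiles list' (older macOS: 'profiles -P'), which
# prints one "attribute: profileIdentifier: <id>" line per installed profile.
# Reads the text from stdin so it can be exercised with constructed input.
classify_profiles() {
    text="$(cat)"
    has15=0
    hasimm=0
    printf '%s\n' "$text" | grep -q "profileIdentifier: $ID_15MIN" && has15=1
    printf '%s\n' "$text" | grep -q "profileIdentifier: $ID_IMMEDIATE" && hasimm=1
    case "$has15$hasimm" in
        10) echo "15 minute" ;;
        01) echo "Immediate" ;;
        11) echo "Both" ;;      # a "stuck" switch: both profiles are present
        *)  echo "None" ;;
    esac
}

# Real EA run (Jamf runs EAs as root, which 'profiles list' needs for
# device-level profiles). Skipped where the profiles tool does not exist.
if [ -x /usr/bin/profiles ]; then
    state="$(/usr/bin/profiles list 2>/dev/null | classify_profiles)"
    echo "<result>$state</result>"
fi
```

Build the Smart Groups on this EA ("15 minute", "Immediate") and treat "Both" and "None" as remediation groups rather than scoping targets; a policy that runs a recon after the switch is what moves the Mac between groups.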

bizzaredm
Contributor

Thanks for the suggestions!

I'm thinking, based on research, that storing both profiles on the machine in some hidden folder, then installing them/removing the other one via script in a policy in SS, may work... I guess it would be safer to have both packaged and installed in case the chosen one is not there.

mm2270
Legendary Contributor III

That sounds like a decent plan. Keeping them both on the Mac locally and installing them (or removing them) with the profiles command should work OK. And it would be much faster than my proposed workaround.

The only possible caveat you should be aware of is that manually installed profiles (as opposed to deployed from an MDM product) can be removed pretty easily with the profiles command, if someone knows how. That can be mitigated by adding a "removal password" to the profile, which only you and some other IT folks would know. I'm not even sure if that would be an issue in your case, but did want to mention that, just in case it was something to consider.
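The local-switch approach agreed on above, as an added example that is not part of the thread: a Self Service policy script that removes the opposite profile with the `profiles` command, installs the chosen one from a locally staged copy, and records the choice for an Extension Attribute to pick up at recon. The staging folder, file names and PayloadIdentifier values are assumed placeholders; the command paths can be overridden for a dry run.

```shell
#!/bin/bash
# Added example (not from the thread): switch between two locally staged
# screen-lock profiles from a Self Service policy. The choice arrives as the
# first Jamf script parameter ($4). Folder, file names and identifiers are
# assumed placeholders; PROFILES_CMD/DEFAULTS_CMD can be set to "echo" for a
# dry run on any machine.

STAGE_DIR="${STAGE_DIR:-/Library/Application Support/YourOrg/profiles}"
PROFILES_CMD="${PROFILES_CMD:-/usr/bin/profiles}"
DEFAULTS_CMD="${DEFAULTS_CMD:-/usr/bin/defaults}"
CHOICE_PLIST="/Library/Preferences/com.example.screenlock"   # assumed plist

# Staged .mobileconfig file for a choice
profile_file() {
    case "$1" in
        15min)     echo "screenlock-15min.mobileconfig" ;;
        immediate) echo "screenlock-immediate.mobileconfig" ;;
        *)         return 1 ;;
    esac
}

# PayloadIdentifier of the profile for a choice (what 'profiles remove' needs)
profile_id() {
    case "$1" in
        15min)     echo "com.example.screenlock.15min" ;;
        immediate) echo "com.example.screenlock.immediate" ;;
        *)         return 1 ;;
    esac
}

# The profile that must go away when the other is chosen
other_choice() {
    case "$1" in
        15min)     echo "immediate" ;;
        immediate) echo "15min" ;;
        *)         return 1 ;;
    esac
}

switch_profile() {
    choice="$1"
    other="$(other_choice "$choice")" || { echo "unknown choice: $choice" >&2; return 1; }
    # Remove the opposite profile first; ignore the error if it is not installed
    "$PROFILES_CMD" remove -identifier "$(profile_id "$other")" 2>/dev/null || true
    # Install the selected profile from the local staging copy
    "$PROFILES_CMD" install -path "$STAGE_DIR/$(profile_file "$choice")" || return 1
    # Record the selection so an EA can report it at the recon that follows
    "$DEFAULTS_CMD" write "$CHOICE_PLIST" choice -string "$choice"
}

# Jamf passes policy script parameters from $4 onward
if [ $# -ge 4 ]; then
    switch_profile "$4" || exit 1
fi
```

Two caveats on the `profiles` calls: the `profiles install -path` / `profiles remove -identifier` form is the macOS 10.13 syntax (earlier releases use `profiles -I -F <file>` and `profiles -R -p <identifier>`), and from macOS 11 onward `profiles` can no longer install configuration profiles at all, so on current systems the switch has to be driven by MDM scoping instead. If you add a removal password to the profile, the remove step in this script must supply it as well, which is exactly the protection the password is meant to give.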

bizzaredm
Contributor

@mm2270 THANK YOU! I had no idea that removal password was even an option! Not too worried about people removing them.. but good to know.