Posted on 01-14-2022 07:07 AM
Hello All. Had a question on system settings that I wanted to see if anyone else had any recommendations on. When we deploy or repurpose machines there are many default settings we usually deploy the machine with. We can accomplish all of the settings we want to hand the machines off with config profiles or policy. However, many of these settings we want the user to be able to change if they choose to after we hand off the machine. If we use a config profile for a setting it locks the setting from the user changing it. I know that is the point; however, we have a lot of users that do development and testing and they need to have access to change some of the settings. I know this may be a little off topic but I just wanted to see if anyone had run into this or may have some suggestions. Any info is greatly appreciated.
Posted on 01-14-2022 08:39 AM
Settings applied with a script instead of a profile would typically not be immutable, so an end user can presumably change them, keeping in mind that admin level access might be a requirement to change them in some cases.
There used to be a way to apply a profile as a "once only" kind of setting, but it was a hack, since profiles don't normally support that type of application.
01-14-2022 11:25 AM - edited 01-14-2022 11:26 AM
@JalteredM My approach for settings I want to force initially but allow users to modify is to deploy a Configuration Profile with the default settings to all machines and use a Smart Group as a Scope Exclusion. That Smart Group is composed of Macs that have a hidden flag file present that indicates the user wants to remove the enforced setting. There is a Policy available in Self Service for each removable profile that doesn't already have the flag file which will create the flag file when it's run. An Extension Attribute is used to detect the presence of the flag file, and the value of that EA is the basis of membership in the Smart Group used for the Scope Exclusion.
As an example of usage I deploy a Set Desktop Configuration Profile that sets the default Desktop image and a Smart Group named DesktopUnlock is a Scope Exclusion for it. In Self Service a user will see an Unlock Desktop item. Running it will create a flag file named UnlockDesktop. There is an EA that looks to see if that file exists, and when it does that Mac becomes a member of the DesktopUnlock Smart Group which excludes it from the Set Desktop Configuration Profile. When that profile is removed the user is then able to change their Desktop image.
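The flag-file workflow described in the reply above, sketched as an added example that is not part of the original posts: one function for the Self Service policy script and one for the Extension Attribute script. The directory path, the function names and the `Unlocked`/`Locked` values are assumptions; only the flag name `UnlockDesktop` comes from the thread.

```shell
#!/bin/sh
# Added example; not the poster's scripts.
# FLAG_DIR is a hypothetical location. Keeping it root-owned means a standard
# user cannot create the flag by hand, so every unlock goes through the
# Self Service policy (Jamf policy scripts run as root).
FLAG_DIR="${FLAG_DIR:-/Library/Application Support/.example_flags}"

# Policy side: the Self Service "Unlock Desktop" script would end with
#   create_flag UnlockDesktop
create_flag() {
    name="$1"
    # Accept simple names only, so a parameter can never escape FLAG_DIR.
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid flag name" >&2; return 1 ;;
    esac
    mkdir -p "$FLAG_DIR" || return 1
    chmod 755 "$FLAG_DIR" || return 1
    # Store a UTC timestamp so the unlock time can be reviewed later.
    date -u +%Y-%m-%dT%H:%M:%SZ > "$FLAG_DIR/$name" || return 1
    chmod 644 "$FLAG_DIR/$name"
}

# EA side: the Extension Attribute script would end with
#   ea_result UnlockDesktop
# Jamf reads the text between <result> tags as the attribute value.
ea_result() {
    flag="$FLAG_DIR/$1"
    # Require a regular file; a symlink placed at the path does not count.
    if [ -f "$flag" ] && [ ! -L "$flag" ]; then
        echo "<result>Unlocked</result>"
    else
        echo "<result>Locked</result>"
    fi
}
```

With these values, the DesktopUnlock Smart Group would use the criterion "EA is Unlocked", and membership updates when the Mac next submits inventory.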