Does pushing the same payload from multiple config profiles cause a problem?

dlprentice
New Contributor III

Basically the title, does pushing the same config profile with different settings applied cause conflicts?

Here is a very specific example:

Security and Privacy

One profile has the firewall turned on and another has the firewall off (not checked).

Basically, which wins? Do they fight? We had some weird behavior happen when pushing the same payload multiple times with different settings.

Any advise or guidance is appreciated.

1 ACCEPTED SOLUTION

rjashton
New Contributor II

They definitely clash and it is a bit random which one 'wins' so to speak. The unofficial Apple response about this MDM 'feature' about which one wins is usually 🤷🏻‍♂️

I think that in certain Mobile Device profiles Jamf Pro now allows you to pick which parts of a payload actually get deployed (I think the Restrictions payload) and I would anticipate more of this sort of thing in the future. Where this isn't available you could potentially create a custom profile that includes only the payloads you need in it... but this has potential to be a bit fiddly and error prone!

Best practice is usually to have only one of each payload scoped to a device. If you had a set of devices that don't need your default security settings I'd probably create a group for excluding these from your defaults. Then I'd reuse that group to scope my desired settings for those devices.

View solution in original post

4 REPLIES 4

rjashton
New Contributor II

They definitely clash and it is a bit random which one 'wins' so to speak. The unofficial Apple response about this MDM 'feature' about which one wins is usually 🤷🏻‍♂️

I think that in certain Mobile Device profiles Jamf Pro now allows you to pick which parts of a payload actually get deployed (I think the Restrictions payload) and I would anticipate more of this sort of thing in the future. Where this isn't available you could potentially create a custom profile that includes only the payloads you need in it... but this has potential to be a bit fiddly and error prone!

Best practice is usually to have only one of each payload scoped to a device. If you had a set of devices that don't need your default security settings I'd probably create a group for excluding these from your defaults. Then I'd reuse that group to scope my desired settings for those devices.

Tangentism
Contributor III

As @rjashton says, there will be a clash but my experience has shown that, especially with CP's with 'Restrictions' payload, the most restrictive will win. I had two CP's with the same settings but one had Touch ID disabled and it won out.

Best way to discover the effect is scope both to a test device and see if the firewall is on or off

dlprentice
New Contributor III

Thanks for the responses! It seems the best solution to make sure you don't have multiple payloads of the same type competing, and consolidate as much as reasonable.

ega
Contributor III

Also when using Profile Creator on macOS you will see in the General payload 2 settings that make the profile unique

1- Payload Identifier
A reverse-DNS style identifier (com.example.myprofile, for example) that identifies the profile. This string is used to determine whether a new profile should replace an existing one or should be added.

and

2 - Identifier

A globally unique identifier for the profile.

Both of these need to be Globally Unique.  
What I do is use the unix command line tool uuidgen to create a unique identifier and add to the end of the Payload Identifier like:

com.example.myprofile.F168DDBD-67FF-4CCA-ACCE-72A9315CEXXX

And then change the Identifier to the the same unique id like:

F168DDBD-67FF-4CCA-ACCE-72A9315CEXXX

This way I can use the exact same profile in whatever Site I want and Jamf and macOS see them as different profiles buy they set the same keys.
Also if you forget to change one of these Jamf will give a "Can't make object from file" error when the upload is attempted.

I hope this helps save someone time.