Posted on 10-20-2020 06:36 AM
Basically the title, does pushing the same config profile with different settings applied cause conflicts?
Here is a very specific example:
Security and Privacy
One profile has the firewall turned on and another has the firewall off (not checked).
Basically, which wins? Do they fight? We had some weird behavior happen when pushing the same payload multiple times with different settings.
Any advise or guidance is appreciated.
Solved! Go to Solution.
Posted on 10-20-2020 06:48 AM
They definitely clash and it is a bit random which one 'wins' so to speak. The unofficial Apple response about this MDM 'feature' about which one wins is usually 🤷🏻♂️
I think that in certain Mobile Device profiles Jamf Pro now allows you to pick which parts of a payload actually get deployed (I think the Restrictions payload) and I would anticipate more of this sort of thing in the future. Where this isn't available you could potentially create a custom profile that includes only the payloads you need in it... but this has potential to be a bit fiddly and error prone!
Best practice is usually to have only one of each payload scoped to a device. If you had a set of devices that don't need your default security settings I'd probably create a group for excluding these from your defaults. Then I'd reuse that group to scope my desired settings for those devices.
Posted on 10-20-2020 06:48 AM
They definitely clash and it is a bit random which one 'wins' so to speak. The unofficial Apple response about this MDM 'feature' about which one wins is usually 🤷🏻♂️
I think that in certain Mobile Device profiles Jamf Pro now allows you to pick which parts of a payload actually get deployed (I think the Restrictions payload) and I would anticipate more of this sort of thing in the future. Where this isn't available you could potentially create a custom profile that includes only the payloads you need in it... but this has potential to be a bit fiddly and error prone!
Best practice is usually to have only one of each payload scoped to a device. If you had a set of devices that don't need your default security settings I'd probably create a group for excluding these from your defaults. Then I'd reuse that group to scope my desired settings for those devices.
Posted on 10-20-2020 07:01 AM
As @rjashton says, there will be a clash but my experience has shown that, especially with CP's with 'Restrictions' payload, the most restrictive will win. I had two CP's with the same settings but one had Touch ID disabled and it won out.
Best way to discover the effect is scope both to a test device and see if the firewall is on or off
Posted on 10-20-2020 08:19 AM
Thanks for the responses! It seems the best solution to make sure you don't have multiple payloads of the same type competing, and consolidate as much as reasonable.
Posted on 09-23-2021 08:01 AM
Also when using Profile Creator on macOS you will see in the General payload 2 settings that make the profile unique
1- Payload Identifier
A reverse-DNS style identifier (com.example.myprofile, for example) that identifies the profile. This string is used to determine whether a new profile should replace an existing one or should be added.
and
2 - Identifier
A globally unique identifier for the profile.
Both of these need to be Globally Unique.
What I do is use the unix command line tool uuidgen to create a unique identifier and add to the end of the Payload Identifier like:
com.example.myprofile.F168DDBD-67FF-4CCA-ACCE-72A9315CEXXX
And then change the Identifier to the the same unique id like:
F168DDBD-67FF-4CCA-ACCE-72A9315CEXXX
This way I can use the exact same profile in whatever Site I want and Jamf and macOS see them as different profiles buy they set the same keys.
Also if you forget to change one of these Jamf will give a "Can't make object from file" error when the upload is attempted.
I hope this helps save someone time.