One of my recent projects has been to start utilizing configuration profiles to replace existing MCX settings in the organization. I am also trying to exclusively use these for new settings/requests, and a recent one that came across my desk included configuring settings in Safari for an upcoming online exam.
Let me get this out of the way… I don’t fully trust the MDM platform on Mac OS X. Nor do I like the reporting, or lack thereof, that comes with it. I publish a configuration and just… wait… and hope that it sticks. Casper has improved the visibility in recent releases but I still don’t get much feedback if/when something goes wrong.
So, the approach I have been taking is to create the configuration profiles and then package them up for distribution. Once they are in a .pkg format, I can deploy them as a Policy on our Casper Server and easily monitor their installation.
This post won’t focus on the specifics of creating a configuration profile so, for time’s sake, I am assuming you have a working (and tested) Configuration Profile that you would like to deploy.
First Step. Move your configuration profile to the path you would like it to be installed on your client. In my organization, I have created a custom folder under /Library/MyOrgName to store all these temporal type items as well as other information (logs, etc.) that I want to maintain on each system.
Next, open Composer.
Once Composer has launched, drag your configuration profile into the left side of the Composer window. This will create a new project that contains your configuration profile(s).
Next, click the arrow next to the profile name to expose the Scripts, Settings and Snapshots Folders.
Ctrl-Click or Right-Click on the Scripts folder and choose Add Shell Script, then select postinstall.
Note: If you would like to know more about the various types of scripts, Rich Trouton has a great writeup and description in the following article: Understanding Payload-Free Packages
Now we can add in the logic to install the profiles we have copied over to the client. In this case, I also show you how you can remove a profile then install your newly created configuration profile.
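#!/bin/bash
# Remove Old Profile
/usr/bin/profiles -R -F /Library/MyOrgName/TestNav\ 8\ Safari\ Settings.mobileconfig
# Short pause so the removal is processed before the install (2 seconds is an assumed value)
sleep 2
# Install New Profile
/usr/bin/profiles -I -F /Library/MyOrgName/TestNav\ 8\ Safari\ Settings\ No\ Homepage.mobileconfig
# Short pause so the install is processed before clean-up (2 seconds is an assumed value)
sleep 2
# Clean Up After Ourselves
rm -f /Library/MyOrgName/TestNav\ 8\ Safari\ Settings\ No\ Homepage.mobileconfig
rm -f /Library/MyOrgName/TestNav\ 8\ Safari\ Settings.mobileconfig
exit 0 ## Success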
I have added the sleeps in there as I had some older clients that weren’t reliably processing the remove/add without a smidgen of a pause.
Once I’m satisfied with the script, I verify permissions of my packaged content. In my case, root:wheel ownership.
When you’re ready to test, build it as a package and test that all settings are getting applied as desired. One note: on 10.7/10.8 I often need a logout/restart for restrictions to fully apply.
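The postinstall above always exits 0, so the Casper policy reports success even when the profile never lands. The following is an added example, not part of the original script: it installs the profile, then confirms its identifier is listed by profiles -P and returns a non-zero code otherwise. The function names, the PROFILE_FILE/PROFILE_ID variables, the sample identifier and the "profileIdentifier:" line format of profiles -P are assumptions.

```shell
#!/bin/sh
# Added example: fail the package (and the policy) if the profile is not listed.
# PROFILES_BIN can be overridden so the logic is testable off a Mac.
PROFILES_BIN="${PROFILES_BIN:-/usr/bin/profiles}"

# Reads `profiles -P` output on stdin. Succeeds only when a line such as
#   _computerlevel[1] attribute: profileIdentifier: com.example.safari.exam
# (assumed format) ends in exactly the identifier given as $1.
profile_listed() {
    awk -v id="$1" '/profileIdentifier:/ && $NF == id { found = 1 }
                    END { exit !found }'
}

# install_and_verify <file> <PayloadIdentifier> [tries]
# Returns 0 = listed, 2 = file missing, 3 = install failed, 4 = never listed.
install_and_verify() {
    iv_file="$1"; iv_id="$2"; iv_tries="${3:-5}"; iv_i=0
    [ -r "$iv_file" ] || { echo "missing profile: $iv_file" >&2; return 2; }
    "$PROFILES_BIN" -I -F "$iv_file" || { echo "install failed: $iv_file" >&2; return 3; }
    # Older clients can take a moment, so poll instead of checking once.
    while [ "$iv_i" -lt "$iv_tries" ]; do
        if [ "$iv_i" -gt 0 ]; then sleep 1; fi
        if "$PROFILES_BIN" -P | profile_listed "$iv_id"; then return 0; fi
        iv_i=$((iv_i + 1))
    done
    echo "profile $iv_id not listed after install" >&2
    return 4
}

# Entry point for a postinstall: runs only when both values are set.
if [ -n "${PROFILE_FILE:-}" ] && [ -n "${PROFILE_ID:-}" ]; then
    install_and_verify "$PROFILE_FILE" "$PROFILE_ID" || exit 1
fi
```

Run the clean-up (rm) steps only after install_and_verify succeeds, so a failed install leaves the .mobileconfig in place for troubleshooting.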