Genesis of Presentation Mode for Jamf Pro
Some time ago, one of our C-level leaders — who wisely prefers macOS — was presenting to a group of other C-level leaders (most of whom use a different operating system).
The PDF-only presentation was going well and a particular page sparked a discussion; a discussion which lasted more than 15 minutes.
We all know what happens when a MacBook Air running on battery power sits idle for more than 15 minutes (especially a MacBook Air which has a battery-saving Configuration Profile installed):
- Put the display to sleep after: 15 minutes
- Require password immediately after sleep or screen saver begins
As the discussion concluded and our C-level leader woke up his Mac to resume his PDF-only presentation, his Mac greeted with a login prompt, a login prompt which required multiple attempts to complete, all while projecting in front of the group of other C-level leaders.
Thus was Presentation Mode born.
Overview
Presentation Mode leverages the Jamf Pro API to switch between one of two Configuration Profiles:
- Security & Privacy: Security-approved settings for screensaver password timeouts, computer sleep options, etc.
- Presentation Mode: Security-approved relaxed settings for screensaver password timeouts, computer sleep options, etc.
Using lessons learned from Your Internal Beta Test Program: Opt-in / Opt-out via Self Service, a Presentation Mode 2 Pop-up Menu Extension Attribute includes two options:
- Disabled
- Enabled
Two Smart Groups — Presentation Mode 2: Enabled and Presentation Mode 2: Disabled — are used to scope the Configuration Profiles
- Security & Privacy is scoped to Presentation Mode 2: Disabled
- Presentation Mode is scoped to Presentation Mode 2: Enabled
A LaunchDaemon created just-in-time executes a Jamf Pro policy via a Custom Event after a configurable duration to disable Presentation Mode and restore standard security-approved settings.
Setup and Configuration
API Permissions for Computer Extension Attributes
Create a Jamf Pro Standard Account …
- Username: apiPresentationMode2
- Access Level: Full Access
- Privilege Set: Custom
… with the following privileges:
Extension Attribute
Create the Presentation Mode 2 Extension Attribute with the following settings:
- Data Type: String
- Input Type: Pop-up Menu
- Pop-up Menu Choice: Disabled
- Pop-up Menu Choice: Enabled
Smart Groups
Create two Smart Groups using the following criteria:
Presentation Mode 2: Disabled
- Presentation Mode 2 is Disabled
- or Presentation Mode 2 is {blank}
Presentation Mode 2: Enabled
- Presentation Mode 2 is Enabled
Configuration Profiles
Security & Privacy: Security-approved settings for screensaver password timeouts, computer sleep options, etc., scoped to Presentation Mode 2: Disabled.
- Restrictions
- Login Window
- Security and Privacy
- Energy Saver
Presentation Mode: Security-approved relaxed settings for screensaver password timeouts, computer sleep options, etc., scoped to Presentation Mode 2: Enabled. (Most frequently created from a clone of the Security & Privacy Configuration Profile.)
- Restrictions
- Login Window
- Security and Privacy
- Energy Saver
Scripts
Delayed Policy Trigger Create
Customize the plistDomain variable and add the following Parameter Labels to the Delayed Policy Trigger Create.bash script:
- Parameter 4: Unique Daemon Label
- Parameter 5: Jamf Pro policy trigger name
- Parameter 6: Interval (in minutes)
Delayed Policy Trigger Disable
Customize the plistDomain variable and add the following Parameter Label to the Delayed Policy Trigger Disable.bash script:
- Parameter 4: Unique Daemon Label
Display Message: JAMF binary
Add the following Parameter Label to the Display Message JAMF binary.bash script:
- Parameter 4: Text of end-user message
Extension Attribute Update
Generate Encrypted Script Parameters for the encrypted API account password and update the following variables in the Extension Attribute Update.sh script:
-
apiURL
-
Salt
-
Passphrase
I add the following snippet to the bottom of EncryptedStrings_Bash.sh so the values will be output to Terminal when called via: ./EncryptedStrings_Bash.sh 'Purple Monkey Dishwasher'
# Output to Terminal args=("$@") password="${args[0]}" GenerateEncryptedString "${password}"
Add the following Parameter Labels to the Extension Attribute Update.sh script:
- Parameter 4: API Username (Read / Write)
- Parameter 5: API Encrypted Password (Read / Write)
- Parameter 6: EA Name (i.e., "Presentation Mode 2")
- Parameter 7: EA Value (i.e., "Enabled" or "None")
Policies
Policies Overview
The following provides an overview of both policies:
Presentation Mode Enable
Options
General
- Display Name: Presentation Mode Enable (2.0.0)
- Execution Frequency: Ongoing
- Trigger: Self Service
Scripts
- Delayed Policy Trigger Create
- Unique Daemon Label: presentationMode2
- Jamf Pro policy trigger name: presentationMode2
- Interval (in minutes): 75
Scripts
- Extension Attribute Update
- API Username (Read / Write): apiPresentationMode2
- API Encrypted Password (Read / Write): See Encrypted Script Parameters
- EA Name (i.e., "Presentation Mode 2"): Presentation Mode 2
- EA Value (i.e., "Enabled" or "None"): Enabled
- Scripts
- Display Message: JAMF binary
- Text of end-user message: Presentation Mode has been enabled for 75 minutes; screen saver idle time has been set to two hours.
- Display Message: JAMF binary
Scope
- Targets: All Managed Clients
- Limitations: None
- Exclusions: Presentation Mode 2: Enabled
Self Service
- Make the policy available in Self Service: Enabled
- Self Service Display Name: Presentation Mode (2.0.0)
- Description: Click Enable to temporarily set the screensaver idle time to two hours. After 75 minutes, Presentation Mode will be automatically disabled and the screensaver settings will be restored to IT Security standards.
Presentation Mode Disable
Options
General
- Display Name: Presentation Mode Disable (2.0.0)
- Trigger
- Custom: presentationMode2
- Execution Frequency: Ongoing
Scripts
- Delayed Policy Trigger Disable
- Unique Daemon Label: presentationMode2
Scripts
- Extension Attribute Update
- API Username (Read / Write): apiPresentationMode2
- API Encrypted Password (Read / Write): See Encrypted Script Parameters
- EA Name (i.e., "Presentation Mode 2"): Presentation Mode 2
- EA Value (i.e., "Enabled" or "None"): Disabled
- Scripts
- Display Message: JAMF binary
- Text of end-user message: Presentation Mode has ended. The screensaver timeout is again set to the IT standards. If additional time is required, please return to the Workforce App Store and re-enable Presentation Mode.
- Display Message: JAMF binary
Scope
- Targets: Presentation Mode 2: Enabled
User Interaction
- Complete Message: Presentation Mode has been disabled.
Automatic Policy Execution Scope
Add the Presentation Mode 2: Enabled Smart Group as an Exclusion for automatic Patch Policies and any Ongoing, Recurring Check-in Policies which could interrupt users' presentations (i.e., operating system update policies, etc.)
End Notes
Subscribe to the Jamf Blog
Have market trends, Apple updates and Jamf news delivered directly to your inbox.
To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.