
Deploying Custom Configuration Profiles using Jamf Pro

Overview

This article explains how to deploy custom configuration profiles to computers using Jamf Pro.

Custom computer configuration profiles can be used to set preferences for specific application or preference domains that are not native to Jamf Pro. You can use the following methods in Jamf Pro to deploy custom configuration profiles:

  • Use the Custom Settings payload to upload and deploy .plist files.
  • Upload a complete .mobileconfig file to a computer or device.

Requirements

  • Jamf Pro
  • Text editor

Uploading Configuration Profiles using the Custom Settings Payload

To deploy a custom .plist profile to computers, complete the following steps:

  1. Create a .plist file using a text editor.
  2. Enter key-value pairs that define the application preferences you want to manage.
  3. In Jamf Pro, create a computer configuration profile:
     a. Click Computers, and then click Configuration Profiles.
     b. Click New.
     c. Click Custom Settings, and then click Configure.
  4. Complete the Custom Settings pane:
     a. Enter the preference domain for which you want to set preferences. The preference domain should look similar to this: "com.vendor.application".
     b. Click Upload PLIST File, and then choose the .plist file previously created.
     Note: If the .plist file contains formatting errors, follow the on-screen instructions to remediate the issue, and then execute the following command before re-uploading the file:
     /usr/bin/plutil -convert xml1 /path/to/file.plist
  5. Scope the configuration profile to target computers. For more information, see the Scope section of the Jamf Pro Administrator's Guide.
  6. Click Save.

Uploading Configuration Profiles to Jamf Pro

You can also upload .mobileconfig files with Jamf Pro. Consider the following scenarios when uploading:

  • If a configuration profile is not cryptographically signed (unsigned) before uploading, Jamf Pro will attempt to import all of the file's values, associate them with known settings within the Jamf Pro console, and allow further editing. If the <PayloadType> or specific <key> values in the profile are unknown to Jamf Pro, the deployed configuration profile may not contain those values or install correctly.

Note: Unsigned profiles with payload types and key-value pairs known to Jamf Pro should deploy as intended.

  • If the <UUID> (universally unique identifier) field of a configuration profile matches an existing configuration profile in Jamf Pro, the profile cannot be uploaded.
  • Signed configuration profiles cannot use configuration profile variables available in Jamf Pro.

For more information, see the Computer Configuration Profiles section of the Jamf Pro Administrator's Guide.
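
A pre-upload check for the scenarios listed above, as an added example (not Jamf's code and not part of the original article). It assumes the <UUID> field is the profile's top-level PayloadUUID key, that Jamf Pro variables appear as $UPPERCASE tokens, and that existing_uuids is a list you export yourself; lint_profile and both samples are hypothetical and constructed.

```python
import plistlib
import re

# Assumption: any $UPPERCASE token in a string value is a Jamf Pro variable.
VARIABLE_RE = re.compile(r"\$[A-Z][A-Z0-9_]+")

# Constructed sample profile (not from the article).
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
<key>PayloadDisplayName</key><string>Wi-Fi for $USERNAME</string>
</dict></plist>"""
# Constructed stand-in for a signed file: DER-looking bytes around the XML,
# not a real CMS signature.
SAMPLE_SIGNED = b"\x30\x82\x01\x00" + SAMPLE_XML + b"\x00\x00"


def _strings(node):
    """Yield every string value found anywhere in a parsed plist."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def lint_profile(data, existing_uuids):
    """Return a list of findings for raw .mobileconfig bytes."""
    findings = []
    signed = not data.lstrip().startswith((b"<?xml", b"bplist"))
    if signed:
        # Signed profiles wrap the plist in a DER envelope; locate the XML.
        start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
        if start < 0 or end < 0:
            return ["signed profile: embedded plist not found, cannot inspect"]
        data = data[start:end + len(b"</plist>")]
        findings.append("signed: read-only in Jamf Pro unless signature is removed")
    profile = plistlib.loads(data)
    uuid = str(profile.get("PayloadUUID", "")).upper()
    if uuid in {u.upper() for u in existing_uuids}:
        findings.append(f"PayloadUUID {uuid} already exists: upload will be rejected")
    variables = sorted({v for s in _strings(profile) for v in VARIABLE_RE.findall(s)})
    if signed and variables:
        findings.append("signed profile uses variables: " + ", ".join(variables))
    return findings
```

The byte search only locates the embedded plist for inspection; it does not verify the signature.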

Uploading Signed Configuration Profiles to Jamf Pro

Cryptographically signed configuration profiles can be uploaded to Jamf Pro for deployment. Signed configuration profiles are not modified during the import or deployment processes. If the <PayloadType> or specific <key> values in the profile are unknown to Jamf Pro, those values will not display in the Jamf Pro interface but should install correctly.

After uploading a signed configuration profile, Jamf Pro will alert administrators that the profile is read-only and cannot be edited unless the signature is removed. If you click Remove Signature, Jamf Pro will attempt to import the contents of the profile and allow administrators to edit it.

For more information, see the Computer Configuration Profiles section of the Jamf Pro Administrator's Guide.

Creating a Signing Certificate with Jamf Pro's Built-in Certificate Authority

Configuration profiles can be signed using the certificate of your choice, but creating a signing certificate generated by the Jamf Pro Certificate Authority (CA) provides the following benefits:

  • Marks the custom configuration profiles as trusted since managed devices have established trust with the Jamf Pro built-in CA
  • Ensures the custom configuration profile displays the same organization name as other configuration profiles created in Jamf Pro

For step-by-step instructions, see the Creating a Signing Certificate with Jamf Pro's Built-in Certificate Authority Knowledge Base article.

Additional Information

For additional information, see the following Apple Documentation: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf

SOLVED Posted: by donmontalvo

This ought'a save you time when creating a plist file for upload...for example Google Chrome security baseline.

Set -bool false or -bool true or <key> <value>, etc...then run the script. It'll put a com.google.Chrome.plist file, ready to upload as a Custom Configuration profile (script formats as XML for you too).

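#!/bin/bash
# BASH_SOURCE is a bash feature, so run this with bash rather than sh.

# Work in the directory that contains this script.
currentDir=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
cd "$currentDir" || exit 1
# Preference domain; defaults appends the .plist extension.
plistFile="com.google.Chrome"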

/usr/bin/defaults write "$currentDir/$plistFile" AllowOutdatedPlugins -bool false
/usr/bin/defaults write "$currentDir/$plistFile" AlwaysAuthorizePlugins -bool false
/usr/bin/defaults write "$currentDir/$plistFile" AutoFillEnabled -bool false
/usr/bin/defaults write "$currentDir/$plistFile" BackgroundModeEnabled -bool false
/usr/bin/defaults write "$currentDir/$plistFile" BlockThirdPartyCookies -bool false
/usr/bin/defaults write "$currentDir/$plistFile" CloudPrintProxyEnabled -bool false
/usr/bin/defaults write "$currentDir/$plistFile" DefaultBrowserSettingEnabled -bool false
/usr/bin/defaults write "$currentDir/$plistFile" DeviceAutoUpdateDisabled -bool true
/usr/bin/defaults write "$currentDir/$plistFile" HomepageLocation "https://hostname.domain.com"
/usr/bin/defaults write "$currentDir/$plistFile" ImportAutofillFormData -bool false
/usr/bin/defaults write "$currentDir/$plistFile" ImportBookmarks -bool true
/usr/bin/defaults write "$currentDir/$plistFile" ImportHistory -bool false
/usr/bin/defaults write "$currentDir/$plistFile" ImportSavedPasswords -bool false
/usr/bin/defaults write "$currentDir/$plistFile" ImportSearchEngine -bool false
/usr/bin/defaults write "$currentDir/$plistFile" MetricsReportingEnabled -bool false
/usr/bin/defaults write "$currentDir/$plistFile" PasswordManagerEnabled -bool false
/usr/bin/defaults write "$currentDir/$plistFile" SafeBrowsingEnabled -bool true
/usr/bin/defaults write "$currentDir/$plistFile" ShowAppsShortcutInBookmarkBar -bool false
/usr/bin/defaults write "$currentDir/$plistFile" ShowHomeButton -bool true
/usr/bin/defaults write "$currentDir/$plistFile" SitePerProcess -bool true
/usr/bin/defaults write "$currentDir/$plistFile" SyncDisabled -bool true

# defaults writes a binary plist; convert it to XML for upload.
/usr/bin/plutil -convert xml1 "$currentDir/$plistFile.plist"

exit 0