Skip to main content
Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.

Set Policy Order

When executing more than one policy to a newly enrolled unit, it would be great if we could set the order in which the policies run.

Comment
Order by:

Posted: by calum_rmit

if you are using HTTP distribution, you could have a policy call other policies by manual triggers. that would give you control over the order.

Like

Posted: by bentoms

@calum_rmit][/url, you can still chain when using AFP/SMB.

@bhonan, do you mean as a post-imaging policies? You can have 1 policy that is called by a manual trigger & then runs the scripts.

Like

Posted: by calum_rmit

@bentoms, hmm i've often had many failures with chained policies trying to mount the distribution point each time a policy trigger fires off, even though the DP is already mounted, the policy ends up failing. I'll have to retest it again in the latest version and see if it might have been a bug that has since been squashed :)

Like

Posted: by bentoms

@calum_rmit.. Ah then yes that's an issue.

Sorry, wasn't clear.. The timing is the key thing, but you're right for standard policies.

Postflight install scripts can use AFP/SMB

Like

Posted: by iJake

Policies should have priority just like packages and scripts. I want my inventory policy to run before others so that smart groups are up to date.

Like

Posted: by bpavlov

Just wanted to voice my vote for this feature as well. It would be great if policies could have priorities/indexes similar to packages in Casper Admin.

Like

Posted: by tnielsen

Agree.

Like

Posted: by o.lahmar

Totally agree, we should have some mechanism to determine the policy execution order!

Like

Posted: by cgolebio

+1
Just to be clear this is if you have a single policy and are running multiple things within, like scripts, packages, create users, directory binding, etc. and setting the order of those elements within the policy?
Or is it multiple policies and the priority order for which the separate policies are performed?

I think both would be beneficial!

As mentioned above SMB file shares are problematic when mounting, but that seems to be an OS X thing related to SMB version used.

Like

Posted: by loceee

They fire do alphabetically, so a workaround is
A1 - ProvisionScripts
A2 - rename computer
A3 - Bind
A4 - enable FV
B1 - reboot
B2 - deploy software

But it's certainly a workaround. Voted up!

Like

Posted: by wakco

Or as @calum_rmit suggested, set the policies to run on custom events (or triggers if you prefer), then set up a script to jamf policy -event customevent calling each custom event in the order you desire.

i.e.

#!/bin/bash

jamf policy -event first
jamf policy -event second
jamf policy -event third
...
Like

Posted: by Kedgar

How is everyone doing thin imaging if you cannot currently prioritize or order policies? To me this seems quite important.

Like

Posted: by relliott

We order our policies. Just create the policy name with a number first. ie. 01_POLICY_NAME will run before 05_POLICY_NAME. Just leave some gaps in the numbers for future policies.

Like

Posted: by KSchroeder

Thanks for this; may help with some of our enrollments that don't go according to plan, though randomly. Does the same apply for Configuration Profiles? We have one that drops our trusted root and issuing CA certs and it occasionally seems to not take on the first go-round.

Like

Posted: by hinrichd

A policy priority like package priority would by helpful and could handle policies or config profile that have to run in strict order at the same trigger/checkin.

@relliott We order our policies in the same way you do it. But actually there is a Product Issue PI-003216: "Reboot in Policies Doesn't Attempt To Run If Policy To Run Script or Update Inventory or Restart On The Same Checkin Are Named Before It Alphabetically In The JSS". So with that you can run in other issues. And if you have the policy in self service active the naming is not very common for your users. 05_Flash_Player mmmh. Keep that in mind.

Like

Posted: by relliott

@KSchroeder

I try to stay away from Config Profiles as much as possible. In my experience they are flaky and unreliable at the best of times. I push most things including certs by a scripted policy. Extremely rare that the policy engine fails. Of course I'm just talking about Imacs here and not mobile devices.

Like

Posted: by jbourgui

Bumping this OLD thread, as this is still a huge issue... thx, JAMF for considering this!

-j

Like

Posted: by GM_Malisorn

Any updates on this?

Like