Skip to main content

Jamf School & Custom Configuration Profiles

Updated over 3 weeks ago

Description

A custom configuration profile is a configuration profile (.mobileconfig) that was created outside of Jamf School and uploaded for deployment.

This could a configuration profile that was created with a tool like the iMazing Profile Editor or a configuration provided by a software vendor (commonly seen with content filters).

Uploading a Custom Configuration Profile

  1. Locate the configuration file you want to upload.

  2. In Jamf School, go to Profiles > Overview.

  3. In the upper right click + Create Profile.

  4. Select the option for Upload Custom Profile from the platform selection options in the pop-up and click the Next button in the lower right of the pop-up.

    This photo shows where to select the Upload Custom Profile from the platform selection.

  5. Drag and drop your file onto the designated area (or click the drag and drop area to open a file explorer and select the file) and then click Next.

    If done correctly, you should see your file name and some basic information that gets parsed from the configuration profile provided (parsed information may vary).

    This photo shows an example of how your file name would display if done correctly. It also shows the Next button to continue.

  6. Give your profile a name and a description.

    • This is the name for the profile as it will be display in Jamf School, note that the display name of the profile may differ on the device as it will look the PayloadDisplayName key from within the configuration profile.

  7. (Optional) Enable your time filter and configure it accordingly if desired, the click the Finish button.


Updating a Custom Configuration Profile

When updating custom configuration profiles the updated profile needs to have the same PayloadIdentifier as the original profile otherwise the original profile will be orphaned on the devices in scope.

To avoid ending up with orphaned profile use these techniques one of these 2 techniques:

  • Upload a New Configuration Profile (less technical option)
    This scenario will be used most commonly when a configuration profile is provided by a vendor.

    1. Create a new configuration profile using the steps outlined previously.

    2. Scope this configuration profile to the devices that need it.

    3. Un-scope the old configuration profile from devices.

    Note:

    • Steps 2 and 3 may need to be swapped depending on the settings in your profile as some configurations can only have one on a device at a time.

    • It is recommended to wait at least 7 days before deleting a configuration profile from your instance after un-scoping.

  • Download your configuration from Jamf School and modify it (much more technical option)
    This option requires unsigning the profile and modifying XML or modifying in a tool like iMazing Profile Editor).

    1. Navigate to your profile in Jamf School and click the Download button to get the current configuration profile.

      This photo shows where to find the Download button to get the current configuration profile.

    2. In Terminal run: openssl smime -inform DER -verify -in your_file.mobileconfig -noverify -out unsigned_file.mobileconfig

      • You need to provide the path to your downloaded configuration profile as well as a path for unsigned configuration profile that will be output

      • For example, if the profile is in downloads and the unsigned profile will be put on the desktop: openssl smime -inform DER -verify -in ~/Downloads/configuration_profile.mobileconfig -noverify -out ~/Desktop/configuration_profile.mobileconfig

    3. (Optional) Delete the signed profile to avoid confusion when you go to make changes.

    4. Make the desired changes to the unsigned configuration profile.

      • Depending on what payloads are in the profile you can open the profile with a tool like the iMazing Profile Editor and use that application to make changes to the configuration.

      • Or you can open the file with a text editor and modify the XML keys as needed

      • Make sure not modify the PayloadIdentifier keys with in the profile if you are doing this.

    5. Save your changes to the file.

    6. While viewing the profile in Jamf School click the Replace button and provide the file for the updated configuration profile then click Save.

      This photo shows where the Replace button can be found to add a new file.

Orphaned Profiles

In the event of an orphaned profile you will likely see one of two scenarios:

  1. Your profile fails to install because one or more of the payloads requires exclusivity (the only payload of its type on the device).

    • Since your profile is orphaned on the device the new profile cannot install.

  2. Your device is not behaving the way you expect.

    • This is likely because both your new profile and your orphaned profile are still installed on the device and are fighting over what settings should be applied.

Checking Jamf School for Orphaned Profiles

To check for an orphaned profile do the following:

  1. In Jamf School navigate to Device > Inventory.

  2. Search for the device in questions and view the inventory record.

  3. From the inventory record navigate to the Other Profiles and view the User Installed Profiles table.

    • Note: Not all profiles listed in this table are orphaned, look for a profile that is one that you deployed from Jamf School as evidence.

    • If you have any orphaned profile you might see something like this:

This photo shows an example of what you might see if you have an orphaned profile.

Fixing Orphaned Profiles

If you find that you have an orphaned profile on your device(s) try the steps to resolve.

macOS

  1. Open a terminal and run the following command to get the PayloadIdentifier for the profile: sudo profiles show

    • Note: This command requires admin access so the sudo is required.

  2. In the output find the name of the Profile that is orphaned and collect the PayloadIdentifier which should look like this:

    • _computerlevel[1] attribute: profileIdentifier: 3066A2DF-FA29-4C8B-A4F9-62574C80E049

    • Not be confused with a very similar line that has some additional whitespace (this is interior PayloadIdentifier and not what is needed):

      • _computerlevel[1] payload[1] identifier = 70379E7C-8D86-4A0E-924B-AD97A7C27FC0

  3. Open iMazing Profile Editor and create a new macOS configuration profile (no payloads need).

  4. In the General settings for the profile enter the identifier that you collected in step 2 into the Identifier field (example below).

    This photo shows an example of what you can find collected in step 2 in the Identifier field.

  5. Save the configuration profile.

  6. Upload this configuration profile to Jamf School as a new custom configuration. See Uploading a Custom Configuration Profile section above these for steps.

Note: Do not scope this profile to any device we want it to remove the orphaned profile from devices when they check in.

Once the device(s) check in they will see they are no longer in scope of a profile with that identifier and they orphaned profile will be removed from the device.

iOS

For iOS devices with orphaned profile please reach out to support of assistance with gathering the PayloadIdentifier of the orphaned profile.

Related Articles
Custom Profiles in Jamf Now
Can I disable Apple Intelligence with Jamf Now?
Deploying Google Chrome Extensions to macOS devices in Jamf School
How to Configure Cross-Website Tracking and Device Supervision for DRC INSIGHT on iPads
Set Google Chrome as the default browser for macOS in Jamf School
Did this answer your question?