Cool Solutions

Using #ZENworks to Distribute MacOS Management Profiles

jblackett

By:

October 25, 2018 1:00 pm

Reads:967

Comments:2

Score:Unrated

Print/PDF

Over the last little while I’ve had several questions about whether you can use ZENworks to deploy MacOS profiles. While it’s true that at this time ZENworks doesn’t yet support the native MDM-based deployment method for applying management profiles, it is possible to distribute profiles in another fashion. This solution looks at how to use the built-in ‘profiles’ command in conjunction with the free ‘profilecreator’ tool and ZENworks to build profiles and then deploy them with ZENworks. Moving forward, we still intend to extend the MDM capabilities we’ve introduced for iOS to the MacOS platform, but it’s going to take some time. As such, those who need a solution for profile management today,  may find this solution useful.

  1. You will first need to create the MacOS Management Profile that you wish to enforce on the device. There are several ways that you can do this, but I’ve found the easy way is with a great community tool called ProfileCreator (available at https://github.com/erikberglund/ProfileCreator/releases). While this solution is currently in beta I’ve had good success with it creating profiles. To use Profile Creator:
    1. Download the ProfileCreator tool from the github link above.
    2. Mount the DMG and drag ProfileCreator to the Applications folder on your administrative device.
    3. Launch ProfileCreator. The following screen is displayed:
    4. Click the + button in the application.
    5. In the Name field, enter the name that you want to give to the profile.
    6. In the Description field, enter a description that the user will see if they view the installed profiles.
    7. In the Organization field, enter your organization’s name.
    8. In the Payload Identifier field, change the starting part of the name from com.github.erikbergland.ProfileCreator to something specific to your organization like com.zenguru.zenworks, leave the GUID portion to ensure it is unique. The payload properties should now look something like this: 
    9. Next, you can add one or more payload keys to the profile. In this example, we are going to set the Desktop Background. To do this browse to and click the Desktop Picture option in the Payloads list on the left side column. The following screen is displayed:
    10. Click the + sign next to Lock Desktop Picture to enable this key; then click the checkbox to the right of the plus.
    11. Click the + sign next to Desktop picture path to enable this key.
    12. In the text field enter $PWD/.profiles/wallpaper.png. Your screen should now look like this:
    13. Click the Add button in the upper right-hand corner of the screen to Add this payload to the profile.
    14. At this point, you could add any other MacOS or App Payloads that you wanted to set as part of this profile. When you are done, select File > Save…
  2. Next, you will need the .mobileconfig file that was just created so you can distribute with ZENworks. To do this, select File > Export… and then save the file somewhere on your filesystem. If you have a signing certificate installed on the device you can optionally choose which certificate should be used to sign the profile. Click Save.
  3. Have acces to the wallpaper you want to deploy so that it can be made part of the bundle.
  4. Next, we need to create a ZENworks bundle that deploys the MobileConfig profile to set the Desktop Wallpaper using the built-in profiles command. To do this:
    1. Launch ZCC and log in as a user with rights to create a Bundle. This can be done from your Mac or a Windows device.
    2. Browse to the folder where you want to create the bundle.
    3. Select New > Bundle…
    4. Select Mac Bundle; then click Next.
    5. Select Empty Bundle; then click Next.
    6. Enter a descriptive name and description text; then click Next.
    7. Click Finish.
    8. Click the Install tab so that you can configure Install action set properties.
    9. Select Add > Create/Delete Directory.
    10. Change the Action Name to Create Profiles Folder.
    11. In the Directory Name field, enter /Users/${ZENUSER}/.profiles
    12. Set Execution Security level to Run as logged in User. This is important because in order to use the wallpaper or other files the user will need to be able to read the file and the directory they are in.
    13. Click OK.
    14. Select Add > Install File(s).
    15. Change the action name to Install Wallpaper.
    16. Click Add.
    17. Click Add.
    18. Click Choose File…
    19. Browse to the wallpaper you want the profile to enforce and click Choose.
    20. Click OK.
    21. In the Destination folder enter /Users/${ZENUSER}/.profiles
    22. Change the Copy Option to Copy If Newer so you can update the wallpaper later on if desired.
    23. Click OK.
    24. Click the link to the file you just added.
    25. Change the filename so that it is wallpaper.png or whatever you used in the profile. The action details should now look similar to this:
    26. Click OK twice to return to the Install action set.
    27. Select Add > Edit Text File.
    28. Change the action name to Create Profile.
    29. Set the File Name field to /tmp/<mobileconfig file> where this is the name of the mobile config file.
    30. Click the magnifying glass next to Import contents from file and browse to the .mobileconfig file you created earlier.
    31. Expand the Contents of the File by pulling the lower right-hand corner.
    32. Replace the $PWD reference in the profile with /Users/${ZENUSER}. This resolves to the username of the ZENworks user currently logged into to the system. This should match the user’s home directory as long as their eDir/AD login name matches their MacOS username.
    33. Check the box that says, Create file, if does not exist. This should now look something like the picture below:
    34. Click OK.
    35. Click Add > Launch Mac Executable.
    36. Change the Action Name to Enforce Profile.
    37. Set the executable name to /usr/bin/profiles
    38. Set the command line parameters to -I -F /tmp/<mobileconfig filename> where you replace the last value with the name of the mobileconfig file you created.
    39. Set Executable Security Level to Run as root
    40. Select the When action is complete option. Your action properties should now look like this:
    41. Click OK.
    42. Click Apply.
  5. Test the bundle by assigning the new bundle to a test device in the zone.
    1. Select Relationships.
    2. Under Device Assignments, click Add.
    3. Browse to the devices that you want to be added.
    4. Click OK.
    5. Uncheck the Application Window checkbox, then click Next.
    6. Check the Distribution Schedule checkbox, then click Next.
    7. Leave the schedule set to Refresh, and then check the Install immediately after distribution checkbox.
    8. Click Next.
    9. Click Finish.
    10. Refresh the device you assigned the bundle to so that it is deployed. The wallpaper should be updated to be the one in the profile.
    11. Right click on the Desktop and select Change Wallpaper. Notice that regardless of the wallpaper you select it stays the same.

If you have users such as the helpdesk where you want them to be able to override the profile, you can create a simple bundle that executes the ‘/usr/bin/profiles -D -f’ command which will remove all of the profiles. Just be sure to execute as root, and ensure that they either reapply the profiles before they leave or ensure that the profile bundle is set to automatically apply frequently.

0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this post.
Loading...

Tags: , ,
Categories: Configuration Management, Endpoint Security, IT Operations Management, Mobile, Security, Technical, Unified Endpoint Management, ZENworks, ZENworks Configuration Management, ZENworks TKB

2

Disclaimer: This content is not supported by Micro Focus. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.

2 Comments

  1. By:warper2

    Well written and gives other opportunities for expansion. The only thing that have not figured out id how to tie Kanaka into all of this. I have Kanaka setup for a couple education clients. Can’t see a way to implement it without touching every device. Do you know if there any plans for that?

    • By:jblackett

      Can you provide a little more clarification regarding what you want to do? Do you just want to distribute and configure Kanaka with ZENworks or something else?

Comment

RSS