mobile configurations versus MCX on OS X 10.8 and Casper

Ahhhh, mobile configurations. I’ve fallen in love with them. Maybe a bit too much, but the ability to add certificate, wireless configurations, and VPN configurations among many, many others is just too tempting. So tempting in fact that I’ve been experimenting with Casper’s ability to create “custom” configuration profiles from nothing more than what used to be an MCX, or managed preference.

I first started experimenting with config profiles on 10.8.0, and turned several settings that were previously MCXs into config profiles, based on Apple’s threat that MCX is deprecated in 10.8. Knowing what I know about Apple, it’s a crapshoot that they’ll be eliminated in 10.9 and beyond, or they might stick around for years and years to come, like ‘nslookup.’

I created the following setting on Mountain Lion, as Apple IDs are not always welcome in an enterprise, and must be restricted in many cases. What better way to restrict Apple ID usage than to eliminate the possibility of using one in the first place?

com.apple.SetupAssistant
Name Apply To Key Name Type Value
  DidSeeCloudSetup   User Level At Next Login Only  DidSeeCloudSetup  boolean true
  LastSeenCloudProductVersion   User Level At Next Login Only  LastSeenCloudProductVersion  string 10.8

This is how the MCX will show in Casper, and it gets rid of the annoying iCloud and Apple ID prompt that Mountain Lion prompts every user with when they log in for the first time. It worked like a charm. I decided to turn it into a custom config profile (since in Casper there was no option to use any built-in settings for this):

{DidSeeCloudSetup=true, LastSeenCloudProductVersion=10.8}

It also worked like a charm, and all was right with the world. That is, until the 10.8.1 update came out. I updated my test Macs to 10.8.1, and all of a sudden this custom config profile (along with several others managing finder preferences, Safari preferences, etc) just stopped working. No errors, just… didn’t work anymore. As in not even being applied. Jamf support seemed to think it might have been because I am redirecting the Users folder to a different partition via a symlink, but if that was the case it never would have worked. No, something more sinister was going on here…

completely by mistake, I moved one of the device level profiles to the user level in my testing of what the hell was happening to my beautiful config profiles. One of the ones that was configured with built-in settings. To my amazement, it applied immediately and worked like a charm. As another quick test, I created a second dummy profile, also with built-in settings, and IT applied almost immediately. Huh. Turns out that custom profiles are keyed to the OS THEY WERE CREATED ON unlike MCX settings.

I moved all of my custom profiles back to MCXs, restarted the client, and they applied like they were before. Note I have NOT tested changing the LastSeenCloudProductVersion=10.8 to 10.8.1, so I don’t know if that will actually work, and quite frankly I do not care if that does end up being the fix. That will create an absolute management nightmare for me every time there is a point update to OS X if that is indeed the fix, not to mention the fact that while our environment is fairly standard, there are always stragglers that will be at 1 or 2 point updates behind the rest, but still need these settings managed. No sir, I am NOT interested in maintaining 42 different profiles for the same setting. My only hope is that MCX doesn’t in fact go away any time soon, or Apple gets its act together and starts playing the enterprise management game – I’m not holding my breath for either.


About this entry