
Dealing With Profile Manager Conflicts in Lion

Changing OS X settings in profiles bound to clients results in Managed Client (MCX) changes, which mcxread shows; the information is written into Managed Client in this order:

  1. User
  2. Computer
  3. Computer Group
  4. Everyone
  5. User Group

The data in the managed client attributes is replaced completely and not per-key.

Installing profiles from the command line provides more information about what is going on behind the scenes. That said, in some cases I get a “Provisioning Profile Validation: failed to read CMS (-25257)” error when attempting to install the same profile a second time. In other cases it simply fails if I run it verbosely (in those cases it never installs at all). For example, if I install a user group profile twice, the command completes. You should be able to use -CP or -L to validate whether it ran and whether it had already been run. Keeping a good naming convention for the ProfileIdentifier should prevent too many strange conflicts, and you can always read MCX to see whether it got pushed out, since it’s all just MCX anyway.

Troubleshooting conflicts can be a bit tricky. The -v option should return an exit code indicating that there is an overlapping namespace in the organization, but it can return null (in fact, -v fails outright with some combinations when it shouldn’t). The “profiles -L” command does show that the profile is installed, so you could check that before running, escaping the generated ID and .alacarte. Running with -C shows the profiles for the computer and -P the profiles for everyone (running profiles -CPL returns inconsistent results, so I’ve been scripting them to run separately). Installing profiles from the command line usually seems to require a log out and log in to see the changes; killall Dock or killall Finder don’t produce the changes unless they’re coming from MDM, in which case they are instant. Installing profiles from the GUI usually means instant changes, though.
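As an added example (not from the post), a POSIX sh script that applies the checks above before installing: it queries each scope separately rather than with -CPL, exact-matches the ProfileIdentifier so the dots in generated .alacarte identifiers need no escaping, and only calls profiles -I when the identifier is absent. The “attribute: profileIdentifier:” line format and the sample listing are assumptions.

```shell
# Added example: gate "profiles -I" on a per-scope check of the ProfileIdentifier.
# Assumed listing format: "admin[1] attribute: profileIdentifier: <id>".

# Read a listing on stdin; return 0 if the exact identifier is present.
# Exact compare, so dots in generated .alacarte identifiers need no escaping
# and "com.example.dock" does not match a longer identifier.
profile_installed() {
    id="$1"
    while IFS= read -r line; do
        case "$line" in
            *"profileIdentifier: "*)
                found="${line##*"profileIdentifier: "}"
                [ "$found" = "$id" ] && return 0 ;;
        esac
    done
    return 1
}

# Query user (-L), computer (-C) and everyone (-P) separately, since the combined
# "profiles -CPL" gives inconsistent results; print the flags whose listing hit.
scopes_with_profile() {
    id="$1"; hits=""
    for flag in -L -C -P; do
        if profiles "$flag" 2>/dev/null | profile_installed "$id"; then
            hits="${hits}${flag} "
        fi
    done
    printf '%s\n' "$hits"
}

# Install a .mobileconfig only if its identifier is absent from every scope,
# sidestepping the second-install failures (e.g. -25257) described above.
install_if_missing() {
    id="$1"; file="$2"; hits="$(scopes_with_profile "$id")"
    if [ -n "$hits" ]; then echo "already installed in: $hits"; return 0; fi
    profiles -I -F "$file"
}

# Constructed sample listing (not real output) so the parser can be exercised
# on a machine without the profiles tool.
SAMPLE_LISTING='There are 2 user configuration profiles installed for "admin"
admin[1] attribute: profileIdentifier: com.example.dock.alacarte.1234
admin[2] attribute: profileIdentifier: com.example.passcode'

if command -v profiles >/dev/null 2>&1; then
    scopes_with_profile com.example.passcode
else
    printf '%s\n' "$SAMPLE_LISTING" | profile_installed com.example.passcode && echo "installed"
fi
```

On a Mac, call install_if_missing with the identifier and the .mobileconfig path; elsewhere the script only exercises the parser on the constructed listing.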

The information above covers installing profiles. When policies are also overlaid from Exchange, the most restrictive settings win, and they are evaluated granularly, setting by setting. For example, if you have a passcode minimum in a profile and a complexity requirement in Exchange, both are applied to clients.