Using Payload Variables in Profile Manager

Profile Manager allows you to leave certain fields that are user-centric blank and it will prompt at the time that the profile is installed for the blank information. These are usually user-centric fields, such as short name and password. You can also create a profile in Profile Manager for each user you want to setup mail, Exchange, iCal, Address Book and other services that are tied to a specific user. You can enter the username for each and leave the password blank and the user will be prompted for the password but have the username filled in. And then there are payload variables. Note: Before we get started on Payload Variables, it’s worth noting that many did not work well prior to 10.7.3, most notably %email%. Profile Manager provides a number of ways to configure accounts and settings on iOS based devices. When a user logs in, the user’s name, email address, title, phone number and both the short name and GUID of the user’s account are able to be substituted using variables. These variables have a % in front of and behind the name of the variable, making them easy to identify when looking at accounts. These can easily be put into a profile’s payload. When a user logs in the contents of the payload variable are replaced with the information for the account that logged in using the /MyDevices page in the web enrollment interface. When the enrollment profile is downloaded to the device, the variable is substituted with the user’s information from directory services (for user payloads) or from the device itself (for device payloads). Using payload variables is a really straight forward process. First, create a profile by logging into the Profile Manager web interface (the name of the server followed by /ProfileManager. When prompted, provide the username and password for an administrative account. Click on a group or user who you would like to configure a profile for. From the profile screen, select the payload that you’d like to configure. Enter the variable into the field(s) you’d like the substitution to occur in. For example, here I’m using a variable everywhere currently possible. Note: You can wrap the variable with other text. For example, if you enter then for a user of cedge the variable would expand as, useful in doing Exchange configurations. Variables available for use include user and device variables. These user variables are as follows:
  • %email% – The email address (the EMailAddress attribute)
  • %first_name% – The first name (the FirstName attribute)
  • %full_name% – The full name (the RealName attribute)
  • %guid% The guid (the GeneratedID attribute)
  • %last_name% – The last name (the LastName attribute)
  • %job_title% The job title (the JobTitle attribute)
  • %mobile_phone% The mobile number (the MobileNumber attribute)
  • %short_name% The short name (the RecordName attribute, typically the name of the account )
The device variables are as follow:
  • %BuildVersion% – Full OS version on the device
  • %ICCID% – ICCID (from the SIM card)
  • %IMEI% – IMEI (International Mobile Equipment Identity)
  • %OSVersion% – Common version number of the device’s OS
  • %ProductName% – Product name
  • %SerialNumber% – Serial number
  • %WIFIMAC% – MAC address of the WiFi interface
There are also 802.1x variables, which include the following:  
  • %AD_ComputerID%
  • %AD_Domain%
  • %AD_DomainForestName%
  • %AD_DomainGuid%
  • %AD_DomainNameDNS%
  • %AD_KerberosID%
  • %ComputerName%
  • %HardwareUUID%
  • %HostName%
  • %LocalHostName%
  • %MACAddress%
  • %SerialNumber%

10 thoughts on “Using Payload Variables in Profile Manager”

  1. Hey Charles.

    I wonder if you tried tampering with variables and setting up a network share?
    I’ve tried creating a profile for mounting a users personal network share, but I’m not getting variables to work in the payload context (i. e. something like: smb://
    Is that something you’ve tried?

    Thanks in advance!

    1. I have successfully put variables in the middle of other data and it worked pretty well. Any time I see the % character wrapping the variable it’s been that it didn’t expand either because I fat fingered it (I do that a lot) or because I am pulling funky information from directory services.

  2. I have never gotten payload variables to work at all. I push the profile, but the short username in Profile Pane still shows as %user_name% and Mail still wants me to set up an account as if there isn’t one configured.

    My user is in AD, and the profile is applied to the computer, not the user.

    1. I’ve found that with AD accounts, I’ve had to extend the schema so AD has the attributes Profile Manager is pulling for those variables. They don’t seem to augment/expand properly otherwise…

  3. Question (no possibility of testing this for myself just now): is there a way to set a ByHost preference with Profile Manager? is There a payload variable for a Mac’s hardware UUID (i haven’t found any mention online of e.g. %udid%)? i’d like to enforce the enabling of the web start Java applet setting for my client’s users because their VPN portal requires it. At the CLI I’d use the following: /usr/libexec/PlistBuddy -c “Set :GeneralByTask:Any:WebComponentsEnabled true” ~/Library/Preferences/ByHost/`ioreg -rd1 -c IOPlatformExpertDevice | awk ‘/UUID/ {print $3}’ | sed ‘s/”//g’`.plist

    1. Not yet. I’m hoping this gets introduced soon. In the meantime, we’re scripting it similar to how you mention in your comment. Sorry I don’t have more to throw out there, but I will post when I do. Good luck!

  4. Is there any way to create some sort of custom variable? Specifically, I am configuring IMAP, CalDAV and CardDAV, which are separate accounts and payloads. This creates a condition where the user is prompted for their password 4 times for each account (including the SMTP auth). It would be nice if I could create something like %UserPass%, which would only ask for the pass once and populate that to any other fields using that custom variable.

  5. Regrettably, with IMAP, CardDAV and CalDAV, the user is always prompted 4 times. There’s no way around this at this time. 🙁

  6. %short_name% did’t work anymore on Server OS X 10.11 Client OS X 10.10.5 … On the client as username the system writes %short_name% not the user name … ???

Comments are closed.