Skip to main content

Apple Profiles & Dependencies

Description

Dependencies offer a structure for Fileset installations, ensuring one or more Filesets are installed prior to one or more other Filesets.  This works great, apart from where Apple MDM Filesets are involved.

Fileset Activation Quick Re-cap

Standard Fileset

  1. Client checks-in.
  2. Manifest is observed
  3. New items are pushed to device and activate

Apple MDM Fileset (Profiles)

  1. APNs request sent to Apple
  2. Device pulls queued APNs requests from Apple
  3. For each APNs request, device reaches out to relevant servers, for MDM requests, this is the FileWave Server
  4. Device checks-in
  5. Queued MDM commands are pushed to device, e.g. InstallProfile
  6. Profile instals

For standard Filesets, FileWave is in control of the communication.  However, for Apple MDM, there is an unknown amount of delay until the Profile is installed.

The Issue

Since Filesets are installed sequentially, if a Fileset were allowed to depend upon an Apple MDM Fileset, the client would be held waiting for an unknown period time, preventing other Filesets and configuration from actioning.  For this reason, Apple MDM Filesets can only depend on a different Fileset type and not the other way around.

Requirement Scripts

Requirement Scripts allow a Fileset to fail, let the client continue and then 2 minutes later try the requirement again.  The Requirement Script will continue with this process, whilst there is a non-zero exit code.  By way of this process, the Requirement Script gives the ability to delay the installation of the Fileset, until any required Profiles are installed beforehand.

Ingredients

  • Fileset designed to use a Requirement Script to ensure Profile is installed prior to activation
  • Associated Profile ID(s)

Profile Dependency Fileset Template.fileset.zip

Directions

Download the Fileset, import into FileWave and edit to match requirements.  Select the ‘check_for_profile.sh’ script and click ‘Get Info’:

Pasted Graphic 14.png

The Launch Arguments will initially appear empty.

Pasted Graphic 16.png

For each Profile that needs to be considered for installation prior to this Fileset, its ID must be added to the list of Launch Arguments (one entry per Profile ID).  Profile IDs can be obtained from within the Payload details of the Profile Filesets.

For eah Profile that must be installed, open the Profile for editing, highlight the Identifier and copy.


Pasted Graphic 15.png

Copy these IDs into the LaunchArguments of the Fileset.  Example below shows 5 Profile IDs added for a Microsoft Defender Installer.

Pasted Graphic 13.png

The script allows for the idea of either by way of an Environment Variable (all_or_one).  Set the value appropriately:

allAll of the listed Profiles must be installed prior to the Fileset becoming active.
oneAt least one of the included Profiles must be installed prior to the Fileset becoming active

The below, shows a Fileset set to require all Profiles are installed, before Fileset activation for the same Microsoft Defender example:

Pasted Graphic 12.png

With this set, add any additional installers into the Fileset, that would need to be installed, once the provided Profiles are installed.

Create a Fileset Group and add this Fileset and all necessary Profiles to the same group (not necessary, but somewhat neater to manage)

For example:


Pasted Graphic 17.png

Associate the Fileset Group, test and then rollout to more devices once happy.

This Fileset is particular useful with Apple TCC Privacy Settings Profiles.  Privacy settings provide access permissions for software to function.  However, typically these Profiles need to be installed before the process that they are allowing is started.  This means, if the software is allowed to instal before the Profile is installed, the software process would need restarting after the Profile is installed.  The above Fileset offers the solution around this, where the Fileset will only attempt download and installation once the Profile is in place.