Apple Profiles & Dependencies
Description
Dependencies offer a structure for Fileset installations, ensuring one or more Filesets are installed prior to one or more other Filesets. This works great, apart from where Apple MDM Filesets are involved.
Fileset Activation Quick Re-cap
Standard Fileset
- Client checks-in.
- Manifest is observed
- New items are pushed to device and activate
Apple MDM Fileset (Profiles)
- APNs request sent to Apple
- Device pulls queued APNs requests from Apple
- For each APNs request, device reaches out to relevant servers, for MDM requests, this is the FileWave Server
- Device checks-in
- Queued MDM commands are pushed to device, e.g. InstallProfile
- Profile instals
For standard Filesets, FileWave is in control of the communication. However, for Apple MDM, there is an unknown amount of delay until the Profile is installed.
The Issue
Since Filesets are installed sequentially, if a Fileset were allowed to depend upon an Apple MDM Fileset, the client would be held waiting for an unknown period time, preventing other Filesets and configuration from actioning. For this reason, Apple MDM Filesets can only depend on a different Fileset type and not the other way around.
Requirement Scripts
Requirement Scripts allow a Fileset to fail, let the client continue and then 2 minutes later try the requirement again. The Requirement Script will continue with this process, whilst there is a non-zero exit code. By way of this process, the Requirement Script gives the ability to delay the installation of the Fileset, until any required Profiles are installed beforehand.
Ingredients
- Fileset designed to use a Requirement Script to ensure Profile is installed prior to activation
- Associated Profile ID(s)
Profile Dependency Fileset Template.fileset.zip
Directions
Download the Fileset, import into FileWave and edit to match requirements. Select the ‘check_for_profile.sh’ script and click ‘Get Info’:
The Launch Arguments will initially appear empty.
For each Profile that needs to be considered for installation prior to this Fileset, its ID must be added to the list of Launch Arguments (one entry per Profile ID). Profile IDs can be obtained from within the Payload details of the Profile Filesets.
For eah Profile that must be installed, open the Profile for editing, highlight the Identifier and copy.
Copy these IDs into the LaunchArguments of the Fileset. Example below shows 5 Profile IDs added for a Microsoft Defender Installer.
The script allows for the idea of either by way of an Environment Variable (all_or_one). Set the value appropriately:
all | All of the listed Profiles must be installed prior to the Fileset becoming active. |
one | At least one of the included Profiles must be installed prior to the Fileset becoming active |
The below, shows a Fileset set to require all Profiles are installed, before Fileset activation for the same Microsoft Defender example:
With this set, add any additional installers into the Fileset, that would need to be installed, once the provided Profiles are installed.
Create a Fileset Group and add this Fileset and all necessary Profiles to the same group (not necessary, but somewhat neater to manage)
For example:
Associate the Fileset Group, test and then rollout to more devices once happy.
This Fileset is particular useful with Apple TCC Privacy Settings Profiles. Privacy settings provide access permissions for software to function. However, typically these Profiles need to be installed before the process that they are allowing is started. This means, if the software is allowed to instal before the Profile is installed, the software process would need restarting after the Profile is installed. The above Fileset offers the solution around this, where the Fileset will only attempt download and installation once the Profile is in place.