Adding Apple-supported options not yet present in Jamf to MDM configuration profiles

Setting user-unmodifiable options is one of the main purposes of an MDM solution such as Jamf. On Apple Devices, this is mostly done through configuration profiles.

Apple maintains a frequently updated document describing all the available options for macOS and Apple's other operating systems: the Configuration Profile Reference. If you are new to the subject, take a look at Armin Briegel's book explaining how configuration profiles work.

Jamf lets you create and distribute configuration profiles to clients easily through GUI settings. Many of the settings available from Apple are not included in Jamf’s user interface, however. Perhaps because there are so many of them it makes sense to only include the most relevant, widely supported or useful options.

Sometimes you might need an option that isn't available in your MDM solution. You could then create a custom profile, either by hand or with the excellent ProfileCreator tool by Erik Berglund, and simply upload the profile to Jamf.

Another way of doing it is to add an option to a profile already in production. With some profiles this may even be the necessary or preferred approach, as they may contain settings specific to how your MDM provider has set up their systems.

Example: Prevent FileVault from displaying recovery keys to users when enabled

If you are enabling FileVault through a configuration profile, the recovery key will be displayed to the user on activation even though key escrow sends it to IT. Besides being an unnecessary and poorly explained extra thing for the user to worry about, on some versions of Mojave this dialog box has tended to freeze on reboot.

According to Apple’s Configuration Profile reference, the ShowRecoveryKey preference can be “Set to false to not display the personal recovery key to the user after FileVault is enabled. Defaults to true” (p. 41 in the current Configuration Profile Reference).

To add this option to a FileVault profile you are already using in Jamf:

Download the existing profile from Jamf.

Convert the profile to an editable format by removing its signature and formatting it using xmllint:

soundsnw@MacBook ~ % openssl smime -inform DER -verify -in [downloaded_profile].mobileconfig -noverify -out [de-signed_profile].mobileconfig

soundsnw@MacBook ~ % xmllint --format [de-signed_profile].mobileconfig > [formatted].mobileconfig

Edit the profile using your favorite editor.

Find the string UseRecoveryKey.

Below it, add the key discussed earlier, by adding the following lines:


Save the file and upload it to Jamf.

You can then create a smart group to distribute the modified profile instead of the old one to new machines from a set date, or simply delete the old profile and scope the new one to the same computers. Deleting the profile and deploying the new one to the same computers is safe and works, but please test it well before mass deployment in case the profile has any issues. It also makes sense to contact Jamf before deploying such modifications, to make sure the modification in question will not pose problems.

Disabling diagnostics submission for increased privacy: As a side note, it is worth mentioning that the allowDiagnosticSubmission key (p. 68 in Apple’s Configuration Profile Reference) that can be used to disable sending app diagnostic data to Apple and third party developers resides in the same Jamf configuration profile as FileVault. For it to work correctly in Mojave it needs to be manually changed to false using an editor, similarly to what we did above.
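The manual edit described in the steps above, and the allowDiagnosticSubmission change in this side note, can also be applied in one scripted pass over a de-signed profile, which is handy when several profiles need the same fix and avoids typos in hand-edited XML. This is an added example, not the post's own code or a Jamf tool; the sample profile is constructed here, and the PayloadType identifiers for the FileVault and Restrictions payloads are taken from Apple's Configuration Profile Reference.

```python
import plistlib

# PayloadType identifiers from Apple's Configuration Profile Reference.
FILEVAULT_PAYLOAD = "com.apple.MCX.FileVault2"
RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"

# Constructed sample, shaped like a de-signed Jamf FileVault profile (not a real
# Jamf export); only the keys relevant to this example are included.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.filevault.profile",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadVersion": 1,
    "PayloadContent": [
        {"PayloadType": FILEVAULT_PAYLOAD, "PayloadIdentifier": "example.filevault",
         "PayloadVersion": 1, "Enable": "On", "UseRecoveryKey": True},
        {"PayloadType": RESTRICTIONS_PAYLOAD, "PayloadIdentifier": "example.restrictions",
         "PayloadVersion": 1, "allowDiagnosticSubmission": True},
    ],
})

def set_keys_in_payloads(profile, payload_type, new_keys):
    """Add or overwrite keys in every payload of the given type; return how many matched."""
    matched = 0
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == payload_type:
            payload.update(new_keys)
            matched += 1
    return matched

def payload_of(data: bytes, payload_type: str) -> dict:
    """Return the first payload of the given type from serialized plist bytes (or {})."""
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") == payload_type:
            return payload
    return {}

def harden_filevault_profile(data: bytes) -> bytes:
    """Set ShowRecoveryKey=false in the FileVault payload and, if a Restrictions
    payload exists, allowDiagnosticSubmission=false. Input must be de-signed already."""
    if not data.lstrip().startswith((b"<?xml", b"<plist", b"bplist")):
        raise ValueError("not a plain plist: strip the signature with openssl smime first")
    profile = plistlib.loads(data)
    if set_keys_in_payloads(profile, FILEVAULT_PAYLOAD, {"ShowRecoveryKey": False}) == 0:
        raise ValueError("no FileVault payload found: is this the right profile?")
    set_keys_in_payloads(profile, RESTRICTIONS_PAYLOAD, {"allowDiagnosticSubmission": False})
    # Re-serialize as sorted XML so the result diffs cleanly against the original.
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML, sort_keys=True)
```

Run it on the output of the xmllint step and upload the resulting file to Jamf; the signed-input check catches the common mistake of feeding it the profile straight from the download.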
