iCloud, Spotlight & Login Window issues with JSS 9.9+ & the Security & Privacy profile payload


Recently, a few folks & I have been dealing with issues from profiles deployed via the JSS.

Kitzy has a workaround for the issues affecting 9.82 & screen savers asking for passwords, here.

This was seemingly fixed in 9.9, but other issues have since cropped up & I’ve detailed them below.

Derangeable

Well, as per the title there are actually 3 issues.

iCloud

With JSS 9.9, a new payload was made available which allowed restrictions to things such as iCloud Drive.

Sadly, you might see this restriction being enforced without setting the key yourself, as shown in this from the iCloud preference pane:

Screenshot 2016-05-09 11.53.13

Spotlight

Screenshot 2016-05-06 14.19.26

A number of folks have found Spotlight to be churning CPU once updated to JSS 9.9+ too.

This seems to be caused by the following key being set for com.apple.Spotlight.

Screen Shot 2016-05-09 at 11.37.14

You can see if you’re affected by going to /Library/Managed Preferences/ & seeing if com.apple.Spotlight.plist exists, either in the root of that directory or under any of the user directories.

Login Window

There have also been some reports of Macs not being responsive after wake from sleep, with some clicks working but not all & no keyboard interaction.

Find Where You Hide

In an attempt to track down these issues, I enrolled a VM into a JSS & started to slowly apply profiles.

As per the linked posts above, once I had applied a profile with a “Security & Privacy” payload I started to see issues (the Activity Monitor image above was taken after applying this profile & restarting).

Looking at the profile in the JSS showed that it should have just had the “Security & Privacy” payload:

Screenshot 2016-05-09 11.38.39

But checking the profile in System Preferences revealed it was doing more:

Screen Shot 2016-05-09 at 11.37.29

Opening System Information & looking under “Managed Client” revealed the extra payloads that were being managed:

Screen Shot 2016-05-09 at 11.38.17

Downloading the “Security & Privacy” profile, then unsigning & converting to XML1 (using this awesome tool from Amsys) again verified the above:

Screenshot 2016-05-09 11.40.25

This is really pretty awful: there are payloads being managed with no content & others being managed that are not in the UI for the payload at all.
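The same check can be scripted. The following is an added example, not code from this post or from the Amsys tool: it assumes the profile has already been unsigned and converted to XML1, and the embedded sample profile, its payload types and its keys are constructed for illustration rather than taken from real JSS output.

```python
import plistlib

# Constructed sample: an unsigned profile already converted to XML1, shaped like
# the problem described above. Payload types and keys are illustrative only.
SAMPLE_PROFILE = b"""<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadDisplayName</key><string>Security and Privacy (sample)</string>
<key>PayloadContent</key><array>
  <dict><key>PayloadType</key><string>com.apple.systempolicy.control</string>
        <key>PayloadUUID</key><string>SAMPLE-UUID-1</string>
        <key>EnableAssessment</key><true/></dict>
  <dict><key>PayloadType</key><string>com.apple.Spotlight</string>
        <key>PayloadUUID</key><string>SAMPLE-UUID-2</string></dict>
  <dict><key>PayloadType</key><string>com.apple.loginwindow</string>
        <key>PayloadUUID</key><string>SAMPLE-UUID-3</string>
        <key>PayloadContent</key><dict/></dict>
</array></dict></plist>"""


def settings_of(payload):
    """Return the keys a payload actually manages, ignoring Payload* metadata."""
    keys = {k for k in payload if not k.startswith("Payload")}
    nested = payload.get("PayloadContent")  # some payload types nest settings here
    if isinstance(nested, dict):
        keys |= set(nested)
    return sorted(keys)


def audit_profile(xml_bytes, expected_types):
    """List each payload with whether it was expected and whether it is empty."""
    profile = plistlib.loads(xml_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "<missing PayloadType>")
        keys = settings_of(payload)
        findings.append({
            "type": ptype,
            "unexpected": ptype not in expected_types,
            "empty": not keys,
            "keys": keys,
        })
    return findings


if __name__ == "__main__":
    # expected_types: what the admin believes was configured in the JSS UI.
    for f in audit_profile(SAMPLE_PROFILE, {"com.apple.systempolicy.control"}):
        flags = [n for n in ("unexpected", "empty") if f[n]]
        print(f"{f['type']}: keys={f['keys']} {' '.join(flags) or 'ok'}")
```

Any payload reported as both unexpected and empty is a domain the profile manages without the UI having asked for it, which is the situation described above.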

Uncontrollable Desires

With the above in mind, you might think that a second set of profiles to set the keys as wanted may well be the solution.

Well, the below is from this from Apple.

If two payloads define different network settings for the same SSID, for example, the result is undefined.

And:

If payloads contradict each other, the more restrictive setting is normally used. In some cases, the result is undefined.

“Undefined”, helpful no?

Untangled Minds

Again, Apple have a document on some payload best practices. This includes which payloads can have multiple values & are denoted as such by (*).

Looking at that document for the Restrictions & Login Window payloads reveals that they only support a single profile, else you end up with the “undefined” behaviour.

Screenshot 2016-05-09 11.54.10

Back To The Start

So, how do we get things back to a correct state?

Well, despite what may feel like bad practice, you’ll need to combine the Login Window, Restrictions & Security & Privacy payloads as per:

Screenshot 2016-05-09 11.54.45

You’ll also need to add the “Restrictions” payload with the bottom 3 options below checked to set them as true (or uncheck the iCloud options if wanted).

Screenshot 2016-05-09 18.57.11

Once done, if you download the profile & unsign etc (again, a plug for this awesome tool from Amsys), you can then see that the profile now contains all the correct payloads & keys:

Screenshot 2016-05-09 11.47.48

Once deployed & clients have been restarted, Spotlight should no longer be hogging CPU:

Screenshot 2016-05-09 15.28.11

As well as iCloud Drive being accessible again (unless blocking it intentionally).

Screen Shot 2016-05-09 at 11.52.42

I also believe that having a payload for com.apple.loginwindow with no data was not helping, so this should hopefully resolve the issue mentioned here. (Which does remind me of this issue).

Acknowledgements

Thanks to owen.pragel & rderewianko on macadmins.org Slack, (& a number of other folks), for breaking this down.

Oh & thanks to Aliases for their awesome new album, Derangeable, which was the inspiration for the various headings.

Derangeable

4 thoughts on “iCloud, Spotlight & Login Window issues with JSS 9.9+ & the Security & Privacy profile payload”

  1. rik derris

    Great, this was causing quite a headache with the unresponsiveness from sleep, but putting the 3 payloads in the one configuration resolved that.

    I am running 99.3 so it’s not fixed there yet, but I know 9.96 is out in the wild now so maybe it’s fixed now.
