Recently, I & a few other folks have been dealing with issues from profiles deployed via the JSS.
Kitzy has a workaround for the issues affecting 9.82 & screen savers asking for passwords, here.
This was seemingly fixed in 9.9, but other issues have since cropped up & I’ve detailed them below.
Well, as per the title, there are actually 3 issues.
With JSS 9.9, a new payload was made available which allows restrictions on things such as iCloud Drive.
Sadly, you might see this restriction being enforced, as shown in the iCloud preference pane below, without having set the key yourself:
A number of folks have found Spotlight to be churning CPU once updated to JSS 9.9+, too.
This seems to be caused by the following key being set for com.apple.Spotlight.
You can see if you’re affected by going to /Library/Managed Preferences/ & checking whether com.apple.Spotlight.plist exists either in the root of that directory or under any of the user directories.
There have also been some reports of Macs not being responsive after wake from sleep, with some clicks working but not all & no keyboard interaction.
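To make the check above repeatable across a fleet, here is an added example script (mine, not from the post) that looks for com.apple.Spotlight.plist in the root of /Library/Managed Preferences & in each per-user directory beneath it. The root path can be overridden with an argument so the check can be exercised on a scratch directory; `show_spotlight_mcx` assumes it is run on a Mac where `plutil` is available.

```shell
#!/bin/sh
# Added example: find the stray Spotlight managed preference described in the post.
# It only locates the file(s); whatever key the profile delivered is inside them.

# Print every com.apple.Spotlight.plist under the managed preferences root
# (the root itself plus the per-user directories, hence depth 2).
# $1 overrides the root (used for testing); the default is the real macOS path.
# Returns 0 if at least one file was found, 1 otherwise.
find_spotlight_mcx() {
  base="${1:-/Library/Managed Preferences}"
  hits=$(find "$base" -maxdepth 2 -name 'com.apple.Spotlight.plist' 2>/dev/null)
  [ -n "$hits" ] || return 1
  printf '%s\n' "$hits"
}

# macOS only: dump the contents of each hit so the managed key is visible.
# Paths under /Library/Managed Preferences contain a space, so read line by line.
show_spotlight_mcx() {
  hits=$(find_spotlight_mcx "$1") || { echo "no com.apple.Spotlight.plist found"; return 1; }
  printf '%s\n' "$hits" | while read -r plist; do
    echo "== $plist"
    plutil -p "$plist"
  done
}

# Usage on a Mac:  show_spotlight_mcx
```

Run it after the client has restarted: an affected Mac lists one file in the root & one per logged-in user, a clean Mac prints nothing & exits 1.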
Find Where You Hide
In an attempt to track down these issues, I enrolled a VM into a JSS & started to slowly apply profiles.
As per the linked posts above, once I had applied a profile with a “Security & Privacy” payload I started to see issues (the Activity Monitor image above was taken after applying this profile & restarting).
Looking at the profile in the JSS showed that it should just have had the “Security & Privacy” payload:
But checking the profile in System Preferences revealed it was doing more:
Opening System Information & looking under “Managed Client” revealed the extra payloads that were being managed:
Downloading the “Security & Privacy” profile, then unsigning it & converting it to XML1 (using this awesome tool from Amsys), again verified the above:
This is really pretty awful: there are payloads being managed with no content, & others being managed that are not in the UI for the payload at all.
With the above in mind, you might think that a second set of profiles to set the keys as wanted may well be the solution.
Well, the below is from this document from Apple.
If two payloads define different network settings for the same SSID, for example, the result is undefined.
If payloads contradict each other, the more restrictive setting is normally used. In some cases, the result is undefined.
“Undefined”, helpful no?
Again, Apple have a document on some payload best practices. This includes which payloads can have multiple values, denoted as such by (*).
Looking at that document for the Restrictions & Login Window payloads reveals that they only support a single profile, else you end up with the “undefined” behaviour.
Back To The Start
So, how do we get things back to a correct state?
Well, despite what may feel like bad practice, you’ll need to combine the Login Window, Restrictions & Security & Privacy payloads into a single profile, as per:
You’ll also need to add the “Restrictions” payload with the bottom 3 options below checked to set them as true (or uncheck the iCloud options if wanted).
Once done, if you download the profile & unsign it etc. (again, a plug for this awesome tool from Amsys), you can then see that the profile now contains all the correct payloads & keys:
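Both checks above (verifying what the “Security & Privacy” profile really carried, & confirming the combined profile now has exactly the intended payloads) boil down to listing the PayloadType of every payload in the unsigned XML. The following is an added example of my own, not the Amsys tool: `unsign_profile` wraps Apple’s `security cms -D` & `plutil` & so only runs on a Mac, while the listing & comparison functions are plain awk/sh & run anywhere. The embedded sample profile is constructed for illustration (the `com.apple.applicationaccess` & `com.apple.loginwindow` types are the real Restrictions & Login Window payload types; the extra `com.apple.Spotlight` entry stands in for the unadvertised Spotlight management the post describes).

```shell
#!/bin/sh
# Added example: report which payloads a downloaded profile actually contains,
# and flag any that the JSS UI never showed for that profile.

# macOS only: strip the signature, then rewrite the plist as XML1.
# $1: signed .mobileconfig downloaded from the JSS; $2: path for the XML1 copy
unsign_profile() {
  security cms -D -i "$1" -o "$2" && plutil -convert xml1 "$2"
}

# Portable: print the PayloadType of every payload in an XML1 profile,
# one per line, excluding the outer "Configuration" wrapper.
# The <string> value always follows the <key>PayloadType</key> line.
list_payload_types() {
  awk '/<key>PayloadType<\/key>/ { getline; gsub(/.*<string>|<\/string>.*/, ""); print }' "$1" \
    | grep -v '^Configuration$' | LC_ALL=C sort -u
}

# Print the payload types present in the profile but absent from the expected list.
# $1: XML1 profile; remaining arguments: the payload types the JSS UI shows
unexpected_payload_types() {
  profile="$1"; shift
  for found in $(list_payload_types "$profile"); do
    wanted=0
    for expected in "$@"; do
      [ "$found" = "$expected" ] && wanted=1
    done
    [ "$wanted" -eq 0 ] && echo "$found"
  done
  return 0
}

# Constructed sample: a profile whose UI advertised only Restrictions and
# Login Window but which also carries a com.apple.Spotlight payload.
write_sample_profile() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.applicationaccess</string>
    </dict>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.loginwindow</string>
    </dict>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.Spotlight</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Usage on a Mac:
#   unsign_profile downloaded.mobileconfig profile.xml
#   list_payload_types profile.xml
#   unexpected_payload_types profile.xml com.apple.applicationaccess com.apple.loginwindow
```

Running `unexpected_payload_types` against the combined profile from the steps above should print nothing; anything it does print is a payload being managed that you did not ask for, which is exactly the situation that produced the “undefined” overlap in the first place.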
Once deployed & clients have been restarted, Spotlight should no longer be hogging CPU:
As well as iCloud Drive being accessible again (unless you are blocking it intentionally).
Thanks to owen.pragel & rderewianko on the macadmins.org Slack (& a number of other folks) for breaking this down.