Policy Payload Reference

When creating or editing a policy, you use a payload-based interface to configure settings for the policy and add tasks to it. This section provides an overview of each payload.

General Payload

This payload allows you to do the following:

  • Enable or disable the policy. (For example, if you need to take the policy out of production temporarily, you may want to disable it.)

  • Add the policy to a site. For more information, see Sites.

  • Add the policy to a category. For more information, see Categories.

  • Choose one or more events to initiate the policy (called "triggers").

  • Choose how often the policy should run (called "execution frequency").

  • Make the policy available offline. (This only works with the "Ongoing" execution frequency.)

  • Specify the drive on which to run the policy.

  • Specify server-side and client-side limitations for the policy. (For example, you can specify an expiration date/time for the policy, or ensure that the policy does not run on weekends.)

Packages Payload

This payload allows you to perform the following software distribution tasks:

  • Install packages.

  • Cache packages.

  • Install cached packages.
    Note: To install all cached packages, use the Maintenance payload. For more information, see Maintenance Payload.

  • Uninstall packages.

This payload also allows you to do the following when installing packages:

  • Specify the distribution point that computers should download the packages from.

  • Add the packages to the Autorun data of each computer in the scope.

For complete instructions on creating a policy to perform software distribution tasks, see one of the following sections in this guide:

Software Updates Payload

This payload allows you to run Apple’s Software Update and choose the software update server that you want computers to install updates from.

For complete instructions on creating a policy to run Software Update, see Running Software Update.

Scripts Payload

This payload allows you to run scripts and choose when they run in relation to other tasks in the policy. You can also enter values for script parameters.

For complete instructions on running scripts using a policy, see Running Scripts.

Printers Payload

This payload allows you to map and unmap printers. You can also make a printer the default.

For complete instructions on administering printers using a policy, see Administering Printers.

Disk Encryption Payload

This payload allows you to enable FileVault 2 on computers with macOS 10.8 or later by distributing disk encryption configurations.

For complete instructions on enabling FileVault 2, see Deploying Disk Encryption Configurations.

This payload also allows you to issue a new FileVault 2 recovery key for computers with macOS 10.9 or later.

For complete instructions on issuing a new recovery key, see Issuing a New FileVault 2 Recovery Key.

Dock Items Payload

This payload allows you to add and remove Dock items. When you add Dock items, you can also choose to add them to the beginning or end of the Dock.

For complete instructions on administering Dock items, see Administering Dock Items.

Local Accounts Payload

This payload allows you to create and delete local accounts, and reset local account passwords. When you create an account, you can do the following:

  • Specify a location for the home directory.

  • Configure the account picture.

  • Allow the user to administer the computer.

  • Enable the account for FileVault 2 on computers with macOS 10.9 or later.

This payload also allows you to disable an existing local account for FileVault 2 on computers with macOS 10.9 or later.

For complete instructions on administering local accounts, see Administering Local Accounts.

Management Account Payload

This payload allows you to reset the management account password. You can choose to specify the new password or randomly generate it.

This payload also allows you to enable or disable the management account for FileVault 2 on computers with macOS 10.9 or later.

For complete instructions on administering the management account, see Administering the Management Account.

Directory Bindings Payload

This payload allows you to bind computers to a directory service.

For complete instructions on binding to a directory service, see Binding to Directory Services.

EFI Password Payload

This payload allows you to set or remove an Open Firmware or EFI password.

For complete instructions on administering Open Firmware and EFI passwords, see Administering Open Firmware/EFI Passwords.

Restart Options Payload

This payload allows you to restart computers after the policy runs. It also allows you to do the following:

  • Specify the disk to restart computers from, such as a NetBoot image.

  • Specify criteria for the restart depending on whether or not a user is logged in.

  • Configure a restart delay.

  • Perform an authenticated restart on computers with macOS 10.8.2–10.12.x that are FileVault 2 enabled.
    Note: For this to work on computers with FileVault 2 activated, the enabled FileVault 2 user must log in after the policy runs for the first time and the computer has restarted.

You can also display a message to users before a policy restarts computers. For more information, see User Interaction.

For complete instructions on booting computers to a NetBoot image, see Booting Computers to NetBoot Images.

Maintenance Payload

This payload allows you to perform the following maintenance tasks:

  • Update inventory.

  • Reset computer names.

  • Install all cached packages.

  • Fix disk permissions (macOS 10.11 or earlier).

  • Fix ByHost files.

  • Flush caches.

  • Verify the startup disk.

For complete instructions on installing all cached packages, see Installing Cached Packages.

Files and Processes Payload

This payload allows you to search computers for specific files and processes, and use policy logs to log when they are found. You can kill processes that are found and delete files that are found when searching by path.

This payload also allows you to execute commands.

Microsoft Intune Integration Payload

This payload allows you to register computers with Azure Active Directory (Azure AD) using the Company Portal app for macOS from Microsoft. End users need to launch the Company Portal app through Jamf Self Service for macOS to register their devices with Azure AD as a computer managed by Jamf Pro. It is recommended that you notify end users to let them know they will be prompted to take action prior to deployment.

The payload also automatically triggers an inventory submission from the computer to Jamf Pro.

For complete instructions on using the Microsoft Intune Integration payload, see the Integrating with Microsoft Intune to Enforce Compliance on Macs Managed by Jamf Pro technical paper.

© copyright 2002-2018 Jamf. All rights reserved.