Policy Payload Reference

When creating or editing a policy, you use a payload-based interface to configure settings for the policy and add tasks to it. This section provides an overview of each payload.

Payload

Description

General

This payload allows you to do the following:

  • Enable or disable the policy. (For example, if you need to take the policy out of production temporarily, you may want to disable it.)

  • Add the policy to a site. For more information, see Sites.

  • Add the policy to a category. For more information, see Categories.

  • Choose one or more triggers.

  • Choose the execution frequency.

  • Retry the policy if it fails. (This only works with the "Once per computer" execution frequency.)

  • Make the policy available offline. (This only works with the "Ongoing" execution frequency.)

  • Specify the drive on which to run the policy.

  • Specify server-side and client-side limitations for the policy. (For example, you can specify an expiration date/time for the policy, or ensure that the policy does not run on weekends.)

Packages

This payload allows you to perform the following software distribution tasks:

Note: To install all cached packages, use the Maintenance payload.

This payload also allows you to do the following when installing packages:

  • Specify the distribution point computers should download the packages from.

  • Add the packages to the Autorun data of each computer in the scope.

Software Updates

This payload allows you to run Apple’s Software Update and choose the software update server that you want computers to install updates from. For complete instructions on creating a policy to run Software Update, see Running Software Update.

Scripts

This payload allows you to run scripts and choose when they run in relation to other tasks in the policy. You can also enter values for script parameters. For complete instructions on running scripts using a policy, see Scripts.

Printers

This payload allows you to map and unmap printers. You can also make a printer the default. For complete instructions on administering printers using a policy, see Printers.

Disk Encryption

This payload allows you to enable FileVault on computers with macOS 10.8 or later by distributing disk encryption configurations.

This payload also allows you to issue a new FileVault recovery key for computers with macOS 10.9 or later. For complete instructions on issuing a new recovery key.

For complete instructions on enabling FileVault, see Disk Encryption Configurations.

Dock Items

This payload allows you to add and remove Dock items. When you add Dock items, you can also choose to add them to the beginning or end of the Dock. For complete instructions on administering Dock items, see Dock Items.

Local Accounts

This payload allows you to create and delete local accounts, and reset local account passwords. When you create an account, you can do the following:

  • Specify a location for the home directory.

  • Configure the account picture.

  • Allow the user to administer the computer.

  • Enable the account for FileVault 2 on computers with macOS 10.9 or later.

This payload also allows you to disable an existing local account for FileVault on computers with macOS 10.9 or later.

For complete instructions on administering local accounts, see Local Accounts.

Management Account

This payload allows you to reset the management account password. You can choose to specify the new password or randomly generate it.

This payload also allows you to enable or disable the management account for FileVault on computers with macOS 10.9 or later.

Important: When configuring the management account password settings, it is recommended that you select the "Randomly generate new password" option for maximum security.

For complete instructions on administering the management account, see Management Accounts.

Directory Bindings

This payload allows you to bind computers to a directory service.

For complete instructions on binding to a directory service, see Directory Bindings.

EFI Password

This payload allows you to set or remove an Open Firmware or EFI password.

For complete instructions on administering Open Firmware and EFI passwords, see Setting or Removing an EFI Password.

Restart Options

This payload allows you to restart computers after the policy runs and do the following:

  • Specify the disk to restart computers from, such as a NetBoot image.

  • Specify criteria for the restart depending on whether or not a user is logged in.

  • Configure a restart delay.

  • Perform an authenticated restart on computers with macOS 10.8.2–10.12.x, or macOS 10.14 or later that are FileVault 2 enabled.

Note: For this to work on computers with FileVault 2 activated, the enabled FileVault 2 user must log in after the policy runs for the first time and the computer has restarted.

  • Configure the restart timer to start immediately without requiring the user to acknowledge the restart message.

You can also display a message to users before a policy restarts computers. For more information, see User Interaction with Policies.

Maintenance

This payload allows you to perform the following maintenance tasks:

  • Update inventory.

  • Reset computer names.

  • Install all cached packages.

  • Fix disk permissions (macOS 10.11 or earlier).

  • Fix ByHost files.

  • Flush caches.

  • Verify the startup disk.

For complete instructions on installing all cached packages, see Package Deployment.

Files and Processes

This payload allows you to search computers for specific files and processes, and use policy logs to log when they are found. You can kill processes that are found and delete files that are found when searching by path.

This payload also allows you to execute commands.

Microsoft Intune Integration

This payload allows you to register computers with Azure Active Directory (Azure AD) using the Company Portal app for macOS from Microsoft. End users need to launch the Company Portal app through Jamf Self Service for macOS to register their devices with Azure AD as a computer managed by Jamf Pro. It is recommended that you notify end users to let them know they will be prompted to take action prior to deployment.

The payload also automatically triggers an inventory submission from the computer to Jamf Pro.

For complete instructions on using the Microsoft Intune Integration payload, see the Integrating with Microsoft Intune to Enforce Compliance on Macs Managed by Jamf Pro technical paper.

© copyright 2002-2020 Jamf. All rights reserved.