Policy Management

When you create a policy, you use a payload-based interface to configure settings for the policy and add tasks to it. For more information on the settings you can configure, see Policy Payload Reference.

After you create a policy, you can view the plan, status, and logs for the policy. You can also flush policy logs.

Note:

To run a policy on a computer, the Allow Jamf Pro to perform management tasks checkbox must be selected in the computer inventory information to enable the management account. For more information about the management account, see Computer Enrollment Methods.

Creating a Policy

  1. In Jamf Pro, click Computers at the top of the sidebar.
  2. Click Policies in the sidebar.
  3. Click New.
  4. Use the General payload to configure basic settings for the policy, including the trigger and execution frequency.
  5. Use the rest of the payloads to configure the tasks you want to perform.
  6. Click the Scope tab and configure the scope of the policy.
  7. (Optional) Click the Self Service tab and make the policy available in Self Service.
    Note:

    On computers with macOS 10.15 or later, if Jamf Pro is not safelisted in the Privacy Preferences Policy Control payload, users are prompted when policies that access data on a network volume are run through Self Service. By default, Jamf Pro is automatically safelisted in the Privacy Preferences Policy Control payload.

  8. (Optional) Click the User Interaction tab and enter messages to display to users or allow users to defer the policy.
  9. Click Save.

The policy runs on computers in the scope the next time they check in with Jamf Pro and meet the criteria in the General payload.

Running a Policy

There are two ways to run a policy with a pre-defined trigger:

  • Wait until the configured trigger event occurs.

  • Manually trigger the policy using the jamf binary.

To manually trigger the policy using the jamf binary, execute the following command on managed computers:

sudo jamf policy -event <triggerName> -verbose

If the policy has a pre-defined trigger, replace <triggerName> with the appropriate value. The following is a list of pre-defined triggers:

  • Startup—startup

  • Login—login

  • Logout—logout

  • Network State Change—networkStateChange

  • Enrollment Complete—enrollmentComplete

  • Recurring Check-in—None (execute sudo jamf policy -verbose)

If the policy has a custom trigger, replace <triggerName> with the custom trigger name specified in the policy.

Note:

A policy with a custom trigger must be run manually using the jamf binary.
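
The following is an added example, not part of the Jamf documentation: a shell wrapper that builds the command above for a given trigger, including the Recurring Check-in case that takes no -event argument, and refuses trigger names that are unsafe to pass to a root-level command. The function names, the "recurring" label, the JAMF_BIN and DRY_RUN variables, the allowed character set, and the case-mismatch check are assumptions of this example.

```shell
#!/bin/sh
# Added example: build (and optionally run) the jamf command for a trigger.
# JAMF_BIN and DRY_RUN are variables of this example, not Jamf settings.
JAMF_BIN="${JAMF_BIN:-jamf}"

# Print the jamf arguments for a trigger name, or fail with a reason on stderr.
# "recurring" is this example's own label for Recurring Check-in, which has
# no event name and is run as plain `jamf policy -verbose`.
policy_args() {
    trigger="$1"
    case "$trigger" in
        ''|*[!A-Za-z0-9_.-]*)
            # Assumed conservative character set: no spaces or shell metacharacters.
            echo "rejected trigger name: '$trigger'" >&2
            return 1 ;;
        recurring)
            echo "policy -verbose"
            return 0 ;;
    esac
    # Treat a name that differs from a pre-defined trigger only in letter case
    # as a likely typo (a design choice of this example).
    lower=$(printf '%s' "$trigger" | tr 'A-Z' 'a-z')
    for known in startup login logout networkStateChange enrollmentComplete; do
        known_lower=$(printf '%s' "$known" | tr 'A-Z' 'a-z')
        if [ "$lower" = "$known_lower" ] && [ "$trigger" != "$known" ]; then
            echo "'$trigger' differs only in case from pre-defined '$known'" >&2
            return 2
        fi
    done
    # Pre-defined and custom triggers share the same command form.
    echo "policy -event $trigger -verbose"
}

# Print the full command when DRY_RUN=1 (the default); run it when DRY_RUN=0.
run_policy() {
    args=$(policy_args "$1") || return $?
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "sudo $JAMF_BIN $args"
    else
        # Word splitting is intended: $args was validated above.
        sudo "$JAMF_BIN" $args
    fi
}
```

Source the file and call run_policy with a trigger name to preview the command; set DRY_RUN=0 on a managed computer to execute it.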

Viewing the Plan for a Policy

The plan for a policy includes the following information:

  • An indicator that shows whether the policy is enabled

  • The execution frequency

  • The triggers

  • The scope

  • The site that the policy belongs to

  • A list of actions for the policy

  1. In Jamf Pro, click Computers at the top of the sidebar.
  2. Click Policies in the sidebar.
  3. In the list of policies and their plans, click Expand for a policy to view its actions.

Viewing the Status of a Policy

For each policy, you can view a pie chart that shows the number of computers on which the policy has completed, has failed, or is still remaining.

  1. In Jamf Pro, click Computers at the top of the sidebar.
  2. Click Policies in the sidebar.
  3. Click Grid View at the top of the list.

Viewing and Flushing Logs for a Policy

The logs for a policy include a list of computers that have run the policy and the following information for each computer:

  • The date/time that the policy ran on the computer

  • The status

  • The actions logged

  1. In Jamf Pro, click Computers at the top of the sidebar.
  2. Click Policies in the sidebar.
  3. Click the policy you want to view logs for.
  4. Click Logs.
  5. To view the actions logged for a computer, click Details for the computer.

    To hide the information when you are done viewing it, click Hide.

  6. To flush a policy log for a single computer, click Flush for the computer.
  7. To flush all logs for the policy, click Flush All at the bottom of the pane.

Adding a Policy to the Jamf Pro Dashboard

Adding a policy to the Jamf Pro Dashboard helps you monitor its status and progress. For example, you can determine which computers have received software, which have pending installations, and if any policies have failed to deploy and require troubleshooting.

If you configure a policy to assist with the deployment of a security stack (e.g., an antivirus suite or Jamf Protect) to computers, you can track its deployment progress by adding the policy to the Jamf Pro Dashboard. This allows you to view all completed, pending, retrying, and failed deployment attempts for the policy.

  1. In Jamf Pro, click Computers at the top of the sidebar.
  2. Click Policies in the sidebar.
  3. Click the policy you want to add to the Jamf Pro Dashboard.
  4. Select the Show in Jamf Pro Dashboard checkbox.
  5. Click the Jamf Pro logo to view the Jamf Pro Dashboard.
  6. Navigate to the Policy Statuses area of the Jamf Pro Dashboard and find the widget for the policy you added.
    Click any item in the widget to view more details for analysis or troubleshooting.

Monitor the progress of computers that have been scoped to the policy in both the circular percentage graph and the status categories. Then, use this information to troubleshoot any computers that have Failed, Pending, or Retrying statuses by clicking the status links and reviewing the computers presented.