Deploying Custom Configuration Profiles Using Jamf Pro

This article explains how to deploy custom configuration profiles to computers using Jamf Pro.

Custom computer configuration profiles can be used to set preferences for specific application or preference domains that are not native to Jamf Pro. You can use the following methods in Jamf Pro to deploy custom configuration profiles:

  • Method 1: Use the Application & Custom Settings payload in Jamf Pro

  • Method 2: Upload a configuration profile to Jamf Pro

Method 1: Use the Application & Custom Settings Payload in Jamf Pro

The following options are available when you use the Applications & Custom Settings payload in Jamf Pro:

  • Configure settings in Jamf Pro—You can use the Jamf Pro interface to configure the application properties of an app.

  • Upload a PLIST file—You can manually create a PLIST file that defines the properties for the preference domain you specify in Jamf Pro, and then upload the PLIST file directly to Jamf Pro.

Note:

Before uploading the PLIST file to Jamf Pro, you must create a PLIST file using a text editor and enter the key-value pairs that define the application preferences you want to manage.

  1. Log in to Jamf Pro.
  2. Click Computers at the top of the page.
  3. Click Configuration Profiles.
  4. Click New.
  5. Use the General payload to configure basic settings, including the level at which to apply the profile and the distribution method.
  6. Click the Applications & Custom Settings payload, and then click Configure.
  7. Do one of the following:
    • To configure settings for a specific app:

      1. Choose Configure Settings.

      2. Choose a source from the Source pop-up menu.

        (Jamf Pro 10.19.0 or later) "Custom Schema" allows you to enter a JSON Schema manifest directly in Jamf Pro. Jamf Pro then dynamically generates the configurable settings. For more information about managing an app using a JSON Schema manifest and Jamf Pro, see the Managing Settings for Computer Applications using JSON Schema and Jamf Pro Technical Paper.

        (Jamf Pro 10.18.0 or later) "Jamf Repository" allows you to select the preference domain of an app from a list.

      3. Use the rest of the settings on the pane to customize the app.

    • To upload a custom PLIST file:

      1. Choose Upload File.

      2. Enter the preference domain for which you want to set properties. The preference domain should look similar to the following: com.vendor.application.

      3. Click Upload PLIST File, and then choose the PLIST file previously created.
        Note:

        If the PLIST file contains formatting errors, follow the on-screen instructions to remediate the issue, and then execute the following command before re-uploading the file:

        /usr/bin/plutil -convert xml1 /path/to/file.plist

  8. Click the Scope tab, and then configure the scope of the configuration profile. For more information, see the Scope section of the Jamf Pro Administrator's Guide.
  9. Click Save.
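
A pre-upload check for the PLIST file used in the Upload File option, written in Python so it also runs where plutil is not available. This is an added example, not Jamf code; the function name and the sample keys for the placeholder domain com.vendor.application are assumptions.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Constructed sample settings for the placeholder domain com.vendor.application.
SAMPLE_SETTINGS = {
    "AutoUpdateEnabled": False,
    "UpdateChannel": "stable",
    "AllowedHosts": ["updates.example.com"],
}


def normalize_plist(data: bytes) -> bytes:
    """Return the settings as an XML (xml1) plist, or raise ValueError.

    Accepts XML or binary plist bytes, so a file that was saved in
    binary form is converted rather than rejected.
    """
    try:
        root = plistlib.loads(data)
    except (ValueError, ExpatError) as exc:
        # InvalidFileException is a ValueError; malformed XML raises ExpatError.
        raise ValueError(f"not a well-formed plist: {exc}") from exc
    if not isinstance(root, dict):
        raise ValueError("root element must be a <dict> of key-value pairs")
    if not all(isinstance(key, str) for key in root):
        raise ValueError("all top-level keys must be strings")
    # Same target format as `plutil -convert xml1`.
    return plistlib.dumps(root, fmt=plistlib.FMT_XML, sort_keys=True)


if __name__ == "__main__":
    binary = plistlib.dumps(SAMPLE_SETTINGS, fmt=plistlib.FMT_BINARY)
    print(normalize_plist(binary).decode())
```
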

Method 2: Upload a Configuration Profile to Jamf Pro

You can upload a complete configuration profile (.mobileconfig) directly to Jamf Pro. If the <UUID> (universally unique identifier) field of a configuration profile matches an existing configuration profile in Jamf Pro, the profile cannot be uploaded. You can upload signed or unsigned profiles. The following table explains the considerations for each type of profile:

Type of Profile | Considerations

Signed Profile

Signed configuration profiles are not modified during the import or deployment processes. If the <PayloadType> or specific <key> values in the profile are unknown to Jamf Pro, those values will not display in the Jamf Pro interface but should install correctly.

After uploading a signed configuration profile, Jamf Pro will alert administrators that the profile is read-only and cannot be edited unless the signature is removed. If you click Remove Signature, Jamf Pro will attempt to import the contents of the profile and allow administrators to edit it.
Note:

Signed configuration profiles cannot use configuration profile variables available in Jamf Pro.

You can create a signing certificate using Jamf Pro's Built-in Certificate Authority (CA). This enables you to sign profiles using Jamf Pro. Configuration profiles can be signed using the certificate of your choice, but creating a signing certificate generated by the Jamf Pro CA provides the following benefits:
  • Marks the custom configuration profiles as trusted since managed devices have established trust with the Jamf Pro built-in CA

  • Ensures the custom configuration profile displays the same organization name as other configuration profiles created in Jamf Pro

For step-by-step instructions, see the Creating a Signing Certificate Using Jamf Pro's Built-in CA to Use for Signing Configuration Profiles and Packages article.

Unsigned Profile

Jamf Pro attempts to import all of the file's values, associate them with known settings within the Jamf Pro console, and allow further editing. If the <PayloadType> or specific <key> values in the profile are unknown to Jamf Pro, the deployed configuration profile may not contain those values or install correctly.
Note:

Unsigned profiles with payload types and key-value pairs known to Jamf Pro should deploy as intended.

For more information, see the Computer Configuration Profiles section of the Jamf Pro Administrator's Guide.
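
A preflight for a .mobileconfig file before upload, covering the two conditions described above: a UUID that matches an existing profile, and payload types that an unsigned import may drop. This is an added example, not Jamf code; `existing_uuids` and `known_types` are lists the administrator is assumed to supply, the sample profile is constructed, and UUIDs are compared case-insensitively as a conservative assumption.

```python
import plistlib

# Constructed unsigned profile; identifiers, UUIDs and the payload type are made up.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.profile",
    "PayloadUUID": "11111111-2222-3333-4444-555555555555",
    "PayloadDisplayName": "Example settings",
    "PayloadContent": [{
        "PayloadType": "com.vendor.application",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.app",
        "PayloadUUID": "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE",
        "AutoUpdateEnabled": False,
    }],
})


def preflight(data: bytes, existing_uuids, known_types) -> dict:
    """Report signing state, UUID conflict and unrecognised payload types."""
    report = {"signed": data[:1] == b"\x30", "uuid": None,
              "uuid_conflict": False, "unknown_types": []}
    if report["signed"]:
        # A signed profile is a DER-encoded CMS envelope (ASN.1 SEQUENCE, 0x30),
        # not a plist. It is imported read-only, so nothing is parsed here.
        return report
    profile = plistlib.loads(data)  # XML or binary plist
    report["uuid"] = profile["PayloadUUID"]
    taken = {u.upper() for u in existing_uuids}
    report["uuid_conflict"] = report["uuid"].upper() in taken
    seen = {p.get("PayloadType", "<missing>")
            for p in profile.get("PayloadContent", [])}
    # Types outside the supplied list may be lost when an unsigned profile
    # is imported; signing the profile avoids modification on import.
    report["unknown_types"] = sorted(seen - set(known_types))
    return report


if __name__ == "__main__":
    print(preflight(SAMPLE_PROFILE,
                    {"11111111-2222-3333-4444-555555555555"},
                    {"com.apple.wifi.managed"}))
```
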