Deploying custom app settings for on-demand macOS apps

This post was originally published on this site

With macOS and Workspace ONE, administrators have a lot of flexibility in precisely how native macOS applications are deployed and configured.  Certain applications may utilize Privacy Preference settings, require Kernel Extensions or System Extensions, and/or be configured through the use of a Custom Settings profile.  Additionally, administrators may choose to deploy certain apps automatically to assigned end user devices, or they may choose to make them available in an end user’s WS1 Intelligent Hub, where the user themselves can decide whether they choose to install the app on their device.

 

As such, when deploying a macOS app to devices, in many cases administrators will deploy both the application itself, as well as one (or more) configuration profile that will supply various app settings.  For applications that deploy automatically, this isn’t a concern because you can simply deploy the corresponding profile automatically as well.  However, for apps that are made available on demand, what’s the best way to ensure that the corresponding profile is only installed if the user chooses to install the app through the Intelligent Hub?  This document will walk through how the WS1 hubcli can be used to deploy an optional profile during the installation process of an on-demand application.

 

Setting up a Workspace ONE profile with the macOS application configuration

 

The first step is to create an optional profile in Workspace ONE that covers all the desired application settings.  Keep in mind that the specifics will depend on a particular application and may include Privacy Preferences, Kernel Extensions, System Extensions, and/or various Custom Settings payloads.  This example will walk through deploying Mozilla Firefox, along with a profile that contains two Custom Settings payloads: the first to automatically approve notifications for the end user, and the second to automatically set the Firefox homepage to our corporate website.

 

1. Create a new macOS profile in your Workspace ONE UEM Console.  Give it your desired profile name

2. In the General payload, make sure the Assignment Type is set to Optional.

3. Assign the profile to the same Smart Groups that the application will be assigned to.

 

From here, configure the rest of the profile payloads as desired.  In this Firefox example, two Custom Settings payloads will be added:

 

4. In the Custom Settings payload, paste the following text to automatically enable the application notifications:

<dict>

     <key>NotificationSettings</key>

     <array>

          <dict>

               <key>AlertType</key>

               <integer>2</integer>

               <key>BadgesEnabled</key>

               <true/>

               <key>BundleIdentifier</key>

               <string>org.mozilla.firefox</string>

               <key>CriticalAlertEnabled</key>

               <true/>

               <key>GroupingType</key>

               <integer>0</integer>

               <key>NotificationsEnabled</key>

               <true/>

               <key>ShowInLockScreen</key>

               <true/>

               <key>ShowInNotificationCenter</key>

               <true/>

               <key>SoundsEnabled</key>

               <true/>

          </dict>

     </array>

     <key>PayloadDescription</key>

     <string>Configures notifications settings.</string>

     <key>PayloadDisplayName</key>

     <string>Notification Settings</string>

     <key>PayloadIdentifier</key>

     <string>com.apple.notificationsettings.ABE75EA9-C93C-4F5F-A66D-36B851CC2635</string>

     <key>PayloadType</key>

     <string>com.apple.notificationsettings</string>

     <key>PayloadUUID</key>

     <string>ABE75EA9-C93C-4F5F-A66D-36B851CC2635</string>

     <key>PayloadVersion</key>

     <integer>1</integer>

</dict>

 

5. Still in the Custom Settings payload, select the “+” icon in the bottom-right corner to create a new payload, then paste the following text to define the homepage:

<dict>

     <key>EnterprisePoliciesEnabled</key>

     <true/>

     <key>Homepage</key>

     <dict>

          <key>Locked</key>

          <true/>

          <key>StartPage</key>

          <string>homepage</string>

          <key>URL</key>

          <string>https://www.vmware.com</string>

     </dict>

     <key>PayloadDescription</key>

     <string>Configures Firefox settings</string>

     <key>PayloadDisplayName</key>

     <string>Firefox</string>

     <key>PayloadIdentifier</key>

     <string>2C284A01-E458-4BBC-B185-021CCC8CB070</string>

     <key>PayloadOrganization</key>

     <string></string>

     <key>PayloadType</key>

     <string>org.mozilla.firefox</string>

     <key>PayloadUUID</key>

     <string>2C284A01-E458-4BBC-B185-021CCC8CB070</string>

     <key>PayloadVersion</key>

     <integer>1</integer>

</dict>

 

6. Select Save and Publish and then Publish the profile.

 

Get the Workspace ONE Profile ID

 

You’ll need the Profile ID for use with the hubcli command later on.  To get this, open the Devices > Profiles & Resources > Profiles page in the Workspace ONE UEM Console. Right-click the profile you just created, and select Copy Link (or your browser equivalent).  Paste the copied link, and you should see something in a form similar to:

 

https://<WS1_UEM_URL>/AirWatch/Profiles/DeviceProfileEdit/12345?isReadOnlyProfileView=False&addVersion=False

 

The Profile ID is the numeric value that comes after /DeviceProfileEdit/, highlighted in red above.

 

Using hubcli to install the profile as an app is installed

 

Your application should be uploaded and deployed through the Software Distribution area of the Workspace ONE UEM Console (that is, under Apps & Books > Applications > Native > Internal).  For more information on deploying non-Store macOS apps in Workspace ONE, check out this Techzone article: Deploying a Third-Party macOS App: VMware Workspace ONE Operational Tutorial.

 

Proceed to the Edit Application page, or if you have an existing application already, choose to Edit it.  From here, navigate to the Scripts tab.  Under the Install Scripts section, take note of the two text fields:

  • Pre-Install Script – Any script included here will execute prior to the installation of the application.
  • Post Install Script – Any script included here will execute after the installation of the application.

 

In most cases, you’ll be able to use the hubcli to install the application profile in either of these fields with no difference in behavior.  With certain advanced application packages, however, it’s possible that certain configurations may need to be set either before or after the application install.

 

In the case of our Firefox example, we’ll use the Pre-Install Script field, to install the Configuration Profile just before the application installation.  In that field, paste the following script.  Make sure to replace the Profile ID with the value you found above!

 

#!/bin/sh

/usr/local/bin/hubcli profiles –install 12345

 

The field should look similar to the image below:

Firefoxhubcli.png

 

 

From here, select Save & Assign and, if needed, Add Assignment to create the assignment for your app.  Within the assignment, make sure the App Delivery Method is set to On Demand, and that Display in App Catalog is enabled.  Publish the app.

 

With this setup, you’ve created a configuration that applies settings used by a particular application. Additionally, you’ve set up that application to be deployed through the Workspace ONE Intelligent Hub app catalog with an on-demand deployment methodology.  Through the use of the hubcli as a pre-install (or post-install) script, you’ve configured the configuration profile to install only when the application is installed as well.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.