chilcote / outset

Automatically process packages, profiles, and scripts during boot, login, or on demand.

High Sierra User-level Config Profiles Installed as Computer-level #52

Closed toneburst closed 6 years ago

toneburst commented 7 years ago

It looks like config profiles that Outset used to correctly install at login as User-level profiles in Sierra are now being installed as Computer-level profiles, in High Sierra.

The profiles themselves are User-level profiles.

erikng commented 7 years ago

Probably need to update the profile commands and conditionally run them per OS. You also need to target the specific user.

toneburst commented 7 years ago

Wow, super-quick reply!

I assumed the profiles would be installed for the user that was logging in. That seemed to be what happened in Sierra.

In High Sierra, though, all the profiles seem to get System scope, even though the profile is scoped to User, according to the value set for the 'PayloadScope' key.

toneburst commented 7 years ago

It could be a bug in/change to the way the profiles command runs in High Sierra.

toneburst commented 7 years ago

This is causing me problems because I'm applying profiles that lock down prefs for non-admin users, but don't apply to local admin accounts (that are in the Outset exclude list).

I could probably work around it by using a login script to install the profiles, but I don't want to go down this route if I don't have to, since Outset has built-in support for profile installation.

groob commented 7 years ago

Is this affecting all your profile payloads or a specific one?

gregneagle commented 7 years ago

Outset can install a lot of things in many different contexts. Could you provide more detail on how one might reproduce your issue? I'm having a hard time understanding how a user-level profile, installed at login via a LaunchAgent (and therefore in the logging-in user's security context), could get installed as a device-level profile, which normally requires calling profiles -IF as root. But if you are installing the profile at a different time/via a different trigger, this might start to make more sense.

toneburst commented 7 years ago

@gregneagle I know, it doesn't make sense to me, either.

What seems to be happening, on closer inspection, is that profiles that should be installed per-user at login are being installed for that user, but also being installed at System level.

Unfortunately, I can't get to the machines in question right now, to continue testing.

The setup is very simple, though. I created packages that installed User-level configuration profiles to /usr/local/outset/login-every/ (I use login-every because user homedirs are deleted at logout).

Under Sierra, the profiles would be installed by Outset at login, at User-level, as expected.

What now seems to happen, is that they also get installed at System-level.

toneburst commented 7 years ago

@groob it seems to be all the profiles that are supposed to be installed at User-level at login by Outset.

chilcote commented 6 years ago

~Is this still a thing? Can you give an example config profile I can try out in a login-once to see the behavior? I'm skeptical, but Apple ceases to amaze these days.~

Never mind, I think the answer lies here:

> I created packages that installed User-level configuration profiles to /usr/local/outset/login-every/

You can't install packages in login-every. Try placing the .mobileconfig files directly in the folder and let outset process those.
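A pre-deployment check for the two things this thread turns on, the 'PayloadScope' value of each profile and packages sitting in the login-every folder, written as an added example that is not part of any comment above and is not Outset's own code. The function names, the sample files and the rule that anything other than `PayloadScope` = `User` is marked for review are assumptions made for the illustration.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError


def profile_scope(path):
    """Return the top-level PayloadScope, or 'absent' / 'unparsed'."""
    try:
        plist = plistlib.loads(Path(path).read_bytes())
    except (plistlib.InvalidFileException, ExpatError):
        return "unparsed"  # e.g. a signed (CMS-wrapped) profile
    if not isinstance(plist, dict):
        return "unparsed"
    return plist.get("PayloadScope", "absent")


def audit_login_dir(directory):
    """List (name, scope, status) for profiles and packages in a folder."""
    findings = []
    for item in sorted(Path(directory).iterdir()):
        suffix = item.suffix.lower()
        if suffix == ".mobileconfig":
            scope = profile_scope(item)
            # Assumption: only an explicit User scope passes without review.
            findings.append((item.name, scope, "ok" if scope == "User" else "review"))
        elif suffix in (".pkg", ".mpkg"):
            # Per the maintainer's comment: no packages in login-every.
            findings.append((item.name, "package", "move"))
    return findings


def build_sample(directory):
    """Write constructed sample files (not real profiles) for a dry run."""
    d = Path(directory)
    base = {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.constructed", "PayloadContent": []}
    (d / "user.mobileconfig").write_bytes(plistlib.dumps({**base, "PayloadScope": "User"}))
    (d / "system.mobileconfig").write_bytes(plistlib.dumps({**base, "PayloadScope": "System"}))
    (d / "noscope.mobileconfig").write_bytes(plistlib.dumps(base))
    (d / "signed.mobileconfig").write_bytes(b"\x30\x82\x01\x00constructed-not-a-plist")
    (d / "prefs.pkg").write_bytes(b"constructed")


if __name__ == "__main__":
    import sys
    # Pass the folder to audit, e.g. /usr/local/outset/login-every
    for name, scope, status in audit_login_dir(sys.argv[1]):
        print(f"{status:6} {scope:9} {name}")
```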