How to deploy a System Configuration Profile with compliance evaluation?
To deploy a System Configuration Profile with compliance evaluation, use a Mac OS X Configuration Item with discovery and remediation scripts. This article covers the procedure for creating these scripts and deploying the profile.
- To create Discovery and Remediation scripts, download this script on the Mac along with the .mobileconfig you want to deploy.
Open Terminal and change to the directory where the script is located, e.g.
Give the script executable permissions:
sudo chmod u+x profile_installation_scripts_generator.sh
Enter the admin password when prompted.
Execute the script, passing the .mobileconfig location as an argument, e.g.:
The script will generate two files: discovery.sh and remediation.sh.
Copy scripts to SCCM Console server/workstation.
Create Configuration Profile:
Open SCCM Console, navigate to Assets and Compliance > Overview > Compliance Settings.
Right-click on Configuration Items > Create Configuration Item:
In the General tab of the Create Configuration Item Wizard pane, specify Name and Description (optional). Set the configuration item type to Mac OS:
Note: in SCCM versions prior to 1511 this dialog is different.
- In the Settings tab, click on the New button.
In the opened General tab of the Create Setting dialog:
- specify Name.
- change Setting type to Script.
- set Data type to String.
In the Discovery script pane, click on the Add Script button. In the opened Edit Discovery Script dialog, click on the Open button, locate the generated discovery.sh script and hit OK:
In the Remediation script pane, click on the Add Script button. In the opened Edit Discovery Script dialog, click on the Open button, locate the generated remediation.sh script and hit OK:
Note: if you now click on the Edit Script button to check the script, it will be shown in a good format.
Switch to the Compliance Rules tab:
- click on New button.
- in the opened Create Rule dialog specify rule Name, Description (optional).
- Set value returned by the specified script Equal to Profile Installed.
- Check Run the specified remediation script when this setting is noncompliant.
Set the rest of the options at your convenience:
- Click Next in the remaining panes of the Create Configuration Item Wizard to complete it.
- Create a Configuration Baseline and add Configuration Item.
- Deploy Configuration Baseline to required SCCM collection.
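
The compliance rule above marks a Mac as compliant only when the discovery script returns the string Profile Installed. The following is an added illustration of a discovery check of that shape, not the script produced by profile_installation_scripts_generator.sh; the profile identifiers, the `profiles -P` listing format and the "Profile Not Installed" text are assumptions.

```shell
#!/bin/sh
# Illustrative discovery check (added example, not the generated discovery.sh).
# Assumption: installed profiles are listed one per line in the form printed
# by `profiles -P` on macOS:
#   _computerlevel[1] attribute: profileIdentifier: com.example.wifi

# Constructed identifier; replace with your profile's top-level PayloadIdentifier.
EXPECTED_ID="com.example.vpn"

# Constructed sample listing (not output from a real machine).
SAMPLE_LISTING='_computerlevel[1] attribute: profileIdentifier: com.example.wifi.guest
_computerlevel[2] attribute: profileIdentifier: com.example.vpn
There are 2 configuration profiles installed'

# Read a profile listing on stdin and print the value the compliance rule
# compares. The identifier is matched as a whole field, so an installed
# "com.example.wifi.guest" does not make "com.example.wifi" look compliant.
discovery_result() {
    wanted="$1"
    if awk -v id="$wanted" '
        /profileIdentifier:/ { if ($NF == id) found = 1 }
        END { exit !found }'
    then
        echo "Profile Installed"
    else
        # Assumed text: any value other than the rule's string is noncompliant.
        echo "Profile Not Installed"
    fi
}

# On a Mac, evaluate the real listing; elsewhere this step is skipped.
if command -v profiles >/dev/null 2>&1; then
    profiles -P 2>/dev/null | discovery_result "$EXPECTED_ID"
fi
```

The printed string must match the value entered in the Create Rule dialog exactly, including case and spacing, or the remediation script will run on every evaluation.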