Jamf Pro Deployment

Deploying super via Jamf Pro requires only a single Policy, but in most cases you will also need to deploy a Configuration Profile.

Jamf Pro Configuration Profile payloads

While many of the super options can be deployed via a Configuration Profile, several features of super actually require a Configuration Profile. Note that all of the Configuration Profile payloads listed here can be deployed via a single super Configuration Profile.

Configuration Profile payload for super options

If there are specific super options you plan to set permanently then you should consider deploying these settings via a MDM configuration profile. Detailed documentation regarding the deployment of super settings can be found here.

Configuration Profile payload to allow the creation of a super service account

If you want super to automatically create a local service account via Jamf Pro you must also deploy a Privacy Preferences Policy Control (PPPC) MDM Configuration Profile. Specifically, you must allow the "SystemPolicySysAdminFiles" privilege for the /usr/local/jamf/bin/jamf and com.jamf.management.Jamf application identifiers.

The super repository contains a complete example MDM Configuration Profile to allow Jamf Pro to automatically create the super service account. After the creation of the local super service account on the system, you can remove this Configuration Profile payload.

Configuration Profile payload for API service account

If you want to avoid the "Computers Read" privilege for the Jamf Pro API account you must also deploy a Configuration Profile that contains the computer's Jamf Pro ID.

The super repository contains a complete example MDM Configuration Profile to deploy the Jamf Pro computer ID for the super update workflow via MDM push command. Note that this Configuration Profile payload uses the same preference domain of com.macjutsu.super as you would use to deploy other super options.

Jamf Pro Policy

The Jamf Pro Policy to deploy super only needs the script as-is, but you should also consider populating the Script Parameters. Specifically, any update credentials should be passed in via the Policy Script Parameters. However, you can only pass in one super option per Policy Script Parameter. Thus, if you want to deploy more than eight super options you will have to use a Configuration Profile as documented previously on this page.

Jamf Pro Policy

Jamf Pro Deployment Tips and Tricks

Here are a few tips to get the most of super when deploying via Jamf Pro:

• When deployed via Jamf Pro Policy, super will always (re)install itself. So to update super simply make your Policy run again with an updated version of the super script.

• You can have a Jamf Pro Policy run super on a regular schedule or you can use the --recheck-defer option in super, or you can use a combination of both methods.

• To only install super locally (and not start any updates) via Jamf Pro Policy, use the --skip-updates option in the Policy Script Parameters. Then when you are ready to start the super update workflow change the option to
  --no-skip-updates and have the Policy run again.

• If you deploy most of your super settings via Config Profile, consider also using the --reset-super option in the Script Parameters to clear any locally cached super options.