Jamf Pro: Policy
Policies in Jamf Pro offer the most flexibility for deploying to a device, as they can represent almost anything, from disk encryption and printer installs to account creation and hardware inventory; essentially anything that can be scripted can be run through Jamf Pro Policies. The most common use of policies from an AppsAnywhere point of view is likely to be triggering the deployment of a PKG package. Triggering Jamf Pro Policies from a launch button in AppsAnywhere is simple, and this article will take you through everything you need to know.
Before You Start
The remainder of this article assumes that your Policy is already configured in your Jamf Pro environment. It will need to be set up to be available through the Self Service app before it can be delivered through AppsAnywhere. We strongly recommend that you test the deployment of the policy through Self Service before bringing it into AppsAnywhere. This helps rule out any problems with the policy itself before you add the additional deployment workflows that AppsAnywhere brings to the process, which can make any existing issues more difficult to resolve.
In summary, you must ensure that your Jamf Pro Policy meets the following requirements to import it into AppsAnywhere:
You have set up the policy and it can be found in Jamf Pro under Computers > Computer Management > Policies
You have set the Scope for the policy such that it will be available to the devices you want to deploy it to through AppsAnywhere (see note on scope in the 'How It Works' section)
The Policy options are set to allow on-demand deployment:
The Policy is set to Enabled
The Execution Frequency is set to Ongoing
On the Self Service tab, the Make the policy available in Self Service option is selected
Adding A Delivery Method
Start by adding a new Jamf Pro: Policy delivery method to your chosen application, as described in the Jamf Delivery Methods article.
A lot of the fields you will need to configure are common to all delivery methods in AppsAnywhere, such as the Operating System Compatibility, Display Name, Launch Button Text and the Restrictions. For more information on configuring these values, see the Common Delivery Method Settings article. This section focuses on the settings specific to the Jamf Pro: Policy delivery method.
The following table describes each field and setting available when creating this type of delivery method, its intended value and an example for each.
So, to configure your new Jamf Pro: Policy delivery method:
Set up the basic details, operating system compatibility and restrictions as you would with any other delivery method
Choose the Jamf Pro Server Environment from which the policy will be deployed
Choose the policy you wish to deploy from the Select Policy dropdown box
If you need to, enter a custom Success Message to display to the user once the policy has been deployed.
If the save was successful, you will see the form replaced with the following message and your new delivery method will be added to the bottom of the list on the left-hand side.
If there were any errors with the data you entered, you will be prompted to correct these before you can continue.
Only valid policies will be made available to the AppsAnywhere admin interface. If you were expecting to see a policy in the Select Policy list but it is not there, check the policy in Jamf Pro to ensure that it meets all of the pre-requisites defined in the 'Before You Start' section above.
How It Works
Delivery Method Availability
In order to determine whether or not a Jamf Pro: Policy delivery method is available to the user, the following conditions will be checked on validation:
Is the device running macOS 10.11 or higher?
Is the Jamf binary installed on the device?
Is the device enrolled with a Jamf Pro Server?
Can the device connect to the Jamf Pro Server?
Is the device classed as "managed" in Jamf Pro?
Is the device connected to the same Jamf Pro instance as is referenced in the delivery method?
Is the policy referenced by the delivery method in scope (according to Jamf Pro) for the current device and logged in user?
Only if all of these criteria are met will the delivery method be available to the user. Keep in mind that it may still not be the preferred delivery method for that user environment if there are others defined with higher priorities for that app.
When a user clicks Launch on a Jamf Pro: Policy delivery method (assuming it is available to them), a message is sent to the AppsAnywhere Client indicating that the policy needs to be deployed. The AppsAnywhere Client makes use of the Jamf binary on the user's device that is installed during enrollment and runs the equivalent of the following command:
sudo jamf policy -id [id] -username [username]
id is the ID of the policy in Jamf Pro, and
username is the username of the user logged into AppsAnywhere (not the device itself)
While the username parameter on the jamf policy command is optional, we always specify it, as it triggers Jamf Pro to double-check the scope of the policy in relation to that user. This ensures that the policy is still available, just in case any variables have changed since we did this check during validation in AppsAnywhere. We use the username from the identity in AppsAnywhere and not that of the person logged into the device. This is the user that you, as the administrator, have specified through provisioning should have access to that policy, and it is the user against which we have checked the scope for that policy in Jamf Pro.
If you have any issues with deploying a particular policy through AppsAnywhere, use the command above to test whether the issue is with the Jamf Pro Policy itself, or with AppsAnywhere.
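The availability conditions that can be verified on the device itself, followed by the test command above, as an added troubleshooting example (not AppsAnywhere or Jamf code). The /usr/local/bin/jamf path, the jss_url preference key and all function names are assumptions; the "managed" and scope conditions are decided by Jamf Pro and are not reproduced here.

```shell
#!/bin/sh
# Added troubleshooting sketch. Paths and the jss_url key are assumptions.
JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"
JAMF_PLIST="${JAMF_PLIST:-/Library/Preferences/com.jamfsoftware.jamf.plist}"

# version_at_least CURRENT MINIMUM: succeeds when CURRENT >= MINIMUM.
version_at_least() {
  awk -v c="$1" -v m="$2" 'BEGIN {
    split(c, a, "."); split(m, b, ".")
    for (i = 1; i <= 3; i++) {
      if (a[i] + 0 > b[i] + 0) exit 0
      if (a[i] + 0 < b[i] + 0) exit 1
    }
    exit 0
  }'
}

# The command runs under sudo, so reject anything but a plain numeric ID.
valid_policy_id() {
  case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# Reject empty names, names starting with "-" (would parse as an option)
# and any character outside a conservative allow-list.
valid_username() {
  case "$1" in ''|-*|*[!A-Za-z0-9._@-]*) return 1 ;; *) return 0 ;; esac
}

# Compare two server URLs, ignoring case and trailing slashes.
normalise_url() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's:/*$::'; }
same_server() { [ "$(normalise_url "$1")" = "$(normalise_url "$2")" ]; }

# preflight EXPECTED_URL: reports the first failing condition.
preflight() {
  version_at_least "$(sw_vers -productVersion)" 10.11 || { echo "macOS older than 10.11"; return 1; }
  [ -x "$JAMF_BIN" ] || { echo "jamf binary not found at $JAMF_BIN"; return 1; }
  url=$(defaults read "$JAMF_PLIST" jss_url 2>/dev/null) || { echo "device not enrolled"; return 1; }
  same_server "$url" "$1" || { echo "enrolled with $url, expected $1"; return 1; }
  # Assumes checkJSSConnection exits non-zero when the server is unreachable.
  "$JAMF_BIN" checkJSSConnection >/dev/null 2>&1 || { echo "cannot reach Jamf Pro"; return 1; }
}

# Usage: sh preflight.sh POLICY_ID USERNAME EXPECTED_JAMF_URL
if [ "$#" -eq 3 ]; then
  valid_policy_id "$1" && valid_username "$2" || { echo "invalid id or username" >&2; exit 2; }
  preflight "$3" || exit 1
  sudo "$JAMF_BIN" policy -id "$1" -username "$2"
fi
```

If every local check passes and the policy still does not run, the remaining conditions to review in Jamf Pro are the device's managed status and the policy scope for that user.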