Skip to main content
Skip table of contents

Jamf Pro: Policy

Overview

Policies in Jamf Pro offer the greatest deal of flexibility for deploying to a device as they can represent almost anything from disk encryption, printer installs, account creation and hardware inventory; basically anything that can be scripted can be run through Jamf Pro Policies. The most common use of policies from an AppsAnywhere point of view is likely to be triggering the deployment of a PKG package. Triggering Jamf Pro Policies from a launch button in AppsAnywhere is simple and this article will take you through everything you need to know.

Before You Start

The remainder of this article assumes that your Policy is already configured in your Jamf Pro environment. It will need to be set up to be available through the Self Service app before it can be delivered through AppsAnywhere and we strongly recommend that you test the deployment of the policy through Self Service before bringing it into AppsAnywhere to help rule out any problems with the policy itself before adding the additional deployment workflows that AppsAnywhere adds to the process, which can make it more difficult to resolve any issues that may exist. 

Pre-requisites

In summary, you must ensure that your Jamf Pro Policy meets the following requirements to import it into AppsAnywhere

  1. You have setup the policy and it can be found in Jamf Pro under Computers > Computer Management > Policies

  2. You have set the Scope for the policy such that it will be available to the devices you want to deploy it to through AppsAnywhere (see note on scope in the 'How It Works' section)

  3. The Policy options are set to allow on-demand deployment:

    1. The Policy is set to Enabled

    2. The Execution Frequency is set to Ongoing

    3. On the Self Service tab, the Make the policy available in Self Services option is Selected

Adding A Delivery Method

Start by adding a new Jamf Pro: Policy delivery method to your chosen application, as described in the Jamf Delivery Methods article. 

A lot of the fields you will need to configure are common to all delivery methods in AppsAnywhere, such as the Operating System Compatibility, Display Name, Launch Button Text and the Restrictions. For more information on configuring these values, see the Common Delivery Method Settings article. This section focuses on the settings specific to the Jamf Pro: Policy delivery method. 

The following table describes each field and setting available when creating this type of delivery method, it's intended value and an example for each.


Field Name

Description

Intended Value

Example

Jamf Pro Server Environment

The environment from which the policy will be delivered, as defined in the Manage Jamf Pro Environments section

The name of the Jamf Pro environment that the policy is hosted in, selected from the list of options

Jamf Pro Production

Select Policy 

The policy that you wish to deploy through AppsAnywhere

The name of the policy, as defined in Jamf Pro, selected from the list of options

Library Printer Install

Success Message 

A custom message to display to the user once the policy has been deployed to help them understand what has been done (if, for example, it's not just a simple app deployment).

A description of what the policy has just done and what it means for the user 

The library printer is now configured and ready for use


So, to configure your new Jamf Pro: Policy delivery method:

  1. Setup the basic details, operating system compatibility and restrictions as you would with any other delivery method

  2. Choose the Jamf Pro Server Environment from which the policy will be deployed

  3. Choose the policy you wish to deploy from the Select Policy dropdown box

  4. If you need to, enter a custom Success Message to display to the user once the policy has been deployed.

  5. Click Save

If the save was successful, you will see the form replaced with the following message and your new delivery method will be added to the bottom of the list on the left-hand side

If there were any errors with the data you entered, you will be prompted to correct these before you can continue. 

Only valid policies will be made available to the AppsAnywhere admin interface. If you were expecting to see a policy in the Select Policy list but it is not there, check the policy in Jamf Pro to ensure that it meets all of the pre-requisites defined in the 'Before You Start' section above.

How It Works

Delivery Method Availability

In order to determine whether or not a Jamf Pro: Policy delivery method is available to the user, the following conditions will be checked on validation:

  • Is the device running macOS 10.11 or higher?

  • Is the Jamf binary installed on the device?

  • Is the device enrolled with a Jamf Pro Server?

  • Can the device connect to the Jamf Pro Server?

  • Is the device classed as "managed" in Jamf Pro?

  • Is the device connected to the same Jamf Pro instance as is referenced in the delivery method?

  • Is the policy referenced by the delivery method in scope (according to Jamf Pro) for the current device and logged in user?

Only if all of these criteria are met will the delivery method be available to the user. Keep in mind that it still not be the preferred delivery method for that user environment if there are others defined with higher priorities for that app. 

Policy Deployment

When a user clicks Launch on a Jamf Pro: Policy delivery method (assuming it is available to them), a message is sent to the AppsAnywhere Client indicating that the policy needs to be deployed. The AppsAnywhere Client makes use of the Jamf binary on the user's device that is installed during enrollment and runs the equivalent of the following command:

CODE
sudo jamf policy -id [id] -username [username]

Where:

  • id is the ID of the policy in Jamf Pro, and

  • username is the username of the user logged into AppsAnywhere (not the device itself)

While the username parameter on the jamf policy command is optional, we always specify it as it triggers Jamf Pro to double check the scope of the policy in relation to that user to ensure that it is still available, just in case any variables have changed since we did this check during validation in AppsAnywhere. We use the username from the identity in AppsAnywhere and not that of the person logged into the device as this is the user that you, as the administrator, have specified through provisioning should have access to that policy and against which we have checked the scope for that policy in Jamf Pro.

If you have any issues with deploying a particular policy through AppsAnywhere, use the command above to test whether the issue is with the Jamf Pro Policy itself, or with AppsAnywhere.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.