Policy Payload Reference

Jamf Pro Documentation 11.16.0


When creating or editing a policy, you use a payload-based interface to configure settings for the policy and add tasks to it. This section provides an overview of each payload.

Payload

Description

General

This payload allows you to do the following:

  • Enable or disable the policy. (For example, if you need to take the policy out of production temporarily, you may want to disable it.)
  • Add the policy to a site.
  • Add the policy to a category.
  • Choose one or more triggers.
  • Choose the execution frequency.
  • Retry the policy if it fails. (This only works with the "Once per computer" execution frequency.)
  • Make the policy available offline. (This only works with the "Ongoing" execution frequency.)
  • Specify the drive on which to run the policy.
  • Specify server-side limitations for the policy. (For example, you can specify an expiration date/time for the policy.) This uses Coordinated Universal Time (UTC).
  • Specify client-side limitations for the policy. (For example, you can ensure the policy does not run on weekends.) This uses the time zone settings of each target computer.

Packages

This payload allows you to perform the following software distribution tasks:

  • Install packages
  • Cache packages
  • Install cached packages
    Note:

    To install all cached packages, use the Maintenance payload.

  • Uninstall packages

    Note:

    Jamf Pro's built-in uninstall functionality only works for applications that were indexed via the Jamf Admin application, which was removed in Jamf Pro 11.7. If a package was uploaded or modified after Jamf Pro was upgraded to that version, you must use an alternative uninstallation method, such as a dedicated uninstaller from the app vendor or a custom script.

This payload also allows you to do the following when installing packages:

  • Specify the distribution point computers should download the packages from.
  • Add the packages to the Autorun data of each computer in the scope.

For complete instructions on managing packages, see Package Deployment.

Software Updates

This payload allows you to run Apple’s Software Update and choose the software update server that you want computers to install updates from. For complete instructions on creating a policy to run Software Update, see Running Software Update Using a Policy in the Deploying macOS Upgrades and Updates with Jamf Pro 10.34.0 or Later technical paper.

Scripts

This payload allows you to run scripts and choose when they run in relation to other tasks in the policy. You can also enter values for script parameters. For complete instructions on running scripts using a policy, see Scripts.

Printers

This payload allows you to map and unmap printers. You can also make a printer the default. For complete instructions on administering printers using a policy, see Printers.

Disk Encryption

This payload allows you to enable FileVault on computers with macOS 10.8 or later by distributing disk encryption configurations.

This payload also allows you to issue a new FileVault recovery key for computers with macOS 10.9 or later.

For complete instructions on enabling FileVault with a policy, see Enabling FileVault Disk Encryption Using a Policy.

Dock Items

This payload allows you to add and remove Dock items. When you add Dock items, you can also choose to add them to the beginning or end of the Dock. For complete instructions on administering Dock items, see Dock Items.

Local Accounts

This payload allows you to create and delete local accounts, and reset local account passwords. When you create an account, you can do the following:

  • Specify a location for the home directory.
  • Configure the account picture.
  • Allow the user to administer the computer.
  • Allow the user to be granted the first secure token from macOS.

This payload also allows you to disable an existing local account for FileVault on computers with macOS 10.9 or later.

For complete instructions on administering local accounts, see Local Accounts.

Management Account

This payload allows you to rotate the management account password.

For complete instructions on administering the management account, see Managed Local Administrator Accounts.

Directory Bindings

This payload allows you to bind computers to a directory service.

For complete instructions on binding to a directory service, see Directory Bindings.

EFI Password

This payload allows you to set or remove an Open Firmware or EFI password.

For complete instructions on administering Open Firmware and EFI passwords, see Setting or Removing an EFI Password.

Note:

Only computers with Intel processors have a configurable EFI password. On Mac computers with Apple silicon, enable FileVault to require users to enter a password when starting up from macOS Recovery or a different startup disk.

Restart Options

This payload allows you to restart computers after the policy runs and do the following:

  • Specify the disk to restart computers from.
  • Specify criteria for the restart depending on whether or not a user is logged in.
  • Configure a restart delay.
  • Restart computers using the RestartDevice MDM command, including the option to rebuild the kernel cache with specific kernel extension (kext) paths.
    Note:
    • Computers with Apple silicon (i.e., M1 chip) must have a bootstrap token escrowed to Jamf Pro in order to leverage this command.

    • Computers running a version of macOS prior to 11.0 cannot leverage the kernel cache rebuild functionality of the RestartDevice MDM command.

  • Perform an authenticated restart on computers with macOS 10.8.2–10.12.x, or macOS 10.14 or later that are FileVault 2 enabled.
    Note:

    For this to work on computers with FileVault 2 activated, the enabled FileVault 2 user must log in after the policy runs for the first time and the computer has restarted.

  • Configure the restart timer to start immediately without requiring the user to acknowledge the restart message.

You can also display a message to users before a policy restarts computers. For more information, see User Interaction with Policies.

Maintenance

This payload allows you to perform the following maintenance tasks:

  • Update inventory.
  • Reset computer names.
  • Install all cached packages.
  • Fix disk permissions (macOS 10.11 or earlier).
  • Fix ByHost files.
  • Flush caches.
  • Verify the startup disk.

For complete instructions on installing all cached packages, see Package Deployment.

Files and Processes

This payload allows you to search computers for specific files and processes, and use policy logs to log when they are found. You can kill processes that are found and delete files that are found when searching by path.

This payload also allows you to execute commands.

Microsoft Intune Integration

This payload allows you to register computers with Microsoft Entra ID using the Company Portal app for macOS from Microsoft. End users need to launch the Company Portal app through Jamf Self Service for macOS to register their devices with Entra ID as a computer managed by Jamf Pro. It is recommended that, prior to deployment, you notify end users that they will be prompted to take action.

The payload also automatically triggers an inventory submission from the computer to Jamf Pro.

For complete instructions on using the Microsoft Entra integration payload, see the Device Compliance with Microsoft Entra and Jamf Pro technical paper.