With macOS and VMware Workspace ONE®, administrators have a lot of flexibility in precisely how native macOS applications are deployed and configured. Specific applications might use Privacy preference settings, require kernel extensions or system extensions, and require a custom settings profile for configuration. Administrators might choose to deploy certain apps automatically to assigned end-user devices or make them available on-demand in an end-user’s VMware Workspace ONE Intelligent Hub. With on-demand applications, the user decides whether they want to install the app on their device.
As such, when deploying a macOS app to devices, administrators use both the application itself and one or more configuration profile(s) to supply various app settings. For applications that install automatically, this isn’t a concern because you can also deploy the corresponding profile automatically. However, for apps that are published on-demand, how can you ensure that you only install the related profile if the user chooses to install the app? This post explains how to use the Workspace ONE hubcli to deploy an optional profile during the installation of an on-demand application.
Create a Workspace ONE Profile with the macOS Application Configuration
The first step is to create an optional profile in Workspace ONE that covers all the application settings that you want. Keep in mind that the specifics depend on a particular application and might include Privacy preferences, kernel extensions, system extensions, and various custom settings payloads. This example walks through deploying Mozilla Firefox with a profile that contains two custom settings payloads: the first to approve notifications for the end-user automatically, and the second to set the Firefox homepage to our corporate website automatically.
- Create a new macOS profile in your Workspace ONE UEM Console. Enter a profile name.
- In the General payload, make sure that the Assignment Type is set to Optional.
- Assign the profile to the same Smart Groups as the application.
Next, configure the rest of the profile payloads as you want. In this Firefox example, we add two custom settings payloads:
- In the Custom Settings payload, paste the following text to automatically enable the application notifications:
<dict> <key>NotificationSettings</key> <array> <dict> <key>AlertType</key> <integer>2</integer> <key>BadgesEnabled</key> <true/> <key>BundleIdentifier</key> <string>org.mozilla.firefox</string> <key>CriticalAlertEnabled</key> <true/> <key>GroupingType</key> <integer>0</integer> <key>NotificationsEnabled</key> <true/> <key>ShowInLockScreen</key> <true/> <key>ShowInNotificationCenter</key> <true/> <key>SoundsEnabled</key> <true/> </dict> </array> <key>PayloadDescription</key> <string>Configures notifications settings.</string> <key>PayloadDisplayName</key> <string>Notification Settings</string> <key>PayloadIdentifier</key> <string>com.apple.notificationsettings.ABE75EA9-C93C-4F5F-A66D-36B851CC2635</string> <key>PayloadType</key> <string>com.apple.notificationsettings</string> <key>PayloadUUID</key> <string>ABE75EA9-C93C-4F5F-A66D-36B851CC2635</string> <key>PayloadVersion</key> <integer>1</integer> </dict>
- Continuing in the Custom Settings payload, select the “+” icon in the bottom-right corner to create a new payload, then paste the following text to define the homepage:
<dict> <key>EnterprisePoliciesEnabled</key> <true/> <key>Homepage</key> <dict> <key>Locked</key> <true/> <key>StartPage</key> <string>homepage</string> <key>URL</key> <string>https://www.vmware.com</string> </dict> <key>PayloadDescription</key> <string>Configures Firefox settings</string> <key>PayloadDisplayName</key> <string>Firefox</string> <key>PayloadIdentifier</key> <string>2C284A01-E458-4BBC-B185-021CCC8CB070</string> <key>PayloadOrganization</key> <string></string> <key>PayloadType</key> <string>org.mozilla.firefox</string> <key>PayloadUUID</key> <string>2C284A01-E458-4BBC-B185-021CCC8CB070</string> <key>PayloadVersion</key> <integer>1</integer> </dict>
- Click Save and Publish and then Publish the profile.
Retrieve the Workspace ONE Profile ID
The profile ID is required for use with the hubcli command later on. To retrieve the profile ID, navigate to the Devices > Profiles & Resources > Profiles page in the Workspace ONE UEM Console. Right-click the profile you just created, and select Copy Link (or your browser equivalent). Paste the copied link, and it should look similar to the following example:
The profile ID is the numeric value that comes after /DeviceProfileEdit/, highlighted in red. In this example, 12345.
Use hubcli to Install the Profile with an App
Your application should be uploaded and deployed through the Software Distribution area of the Workspace ONE UEM Console (that is, under Apps & Books > Applications > Native > Internal).
For more information about deploying non-store macOS apps in Workspace ONE, check out this Tech Zone article: Deploying a Third-Party macOS App: VMware Workspace ONE Operational Tutorial.
Proceed to the Edit Application page, or if you have an existing application, choose to Edit it.
Navigate to the Scripts tab.
Under the Install Scripts section, take note of the two text fields:
- Pre-Install Script – Any script included here will run before the installation of the application.
- Post-Install Script – Any script included here will run after the installation of the application.
In most cases, you can use the hubcli to install the application profile in either of these fields with no difference in behavior. With specific advanced application packages, however, certain configurations might need to be set either before or after the application install.
For our Firefox example, we’ll use the Pre-Install Script field to install the Configuration Profile just before the application installation. In that field, paste the following script. Make sure that you replace the Profile ID with your value.
#!/bin/sh /usr/local/bin/hubcli profiles --install 12345
The field should look similar to the following image:
Finally, select Save & Assign and, if needed, Add Assignment to create the assignment for your app.
Within the assignment, set the App Delivery Method to On Demand, and enable Display in App Catalog.
Publish the app.
With this setup, you’ve created a configuration that applies settings used by an application. Additionally, you’ve configured that application to deploy through the Workspace ONE Intelligent Hub app catalog via on-demand deployment. By using hubcli in a pre-install (or post-install) script, you’ve configured the configuration profile to install only when the application installs.