# Configuration Profile format
The project some sample files to get you started:
- [sample plist](Examples/sample-com.jamf.setupmanager.plist) for Jamf Pro
- [sample plist](Examples/sample-waitForUserEntry) for Jamf Pro with [two phase workflow](Docs/JamfPro-TwoPhase.md)
- [configuration profile](Example/sample-jamfschool.mobileconfig) for Jamf School
## Top-level keys
#### `DEBUG`
(Boolean, default: `false`)
When this is set to `true` any steps that actually change software on the disk will not be performed. This will also allow you to launch Setup Manager by double-clicking as the user. This can be useful to test a profile, or to take screen shots for documentation.
These behaviors change in debug mode:
- checks for the existence of the Jamf binary and keychain are skipped
- Jamf Setup manager will accept enrollmentActions from a non-managed preference file
- `policy`, `recon`, and `shell` actions that require root are replaced with a delay (and will always complete successfully)
- `watchPath` and `wait` actions timeout and fail after 10 seconds
When in debug mode, you can also set the `simulateMDM` preference key to `Jamf Pro` or `Jamf School`. This allows you to do test runs on un-enrolled Macs.
#### `title`
(String, default: `Welcome to Setup Manager`, localized, substitutions)
The main title over the window.
Example:
```xml
title
Welcome to your new Mac!
```
#### `icon`
(String, default: `name:AppIcon`, localized)
The icon shown at the top center of the window. There are many options to define icons, described in the [Icon Sources](#icon-sources) section later.
#### `message`
(String, default: `Setup Manager is configuring your Mac…`, localized, substitutions)
The message shown below the title.
Example:
```xml
message
Please wait a few moments while we install essential software…
```
The message can use [substitutions](#substitution):
Example:
```xml
message
Preparing your new %model%. Please be patient.
```
#### `background`
(String, optional, localized)
When this key is set, Setup Manager treats it as an image/[icon source](#icon-sources) and displays the image in a screen covering background.
#### `runAt`
(String, optional, default: `enrollment`)
**Beta:** We believe the run at login window feature may require more testing, especially in some edge cases. When, after thorough testing, you believe this works in your workflow, feel free to deploy it, and please let us know about success or any issues you might encounter.
This value determines when Setup Manager should launch. There are two values: `enrollment` (default) and `loginwindow`. When set to `enrollment` Setup Manager will launch immediately when the pkg is installed. This is the setting to use for automated device enrollment (without AutoAdvance) and user-initiated enrollment.
When the `runAt` value is set to `loginwindow` Setup Manager will launch only when the login window is shown. This is useful for fully automated enrollments using AutoAdvance.
A setting of `loginwindow` will only work with enrollment setups that eventually end on the login window (i.e. a user has to be created automatically, the device is bound to a directory, etc).
Example:
```xml
runAt
loginwindow
```
#### `enrollmentActions`
(Array of Dicts, required)
This array contains a list of `Dict`s which describe the individual actions to be performed in order. Actions are described in detail in the [Actions](#actions) section.
#### `userEntry`
(Dict of Dicts, optional)
When this key exists, Setup Manager will prompt for user data while the enrollment actions are running. The individual keys are described in [User Entry](#user-entry).
#### `help`
(Dict of Strings, optional)
When this key exists, Setup Manager will show a "Help" button (a circled question mark) in the lower right corner while it is running. You can add sub-keys with content for the help, which are described in [Help](#help). When Setup Manager has completed, the "Help" button will be replaced with the "Continue" and/or "Shutdown" button.
#### `accentColor`
(String, optional, default: system blue)
Sets the accent color for buttons, progress bar, SF Symbol icons, and other UI elements. You can use this to match branding. Color is encoded as a six digit hex code, e.g. `#FF0088`.
Example:
```xml
accentColor
#FF0088
```
#### `finalCountdown`
(Number/integer, optional, default: `60`)
This key changes the duration (in seconds) of the "final countdown" before the app automatically performs the `finalAction` (continue or shut down). Set to `-1` (or any negative number) to disable automated execution.
Examples:
```xml
finalCountdown
30
```
Disable the
```xml
finalCountdown
-1
```
#### `finalAction`
(String, optional, default: `continue`)
This key sets the action and label for the button shown when Setup Manger has completed. When this key is set to `shutdown` (no space!) it will shut down the computer, other wise it will just quit Setup Manager ("continue"). This is also the action that is performed when the `finalCountdown` timer runs out.
When the `DEBUG` preference is set, shutdown will merely quit/continue.
Example:
```xml
finalAction
shutdown
```
#### `showBothButtons`
(Bool, optional default: `false`)
This key determines whether both the 'Shutdown' and 'Continue' are shown or just the button set in the `finalAction` key.
**Warning:** this key is deprecated and will be removed in a future version of Setup Manager
Example:
```xml
showBothButtons
```
#### `totalDownloadBytes`
(Integer, opitonal, default: 1000000000 or 1GB, v0.8)
Use this value to provide an estimate for the total size of all items that will be downloaded. Setup Manager will display and estimated download time for this sum in the "About this Mac..." popup window.
Example:
```xml
totalDownloadBytes
4500000000
```
#### `jssID`
(String, Jamf Pro only)
Set this to `$JSSID` in the configuration profile and Setup Manager will be aware of its computer's id in Jamf Pro. It will be displayed in the 'About this Mac…' popup.
Example:
```xml
jssID
$JSSID
```
#### `userID`
(String, Jamf Pro only)
Set this to `$EMAIL` in the configuration profile. This communicates the user who logged in to customized enrollment to Setup Manager. This can be used together with the `userEntry.showForUserIDs` key to control which users see the user entry UI.
Example:
```xml
userID
$EMAIL
```
#### `computerNameTemplate`
(String, Jamf Pro only, substitutions)
When this key is set, Setup Manager will generate the computer name from this template and set it automatically. When this key is present, a `computerName` dict or string in `userEntry` will be ignored.
The template uses substitution tokens, which begin and end with `%` character which will be substituted with data at run time. See [Substitutions](#substitution) for details.
Example:
```xml
computerNameTemplate
Mac-%serial:=6%
```
This will set the computer name to `Mac-DEF456` where `DEF456` are the center six characters of the serial number
#### `overrideSerialNumber`
(String, optional)
When set, the "About this Mac" info window will show this value instead of the real serial number. This is useful when making screen shots or recordings for documentation or presentations where you do not want to expose real serial numbers.
Note: This is for display only. [Substitutions](#substitution) will still use the real serial number.
Example:
```xml
overrideSerialNumber
ABC1DEFABC
```
#### `hideActionLabels`
(Bool, optional, default: `false`)
Hides the individual labels under each action's icon.
Example:
```xml
hideActionLabels
```
#### `hideDebugLabel`
(Bool, optional, default: `false`)
When set, suppresses display of the red 'DEBUG' label in debug mode. Useful for screenshots and recordings.
Example:
```
hideDebugLabel
```
#### `simulateMDM`
(String, optional)
When debug mode is enabled, you can set the `simulateMDM` preference key to `Jamf Pro` or `Jamf School`. This allows you to do test runs on un-enrolled Macs.
## Actions
All actions should have these keys:
#### `label`
(String, required, localized, substitutions)
The label is used as the name of the action in display.
#### `icon`
(String, optional, localized)
The icon source string used for the display of the label. Different types of actions will have different default icons, which is used when no `icon` key is present.
There are several different types of actions, and these are defined by additional keys. These keys will be on the same level as the keys above.
### Shell Command
#### `shell`
(String)
The path to the command or script that should be run for this action. You need to provide the absolute full path to the command, e.g. `/usr/bin/say`.
#### `arguments`
(Array of Strings, optional)
When the command given in `shell` requires arguments they are listed here, one item per argument. Do _not_ escape or quote spaces or other special characters.
#### `requiresRoot`
(Bool, default: `false`, optional)
When this key is set to `true` Setup Manager will only run this when itself is running as root. Otherwise it will fail the action. When `DEBUG` is enabled, it will replace the action with a delay instead.
Example:
```xml
label
Set Time Zone
icon
symbol:clock
shell
/usr/sbin/systemsetup
arguments
-setTimeZone
Europe/Amsterdam
requiresRoot
```
### Jamf Policy Trigger
#### `policy`
(String, Jamf Pro only)
This will run the jamf policy or polices with the given trigger name. This is the equivalent of running `jamf policy -event `
Example:
```xml
label
BBEdit
icon
https://ics.services.jamfcloud.com/icon/hash_abcdefghj
policy
install_bbedit
```
### Watch Path
#### `watchPath`
(String)
This action will wait until a file at the given path exists (`wait` is `untilExists`, default) or is removed (`wait` is `whileExists`).
#### `wait`
(String, default: `untilExists`)
Determines if the action waits until the file exists (`untilExists`) or until the file is removed (`whileExists`).
#### `timeout`
(Number/integer, in seconds, default: `600`)
The action will fail after this timeout.
Example:
```xml
label
Jamf Protect
icon
symbol:app.badge
watchPath
/Applications/JamfProtect.app
timeout
300
```
Note: This is intended to check if app are installed from the Mac App Store or Jamf App Installers. In my experience, these installation methods are quite unreliable, hence the timeout. Since you cannot anticipate the order in which these apps may be installed, it is best to put the `watchPath` actions at the end. For large installations (Xcode) you want to set a large timeout.
### Wait
#### `wait`
(Number/integer, in seconds)
Wait for a given time. Use this to let the system catch up with previous installations.
Example:
```xml
label
Waiting…
wait
20
```
### Wait for User Entry
#### `waitForUserEntry`
(String, value is ignored, Jamf Pro only)
If Setup Manager reaches this action before the user entry has been completed, it will wait until the user entry is completed and the user has clicked 'Save.'
When the user entry is saved and this action is reached, it will set the computer name, according to the `computerNameTemplate` or what was entered by the user and run a recon/Update Inventory which submits the user data. It will also save the data from the user entry to the [user data file](Docs/Extras.md#user-data-file)
This action allows for "two phase" installation workflows where the policies in the second phase are scoped to data from the user entry. After this action, smart groups in Jamf Pro should reflect the data entered and you can use scoping in subsequent policies to choose which policies should or should not run on this device.
Regardless of whether there is a `waitForUserEntry` action or not, Setup Manager will submit the user data and run a recon/Update Inventory after all actions are finished.
```xml
label
Submit User Entry
waitForUserEntry
```
### Jamf Inventory Update (recon)
#### `recon`
(String, value is ignored, Jamf Pro only)
This will run a Jamf Inventory update.
You should usually not need to add a recon step. By default Setup Manager will automatically run an inventory update before and after running the enrollment actions.
Example:
```xml
recon
```
### Installomator
This will run [Installomator](https://github.com/Installomator/Installomator) to install a given label.
Note: by default, Setup manager will add `NOTIFY=silent` to the arguments to suppress notfications. You can override this in the `arguments`.
#### `installomator`
(String)
The installomator label to run.
#### `arguments`
(Array of Strings, optional)
List of additional arguments passed into Installomator.
Example:
```xml
label
Google Chrome
icon
symbol:gearshape.2
installomator
googlechromepkg
```
## Icon Sources
Icons (which include the top-level `icon`, the `background` and the `icon`s in individual actions) can be defined in several ways in Setup Manager.
### From the web
When the icon source string starts with `http` or `https`, Setup Manager will attempt to download a file from that URL and interpret it as an image file. It will show a spinning progress view while downloading.
```xml
icon
https://example.com/path/to/icon.png
```
### Local file
When the icon source is an absolute file path, Setup Manager will attempt to read that file as an image file and display it.
```xml
icon
/Library/Organization/image.png
```
You will need to install custom local image files _before_ Setup Manager runs.
With Jamf Pro, you can achieve that by adding another pkg to the Prestage. Since the Prestage installs pkgs in alphabetical order, this branding pkg should be named to be alphabetically _before_ "Setup Manager."
### Application:
When the icon source is an absolute file path that ends in `.app`, Setup Manager will get the icon from that app.
```xml
icon
/System/Applications/App Store.app
```
### Name:
When the icon source starts with `name:`, Setup Manager will get the icon with that name. Two names are useful: `AppIcon` gets Setup Manager's app icon and `NSComputer` will get an icon representing the current hardware.
```xml
icon
name:AppIcon
```
### SF Symbols:
When the icon source starts with `symbol:`, Setup Manager will create the icon using that symbols name. You can look up symbol names using the [SF Symbols](https://developer.apple.com/sf-symbols/) app.
Note that the availability and appearance of SF Symbols may vary with the OS version and language/region.
```xml
icon
symbol:clock
```
## User Entry
You can enable user entry for the following keys:
- `userID`
- `department`
- `building`
- `room`
- `assetTag`
- `computerName`
Any of the fields will only be shown when its key exists. If you were to create an empty `userEntry` dict, you get an empty user input screen with a 'Save' button - not a good user experience.
### User Data file
Data from user entry is written, together with some other data to a file when Setup Manager reaches a `waitForUserEntry` action and again when it finishes. The file is stored at `/private/var/db/SetupManagerUserData.txt`. [More details.](Docs/Extras.md#user-data-file)
#### `default`
(String, localized)
Provide a default value in two ways:
Example:
```xml
computerName
Mac-12345
```
Use this simple `string` form, when all you need is the field with a default value filled in. Leave the `string` value empty if you don't even want a default value.
When you want to configure other options of the field, you need to use the `dict` form:
Example:
```xml
computerName
default
ABC12345
validation
[A-Z]{3}\d{5}
```
#### `placeholder`
(String, localized)
This will show the string value given as a greyed out placeholder in the empty text field.
```xml
assetTag
placeholder
ABC12345
```
Note: a `default` value will prevent the placeholder from appearing, unless the user actively deletes the contents of a field.
#### `options`
(Array of Strings, optional)
This will show a popup list of preset options:
```xml
department
options
IT
Sales
R&D
```
The first option is the default selection.
Note: since we want to avoid having to provide Jamf Pro API credentials to Setup Manager, JSM does _not_ read the list of buildings or departments from Jamf and you will have to transcribe them into the profile. Annoying, but the lesser of two evils, here.
#### `validation`
(String, optional)
The value of this key is a regular expression string. When the expression matches the entire string entered, it validates. For example, a `validation` of `[A-Z]{3}\d{5}` will match three uppercase letters (`[A-Z]{3}`) and then five numbers (`\d{5}`).
Some useful regular expressions:
- `.+`: at least one character (i.e. not empty)
- `[a-z]{7}`: exactly seven lowercase letters
- `\d{3,5}`: three to five digits (numbers)
- `\S+\@(example\.com|example.org)`: email ending with `example.com` or `example.org`
Detailed description of the regular expression syntax: [NSRegularExpression](https://developer.apple.com/documentation/foundation/nsregularexpression)
Example:
```xml
userID
placeholder
first.last@example.com
validation
\S+\.\S+\@example\.com
```
#### `validationMessage`
(String, optional, localized)
The default validation message will show the regular expression the value is not matching. This is suitable for debugging but not at all user friendly. You really should provide a localized message explaining how the entry should conform.
```xml
assetTag
placeholder
ABC12345
validation
[A-Z]{3}\d{5}
validationMessage
en
Asset Tag needs to be of format 'ABC12345'
de
Etikett Nummer muss im Format 'ABC12345' sein
fr
L'étiquette d'actif doit être au format 'ABC12345'
nl
Asset Tag moet het formaat 'ABC12345' hebben
```
### Conditionally show the user entry for certain users
You can configure Setup Manager to only show the user entry section when specified users have authentication in enrollment customization. This enables workflows, where certain users (techs and admins) gets the option to re-assign the device to another user, but other users don't see the option.
For this, you need to setup the top-level `userID` to receive the `$EMAIL` variable. This will communicate the user who logged in with customized enrollment back into Setup Manager. Then you add key `showForUserIDs` with an array of user emails to the `userEntry` dict. When both `userID` and `userEntry.showForUserIDs` are set, the user entry UI will only show for the listed users.
#### `showForUserIDs`
(Array of Strings, optional)
Example:
```xml
userEntry
showForUserIDs
a.b@example.com
m.b@example.com
r.p@example.com
userID
placeholder
first.last@example.com
validation
\S+\.\S+@example.com
userID
$EMAIL
```
## Help
When you provide a top-level `help` key with a dictionary a help button (with a circled question mark) will be shown in the lower right corner (for left-to-right localizations). When you click on the help button a window with information will be shown. You can set the information with the following keys in the `help` dictionary.
#### `title`
(String, optional, localized)
#### `message`
(String, optional, localized)
#### `url`:
(String, optional, localized)
The contents of the `url` key will be translated into a QR code and displayed next to the help message. This allows for end users to follow a link to more information on another device while the Mac is performing installations.
Example:
```xml
help
message
This is some help message content.
title
Help Content
url
https://jamf.com
```
## Localization
The app will pick up the user choice of the UI language for the interface elements. (Table of currently available languages below) The app will fall back to English for other language choices.
You can provide localizations for the custom texts given in the configuration profile.
**Deprecation notice:** the method for providing localized texts in the configuration profile changed in version 1.1. The previous method (by appending the two letter language code to the key) is considered deprecated. It will continue to work for the time being but will be removed in a future release. It is _strongly_ recommended to change to the new dictionary-based solution.
To provide a set of localizations for a value in the profile, change its type from `string` to `dict`. Inside the `dict`, provide a value for each localization for each localization with the language code as key.
For example, this unlocalized key-value pair
```xml
title
Welcome!
```
can be localized like this:
```xml
title
en
Welcome!
de
Willkommen!
fr
Bienvenu!
nl
Welkom!
```
When there is no value for the localization, the app will fall back to the value of the `en` key.
The following keys can be localized:
### Top-level keys
- `title`
- `message`
- `icon`
- `background`
### Actions
- `label`
- `icon`
### User Entry
- `default`
- `placeholder`
- `validationMessage`
### Help
- `title`
- `message`
- `url`
Use these two-letter codes for these languages:
| Language | two-letter code |
|--------------------|-----------------|
| English | en (default) |
| Dutch (Nederlands) | nl |
| French | fr |
| German | de |
| Italian | it |
| Hebrew | he |
| Norwegian | nb |
| Spanish | es |
| Swedish | sv |
The [plist and profile example files](Examples) contain localizations for many of the custom text elements.
## Substitution
Certain keys, such as `computerNameTemplate` can use tokens, which begin and end with `%` character. The tokens will be substituted with data from the device or user entry.
For example, in the template `Mac-%serial%` the `%serial%` token will be replaced with the computer's serial number.
A double `%%` will be substituted with a single `%`, in case you need to represent this symbol.
The following tokens are available:
- `serial`: the computer's serial number
- `udid`: the computer's provisioning universal device identifier
- `model`: the computer's model name, e.g. `MacBook Air` or `Mac mini`
- `model-short`: the first word of `model` (no spaces), i.e. `MacBook`, `Mac` or `iMac`
- these values from user entry, _after_ user entry has completed (see [`waitForUserEntry`](#waitForUserEntry))
- `email`
- `assetTag`
- `building`
- `department`
- `room`
If the value for a token cannot be retrieved or is empty, it will be substituted with `%%%` (three percentage signs).
You can add a `:n` (where `n` is an integer number) to a token. This will substitute only the first `n` characters of the string. For example `%serial:5%` will be substituted with the first 5 characters of the serial number. When `n` is negative, it will substitute the _last_ `n` characters. For example, `%udid:-8%` will substitute the last eight characters of the udid. When you use `:=n` the _center_ `n` characters will be picked.
These keys can use substitutions:
- `title`
- `message`
- `computerNameTemplate`
- actions: `label`