Using System Information.app to troubleshoot configuration profile conflicts
It is generally considered good practice to separate each configuration profile payload into its own profile, treating configuration management deployment like a buffet.
Mac A can have a piece of Wifi profile, a dollop of finance restrictions profile, and a sprinkling of VPN profile.
Mac B can also have a piece of the same Wifi and VPN profiles, but this time served with the engineering restrictions profile instead of the Finance one.
As handy as this can be, you run the risk of deploying two profiles managing the same settings differently, to the same device. In most cases the result is ‘undefined’ (Apple-speak for ‘you should not do this – here be dragons’). In reality, the managed setting can flick back and forth between the two options, or apply only one of the two settings. The result is an unpredictable and possibly unusable device. How do you go about troubleshooting this issue?
The built-in System Information.app can be a great tool to aid general troubleshooting on client devices. This application can be found in the Utilities folder, or via the ‘About this Mac’ > ‘System Report’ button.
Once launched, you will see a wealth of information regarding the Mac, including a tonne of hardware and software information.
Under the software section, you will see two core areas that can be helpful in specifically troubleshooting profile conflicts, ‘Managed Client’ and ‘Profiles’.
The Managed Client section contains details of the areas and items managed, arranged by preference domain or area:
The ‘Profiles’ section contains the same information but instead is arranged by the profile it is configured by.
How can I use this information?
Good question. As an example, imagine you have a device that is not always skipping the iCloud setup screen when a user first logs in.
First, you will need to find the preference key or value that affects the setting you are having issues with. In this example, I know the key is ‘SkipCloudSetup’ in the Setup Assistant domain.
Now find and open the System Information.app and navigate to the ‘Managed Client’ section. Select all the domains listed in the upper section (you can optionally use the left arrow key to collapse them) and press command and F (⌘+F) to bring up the Find window. Paste your key value in there, then search through to find where the key is present and how often.
Occasionally you will see more than one key present in your list – this seems to be expected for some settings. However this could also be a sign of your issue. It is important to check whether the key is set more than once but with a different value. In our example, the ‘SkipCloudSetup’ key is only set once and has a value of ‘1’ (or true/enabled).
If you have found a possible issue with the setting, you need to then identify which profile/s it is being managed by. Move over to the ‘Profiles’ section and press command and F (⌘+F) to bring up the Find window again. Search for your key a second time to see where it is set and how many times.
Once you have found the key, scroll up until you find the name of the profile managing the key. Repeat this for each entry of the conflicting key to identify all the profiles managing the value.
For our example, the profile ‘Managed Security and Privacy, Encryption, Login Window and Restrictions’ is setting the value for ‘SkipCloudSetup’ and is the only profile doing so.
This should hopefully give you enough information to find the profile that should not be scoped to the device – and to fix the scoping in your MDM solution.
In this post, we explored using the System Information application to troubleshoot possible profile conflicts. I know this really helped me when I first came across it and hopefully it will be of use to you too.