AirWatch: Deploy custom MCX profiles

In order to deploy custom MCX profiles, I will use the excellent mcxToProfile tool by Tim Sutton. Get it here -> https://github.com/timsutton/mcxToProfile

My goal here is to change the delay to ask password to "Immediately". 

0. Install mcxToProfile. I use git as I find it easier to update, but you can also download it directory from the github page. You might need to make the python script executable (see below)

$ git clone https://github.com/timsutton/mcxToProfile.git
$ chmod +x ./mcxToProfile/mcxToProfile.py
  1. Make the changes to your Mac (Here, I go to System Preferences > Security & Confidentiality > General and I change the setting to "Immediately".
  2. Now, find the defaults domain. This is almost an art, I won't cover this here. In this case, it is com.apple.screensaver
  3. Launch mcxToProfile to create the .mobileconfig
$ ./mcxToProfile/mcxToProfile.py --defaults com.apple.screensaver --identifier org.maclovin.screensaver
$ cat org.maclovin.screensaver.mobileconfig
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadContent</key>
            <dict>
                <key>com.apple.screensaver</key>
                <dict>
                    <key>Forced</key>
                    <array>
                        <dict>
                            <key>mcx_preference_settings</key>
                            <dict>
                                <key>askForPassword</key>
                                <integer>1</integer>
                                <key>askForPasswordDelay</key>
                                <real>60</real>
                                <key>tokenRemovalAction</key>
                                <integer>0</integer>
                            </dict>
                        </dict>
                    </array>
                </dict>
            </dict>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>MCXToProfile.f4859170-42b5-467f-a249-220c689103ec.alacarte.customsettings.3fad436d-d335-4d08-849e-3feda8397631</string>
            <key>PayloadType</key>
            <string>com.apple.ManagedClient.preferences</string>
            <key>PayloadUUID</key>
            <string>3fad436d-d335-4d08-849e-3feda8397631</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Included custom settings:
com.apple.screensaver

Git revision: a14a19d7f0</string>
    <key>PayloadDisplayName</key>
    <string>MCXToProfile: com.apple.screensaver</string>
    <key>PayloadIdentifier</key>
    <string>org.maclovin.screensaver</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>f4859170-42b5-467f-a249-220c689103ec</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

You can double click on this file to install it manually (or use $ open org.maclovin.screensaver.mobileconfig). Restart System Preferences to see this setting in the GUI (Security & Confidentiality > General). Then remove this profile, we'll move on to AirWatch.

Now you need to import this to AirWatch:

  1. Go to console
  2. Go to Devices > Profiles > List view
  3. Add > Add Profile
  4. Apple Mac OS X > Device Profile
  5. Fill General infos 

Go to Custom settings and paste only the relevant portion:

        <dict>
            <key>PayloadContent</key>
            <dict>
                <key>com.apple.screensaver</key>
                <dict>
                    <key>Forced</key>
                    <array>
                        <dict>
                            <key>mcx_preference_settings</key>
                            <dict>
                                <key>askForPassword</key>
                                <integer>1</integer>
                                <key>askForPasswordDelay</key>
                                <real>60</real>
                                <key>tokenRemovalAction</key>
                                <integer>0</integer>
                            </dict>
                        </dict>
                    </array>
                </dict>
            </dict>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>MCXToProfile.f4859170-42b5-467f-a249-220c689103ec.alacarte.customsettings.3fad436d-d335-4d08-849e-3feda8397631</string>
            <key>PayloadType</key>
            <string>com.apple.ManagedClient.preferences</string>
            <key>PayloadUUID</key>
            <string>3fad436d-d335-4d08-849e-3feda8397631</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>

Now it should be working fine