Blog Center
Recently active
There will probably come a point in a Jamf Pro admin’s duties when they find themselves with the need to provide a mechanism for users to add or exclude their Mac to the scope of a Configuration Profile or Policy via Self Service. An example would be so users could add themselves to a group teasing macOS Beta releases. Using the Jamf Pro API to add a Mac to a Static Computer Group might seem like the obvious way to do this, but per recommendations made in the Jamf Pro certification courses calling the API from arbitrary endpoints is not recommended. This article will describe an alternative mechanism to allow user initiated scope changes without using the Jamf Pro API. The core part of this approach is what’s known as a flag file, and its existence on a Mac can be used to add the Mac to a Smart Computer Group which can be used a Scope Target or Exclusion. To create the flag file we’ll use a script to be called via a Script payload in a Self Service initiated Policy. To det
Whether you’re new to Jamf Nation or have been here a while, it’s easy to see the Jamf community is different. But its secret sauce isn’t the platform, or even the strategy that facilitates its direction. It’s the people who fuel its growth. Those passionate customers – the ones who push Jamf to continuously improve, who come to our events and present on our webinars – inspired a program. In 2018, Jamf launched Jamf Heroes – an opportunity that gave customers a unique way to engage with Jamf, and each other. Over the last seven years, the program grew. Jamf Heroes connected thousands of customers in meaningful ways that helped generate professional successes, grow genuine friendships and inspire more involvement in the Apple community. It thrived. Now we’re ready to take it to the next level and relaunch the Heroes program with a refreshed vision (and in a new home that’s coming soon)! The program will offer customers:  
This time, looking for a job was a bit different. In the past when you looked, there always seemed to be a few options out there you could choose from. At the very least, a list you could rank and go after a few based on priority. These days it seems you may still see what appear to be quite a few options out there, but unfortunately the times they are a changing as the saying goes. I don't want to sound dire, but between new factors that have chipped away at what you see and what you actually get. It's quite a bit more difficult out there right now. Because of that, I wanted to jot a few things down to see if I could help about my recent experience. So whether you're in the midst of your job search or about to embark on that journey, here are some observations that I think could help. Things aren’t totally what they appear to be. Between AI being tier zero to any job applicant, and the fact that companies are posting ghost jobs just to compile data, my first takeaway from that
As someone who’s been part of the Apple admin community for a few years now, I’ve had the privilege of helping out the amazing team with MacAD.UK, both as an attendee and behind the scenes. In my day-to-day role as a Technical Lead for Workplace Solutions, I spend my time working with all aspects of our business with everything Apple and development, collaborating with fellow admins, sharing knowledge and supporting customers adopt Apple technology whenever I can. MacAD.UK is a community-driven, session-led Apple-focused conference, has been a staple in Brighton for eight years. Bringing together world-class speakers, leading exhibitors, and top technical professionals from around the globe. Whether you're an experienced admin or just starting your journey, MacAD.UK is where the community comes together to learn, collaborate, and push the boundaries of what’s possible. Why Attend MacAD.UK? First and foremost, the ducks! (Ok, maybe not the ducks. More on
On March 20th, 2025, the NYC Jamf User Group (NYC JUG or “the JUG”) celebrated its 11th anniversary—a milestone that reflects the remarkable growth and resilience of the Apple Admin community. What began as a small gathering of 20 admins in Jamf’s old NYC office has flourished into a thriving network, now meeting at Apple’s 11 Penn Plaza location, with over 80 attendees regularly.A Look Back: From Humble Beginnings to a Thriving CommunityFounded in 2014, the NYC JUG was created to bring Apple admins together to share real-world Jamf experiences outside of official events. With early encouragement from Jamf supporters, including Henry Patel and Jonah Klevesahl (now at Apple), the group held its first meeting on February 18, 2014, after a few weeks of promotion on Jamf Nation.What started with 20 admins quickly grew through word of mouth. By the third meeting, the group had outgrown Jamf’s office, prompting Apple to offer their 100 Fifth
Content backfill required
A Read-only Friday post by William Smith You have no control over when you’ll get an idea.Yes, I do get my best ideas in the shower. Ready to go on a scavenger hunt? Getting through and beyond your own anxieties about presenting at a technical conference or meetup is the hardest part about presenting at a technical conference or meetup. Taking that first step to commit yourself to an uncomfortable (but worthwhile!) challenge begins your journey of a thousand miles. But I promise the rest will only feel like 500. 🫠 Now begins the execution: we need to first find ideas for a topic. What do I know that I can present? You may ask yourself, “What do I know that makes me an authority on anything?” Simply put, it’s your own experiences that your audience wants to hear. Notice the title of this post starts with “Finding”. Right now, it’s time to find your story. Don’t try to make something out of thin air. In the next blog post, I’ll talk about starting and developing your story. Every presen
When I was asked to write my thoughts down for a blog to celebrate International Women’s Day, my first reaction was, What the heck?! Advice, from me? More specifically, advice on professional development. Ha! I don’t even RTFM! Then, I had a flashback to 2019 when Jamf asked me to be on their first Women in Tech panel at JNUC. I’ll admit—I needed some encouragement from other admins, my leadership, and my team. I may or may not have gone into hiding when first asked to be on a panel. In the end, I wound up co-presenting with a fellow woman Mac admin on leadership, and it turned out to be a positive experience. After this quick montage in my head, I cast my doubts aside and realized, Okay, maybe I do have something to share. I can talk about a few key things in my career that I think could be helpful to other women out there. The 2025 UN International Women’s Day (IWD) theme is “For ALL Women and Girls: Rights. Equality. Empowerment.” This theme focuses on empowering the next gener
@AJPinto also know as Anthony James Pinto, is Jamf Nation’s number one community contributor. With some all-star stats like providing 289 accepted solutions, 2,607 posts and 1,145 kudos, it's likely that you’ve seen his name splashed around the community. Jamf Nation, the world’s largest Apple Admins community, relies on the smarts and dedication of members to help advance and maintain this space as a valuable asset of learning and connection. People like Anthony make communities like Jamf Nation function in their highest level. Let's take a peak inside Anthony’s brain and learn more about the man behind the avatar, shall we? Tell us about yourself, Anthony I am from LA and have lived all over the US. I settled down in central Alabama for reasons beyond me, met my wife and just sorta stayed here. My wonder lust never went away, and I love to travel and experience new places and new things. My preferred travel locations are places far a
I was asked last week to think of some practices as a Jamf Admin that I’ve adopted into my environments that have really helped me out. One of the first things that came to mind was organization practices. Organization is key to keeping a clean environment and can help you quickly identify what is being configured and where. I’ve made some notes on how I like to keep my environments organized with naming conventions and will share them below. Naming conventions will help to keep objects organized, reduce confusion, and help optimize our Jamf Pro platform. As additional policies, configuration profiles, packages, groups, etc. get added to the platform, a consistent naming scheme will provide clarity. The name of any object in Jamf Pro should quickly describe what it does or what it’s for. Each object within Jamf Pro should also be tied to an appropriate category. Keep it simple. Static/Smart Computer Groups &
"Security is not a product, but a process." – Bruce Schneier In today’s endpoints landscape, organizations managing macOS / Windows endpoints face an increasing need to enforce stringent security standards to protect sensitive data. The CIS (Center for Internet Security) Benchmarks serve as a globally recognized framework for safeguarding endpoints against security threats. When combined with the powerful capabilities of Mobile Device Management (MDM) such as Jamf Pro, Intune, Endpoint Central, etc., , IT administrators can seamlessly implement these benchmarks to enhance security without compromising user experience. CIS Benchmarks are consensus-based, best-practice security configuration guides. They provide detailed recommendations on configuring IT systems to mitigate vulnerabilities. For macOS, the CIS Apple macOS Benchmark offers actionable steps to harden systems against cyberattacks while ensuring compliance with organizational security policies. Using CIS
As enterprises grow increasingly and rely on technology, finding efficient ways to provide employees with access to digital tools is important. While iPads are often the device of choice for many organization, a one-to-one deployment may not always be feasible. Apple’s Shared iPad functionality, combined with Jamf Pro, offers a powerful solution for enterprises looking to provide secure and personalized access on shared devices without compromising user experience or data security. What is Shared iPad in Enterprise? Shared iPad is a feature designed to enable multiple users to share a single iPad while maintaining a secure, personalized experience for each individual. Each user logs into the device with their Managed Apple Account or a temporary session, accessing their unique apps, settings, and data. When users log out, their data is stored securely and becomes inaccessible to others.&nbs
Effectively managing devices is essential for IT administrators in today's rapidly changing digital environments. While tools like Jamf offer powerful capabilities for managing Apple devices, a truly optimized IT strategy involves more than just top-down policy creation. Incorporating user feedback loops into your Jamf-managed environment can transform device management from a purely administrative task into a dynamic, user-centric process. By conducting surveys, analyzing self-service usage metrics, and adjusting policies based on user behavior, IT teams can ensure their strategies align with the needs of employees or students. This approach enhances device utilization and promotes greater satisfaction and productivity. Why User Feedback Matters in Device Management Device management policies often stem from IT goals such as ensuring security, minimizing downtime, and maintaining compliance. However, the end users—employees, educators, or students—interact with t
Note: A newer version of this article is available on the Jamf Blog. Jamf added support for LAPS in April’s Jamf Pro 10.46.0 release. What is LAPS? LAPS is short for Local Administrator Password Solution. It was coined by Microsoft in May 2015 as a solution for automatically rotating passwords of shared IT administrator accounts on end users’ computers. Since then, it’s become a standard industry term used across platforms. Desktop administrators have added shared IT admin accounts to their end users’ computers for decades for those times when they need to sit in front of a computer or remotely control it and log in. But this practice introduces a few major security problems: Typically, these accounts share the same username and password across computers. If the credentials are ever exposed to unauthorized persons, the entire fleet is vulnerable to attack. Multiple people know these shared IT admin credentials and they’re easy to reshare to anyone without any mea
From a small email distribution list to a formalized community forum, Jamf Nation has served as the premier online resource for Apple management enthusiasts for more than a decade. And recently, in case you missed the news, it hit a milestone - 300,000 posts. Jamf’s founder, and former CEO, Zach Halmstad, not only recognized the desire for customers to share ideas as a way to problem solve, but he also saw their need to connect as humans. So in 2012, he pitched an idea - Jamf Nation. “Early on we witnessed the huge benefits our customers saw when they could ask each other questions and share their solutions,” Halmstad recalled. “Jamf Nation was the next step for us to ensure customers were successful.”In a 16-slide Keynote, Halmstad pitched his idea to his colleagues at Jamf. He shared the reasons to shift the company’s rapidly growing email distribution list to an online forum, citing communication as a main goal. (Slide from original deck shown below). Fast forward 12 years, a
We have added a new reward to Jamf Nation Rewards: the ability to donate using points to Los Angeles County, by supporting organizations providing emergency relief. Dangerous wildfires, including the destructive Palisades fire, have ravaged Los Angeles County. The wildfires have burned more than 60 square miles and destroyed over 12,000 buildings. More than twenty people have died, dozens more are missing and more than 90,000 people are under evacuation orders. It is the most destructive fire in LA history. If you’re interested in a way to help through sending a donation, we have set up a new way you can redeem your Byte reward points to help with the LA wildfire relief. It only takes 50 points to donate $25! To find out where the donations are heading, check out this page -https://jamf.benevity.org/community/fundraiser/24332 Donations can be made under the reward '$25 Donation to Emergency Relief LA County'. Please reach out to jamfnation@jamf.com s
As you’ve probably heard, Declarative Device Management (or, for less of a mouthful, DDM) is making significant changes to the way in which managed devices go about their business in some key ways - most notably how managed software updates work. We’re going to take a look at this in detail, as it’s been a particularly hot topic in the Apple Admin community over the last couple of years. What is DDM, anyway? Firstly, it’s not a typo of ‘MDM’! In a nutshell, gone is the notion that the MDM server needs to constantly check-up on how a device is getting on with a certain command it’s been asked to do; instead, the device has much more independence and tells the MDM server when something has been done. This majorly cuts down on the stream of commands issued to devices (particularly when performing remote software updates, which we’ll loop back to shortly) and means that a growing number of attributes, such as OS version, can be updated on the MDM without an inventory update command
Instead of using the Okta Authentication API, Jamf Connect can also use the Custom identity provider type with an application set up for OIDC/ROPG in the Okta tenant. This allows for granular application of Authentication Policies in the new Okta Identity Engine tenants. Create App Integration in Okta Navigate to the organization Okta administration page. Select Applications → Applications and pick the Create App Integration option. Select the options for OIDC - OpenID Connect and Native Application. Select Next to continue. Select a name for the App integration name. In Grant type, select the options for: Resource Owner Password (this enables ROPG for ongoing password checks) Implicit (hybrid) Scrolling down for more options, remove the default entries with the X option for Sign-in redirect URIs and Sign-out redirect URIs. Enter a new sign-in redirect URI with the value https://127.0.0.1/jamfconnect Optionally, assign users to the Jamf Co
Co-Authored By Simone Martorelli and Jonathan Krauer At the Jamf Nation User Conference this year, the Mac@IBM team presented a new solution that’s set to transform Mac device migrations in the enterprise: IBM Data Shift. Developed in response to the unique challenges of managing large-scale Mac deployments, it provides a user-friendly, secure, and efficient method to migrate data on managed devices—bridging gaps left by traditional migration tools. Why Traditional Migration Solutions Don’t Fit Enterprise Needs When it comes to Mac migrations, enterprises encounter complexities that personal device users typically don’t face. Managed Device Environments, for instance, have high security standards and stringent configuration needs that general migration tools aren’t designed to meet. While Apple’s Migration Assistant is well-suited for a personal environment, it may lead to headaches in a managed setting. Some of the main challenges include: Post-Setup Migratio
People ask me all the time what the most significant difference is between supporting an MDM for Macs and supporting Windows. I’ve thought about the answer a lot, and it comes down to the collaborative nature of the Apple support community. One underrated community aspect is the sheer number of open-source tools available. The sheer number of tools freely available by the community for the community is amazing! As admins, we strive to make endpoints more secure and streamlined. This often requires acquiring new products and services. Still, it often comes down to Finance signing off on the expense and information Security, ensuring it doesn’t do anything improper with the data. Management approving the implementation of a new tool, not to mention your time making a Proof of Concept (in non-production of course!). This often comes alongside dealing with account representatives, solution engineers, and a slew of other hurdles they are concerned with. Enter open source! I used
This week of the Mac Admins Podcast, we spoke with Jamf's VP of Product & Solutions Engineering Matt Vlasach to talk about Network Relays, and how they can be used to secure network traffic. Relays are different from -- and newer than -- a VPN in a lot of ways, and they're not as well understood. Matt joins hosts Marcus (Jamf SE) and Tom (JumpCloud Product Director) to talk about what makes Relays new and special for Mac Admins. Relays are a complicated technology behind the scenes, but Matt breaks it down into some key components for Mac Admins to understand. The [MASQUE protocol](https://datatracker.ietf.org/wg/masque/about/) that drives Relays is highly secure and private, and the client is built directly into the operating system, all you need to turn it on is an MDM Profile, and if necessary, a per-app VPN. Matt talks at length about Relays are a "yes, and" technology that can go hand in hand with your regular VPN client, allowing you to ensure that key comp
Background Like most organizations, we want the best — most secure — experience for our users. So, naturally, we’ve investigated leveraging Managed Apple IDs. While Managed Apple IDs come with some significant limitations, my personal favorite has to be: Allows browsing but not purchasing, paid or free in: App Store However, the promise of a Shared iPad is quite alluring. The Rub I also suspect “the rub” for most organizations who wish to federate their domain is Apple’s unwillingness to inform the enterprise which of the enterprise’s users will be impacted before federation is enabled: … but you can’t see their actual personal Apple ID. Get notified about federated authentication user name conflicts, Item No. 7 Script The following Domain Apple IDs Jamf Pro Computer Extension Attribute will inspect the current (or previous) logged-in user’s MobileMeAccounts.plist for Apple IDs associated with domains included in the domainsT
If you're like me, you wear many hats at your organization, and if your organization is like mine (higher education) your staffing is lean. You may think, as I once did, that you don't have time to start enforcing macOS security compliance, or even see why you should. But in today's climate of evolving threats, increasing regulation, and high-profile settlements, it's likely that you'll need to get started sooner than you think. First of all, if you're new to security compliance, you might want to check out my presentation from PSU MacAdmins 2024, where I went into detail about how the macOS Security Compliance Project (mSCP) works together with Jamf Compliance Editor (JCE) to help you build a framework you can use to: set a compliance baseline, check your fleet to see what's compliant and what's not, report on those findings, and fix non-compliant devices. There are plenty of great resources on how to use mSCP and JCE, so what I'll concentrate on is the planning and staging.&nbs
Recently, my organization's Compliance and Security Operations teams requested visibility into how macOS apps are patched. They needed a report showing deployed apps via Jamf and their version status. After two manual reports, I knew there had to be a better way and developed a Python script for automation. Initially, I didn't plan to share the code publicly, thinking it might not be helpful to others. However, a friend, Chris Ball, encouraged me to release it—leading to the creation of Patcher. Manual reporting takes time away from critical tasks like CVE remediation and policy setup. Automating these processes allows MacAdmins to focus on more pressing matters. The time saved with Patcher has been invaluable for myself, and I hope others will benefit from it too. What does Patcher do? Patcher leverages the Jamf Pro API to automate patch management reporting, transforming data into actionable insights. Designed as a Command Line Interface (CLI), it integrates easily with LaunchAgents
Earn a cool badge and Jamf Nation Reward Bytes for your published articles. We’re looking forward to your submissions!