Question

Best practice on app deployment

  • October 15, 2025
  • 5 replies
  • 96 views

GabeCz

What is the best practice for app deployment? Is it using the “Mac Apps” menu and setting them to auto install instead of self service store, or deploying apps using Policies?

My best guess is to add app-specific scripts and settings, but is there anything else that gives benefits using policy instead of just making it mandatory in the other way?

5 replies

Chubs
  • Jamf Heroes
  • October 15, 2025

Not really a best practice per se.
 

  1. Always use the JAMF app catalog or VPP if possible. Updates are handled automatically if set that way. 
     
  2. If the app isn’t available in the JAC or VPP, or requires a specialized configuration - then use a policy with a script to scrape the web for the package and install it… then configure it. 
     
  3. Sometimes you can use both methods mixed with a configuration profile to configure said apps. Really depends on how the app postures for configurations. 
     

All that to say this - if updates are a big deal for your org, then stick with number 1. If deployment options are important, then stick with number 2. 


AJPinto
  • Legendary Contributor
  • October 15, 2025

This is entirely up to your business needs.

  • AppStore - I generally recommend to auto install AppStore Apps, as the delay with VPP processing once a user clicks install and how it behaves if a user clicks install a bunch of times is just bad optics.
  • Custom Apps - I use Jamf's app catalog when available. I install automatically anything we want to be persistent across all devices in scope, and self service everything else.

thebrucecarter

Pretty much the same here as mentioned above, except we don’t generally automate finding the installers due to possibly “supply chain” type attacks.  That phase has a human element in it to download the package file.  We name them generically and note the version so that we can just send the newest directly to the distribution point.

We’re trying to get out of the business of packaging.  Vendors should be using the industry standard method of supplying package files.


GabeCz
  • Author
  • New Contributor
  • October 16, 2025

Thanks everyone.

So installing the apps by adding them in either of the app stores and setting them to “install automatically” is the way, because it then updates too.

There’s no benefit then to install those apps in the pre stage step by adding them from “enrollment packages”, but maybe that those from enrollment packages will install even before first login.

I don’t see the difference in “enrollment packages” and the app store items, maybe only that the latter updates automatically and the packages we (they) upload are to nurse manually?

Our IT department didn’t get rights for package upload… oh well.


AJPinto
  • Legendary Contributor
  • October 17, 2025

Not exactly

 

  • App Store Apps - These use VPP, and you can configure them to auto update. They can also be fairly slow and temperamental to install with very few options for troubleshooting. I generally avoid AppStore apps where possible on macOS.
  • Jamf App catalog - These are custom apps that Jamf maintains the packages and definitions for, and you can use this to auto update apps within scope. Fairly reliable, but a lot of smoke and mirrors due to using Apple's MDM framework, but this is very much a set it and forget it option.
  • Policies - You can deploy your own .pkgs and .dmgs among other payloads, and even mix payloads to deploy scripts with packages to do extra stuff when needed, and even perform inventory updates for situations when you need to know when something finished.
  • PreStage - The packages you place in the Prestage will install before the enrollment process finishes, and macOS can even hold off loading the login screen for this to finish. The packages deployed with the Prestage must be signed, and do not need to be associated with any policy. These packages deploy far faster than VPP or Jamf’s App Catalog can deploy applications, and are not limited to deploying applications; if you can package it you can deploy it. If you need to ensure an application or asset needs to be on the device at the time a user logs in for the first time, this is how you do it.