Hey folks!
I am looking for some real-world architecture advice from people managing more segmented Jamf environments.
In previous companies, my Jamf setup was relatively straightforward:
- one main device type,
- mostly shared configurations,
- common app stack,
- unified policies and profiles.
Now I’m building a more segmented environment and trying to design it the “right” way before things scale too much.
We’ll likely have multiple categories of macOS devices with different requirements, for example:
- standard daily-use employee Macs,
- security/guard team devices,
- travel/restricted devices,
- possibly more specialized fleets later.
Each category may require:
- different app sets,
- different restrictions,
- different onboarding flows,
- different compliance/security baselines,
- different Self Service experiences.
I’m currently building around:
- PreStage Enrollment,
- Jamf Setup Manager,
- smart groups,
- scoped policies/profiles.
The thing I’m trying to figure out is the long-term architecture strategy.
How do you structure environments like this in a scalable and maintainable way?
For example:
- Do you keep one shared “global baseline” scoped to All Managed Clients and only split specialized configs/apps into dedicated smart groups?
- Or do you build almost completely separate “worlds” per device category?
- Do you prefer multiple PreStages mapped to different workflows?
- How much duplication in policies/profiles is acceptable vs trying to centralize everything?
- Any lessons learned after environments became more segmented over time?
I’m especially interested in:
- scaling cleanly,
- avoiding scope chaos,
- keeping troubleshooting manageable,
- minimizing policy/profile sprawl,
- onboarding architecture,
- and long-term maintainability.
Would love to hear how more mature Jamf environments are structured in practice.
My current idea would probably be to build this around multiple PreStages and then create Smart Groups based on which PreStage was used during enrollment.
Then I would scope everything to those Smart Groups depending on the device role/type.
For example:
- if I want 100 apps available only for regular employee Macs - scope them to the “regular devices” group,
- if I want another 20 apps only for security/guard devices - scope them there,
- if I need additional restrictions/compliance baselines - same approach.
So essentially:
- different PreStages,
- different Smart Groups,
- and everything scoped based on device purpose/workflow.
The only thing I’m wondering about is whether this approach eventually means I should almost completely stop using “All Managed Clients/Devices” scopes except for truly universal baseline items.
This is my first instinct, but I’d really like to hear how people with larger/more mature Jamf environments approach this in practice.
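An added example, not part of the original post: a small scope audit that takes policy records in the shape of the Jamf Pro Classic API's policy JSON (an assumption; the records and role group names below are constructed) and buckets each policy into the global baseline, a single-role scope, "every role group individually" (the baseline in disguise, a candidate for All Managed Clients), or scoped to nothing.

```python
"""Audit Jamf Pro policy scoping: baseline vs role-scoped vs unscoped.

Added example. Assumption: records look like the Classic API's
GET /JSSResource/policies/id/{id} response; the sample below is constructed.
"""
from collections import defaultdict

SAMPLE_POLICIES = [  # constructed sample data
    {"policy": {"general": {"id": 1, "name": "Install Security Agent"},
                "scope": {"all_computers": True, "computer_groups": []}}},
    {"policy": {"general": {"id": 2, "name": "Install Slack"},
                "scope": {"all_computers": False,
                          "computer_groups": [{"id": 10, "name": "Role - Regular Employee"}]}}},
    {"policy": {"general": {"id": 3, "name": "Install Guard Console"},
                "scope": {"all_computers": False,
                          "computer_groups": [{"id": 11, "name": "Role - Security Guard"}]}}},
    {"policy": {"general": {"id": 4, "name": "Install Zoom"},
                "scope": {"all_computers": False,
                          "computer_groups": [{"id": 10, "name": "Role - Regular Employee"},
                                              {"id": 11, "name": "Role - Security Guard"},
                                              {"id": 12, "name": "Role - Travel"}]}}},
    {"policy": {"general": {"id": 5, "name": "Old Printer Setup"},
                "scope": {"all_computers": False, "computer_groups": []}}},
]

# Hypothetical names of the per-PreStage role smart groups.
ROLE_GROUPS = {"Role - Regular Employee", "Role - Security Guard", "Role - Travel"}


def classify_scopes(policies, role_groups):
    """Bucket policies by scope shape.

    baseline: scoped to All Managed Clients (keep this list short and universal)
    role:     scoped to one or some role groups
    promote:  scoped to every role group individually, i.e. a baseline item in disguise
    unscoped: reaches no device and is likely sprawl left over from a past workflow
    """
    report = defaultdict(list)
    for item in policies:
        pol = item["policy"]
        name = pol["general"]["name"]
        scope = pol["scope"]
        groups = {g["name"] for g in scope.get("computer_groups", [])}
        if scope.get("all_computers"):
            report["baseline"].append(name)
        elif not groups:
            report["unscoped"].append(name)
        elif role_groups and groups >= role_groups:  # guard against an empty role set
            report["promote"].append(name)
        else:
            report["role"].append(name)
    return dict(report)


if __name__ == "__main__":
    for bucket, names in classify_scopes(SAMPLE_POLICIES, ROLE_GROUPS).items():
        print(f"{bucket:9s} {', '.join(names)}")
```

The same bucketing applies unchanged to configuration profiles, whose Classic API records carry the same `scope` block.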
