Skip to main content
Solved

Jamf Best Practices

  • February 13, 2023
  • 8 replies
  • 65 views
T
Forum|alt.badge.img+1

Hello Everyone,

My company is slowly moving into the Apply ecosystem and I was put in charge of setting up MDM with Jamf. I do already have some good experience with Apple itself from previous days working at the Genius Bar. But, not at the enterprise level. I want to set this up right initially so that it makes the lives of everyone else that interacts with it easier.

I've gotten the bare minimum done(Setup Apple Business Manager, Jamf 100 cert). And we plan on using In-Tune for identity management. Which, at the moment will mainly be used for iOS devices.

As the title says above, what are some best practices that I can follow now? What Automation's feel like magic? What pitfalls should I expect to run into?

Any tips would be greatly appreciated.

Best answer by AJPinto

You are already off to a good start.

 

You pointed out your first challenge. Your Genius Bar experience will not help much in a administrative capacity. Apple teaches you the consumer side of their products, MDM is a totally different beast. Troubleshooting MDM workflows is totally different than troubleshooting consumer workflows. Look over Apples Deployment and Management training even if you dont plan on taking the exam.

https://it-training.apple.com/tutorials/apt-deployment

 

Use Automated Device Enrollment for organization owned devices. This will require you to reprovision your existing iOS and macOS devices because thanks Apple. Do not rely on user enrollments.

 

I cannot stress this enough. Manage Macs like Macs, not like Windows. If you expect the same workflows and results out of MacOS as you do Windows you will have a lot of problems and disappointments. Apple builds a lot of their functions off of Automated Device Enrollment. Apple also does not give too poops about centralized identity management, do not domain bind. If you need some kind of central identity management look in to something like JAMF Connect for the most Windows like Experience, if password syncing is all you need look in to Apples SSO Connector, NoMad, Okta Verify, etc.

 

As an admin, accept anyone who does not work daily with Macs and iOS will complain as your data and workflow is not the “Windows way”. Be ready for a lot of pushback because you cannot replicate a given GPO configuration, or collect the same kind of data in the same way.

 

You mention Intune, just to note as Intune is also a MDM. You cannot use multiple MDM’s on one device, its JAMF or Intune. On macOS there is JAMF+Intune integration for conditional access, its not worth the effort. Microsoft has no idea how to support it, and JAMF can do conditional access by itself.

Appvalley tutuapp

    8 replies

    AJPinto
    Forum|alt.badge.img+26
    • AJPinto
    • Legendary Contributor
    • 2802 replies
    • Answer
    • February 13, 2023

    You are already off to a good start.

     

    You pointed out your first challenge. Your Genius Bar experience will not help much in a administrative capacity. Apple teaches you the consumer side of their products, MDM is a totally different beast. Troubleshooting MDM workflows is totally different than troubleshooting consumer workflows. Look over Apples Deployment and Management training even if you dont plan on taking the exam.

    https://it-training.apple.com/tutorials/apt-deployment

     

    Use Automated Device Enrollment for organization owned devices. This will require you to reprovision your existing iOS and macOS devices because thanks Apple. Do not rely on user enrollments.

     

    I cannot stress this enough. Manage Macs like Macs, not like Windows. If you expect the same workflows and results out of MacOS as you do Windows you will have a lot of problems and disappointments. Apple builds a lot of their functions off of Automated Device Enrollment. Apple also does not give too poops about centralized identity management, do not domain bind. If you need some kind of central identity management look in to something like JAMF Connect for the most Windows like Experience, if password syncing is all you need look in to Apples SSO Connector, NoMad, Okta Verify, etc.

     

    As an admin, accept anyone who does not work daily with Macs and iOS will complain as your data and workflow is not the “Windows way”. Be ready for a lot of pushback because you cannot replicate a given GPO configuration, or collect the same kind of data in the same way.

     

    You mention Intune, just to note as Intune is also a MDM. You cannot use multiple MDM’s on one device, its JAMF or Intune. On macOS there is JAMF+Intune integration for conditional access, its not worth the effort. Microsoft has no idea how to support it, and JAMF can do conditional access by itself.

    sdagley
    Forum|alt.badge.img+25
    • sdagley
    • Jamf Heroes
    • 3567 replies
    • February 13, 2023

    @teach02 I agree 1000% with @AJPinto that you should adopt Automated Device Enrollment (ADE) from the start of your deployment. There are already some management capabilities only available to ADE enrolled devices, and I expect that list will expand in the future.

    If you're looking for a workflow for ADE the combination of DEPNotify and DEPNotify-Starter has been around for a while and is a good start. For an example of what can be done with DEPNotify see https://www.youtube.com/watch?v=HbKZ66F58qo

    Another option is the combination of swiftDialog and @dan-snelson 's Setup Your Mac script.

    I disagree with @AJPinto that the Jamf & Intune integration isn't worth the effort. For some organizations it may be a requirement. The older Conditional Access integration was definitely a PITA to set up and the compliance check options in Intune were very limited. As of Jamf Pro 10.43 the new Device Compliance integration is supported for Macs, and moves the compliance check process from Intune to Jamf Pro which offers much more flexibility.

    T
    Forum|alt.badge.img+19
    • Tribruin
    • Honored Contributor
    • 582 replies
    • February 13, 2023

    @AJPinto & @sdagley  both have given a lot of great advise. Just a few addtional comments. 

    Take advantage of the Jamf Training Catalog. https://trainingcatalog.jamf.com/ You get access with your Jamf subscription. There are some really good getting started video series. 

    Don't try and do everything at once. Take small steps. Learn how configuration profiles work and deploy a few (I always suggest starting with a FileVault profile. Fairly simple to understand and deploy.) From their create a policy to install a package. Try setting up the policy to install automatically, then another policy in Self Service. 

    Jamf Pro is a very powerful tool, but it is only as good as the Administrator. There can be a tendency to overmanage the computers, start slow and learn what you need. 

    Finally, asks lots of questions. One thing I really appreciate about the Mac Admin community is that we are very open and want to help. I think Jamf tag line of "helping organizations  succeed with Apple" applies to the Mac Admin community. It is very likely that any issue or question you have will already been asked. 

    Join the MacAdmin Slack community and ask questions. (Start with #jamfnation). https://www.macadmins.org/

     

    AJPinto
    Forum|alt.badge.img+26
    • AJPinto
    • Legendary Contributor
    • 2802 replies
    • February 13, 2023

    @AJPinto & @sdagley  both have given a lot of great advise. Just a few addtional comments. 

    Take advantage of the Jamf Training Catalog. https://trainingcatalog.jamf.com/ You get access with your Jamf subscription. There are some really good getting started video series. 

    Don't try and do everything at once. Take small steps. Learn how configuration profiles work and deploy a few (I always suggest starting with a FileVault profile. Fairly simple to understand and deploy.) From their create a policy to install a package. Try setting up the policy to install automatically, then another policy in Self Service. 

    Jamf Pro is a very powerful tool, but it is only as good as the Administrator. There can be a tendency to overmanage the computers, start slow and learn what you need. 

    Finally, asks lots of questions. One thing I really appreciate about the Mac Admin community is that we are very open and want to help. I think Jamf tag line of "helping organizations  succeed with Apple" applies to the Mac Admin community. It is very likely that any issue or question you have will already been asked. 

    Join the MacAdmin Slack community and ask questions. (Start with #jamfnation). https://www.macadmins.org/

     


    There can be a tendency to overmanage the computers, start slow and learn what you need. 

    @Tribruin This, very well put. Asking "why are we doing this" has become my first question whenever anyone asks to implement some new managed configurations.

    AJPinto
    Forum|alt.badge.img+26
    • AJPinto
    • Legendary Contributor
    • 2802 replies
    • February 13, 2023

    @teach02 I agree 1000% with @AJPinto that you should adopt Automated Device Enrollment (ADE) from the start of your deployment. There are already some management capabilities only available to ADE enrolled devices, and I expect that list will expand in the future.

    If you're looking for a workflow for ADE the combination of DEPNotify and DEPNotify-Starter has been around for a while and is a good start. For an example of what can be done with DEPNotify see https://www.youtube.com/watch?v=HbKZ66F58qo

    Another option is the combination of swiftDialog and @dan-snelson 's Setup Your Mac script.

    I disagree with @AJPinto that the Jamf & Intune integration isn't worth the effort. For some organizations it may be a requirement. The older Conditional Access integration was definitely a PITA to set up and the compliance check options in Intune were very limited. As of Jamf Pro 10.43 the new Device Compliance integration is supported for Macs, and moves the compliance check process from Intune to Jamf Pro which offers much more flexibility.


    To be fair the last time I tested Conditional Access was with 10.41. Though what left the bad taste in my mouth was Azure not JAMF. Though we have a very heavily configured Azure environment which added to the complications and could be skewing my opinion.

     

    10.43 just came out and I have not had my teeth in to it yet. I just upgraded our on prem instance to 10.42.1 two weeks ago. I really should give intune integration another look.

    piotrr
    Forum|alt.badge.img+8
    • piotrr
    • Contributor
    • 132 replies
    • February 14, 2023

    I'm glad you came in now, when we have conditional access rules in Jamf rather than the old Intune integration. I'm on the old integration and there is no plan from Jamf on how to migrate for us yet. 

    sdagley
    Forum|alt.badge.img+25
    • sdagley
    • Jamf Heroes
    • 3567 replies
    • February 14, 2023

    I'm glad you came in now, when we have conditional access rules in Jamf rather than the old Intune integration. I'm on the old integration and there is no plan from Jamf on how to migrate for us yet. 


    @piotrr My suspicion is that there will be no simple direct migration mechanism as that would entail having some way to create a Smart Group in Jamf Pro for the Device Compliance evaluation by extracting the existing Conditional Access configuration from Intune and I don't believe there's any API to get that info from Intune (or if there's a direct match in criteria). I expect anyone who had invested significant time into setting up the old Conditional Access integration with Intune isn't going to be happy having to migrate to Device Compliance, but they will be much happier with the configuration process because it's much cleaner (with the caveat that we've just started testing the process of setting up DC here, but IMO it looks much better than CA)

    piotrr
    Forum|alt.badge.img+8
    • piotrr
    • Contributor
    • 132 replies
    • February 14, 2023

    @piotrr My suspicion is that there will be no simple direct migration mechanism as that would entail having some way to create a Smart Group in Jamf Pro for the Device Compliance evaluation by extracting the existing Conditional Access configuration from Intune and I don't believe there's any API to get that info from Intune (or if there's a direct match in criteria). I expect anyone who had invested significant time into setting up the old Conditional Access integration with Intune isn't going to be happy having to migrate to Device Compliance, but they will be much happier with the configuration process because it's much cleaner (with the caveat that we've just started testing the process of setting up DC here, but IMO it looks much better than CA)


    My compliance rules aren't that complicated and if all I have to do is create smart groups for evaluation and compliance in JAMF that correspond to our old Intune rules, I could have that done this afternoon. 

    I'm more worried about how to properly remove the old connections between Jamf and Intune, the old registrations on all these Macs without breaking anything....which is why I'm glad teach02 won't have to go through that. :) 


    Terms & ConditionsCookie settingsAccessibility statement