If you were an organization that deployed remote Macs using a MDM profile and a local admin account for the first technician setting it up. And then a second local admin account for the user it is assigned to. How would you change this to be more secure and modern? Jamf Connect? Any other apps, policies, or settings you would recommend?
Question
Managing Remote Macs at Scale
+3
+23First, use Apple Business Manager so that Macs will auto enroll in Jamf Pro. Jamf Pro can install an admin account just before the Setup Assistant launches. This can be a LAPS account with a password that can be set to automatically rotate regularly on what ever schedule you decide to use. Next, create the intended user's account first. This will ensure that this user gets the secure token that allows them to perform software updates. You should use some kind of zero touch provisioning process to allow users to boot up new Macs for the first time and do their own setups. They won't need to do much except get it connected to the internet, and create their user account. After the Mac reaches the desktop, your ZTP process can launch and get all the apps installed. The solution I use is called Setup Your Mac. https://github.com/setup-your-mac/Setup-Your-Mac/blob/main/Setup-Your-Mac-via-Dialog.bash I recommend that you enforce using FileVault. What apps do you want your users to have when they get their Macs? There are a lot of smart Apple admins here who have created some really great solutions. We're all happy to help!
+26Depends on your budget. For me 0 touch deployment is a non-negotiation point.
- Automated Device Enrollment (or go home).
- the 501 admin account will be created on the device by Jamf during enrollment.
- Configure the device as desired automatically with policies and Configuration Profiles.
- User Enrolls the Device, and skip account creation during setup assistant.
- Use Jamf Connect, XCreds, or PSSO to create the user account on demand from the login screen.
- There is no step 4, the user is off to the races.
Your tech should never log in to the device, and should never really touch the device. I also very strongly recommend not giving the end users admin access. You can add users to local groups like _developers, or change permissions on preferences like WIFI or printers to allow standard users to add/remove networks and printers. For advanced workflows look in to EPM tools, but don’t give admin access out.
+20I'll add Jamf Setup Manager into the ring. We are using this with success along with Installomater and DockUtil.
We are a Smart Card organization, so we use Microsoft Platform SSO (PSSO).
+11I'll add
Automated device enrolment with Apple school manger.
Pre stage.
Jamf connect.
Enable file vault via config profile.
MacOS onboarding runs through self services to deliver policies
https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/macOS_Onboarding.html
https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/macOS_Onboarding.html
Jamf app catalog if you have common apps you need to delivery to your devices.
If you already have an azure environment you can setup admin groups there to be used with Jamf connect. If you can avoid given out admin rights at all do it.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.