Looking after iOS devices for a large IT company.
We have a 'default' set of restrictions; every newly set up device gets this. There are other profiles as well that look after things for all devices (passcodes are a good example). Restrictions, though, are the main concern.
So, there are manually created restriction profiles for managers. Another set for those in comms. Another set for interns, another set for something else, and so on. Things are now a little arbitrary.
TL;DR: managers can use WhatsApp and USB (for CarPlay) connections. Comms are allowed to use WhatsApp, and interns are allowed to use only critical apps (for example, only Outlook, Teams, and MS Authenticator). Everybody else just gets the Default (automatically) and can play with the Calendar and other not-so-important stuff. But not WhatsApp! GDPR laws in Europe.
A static group based on serial is used to 'map' each device to each set of restrictions.
What is starting to get on my nerves is the 'configuration creep'. In essence, I have to create more and more static groups and then add these static groups as the 'scope' of each profile, and then add all the others to the exclusion list. A kind of mutual arrangement. Almost exponential growth!
So, let's say for management, I must exclude communications and interns. For communication, I must exclude management and interns. For interns, I must exclude management and communication. AND for the "default" profile, I must exclude all the groups listed already.
On top of this I can sometimes get a warning that configuration is already installed on a device when I try to put it in a special config profile group. So, some removing and re-adding must be done to get things right.
Is this normal (or is there an easier way of doing things)?
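The mutual-exclusion scheme described in the post can be modelled and audited offline. The following is an added example, not part of the original post: it derives each profile's scope and exclusion list from the static groups and reports any device that would not end up with exactly one restriction profile. The serial numbers are constructed, and the rule that an exclusion overrides scope is an assumption about the MDM, which the post does not name.

```python
# Constructed sample data: group names follow the post, serials are made up.
STATIC_GROUPS = {
    "managers": {"SER001", "SER002"},
    "comms": {"SER002", "SER003"},  # SER002 sits in two groups by mistake
    "interns": {"SER004"},
}
ALL_DEVICES = {"SER001", "SER002", "SER003", "SER004", "SER005"}


def build_profiles(groups):
    """Derive each profile's scope and exclusion list from the group map."""
    profiles = {}
    for name in groups:
        # Each special profile targets its own group and excludes the others.
        profiles[name] = {"scope": {name}, "exclude": set(groups) - {name}}
    # The default profile targets every device and excludes every special group.
    profiles["default"] = {"scope": None, "exclude": set(groups)}
    return profiles


def profiles_for(serial, groups, profiles):
    """Profiles a device receives. Assumption: an exclusion overrides scope."""
    member_of = {g for g, serials in groups.items() if serial in serials}
    received = []
    for name, p in profiles.items():
        in_scope = p["scope"] is None or bool(p["scope"] & member_of)
        if in_scope and not (p["exclude"] & member_of):
            received.append(name)
    return sorted(received)


def audit(devices, groups):
    """Return {serial: profiles} for devices not getting exactly one profile."""
    profiles = build_profiles(groups)
    findings = {}
    for serial in sorted(devices):
        got = profiles_for(serial, groups, profiles)
        if len(got) != 1:
            findings[serial] = got
    return findings


if __name__ == "__main__":
    for serial, got in audit(ALL_DEVICES, STATIC_GROUPS).items():
        print(f"{serial}: receives {got or 'no restriction profile'}")
```

Under these assumptions, a device listed in two static groups is excluded from every restriction profile, including the default, so group membership overlaps are worth checking before each scope change.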