Skip to main content

We're currently looking at purchasing Casper Suite as a better way to manage our Macs than what we have at the moment.

Before the purchase of a solution can be approved, our organisation needs us to perform "due diligence", in order to establish that the product in question will do at least 80% (and ideally 100%) of what we want to do.

We'll be asking JAMF about these items too, but our due diligence procedure requires us to seek opinions from other users of the product as well as the vendor themselves.

The things we want to be able to do with Casper Suite fall into three main categories:

  1. Things we need to do that we can already do with Apple's Profile Manager
  2. Things we need to do that we can't do with Profile Manager (either because Profile Manager is broken, or because we couldn't get the functionality to work, or because it lacks the functionality altogether)
  3. Things which we don't currently do but which Casper looks like it could offer us and that are really cool.

I won't go into detail on the first category as the functionality that Profile Manager provides is fairly basic and I would not expect any issues with Casper Suite providing those same functions - though if you're from an organisation that has also transitioned from Profile Manager to Casper I'd be interested in hearing about that, as that's the situation we're in.

There are a number of things in the second category. In no particular order:
- Connecting Macs to our 802.1X wireless network. We have a Windows based RADIUS and Certificate Authority. It's supposed to be possible to configure Profile Manager to have the Mac request a certificate from the Windows CA and use this to authenticate the machine (not the user - the connection needs to already be up before the user logs in) to 802.1X, but I have never been able to get this to work, so currently all our Macs that need to use wireless are languishing on a PSK SSID.
- Adding printers (ideally, different ones for different groups of Macs, so that Macs in rooms on C corridor get the C corridor printer, while ones on the first floor of G block get the printer in that corridor, for example). Profile Manager doesn't have that level of granularity (other than by splitting the Macs up into Device Groups) but our expectation was that we could just put all the Mac-compatible printers on there and users would be able to choose which one they wanted to print to. The actual reality was that any Mac which had this profile applied to it got all its printers deleted. Also the printers had to be added on the Profile Manager server before they were selectable in Profile Manager.
- Configuring icons on the Dock. Seems like a trivial thing, but we think it's useful to be able to preconfigure our students' Dock with the applications they are most likely to need. Profile Manager requires us to have all the applications we want to put on the Dock, installed on the Profile Manager server. The actual reality of a Profile Manager Dock profile was that the icons were put onto the Dock in a completely scrambled up order which did not resemble the order we had set them up in.
- Managing local accounts. Due to the size of the video files they work with, students in the Media Department currently use local accounts on Macs so that their work is saved on the local hard drive (which we use Retrospect to back up). Profile Manager doesn't offer us a way to manage these at all, so we're unable to apply restrictions such as preventing users from accessing certain System Preferences panes. Parental Controls on the local Mac does not offer enough functionality - you can use it to deny access to System Preferences entirely, but students need to be able to access some things, such as Accessibility settings or Wacom tablet settings.
- Centrally managed login items. We currently have an AppleScript login script (some of the things it does are to work around brokenness in Profile Manager, but one of the things it does is not Profile Manager's fault at all) but it's on the local hard drive of each Mac, so if we needed to change it for any reason, we would have to update every Mac with a fresh copy. The Login Items functionality in Profile Manager didn't work at all, so I had to use a LaunchAgent (again on the local Mac) to get it to run at login in the proper context (the one thing it does that is not Profile Manager's fault is mounting ~/Documents to an Active Directory user's home folder)

The third category includes (but is not limited to) things such as:
- Email. On our PCs, we have Autodiscover enabled in Outlook, so that when a user logs on they can just open Outlook straight away and it will automatically configure their mailbox settings and get them into their email. I gather that Outlook for Mac doesn't have the same sort of capability (though I may be wrong - I haven't had an opportunity to explore the new 2016 version yet). Profile Manager has an Exchange ActiveSync section, but I couldn't see a way to specify "actually, for the username just use the logged on user, and have them enter their password if you need it". I also suspect this would have set up their email in the native Mac Mail.app client, which is perhaps not what we want. Being able to deliver the same Outlook email experience on the Mac as we do on the PC would be really useful.
- Faster imaging. Currently for Mac imaging we have a Mac Mini server with a copy of Server.app and the NetInstall service enabled. This kind of works okay but is really basic and is not much cop if you want to image a lot of Macs at once (as a Mac Mini only has a single, 1 Gigabit Ethernet port on it). Casper Suite's backend seems like it can be installed on a Windows server; does it do the NetInstall stuff as well? Specifically, can we put it on a Windows server with a 10 Gigabit fibre adapter connected to our backbone and get faster imaging? Or do we still need a Mac server with NetInstall to be able to do imaging at all?
- More intelligent imaging. Currently there is a bunch of stuff that we have to do to Macs after imaging them to make them ready for use, including assigning them their proper name. I gather with Casper there is this "thin imaging" concept, where your base image is just a basic OS X installation, and you just select what software goes on top of that. Does Casper keep track of things like "the Mac with this serial number should have this name"? So for example, our ideal situation would be if we could just boot a Mac off the network and it is automatically imaged, installed with appropriate software and configured the way we want it, based on us already having input its serial number into Casper somewhere and telling it "this Mac is called this, it's for use in such and such a department, so install and configure it appropriately" according to configurations we've already defined.
- Default programs. For the aforementioned local accounts it's kind of okay, because we could just set these up while creating our big monolithic image, but currently we don't have a way to specify, for example, that Chrome should be the default browser for Active Directory users, or that VLC should be the default program for opening .mpg and .mp4 files. Is this something that Casper could help us do?
- Deployment of complex software. In theory Apple Remote Desktop is capable of installing packages on Mac clients. In practice it's pretty rubbish at that, partly because it tries to do all the target Macs at once and thus slows everything to a crawl, eventually ending in failure. And for big suites like Office or Adobe products, it's out of the question. I gather that this sort of thing should be possible with Casper, but how well does it work in practice? For example, our big monolithic image currently contains Office for Mac 2011, but as you may be aware, this doesn't look a great deal like its PC counterpart, and we are planning to move to Office 2013 on the PC side anyway within the next year or two (or Office 2016 for PC if it's out by then) so it would be useful to be able to say "remove Office 2011 and install Office 2016" and have Casper intelligently do this, staggering installs so that not all the Macs are trying to install it all at the same time (ensuring that on the majority of Macs at any given time during the whole deployment, there will still be a working version of Office). We're also looking to move from CS6 to Adobe Creative Cloud next year, so deploying packages created by the Creative Cloud Packager is also something we'll need to be able to do.

If you've successfully done any of the things I've mentioned using Casper, it would be great to hear from you.

Thanks,
Dan Jackson (Lead ITServices Technician)
Long Road SIxth Form College
Cambridge, UK.

Hi,

Here's my opinion on each of the points. We're a JAMF integrator so have worked with all of the topics you've raised over the past few years.

This is just my opinion though!

Point 1.

For the first point you're right, Casper has an MDM built-in that provides the same service as Profile Manager. Its worth noting that depending on the issues you are seeing with Profile Manager, Casper may not solve them. The underlying MDM system and config profile delivery mechanism isn't 100% reliable. It does work but requires a bit of hand holding sometimes.

Point 2.

  • Connecting Macs to our 802.1X wireless network - Yes Casper can do this, we've implemented it at quite a few places. there are other challenges depending on the networking kit you're using but it can be done.
  • Adding printers intelligently - This is one of Casper's big strengths, specifically around network organisation and smart groups. You can group computers by department, room, building and, with smart groups, you can create groups based on any data stored in the computers inventory.
  • Configuring icons on the Dock - This is a bit of a minefield so although you can do it with Casper using a number of methods, you may need to include additional tools like dockutil to get the end result you're looking for. FWIW we don't use the "Dock Icons" feature in Casper Admin but instead either use custom config profiles for lab computers or dockutil scripts for more flexible setups.
  • Managing local accounts - Casper can do this out of the box.
  • Centrally managed login items - Casper can run policies at login that would perform this task for you.

Point 3.

  • Email - We've acheived this in the past with a first run apple script that is around on the Internet. In our opinion, if autodiscover is set up ok, the user only needs to input their email address and password on first launch so our preference is to not add anything to the process. I haven't tested config profiles on Mac OS X (I have always assumed they wouldn't work). They work well with iOS but I doubt they would with OS X.
  • Faster imaging - I wouldn't say that Casper is faster, although it is much much more capable. We have some sites that have 70+ different combinations of software. the tech just has to select the right room and it builds the Mac as they need it. The actual imaging process will be determined by how quickly the distribution points can serve the data (a 10Gb link would help), and how quickly the client Mac can recieve it. For larger images I would still expect 1-2 hours of imaging time though. Our alternative approach has been with Thunderbolt SSD external drives that can drop it from 1-2 hours to under 15 mins. Netboot is a separate service but in most cases we either use the Casper NetSUS appliance (a linux VM) or BSDPy that can also be installed on a virtualised linux system. In my testing I haven't found Netboot to have much of an impact on the overall deployment speed though. The distribution point is very important.
  • More intelligent imaging - Casper has a pre-stage imaging system that lets you decide what happens to new devices you are deploying. We often use it to just add to the system that the Mac ships with.
  • Default programs - Sort of. It will depend on the app. Browsers are a bit tricky as the OS wants user interaction to confirm the change. Casper can do this but with a fair bit of additional effort and scripting.
  • Deployment of complex software - This was one of the original and primary purposes for Casper and it is very good at it.

Hope this helps.

We're in the UK (Amsys) BTW if you want to talk more about it ;)

On point 3, while the Casper JSS server can run on Windows, Casper Imaging which orchestrates the imaging process needs to be run from a Mac.

You'll discover that a lot of what you're doing isn't bound by what Casper Suite allows but what the operating system or the software vendor's PKG allows.

Be sure to sign up for their free trial, before the clock starts ticking on the trial work out what you want to test: enrollment of current Macs, deploying new Macs, deploying software, etc so you can get to work quickly. However it sounds like you have a lot of this figured out already.

You've got a very solid list of wants/needs, and I'm quite happy to say that most everything should be doable:

  • Connecting Macs to our 802.1X wireless network: We're doing this now via a script that is requesting the appropriate certificate from the CA and installing a profile to configure the wireless for each machine.
  • Adding printers: Depending how your network is configured, you could scope Casper to auto-install printers based-upon defined network segments, or at least limit the options. We've been refining our setup here, but due to the number of floors in the buildings and use of wireless, this is a bit more tricky, os we're mostly limiting by building since each location has its own subnet or IP range.
  • Configuring icons on the Dock: cake. You could provide a pre-populated dock during imaging, or use Casper to add/remove icons. Apps can be added/removed by entering the path to the app alone.
  • Managing local accounts: Local accounts can be a bit more tricky to manage, but yes, using profiles or other tools to restrict access to individual system preferences or applications can be done.
  • Centrally managed login items: Many here use login scripts triggered by a launch agent. Yes, it triggers a locally installed script, but changing the script wouldn't be difficult at all. You can also leverage login hooks via Casper, but we have only had these trigger consistently when wired to the LAN.
  • Email: For Office 2011 on the Mac, we are using a one-time run AppleScript that auto configures users accounts on first launch (without any user interaction). Office 2016 hasn't been tested in our environment...yet. The ActiveSync/Exchange option in profiles will setup the Apple Mail/iCal apps, but not Office.
  • Faster imaging - currently, we image everything off of a Mac Mini. We have a few of them scattered, but there are often 50+ users attached to a single machine during large upgrades. Typical imaging time has been between 20-45 minutes per machine, with only those few Mac Minis with traditional hard drives taking longer. We're looking to utilize a linux-based solution to replace our current NetBoot infrastructure (using PyBoot/Docker) on server-class hardware.
  • More intelligent imaging: There's a few different kinds of imaging processes. Thin imaging generally keeps the factory install of OS X, installing only the needed customization and additional applications to the stock image, keeping the process very short and sweet. Modular imaging, which replaces the base OS, but separates all applications, settings, etc. as individual packages. This is one of the most common practices and what we do for all machines. Monolithic imaging is the process of building the "perfect" configured machine, and saving the result as a single, compiled image file. Biggest downside is adapting to required changes/updates. Casper can help assist with all three methods. Part of Casper's imaging is defining the computer naming scheme (serial number, MAC address, etc), as well as the ability to create different configurations for different purposes. We have a standard build for machines running Yosemite, a "test" build, a server build, and a special build for video/motion graphics.
  • Default programs: this is another thing that could be configured to run as a script during imaging. Many here utilize a "first-run" or setup script to set these default settings when machines are first imaged, including setting the preference in the User Template folder so new/additional accounts on the same machine will also have this defined.
  • Deployment of complex software: Yes, Casper handles this well. Adobe applications can be packaged using the "Creative Cloud Packager" tool from Adobe. The resulting files can be included at imaging, or made available by the Self Service software catalog tool. Office can be deployed in the same way. Casper can also perform software removals, so that when upgrades are needed, (e.g. Office 2011 to 2016), one can be removed when the other is installed.

I think that hits most of your points. Please feel free to ask follow-up questions or any other kind of request!

I'll give you a short answer re-enforcing Adam's .....

"You'll discover that a lot of what you're doing isn't bound by what Casper Suite allows but what the operating system or the software vendor's PKG allows." 100% True!!!! The other big thing is the internal policies you have to follow.

There are other options beside Casper, but usually given all the tradeoffs Casper usually comes out on top. The one thing that is usually missed in the tool comparisons is the support. My support experience has been outstanding, in fact I would say Jamf is more Apple than Apple when it comes to support. When I have questions or issues the support team has always went above and beyond.

I would also point out that none of the other options has the track record of delivering updates when Apple does.. Jamf has been ready day of releases for every Mac OS upgrade when Apple since X.6 and maybe before that ( I can't remember).. I have talked to vendors that said they would guarantee compatibly with in six months. (no thank you)... Many vendors think the world revolves around themselves, Jamf knows their world revolves around their customers and Apple.

Hope this helps!!!

C

PS Dan, if you you have any other question, I am more than will to chat about Jamf anytime : )

+1 More Apple then Apple !

For the MS Office Deployments, caching is your friend

2016 is currently out for 365 customers and Sep 22 for all

Terms & ConditionsCookie settingsAccessibility statement