Hello Everyone,
We’re expanding our student loaner program to include Mac laptops. Each semester, students will check out these laptops for their coursework, and at the end of the term, the devices are returned to be reset and reissued.
Here are the key issues we’re facing:
- Active Directory Binding: All devices must be bound to AD, and there’s no workaround at the moment. We’re looking into Jamf Connect or an alternative, but those options won’t be ready in the near future.
- Data Removal: We need a reliable way to remove user data at the end of each loan period.
- External Resetting: The entity handling the checkout process (not internal IT) will need to complete the reset. This means the "Wipe" command isn't viable since we can't ensure consistent internet access or the ability to follow a complex process.
We currently have a Self Service item that successfully removes user profiles. It works great for us. However, the biggest challenge is managing applications. We need to find a way to remove all "non-standard" applications.
- We will deploy a specific set of default apps to all loaners.
- Any apps outside of this list, or not native to macOS, should be removed.
- Currently, we’re considering redistributing devices with leftover applications from previous users, but we’re not keen on this approach.
Our users have access to a "Make Me An Admin" item in Self Service, allowing them to install apps. This feature is non-negotiable and has been approved by InfoSec. We already use this setup for our Windows loaners and have a strong security framework in place.
Has anyone here managed a similar loaner program or encountered challenges with removing non-standard apps from loaner devices?
Any advice or best practices would be appreciated.
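One way to approach the non-standard app cleanup the post asks about, as an added example that is not part of the original post: a script that could sit behind the same kind of Self Service item as the profile removal, listing and then removing top-level app bundles that are neither on the standard list nor Apple-signed. The allowlist file (one bundle name per line), the function names, and the use of the `anchor apple` signing requirement as the test for "native to macOS" are assumptions.

```bash
#!/bin/bash
# Added example: remove app bundles that are neither on the loaner allowlist
# nor Apple-signed system software. Intended to run as root from a policy.

# Assumption: "native to macOS" is tested with the code-signing requirement
# "anchor apple" (software signed by Apple itself), not by bundle name or ID,
# since a name or Info.plist can be set to anything by whoever built the app.
is_apple_signed() {
    command -v codesign >/dev/null 2>&1 &&
        codesign --verify -R="anchor apple" "$1" 2>/dev/null
}

# Succeeds if bundle name $1 is an exact, whole line in allowlist file $2.
is_allowed() {
    grep -Fxq -- "$1" "$2"
}

# Print the full path of every top-level *.app in directory $1 that is
# not on allowlist $2 and not Apple-signed. Changes nothing on disk.
list_nonstandard_apps() {
    local dir="$1" allowlist="$2" app
    [ -d "$dir" ] && [ -r "$allowlist" ] || return 2
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue      # also skips an unmatched glob
        [ -L "$app" ] && continue      # never act on symlinks
        is_allowed "$(basename "$app")" "$allowlist" && continue
        is_apple_signed "$app" && continue
        printf '%s\n' "$app"
    done
}

# Remove what list_nonstandard_apps reports; prints each path removed.
remove_nonstandard_apps() {
    local app
    list_nonstandard_apps "$1" "$2" | while IFS= read -r app; do
        rm -rf -- "$app" && printf 'removed: %s\n' "$app"
    done
}
```

Run `list_nonstandard_apps /Applications <allowlist file>` and review the output before switching the policy to `remove_nonstandard_apps`. Because users can elevate with "Make Me An Admin", the allowlist should live somewhere the policy delivers fresh on each run rather than in a location a previous borrower could have edited.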