Aloha! Best practices can always be a challenge, as one school’s needs may differ drastically from another’s. I think you are off to a very good start with the settings you have in place, but I do see one minor change you can make:
Content Caching under Restrictions > Functionality. I'm going to assume (I know…dangerous) your users are Standard and not Admin, but even for Macs you may have in the field that do run as admin, I recommend disabling this (unchecking it). This will prevent users from enabling their device as a content caching server on your network. A content caching device caches Apple App Store and Software updates to be able to serve them to local devices also requesting that same content. And while I do recommend the use of a Content Caching device (at least one) on your network, your portable devices should not be one of those.
On your comment about Apple IDs (now referred to as Apple Accounts), there are many compelling reasons to use Managed Apple Accounts (Federation is the way to go here), but there currently is no way to enforce signing in with only a Managed Apple Account, and therefore it’s either allow any Apple Account or no Apple Account.
I would ask a favor of you to provide that feedback to Apple, ideally through the Appleseed for IT program since that associates it to your organization and has the most impact.
There is a way, using some Smart Group logic, to lock a device into a signed-in Apple Account, so they can’t sign out later and then sign in with a personal account. Many schools help students get logged in with their Managed Apple Account, then lock the setting by unchecking the restriction profile setting “Allow Modifying Account Settings” based on a Smart Group criterion of “iTunes Account signed in”.
I'm sure others here can provide some more suggestions. One last thing, Jamf School supports Bash scripts (without variables), so if there is something that isn’t readily apparent via a restriction profile, I’d poke around JamfNation to see if others have been able to achieve the end goal. An example of this may be allowing standard users to add printers (like one at their home).
I forgot to add one more thing...if you really want to dive down the rabbit hole, check out Jamf Compliance Editor. This is a free tool you can use to achieve CIS level compliance on Macs (and iPad too). This is what large corporate and government organizations use to build custom profiles and scripts (many of which will work just fine in Jamf School) to bring their devices into compliance against a known set of industry recognized benchmarks.
Now I'm NOT saying just go forth and apply all of it, as your users may actually revolt! But it can help you to get a sense of what it means from an organizational perspective to be "compliant", and you may find a few nuggets that you can add to your deployment.
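As an added example (not from this thread or from Jamf), here is the kind of self-contained script the printer suggestion above refers to: it puts the local "everyone" group into the macOS lpadmin group so standard users can add printers without admin rights. It assumes Jamf School runs the script as root and passes no parameters, so every value is hard-coded; the group names are the standard macOS ones, and the status function returns 2 on a non-macOS host so the script fails closed instead of running a command that does not exist.

```shell
#!/bin/bash
# Added example, not from the original thread: lets standard users add printers by
# adding the local "everyone" group to lpadmin. Jamf School passes no script
# parameters (no $4..$11 as in Jamf Pro), so the values are hard-coded here.
# Assumption: Jamf School executes this as root, which dseditgroup -o edit needs.

TARGET_GROUP="lpadmin"   # macOS printer-administration group (alias of _lpadmin)
MEMBER="everyone"        # local group that contains every local user

# Returns 0 when $MEMBER is already in $TARGET_GROUP, 1 when it is not,
# and 2 when dseditgroup is unavailable (i.e. this is not a Mac).
lpadmin_status() {
    command -v dseditgroup >/dev/null 2>&1 || return 2
    # checkmember prints "yes ..." when the member is present, "no ..." otherwise
    case "$(dseditgroup -o checkmember -m "$MEMBER" "$TARGET_GROUP" 2>/dev/null)" in
        yes*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Idempotent remediation: only touch the group when the membership is missing.
# Returns 0 on success or no-op, 1 if the edit failed, 2 when not on macOS.
lpadmin_grant() {
    local rc=0
    lpadmin_status || rc=$?
    case "$rc" in
        0) echo "$MEMBER is already in $TARGET_GROUP; nothing to do"; return 0 ;;
        2) echo "dseditgroup not found; this script is for macOS only" >&2; return 2 ;;
    esac
    /usr/sbin/dseditgroup -o edit -n /Local/Default -a "$MEMBER" -t group "$TARGET_GROUP" \
        || { echo "failed to add $MEMBER to $TARGET_GROUP" >&2; return 1; }
    echo "added $MEMBER to $TARGET_GROUP"
}

# Run the remediation when the script is executed directly.
lpadmin_grant
```

Because lpadmin membership also lets a user manage existing print queues, scope the script to a Smart Group of devices that actually need it (e.g. take-home Macs) rather than applying it to the whole fleet.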
Hi Curtis,
Thank you so much for the profile tips! Also, thanks for sharing the Compliance Editor link, we are very interested in exploring configurations based on compliances, so I appreciate you sharing this information with us.
We've learned (from past experiences) to have at least four to five test devices in our IT playground, so we will definitely exercise caution on applying all vs piloting.
I'll look into the Appleseed for IT and submit some feedback for the Managed Apple Accounts. We're not opposed to having them at our school, but would love for there to be an easy option (managed accounts only) we can "check" off before device distribution. I love the workaround you and others have suggested - that may be the best approach for next school year.