Posted on 04-15-2022 04:15 AM
Hi, so I have about 10 macs in a small office. All with JAMF Now Plus profiles. The users are a local user without iCloud allowed. The local user is an admin user. This means they can just go to system preferences and click the minus sign on JAMF profiles to remove them. Is that correct? Is there a way to lock the profiles in? Do the users need to be standard users? But that means the users need to reach out to me to install anything? Also, what's the simplest way to make the local user sync to a cloud directory? The 365 and Google plans are "low level" business plans which I do not think support this approach. Is there a better way to manage these apple laptops & user accounts? All "KISS" options are welcome! The monthly cost is not that big of an issue if it's $5, $10, $15/user/month to get this done. I'm reading up on all the available ways to try and get this done and it's a doozy. Any KISS options are appreciated!! Thank you! :)
Posted on 04-15-2022 06:07 AM
When doing your enrollment, make sure you have the option for users to remove MDM not checked. Then even if they are admin they can not remove the MDM. We have all our users as admin but we lock things down with configuration profiles.
For syncing we do use JAMF Connect. It works great for us, but we have 500 macs in remote locations around the country. Your setup since it's in one office would be simpler.
Posted on 04-15-2022 11:48 AM
Just be aware that "non-removable" mdm profile is only an option for Automated Enrollment. A computer enrolled with User Initiated enrollment can ALWAYS be unenrolled by removing the profile.
Posted on 04-16-2022 06:07 PM
Expanding on this, while profiles for Open Enrolled devices can always be removed, since you have JAMF Now plus you can utilize a custom profile to lock down your system preferences menus. Check out iMazing Profile editor, it’s free and has a payload that lets you edit which menus users can access in System Preferences (you can even block admin users too).
Now profiles can still be removed via terminal commands, but at least your end users can’t just go in via System Preferences GUI and remove them easily.
As some said earlier though, only Auto Enrolled machines can prevent users from removing the MDM profiles. (Requires the computers to be in Apple Business Manager)