Outgrowing Jamf Now

wanijsena
New Contributor

Hi,

Curious for recommendations for our fleet of ~50 Mac devices.

We're currently using Jamf Now which is great for enforcing basic security policies, but we are starting to outgrow it. Specifically, in terms of what we are looking for:

  • Support for Apple VPP. We are using that now via Jamf. I noticed Fleetsmith surprisingly does not support this - this is probably a dealbreaker unless there are workarounds?

  • Better security features, including ability to automate/enforce OS and software updates, logging/alerting on security events (authentication etc.). We are already doing malware detection so that is not necessary.

  • Ability to deploy custom packages, scripts & resources (fonts come to mind here) as necessary.

  • Reporting/Alerting/Automation - we don't have an IT team; I'd love a simplified view of which machines are in compliance and which need follow-ups, in addition to anything else which makes administration easier. Any integration with email/Slack for messaging users would be a positive.

  • Straightforward migration experience. Ideally our end-users would just need to install the application and that's it.

  • We are G Suite users so any integrations here would be interesting, but not essential. I like how Fleetsmith can import your user list. Mosyle's login window sounds interesting, but some of the feedback I've seen indicates it can be problematic? (MFA requirement, confusing to users etc.)

The other thought I had, and not sure how viable this is, would be to look for something which offers some of the security features I'm looking for and upgrade to Jamf Now Plus (?) - that would fill most of our short term needs, and would save migrating users/devices.

Thanks in advance for any recommendations!

1 ACCEPTED SOLUTION

AJPinto
Honored Contributor III

As you noticed, JAMF Now is a basic product for basic needs. JAMF Now Plus is no different; it adds a few things but is still very basic. Coming to this forum I'm sure you realized JAMF Pro will be the main suggestion, though there are other solutions like Addigy, Kandji, and even Microsoft's Endpoint Manager (Intune).


  • Supporting VPP: I am honestly surprised to see any MDMs don't support VPP (currently known as Apps and Books) for volume App Store app assignments. JAMF Pro and JAMF Now's support of VPP is similar; JAMF Pro is much more robust in assignment, as JAMF Pro does not deal with that blueprint nonsense.
  • Security features: MDM clients are not security tools, they are device management tools. I suggest looking into actual security tools to close your security gaps.
    • JAMF Pro does not have any SIEM functionality, though you can fake it a bit with Extension Attributes; I suggest not doing that.
    • OS updates are deployed with MDM commands on all MDM platforms (JAMF Now included). This requires devices to be enrolled in Automated Device Enrollment to function. JAMF Pro can push scripts for OS updates, but this only works on Intel Macs by Apple's design.
    • Alerting would require a proper security tool; JAMF Protect can cover some of this but depending on your needs may not be robust enough.
    • Authentication event notifications would need a proper tool to handle that job. Something in the IDP space like Cyberark EPM may be a good idea to look into.
  • Deploying custom apps and scripts: JAMF Pro can deploy pretty much anything you can put in a DMG or PKG on macOS. Unlike JAMF Now Plus, JAMF Pro does not require packages to be signed, so there is no need for an Apple Developer account to be able to sign your custom packages. The JAMF binary allows JAMF Pro to run scripts using whatever interpreters are installed on the Mac.
  • Reporting and dashboards: JAMF Pro is not a SIEM tool, but you can create dashboards to report on any information JAMF Pro is reading, like OS version and application version using patch management, or which devices have disk encryption enabled using smart groups, and shove all that in your dashboard. This can turn into a rabbit hole depending on what you want JAMF reporting on, and what you want to view.
  • Migration experience: This is outside of the control of any of the MDM providers. Apple has made the experience of migrating from one MDM to the next very painful. The Mac and iOS devices need to be reprovisioned if you want full management (you cannot force OS updates without enrolling with Automated Device Enrollment, for example).
    • I would not be shocked to find out that JAMF has a way to "upgrade" you from JAMF Now to JAMF Pro. However, take their sales pitch with a grain of salt. Macs and iOS devices MUST be reimaged to get full management over them. Ask the reps how you would push OS updates to devices once they migrate without needing to reinstall the OS for Automated Device Enrollment to pick up again.
  • I do not use G Suite myself. JAMF Pro does have various integrations. You can connect JAMF Pro to LDAP for on-prem AD instances, or to Azure/Okta for online IDPs.
    • JAMF Pro can pull user and group information directly from LDAP.
    • Azure and Okta are configured in the SSO area of JAMF Pro, and what Azure can do is different than what Okta can do. Okta seems to be more feature-parallel to LDAP, ironically enough.
    • SSO on the client would be configured by MDM, but you would still need a tool to handle SSO. Tools like Apple's SSO Extension, Okta Verify, and JAMF Connect would enable SSO on macOS.

Sorry for the novella of an answer; you had a lot of very good questions.
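To make the "Reporting and dashboards" point concrete (which devices have disk encryption enabled, and whether the OS is current, surfaced through smart groups), here is an added example in the shape of a Jamf Pro Extension Attribute script. It is not code from the post above or from Jamf; the `<result>` tag format and the `fdesetup status` / `sw_vers -productVersion` commands are real, while the helper names, the `Encrypted;OSCurrent` value format, the minimum-OS policy value and the sample inputs are my own assumptions. Jamf Pro stores the printed `<result>` value per device on each inventory update, and a smart group matching on that value (for example "is not Encrypted;OSCurrent") gives the follow-up list the original poster asked for.

```shell
#!/bin/sh
# Added example, not code from the original post: a Jamf Pro Extension
# Attribute style script. Jamf Pro stores whatever the script prints between
# <result> tags (that format is real); the helper function names and the
# "Encrypted;OSCurrent" value format are assumptions of this example. Smart
# groups can then match on the stored value to drive a compliance dashboard.

# Map the text printed by `fdesetup status` to a one-word verdict. The real
# outputs are "FileVault is On." and "FileVault is Off."; anything else
# (e.g. a deferred-enablement message) is reported as Unknown so it gets
# flagged for follow-up rather than silently counted as compliant.
filevault_verdict() {
    case "$1" in
        *"FileVault is On."*)  echo "Encrypted" ;;
        *"FileVault is Off."*) echo "NotEncrypted" ;;
        *)                     echo "Unknown" ;;
    esac
}

# Return 0 when dotted version $1 is at least dotted version $2, comparing
# component by component (so 13.10 > 13.4 and 13 < 13.4), in plain POSIX sh.
version_at_least() {
    cur="$1"
    min="$2"
    while [ -n "$cur" ] || [ -n "$min" ]; do
        c="${cur%%.*}"
        m="${min%%.*}"
        c="${c:-0}"
        m="${m:-0}"
        if [ "$c" -gt "$m" ]; then return 0; fi
        if [ "$c" -lt "$m" ]; then return 1; fi
        case "$cur" in *.*) cur="${cur#*.}" ;; *) cur="" ;; esac
        case "$min" in *.*) min="${min#*.}" ;; *) min="" ;; esac
    done
    return 0
}

# Combine both checks into the single string the Extension Attribute reports.
# $1 = fdesetup status output, $2 = running macOS version, $3 = minimum version
# the admin has decided to accept (an assumed policy value, not from the post).
compliance_summary() {
    fv=$(filevault_verdict "$1")
    if version_at_least "$2" "$3"; then
        os="OSCurrent"
    else
        os="OSOutdated"
    fi
    echo "${fv};${os}"
}

# On a real Mac the inputs come from the system (commented out so the example
# runs anywhere, including on a non-Mac test host):
#   FV_OUT=$(/usr/bin/fdesetup status)
#   OS_VER=$(/usr/bin/sw_vers -productVersion)
# Constructed sample values standing in for that output:
FV_OUT="FileVault is On."
OS_VER="13.4.1"
MIN_OS="13.5"

echo "<result>$(compliance_summary "$FV_OUT" "$OS_VER" "$MIN_OS")</result>"
```

With the constructed inputs the script reports `Encrypted;OSOutdated`, so the device would land in a "needs OS update" smart group but not in a "disk not encrypted" one. Keeping the Unknown branch separate from NotEncrypted matters: a Mac mid-way through deferred FileVault enablement should show up as something to check, not as a pass.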
