I work for a University; I am the main Jamf Admin. We have other IT organizations within the University that support other schools. We are looking to open up Jamf to the rest of those IT Professionals. How can we achieve this so their Macs/iOS devices are added to our Jamf instance but they do not have access to make changes to our devices?
My first thought is to set up sites and give them access to their site only, but how would a device get from Apple School Manager to that site?
Has anyone ever had to set something like this up?
Depends on what exactly your end goal is.
You can use JAMF Sites as @markdmatthews suggested to have isolated "instances" of JAMF for each area, and the techs only have access to the site you give them access to. The problem with sites is you need to duplicate everything that you want to be available to multiple sites; for example, if you have 3 sites you would need 3 policies for Webex along with 3 groups to scope and so on. Sites can turn into a mess very fast, especially if you want to do things centrally rather than letting each site do its own thing.
If you just need access control, you can skip using sites and just give these techs access to what they need. For example, if they don't need access to create policies, don't give them access to create policies, and so on.
That is similar to what I do to limit access to areas of Jamf or features, i.e. Advanced Searches, Read Only Access, Access to Computers vs Devices ... but it wouldn't give you access to only a specific "School's" devices (what I feel like @ogansemoi is asking for).
That said... 100% agree that sites duplicate and triplicate everything, but I think it is the only route in this case. Unless all IT organizations within the University can have access based on "role" vs "location".
Sites don't always duplicate your policies and configuration profiles. We also use many sites, but we have defined some sort of basic kit in Site None so that it can reach every computer in JamfPro. The downside is that the few people who have full access to Jamf and all sites have to maintain the "global" policies and profiles. Adding the devices to the sites is done through the PreStageEnrollments. This adds the step of assigning the devices to the corresponding enrollment prior to installation.