A new plan for next year

rohrt85
New Contributor II

With our school year ending here in a few months :) I am looking at some new ways (profiles, config profiles, preferences, etc...) to help with our 1:1 laptops.

We will be going into our third year and I am really wanting to maximize Casper/Self Service to the fullest potential. We have quite a few students who will spend their time trying to get around things on the laptop and try to be sneaky with it, but I would like to try and stop them from day 1 with some new policies in place. Can anyone tell me what you have done and what has worked/not worked? Looking for anything that would be worthy of stopping some of the students in their tracks.

Thanks for any suggestions!


brushj
New Contributor III

I would be interested to hear any feedback on this as we are moving into our third year as well. We are looking at, finally, moving off of MCX and using configuration profiles. I am curious to hear how it went for anyone else who has made the transition.

CasperSally
Valued Contributor II

We made the switch to config profiles this past summer, and it's an ongoing pain point for us. We can't upgrade to the latest JSS to support Yosemite because of an open defect with pushing config profiles. I reported the issue in early December and am still stuck. I don't think many have the issue, but it's not just me either.

https://jamfnation.jamfsoftware.com/discussion.html?id=11579

Do test upgrades in a test environment before upgrading production to make sure profiles come down as you expect since they are the basics of securing the workstation.

I miss the old days of MCX where certs/APNs, etc, didn't play into things. I think it's inevitable to have to make the move at some point though.

rohrt85
New Contributor II

We started with 8.73 and just recently made the jump to 9.65 (which does add a lot of new things; for half of it I wouldn't even know where to start). But we have been using the config profiles from the start, and only a few times have I had to redo a profile and re-focus it on certain computer groups.

OS X was a discussion for us a few days ago, but I convinced them to stay with Mavericks because of the issues and crashes we have seen with Yosemite, and I do not want my office flooded with kids next year "trying to fix" an issue and causing more bad things to happen.

I would just like for next year to be able to lock down the laptops a little bit better than where they have been, and make it so that we are not going to change policy for one person (which has happened, though not my choice). Our students need to understand that these are for school use and not a personal device like many think they have. So once again, to everyone out there, I would really like to hear what things you have put in place and what has worked/not worked regarding policies, config profiles, etc....

brownbe
New Contributor III

I would also be interested in what others do. We have recently only started using Casper to manage our iOS devices and are interested in managing our laptops as well. I'm not sure where we would even start but it would be good to have an idea of what to do and the best practices before we jump right into it.

rohrt85
New Contributor II

Is there a way on Mavericks/Casper that you can disable the ability for the student to log in with their own Apple ID? I have figured out how to only allow the App Store for software updates, but it seems that if the student logs in then they are able to grab any of their downloads and they will go on the laptop. This is one of those things that I would like to stop on day 1 of next year.

1BigGeek
New Contributor III

This is going to largely depend on the philosophy of the school district. We have about 11,000 MacBooks and 16,0000 iPads. We're in our first year of partial 1:1. Another 23 schools come on next year.

rohrt85 - Our leadership wanted the devices mostly open. We allow students to sign in with their district-created Apple IDs if they are under 13, or their own if they are over 13. They can use the App Store too. They are not admins though. We have limited only what could cause the JSS not to be able to communicate with them. The idea of the 1:1 was discoverability, creativity, and cooperation. So, locking it down would have hurt that. We're as close to out-of-box as you can get. We chose Apple for its wonderful user experience, and we didn't want to turn them into Windows-style "you get nothing and will like it" machines. That would have defeated the point.

We're all config profiles and light scripting for configuration on the Mac side and DEP on the iPads. I don't know how wordy/specific to be here.

Damien
New Contributor

One thing I would be wary of is using the "Install Automatically" method to push wireless configuration profiles to devices. I have had issues with this in the past: when you make any changes to the profile, it asks if you would like to apply them to all devices or to newly assigned devices, and in my experience it tries to push to all every time (I haven't had a chance to test in later versions of the JSS). Unfortunately the process on the client goes like this:

  1. Removes old configuration profile
  2. Wireless connectivity drops due to profile removal
  3. Client can't get the new profile unless they manually join a network or "plug in"

To get around this I'm deploying the .mobileconfig file and running the following command via a policy:

/usr/bin/profiles -I -F "/path/to/profile/802.1x.mobileconfig"

damienbarrett
Valued Contributor

I feel I have to chime in here, as I've done in other threads, and suggest that you take a look at the philosophy my school has been using successfully for more than five years in our 1:1 laptop program. Similar to @JDP, we want our students to feel that the laptop is a tool for discovery, creation, exploration, and learning. Locking it down heavily does not mesh well with this philosophy. Why shouldn't a student be allowed to install a game? Why shouldn't you encourage them to experiment with different software?

In our program, every student is an administrator of their laptop, but we also ask them to be good stewards of the laptop. We teach them to run updates and to think critically and carefully about which software to install. We feel that this helps to prepare them for the real world. When a student leaves our school, they can walk into an Apple Store and buy a new computer, and the user they invariably create on that new machine is an admin user. But if no one has ever shown them or taught them the importance of software updates and how to keep a machine clean and functional, then how can they be expected to know this? By magic? Apple's policy about first-user-created-is-admin is not going to change anytime soon. Unless everything becomes locked behind a walled garden like iOS (unlikely), the conventional wisdom is that our schools will continue to churn out legions of supposedly technologically-advanced 1:1 program students who really have no clue how to be good technology stewards, digital citizens, and system administrators.

Now, perhaps you don't need to take it quite as far as we have. You could build a program where students get their updates via Self Service. The onus of responsibility is still on them, but they do not have to be administrators. Or perhaps you can have their user accounts be modified administrator accounts managed by configuration profiles. We like our program because it mirrors the real world and reinforces life lessons that are actually very important. Every time I help a student clear adware off their computer, I have a discussion with them about being more careful. Now, ask yourself, what's better in the long run: a standard user who is never able to install adware, or an apprentice admin user who learns a difficult lesson about how to determine whether software is trustworthy or not?

I understand this is a "sea-change" idea, a paradigm shift from the way things have always been. We spent a great deal of time with our different constituencies explaining why we were going this route and helping them to understand the long-range goal of the program. Having graduated five classes of seniors out into the world, we're already hearing back from them that these technology stewardship skills have proven to be invaluable in college and beyond.

I also understand that this idea is completely unworkable in some environments, but many schools have borrowed pieces of our 1:1 philosophy and program with great success. I've posted about this topic many times on these boards with links to our Technology Driver's Manual, Technology Driver's Test, and our 1:1 philosophy on our website.

freddie_cox
Contributor III

As @JDP and @damienbarrett have already touched on, we try to take a trust-first, restrict-second approach.

We haven't tried the students-as-admins approach yet, but we manage very little beyond setting them up as standard users. When we do manage settings, I try to opt for set-once rather than always (where possible) to guide them in a preferred direction.

I still don't fully trust (or want to fight) config profiles via the MDM protocol on laptops but as new requirements come forth, I go through installing them using the profiles command that @d4mo1337 mentioned rather than trying to rely on MCX. (It also gives me a better log of what is/has happened)

I would take a minute to step back and look at the things that you want to actually be actionable about. If they are that important, think about how you can have Casper do your work for you. Example: students aren't allowed to be admins? Set up a smart group/extension attribute combo that alerts you (heck, and even the student!) of this change. Give them a chance to turn themselves in rather than you having to chase them down.

I've set up a firmware password Self Service policy that allows the technicians to lock down (and unlock) a computer on those problematic students' machines without having to get me involved.
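One way to build the "alert when a standard user becomes an admin" extension attribute described above, as an added example that is not freddie_cox's own script. It assumes EXPECTED_ADMINS holds the admin accounts you manage; a smart group keyed on a result other than "OK" then does the alerting.

```shell
#!/bin/sh
# Added example (not from the thread): a Jamf extension attribute that reports
# local admin accounts outside the managed set, so a smart group on the result
# can alert you (or the student) when a standard user has gained admin rights.
# Assumption: EXPECTED_ADMINS lists every admin account you expect on the Mac.
EXPECTED_ADMINS="${EXPECTED_ADMINS:-root admin jamfadmin}"

# $1 = the "GroupMembership: a b c" line from
#      `dscl . -read /Groups/admin GroupMembership`
# $2 = space-separated expected admins.
# Prints the members that are not expected, space-separated (empty if none).
unexpected_admins() {
    members=$(printf '%s\n' "$1" | sed 's/^GroupMembership: *//')
    extra=""
    for m in $members; do
        case " $2 " in
            *" $m "*) ;;                 # managed account, nothing to report
            *) extra="$extra $m" ;;      # not on the expected list
        esac
    done
    printf '%s\n' "${extra# }"
}

# The string the EA reports; the smart group criterion is "is not OK".
ea_result() {
    if [ -z "$1" ]; then
        printf 'OK\n'
    else
        printf 'UNEXPECTED ADMIN: %s\n' "$1"
    fi
}

# Live check on a managed Mac, wrapped in Jamf's <result></result> EA format.
run_ea() {
    line=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)
    extra=$(unexpected_admins "$line" "$EXPECTED_ADMINS")
    printf '<result>%s</result>\n' "$(ea_result "$extra")"
}

# Constructed sample: a student account (jsmith) has been added to admin.
SAMPLE_LINE="GroupMembership: root admin jamfadmin jsmith"
ea_result "$(unexpected_admins "$SAMPLE_LINE" "$EXPECTED_ADMINS")"
```

On the client, replace the last two lines with a call to run_ea; the constructed sample only exercises the comparison offline.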

1BigGeek
New Contributor III

Doesn't mean we won't help you @rohrt85. In our shared labs we disable the iCloud sign-in and remove the App Store altogether. Doing so means no more GUI software updates, but the command line tools work, so we do updates with policy. I'm pretty sure @rtrouton has a blog post covering disabling iCloud sign-in. We add an rm one-liner to remove the App Store from the machine. We also lock the preference panes for iCloud and Internet Accounts.
One downside to removing the App Store is that you'll now have to control the updating of all software from the App Store and deploying it to all your machines. We use VPP with managed distribution to supply our students with Apps from the App Store that the district is paying for and the default free Apple Apps. That means I don't have to update their software as non-admins can apply software updates to Apps from the App Store.

If you want to start some separate threads here we could talk specifics. The one thing I'll tell you for sure is that you don't have to reinvent the wheel. Lots of really incredible and smart people have done it all before and they shared all of their work. I'm just 2 kids in an oversized trench coat working at the business factory. Those other pioneers helped me through all of it whether they knew it or not. Just about anything is possible to do on the Mac and all made easier by Casper.

ewettach
New Contributor III

We are in our third year and in year one wrote a custom application that has been extremely helpful in allowing a good balance between personal and educational use of the device since we wanted both. The app does a few things based on location and date/time.

  • Acts similar to the JSS Restricted Software in that it will block any applications that are launched from within the user folder unless an exception is made. When we aren't in school this restriction is lifted, so any games, etc. that students download they can play at home, but not at school. The only applications that are allowed to run on campus are those that they get from Self Service or from us.
  • Disables the ability for students to change Wi-Fi networks while on campus. It basically sets the permissions to change Wi-Fi networks to requiring admin privileges if on campus and then removes that restriction when off campus. What this does is prevent them from jumping on a hotspot, etc. and not being watched via Apple Remote Desktop if we choose.

The above would not be possible if it wasn't for the students not being admins on the computers. Every school has a different take on it, but for us we can't promise things like filtering, etc. We have firmware passwords on the machines to ensure we keep control of our school-owned machines. If students were admins we couldn't guarantee that. It also would be much more of a headache for our Tech Center support staff, who support students and staff every day, if they didn't really know what was on the machines at a low level.

Ultimately it is about teaching and learning and we feel that our responsibility is to create an environment that allows that to foster.

brushj
New Contributor III

@ewettach That sounds like a fair balance, and we try to do something similar here with the whole "you keep your permissions until you do something to lose them." We have a separate lockdown group for kids that are doing things that are not deemed appropriate. We also have a day-user program for users of broken computers or students that need to have their full-time laptops taken away for misconduct.

I would be interested in how you guys implemented the running only certain apps during the school day. Our boss doesn't like to lock the kids down more than we have to but I think that sounds like a fair balance that he would go for.

rohrt85
New Contributor II

I want to thank everyone for the responses here! Going into our third year of 1:1 there have been lots of ups and downs (especially when you are a one-man band with over 1000+ devices in one building). I don't think we will give the students access to an admin account, because I have done that with a few of my own tech students and still regret it because of issues that have come up; then trying to explain to them how to fix the situation or show them the correct way is like it goes in one ear and out the other with no processing.

We want to be able to give our students the ability to make the laptop/iPad like their own but many have taken advantage of that and some have gone to extremes with what they put on there. I have seen some things this past year....

I know locking down more things and uniformity doesn't seem like a logical answer to many but for here it seems like a legit reason just because of issues this year. I just know that there is a lot to do with Casper/JSS when it comes to managing but I am trying to look at a new game plan because being the 'nice tech guy' is just not working anymore.

rohrt85
New Contributor II

@JDP We are looking at the Apple ID situation here and I would like to talk more about this! Our 7th and 8th grade students have iPads. With a lot of them being between 12 and 14, we have been trying to figure out what we would need to do with the IDs for next year.

When you said you created district IDs for under 13 how did the district handle this? We have talked about doing that here but our tech director doesn't think this can be done because with parent's consent. We know we can have the over 13 create their own IDs but it is the under where we are having questions.

1BigGeek
New Contributor III

@rohrt85 We use Apple's U13 program through the deploy.apple.com site. We bulk upload our students, but it does require parental consent. The schools work with the parents to get them to approve their child's Apple ID. If the parent doesn't have an email address the school will help them create one and take them through the process. Some of our schools are over 90% with Apple IDs, but nobody is 100%.

I have read that there will be some changes to the U13 program that will eliminate the need for the parental consent piece but that probably won't be here in time to help with next school year.

ewettach
New Contributor III

@brushj In the simplest form we start by running the command below that will return the process id of any apps that are running as the user. We then kill these processes and display a message.

ps -axo pid,ruser,comm | awk '/[U]sers/ || /[V]olumes/ { print }'

@rohrt85 @JDP Unfortunately I think that you are right. We are waiting for Apple to launch the way that won't require Apple IDs. This will significantly help situations like ours where we have K3-4th grade iPads on carts at school. The link below is a reference to this.

http://www.macrumors.com/2015/03/06/ipad-education-deployment-changes/
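The on-campus, school-hours app-blocking rule ewettach describes earlier in the thread, built around the ps/awk command above, as an added example that is not ewettach's application. It assumes an allowlist of path prefixes, school hours of 07:30 to 15:30 Monday to Friday, and CAMPUS_SSID as the location check (all assumptions, not from the thread).

```shell
#!/bin/sh
# Added example, not ewettach's app: kill anything launched from the user folder
# (or a mounted volume) while on campus during school hours, unless allowlisted.
# Assumptions: allowlist of path prefixes, 07:30-15:30 Mon-Fri, CAMPUS_SSID.

# $1 = output of `ps -axo pid,ruser,comm`, $2 = newline-separated allowlist.
# Prints "pid path" for user-owned processes under /Users or /Volumes that do
# not start with an allowlisted prefix.
find_user_apps() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, ok, "\n") }
        $1 == "PID" || $2 == "root" { next }          # header, system daemons
        {
            pid = $1; path = $3
            for (i = 4; i <= NF; i++) path = path " " $i   # paths with spaces
            if (path !~ /^\/(Users|Volumes)\//) next
            for (i = 1; i <= n; i++)
                if (ok[i] != "" && index(path, ok[i]) == 1) next
            print pid, path
        }'
}

# $1 = weekday (1=Mon..7=Sun, as `date +%u`), $2 = HHMM (as `date +%H%M`).
in_school_hours() {
    printf '%s %s\n' "$1" "$2" |
        awk '{ exit !($1 >= 1 && $1 <= 5 && $2+0 >= 730 && $2+0 <= 1530) }'
}

# Assumption: "on campus" means joined to the school SSID (macOS networksetup).
on_campus() {
    networksetup -getairportnetwork en0 2>/dev/null |
        grep -q ": ${CAMPUS_SSID:-SchoolWiFi}\$"
}

# Enforcement step for a recurring policy: kill hits and log why.
enforce() {
    allow=$(cat /Library/Management/allowed_apps.txt 2>/dev/null)  # assumed path
    in_school_hours "$(date +%u)" "$(date +%H%M)" && on_campus || return 0
    find_user_apps "$(ps -axo pid,ruser,comm)" "$allow" | while read -r pid path; do
        kill "$pid" && logger -t appblock "killed $pid $path (not allowed on campus)"
    done
}

# Constructed sample ps output and allowlist for an offline dry run of the filter.
SAMPLE_PS='  PID RUSER COMM
    1 root  /sbin/launchd
  412 jsmith /Applications/Safari.app/Contents/MacOS/Safari
  530 jsmith /Users/jsmith/Downloads/Minecraft.app/Contents/MacOS/Minecraft
  611 jsmith /Volumes/USB/Game.app/Contents/MacOS/Game
  640 jsmith /Users/jsmith/Applications/Approved.app/Contents/MacOS/Approved'
SAMPLE_ALLOW='/Users/jsmith/Applications/Approved.app
/Applications'
find_user_apps "$SAMPLE_PS" "$SAMPLE_ALLOW"
```

Run enforce from a policy on a schedule; the dry run at the bottom only shows which sample processes the filter would select.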

rohrt85
New Contributor II

If Apple could get this done before the end of this year I think we would be so much better off! This is something that I will be looking at more and paying attention to. Thanks for the heads up @ewettach

brushj
New Contributor III

@rohrt85 @JDP Based off of a few discussions, we aren't going to see anything until the usual cycle release dates. I have no hard dates or anything, so this is all speculation on my part. Whenever they GM iOS 9 you can start; based off of history that isn't going to be until school has started, at least here in FL.

Education isn't a massive part of Apple's global business, it's a nice chunk, but not enough to change the release dates of the world wide market. I get that, but it is also annoying at the same time because it screws up our schedule for start of year.

I think it will be a better process than last year and will alleviate a bunch of pain points; the bad thing is that it's recreating all of the policies.