Apple DEP & Software For Separate Departments

kadams
Contributor

Hey good morning guys. Hope you all are doing well today. I have a question about Apple DEP and Jamf capabilities. We want to have software issued to separate departments here. For example, engineering has Homebrew, Docker, VirtualBox, etc. This software will only be issued/visible to the engineering department. Does anyone have any information or advice on how to create this environment? I know in Jamf I can create multiple PreStage enrollments. We currently have just one PreStage enrollment.

4 REPLIES

jmahlman
Valued Contributor

You have some options here. The first option is what I've used in the past and is not the best method: make multiple PreStage enrollment profiles and assign machines to their respective groups, then make a smart group for each one and assign software/policies to those groups. This works if you have a small number of machines but can get out of hand and unmanageable when you have hundreds.

The better method is to have one PreStage and allow your users (or whomever deploys the systems) to select their department. We're moving to this method using DEPNotify. I have a script that launches DEPNotify after enrollment, and it will ask the user for information about the machine/themselves. I based my workflow on @neil.martin83's wonderful script/presentation. Basically, after the user selects their department and adds their info, the script will take care of the rest. It's simple and elegant... and expandable!

andrew_nicholas
Valued Contributor

If you have directory services/AD tie-in in place with Jamf, you can just set an app's scope to all devices and limit it to specific AD groups. You can then either direct them to sign in or enforce sign-in to Self Service. This involves a manual method from the end users, but it's fairly straightforward and also gets users used to Self Service if that is something you're hoping to leverage. Bonus points: if you're on Jamf 10 you can just email them the URL link to the Self Service app for fewer steps.

kadams
Contributor

I started testing with creating a smart group and a static computer group. The smart group has a test software like Firefox listed. The smart group also has my static computer group scoped. So the smart group checks the computer group for all computers that don't have Firefox. I have followed the DEPNotify script to push out notifications and fetch/push out policies with custom triggers to the smart groups. I believe that this way I can make multiple policies and title them for each department. Then I could scope/add all computers that I need to each computer group.

kadams
Contributor

@jmahlman I set everything up accordingly and I'm still having some issues. I have policies that all run based on a policy that has a script. That script calls every other policy in the order that I choose. The policy runs right after enrollment is complete. I have a policy that has DEPNotify in it along with the script that works with smart groups. For some reason, when I change the computer name the smart groups and policies aren't running. I gave all the policies a custom trigger called Deploy. This seems to only work when I already assign a computer a name that works with the condition I set in a smart group. For example, if I name a computer "engineering 1", my smart group condition is computer name is "engineering 1". If I run the policy with DEPNotify and the script, it doesn't work. It prompts me to give a computer name and a role. I give the computer a name and it doesn't fetch the policies that I set in the smart group. The policies are only fetched if the computer name is already changed before I run the DEPNotify and script.
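The post-enrollment workflow discussed in this thread (one PreStage, the user picks a department, a script renames the machine and then fires department-specific policies by custom trigger) is shown below as an added example. It is not code from the thread, from @neil.martin83's DEPNotify workflow, or from Jamf; the department names, trigger names and the `$4`/`$5` policy parameters are assumptions for illustration. Smart group membership is evaluated from the inventory the Mac last submitted, so the script submits inventory with `jamf recon` right after renaming and before calling the `Deploy`-style triggers; the `-department` flag on `recon` is assumed to be available on the installed binary (check `jamf help recon`).

```shell
#!/bin/bash
# Hypothetical post-enrollment script (added example, not from the thread or Jamf).
# Assumed to run from a Jamf policy, so script parameters start at $4:
#   $4 = department chosen in DEPNotify (e.g. engineering), $5 = asset tag.

JAMF="/usr/local/bin/jamf"

# Map a department to the ordered list of custom policy triggers to fire.
# Trigger names are assumptions; they must match the "custom event" on each policy.
triggers_for_department() {
  case "$1" in
    engineering) echo "deploy-base deploy-homebrew deploy-docker deploy-virtualbox" ;;
    finance)     echo "deploy-base deploy-office" ;;
    *)           echo "deploy-base" ;;
  esac
}

# Build a hostname-safe computer name from department and asset tag:
# lower-case, spaces to hyphens, anything outside [a-z0-9-] dropped.
make_computer_name() {
  printf '%s-%s' "$1" "$2" \
    | tr '[:upper:]' '[:lower:]' \
    | tr ' ' '-' \
    | tr -cd 'a-z0-9-'
}

# Rename, submit inventory so name/department-based smart groups re-evaluate
# on the server, then run every department trigger in order.
run_deployment() {
  dept="$1"
  name="$(make_computer_name "$dept" "$2")"

  "$JAMF" setComputerName -name "$name"
  # -department is assumed to be supported by the installed jamf binary.
  "$JAMF" recon -department "$dept"

  for trigger in $(triggers_for_department "$dept"); do
    "$JAMF" policy -event "$trigger"
  done
}

# Only act when the Jamf policy supplied both parameters; sourcing the file
# (or running it without arguments) just defines the functions above.
if [ -n "${4:-}" ] && [ -n "${5:-}" ]; then
  run_deployment "$4" "$5"
fi
```

Scoping the `deploy-homebrew`, `deploy-docker` and `deploy-virtualbox` policies to a smart group whose criterion is the department (or the computer name prefix) keeps the software visible only to that department; the `recon` step is what makes a machine renamed moments earlier actually land in that group before the triggers run.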