3 hours ago
Greetings all,
We have recently migrated our Jamf Pro instance from on-prem to the cloud product. We are now looking for best-practices information and suggestions from others who have made this move and changed the way that they had implemented things locally. We made a fair-sized jump (from late v10 to current v11, for various reasons) and some things definitely changed in that gap. For instance, the way that LAPS handles the password rotation and loses the cryptographically linked capabilities. One of the things we are particularly interested in is how to keep a secure environment (e.g. no "one account and password to rule them all" situation) but still have the token information needed for doing things like OS updates.
But, frankly, any suggestions are welcome. We have a bit of a grace period for organizational changes here during the migration project, and we want to take full advantage of it. We are working with consultants (Rocketman Tech) through this project, but we also wanted to hear from peer organizations that might have some valuable background to share.
Thank you very much!
Bruce Carter, University of Notre Dame
2 hours ago
@thebrucecarter We're not using it currently, but AFAIK nothing about being Cloud hosted should interfere with using the LAPS feature in recent versions of Jamf Pro.
The escrow of the Bootstrap Token from the Mac does not depend on the use of LAPS, so there's no issue doing MDM-initiated macOS updates from a Cloud hosted environment. Other than the fact that Apple still hasn't implemented a 100% reliable managed macOS update mechanism, that is.
2 hours ago
p.s. That administrator LAPS cryptographic issue is described as follows:
Note:
Jamf does not recommend using MDM LAPS for password rotation if the account needs to use FileVault or authorize software updates on computers with Apple silicon. Rotating a managed local administrator account password from the PreStage enrollment that has become cryptographically enabled with a secure token will result in the login password being changed. However, the new password will not work for cryptographic user authentication purposes.
in the documentation here: https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Automated_Device_Enrollment_...
about 3/4 or so of the way down the article.
2 hours ago
Thanks for clarifying. That's not abnormal; giving a LAPS account FV unlock capability would be extremely fragile. For my org we don't rely on a LAPS account for access if the user can't unlock FV, and use the escrowed FV key instead.
9m ago
Generally speaking, Jamf Pro on-prem and Jamf Cloud would be configured and managed the same. Jamf Cloud adds a few extra features, but just grow into them as a feature add and don't plan to deploy them from the get-go.
As far as LAPS goes, we use a security tool for handling local account password rotations; it also has a secure token, so it can rotate any account's password and not just one created a very specific way during device enrollment. Jamf's LAPS is well and good, as is Rocketman's, but if you want a truly secure environment you usually need to pay for a purpose-built tool.
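The thread's concern is which local accounts still hold a usable secure token after LAPS rotation, and whether the Bootstrap Token needed for MDM-initiated updates is escrowed. The script below is an added example, not code from the thread or from Jamf: it audits both on a Mac, and when the macOS tools are absent it runs the same parsing over constructed sample output. It assumes the output formats of `sysadminctl -secureTokenStatus` ("Secure token is ENABLED/DISABLED for user ...") and `profiles status -type bootstraptoken` ("Bootstrap Token escrowed to server: YES/NO"); the account names in the samples are made up.

```shell
#!/bin/sh
# Added example (not from the thread): audit secure-token holders and
# Bootstrap Token escrow. Parsing is kept in functions so it can be checked
# on any host; the live branch only runs where sysadminctl exists.

# Map one sysadminctl status line to ENABLED / DISABLED / UNKNOWN.
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# YES if `profiles status -type bootstraptoken` reports the token as
# escrowed to the MDM server, NO otherwise (including unparseable output).
bootstrap_escrowed() {
    if printf '%s\n' "$1" | grep -q 'escrowed to server: YES'; then
        echo YES
    else
        echo NO
    fi
}

# Overall verdict: an MDM-driven update/FileVault story needs at least one
# token-holding local admin AND an escrowed Bootstrap Token.
verdict() {   # $1 = number of ENABLED accounts, $2 = YES/NO from bootstrap_escrowed
    if [ "$1" -ge 1 ] && [ "$2" = YES ]; then echo OK; else echo WARN; fi
}

if command -v sysadminctl >/dev/null 2>&1; then
    # Live run (macOS): check every member of the local admin group.
    enabled=0
    for u in $(dscl . -read /Groups/admin GroupMembership | cut -d: -f2); do
        line=$(sysadminctl -secureTokenStatus "$u" 2>&1)   # status goes to stderr
        state=$(secure_token_state "$line")
        [ "$state" = ENABLED ] && enabled=$((enabled + 1))
        printf '%-20s secure token: %s\n' "$u" "$state"
    done
    escrow=$(bootstrap_escrowed "$(profiles status -type bootstraptoken 2>&1)")
else
    # Constructed sample output so the logic is demonstrable off-box.
    SAMPLE_A='2024-01-01 10:00:00.000 sysadminctl[4242:99] Secure token is ENABLED for user jamfadmin'
    SAMPLE_B='2024-01-01 10:00:01.000 sysadminctl[4243:99] Secure token is DISABLED for user lapsadmin'
    SAMPLE_BT='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
    enabled=0
    for line in "$SAMPLE_A" "$SAMPLE_B"; do
        state=$(secure_token_state "$line")
        [ "$state" = ENABLED ] && enabled=$((enabled + 1))
        printf '%-20s secure token: %s\n' "${line##* }" "$state"
    done
    escrow=$(bootstrap_escrowed "$SAMPLE_BT")
fi
printf 'bootstrap token escrowed: %s\nverdict: %s\n' "$escrow" "$(verdict "$enabled" "$escrow")"
```

Run it with `sudo` on a Mac so `profiles status` can read the escrow state; an account that shows DISABLED after a LAPS rotation is exactly the case the Jamf note above describes, since its login password no longer unlocks anything cryptographic.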
9m ago
If you’re setting up macOS with Jamf and Intune, here are a few best practices to streamline the process and ensure a smooth user experience:
Use DEPNotify for DEP Setup – Instead of relying on the custom Jamf Pro enrollment workflow, DEPNotify makes it much easier to configure and guide users through the setup. It provides a clear, structured UI and helps automate tasks, making the deployment process more efficient and user-friendly.
Avoid User Enrollment if Possible – User enrollment has significant limitations, especially in enforcing policies and deploying managed settings. Instead, go with Automated Device Enrollment (ADE) whenever possible to ensure better control and compliance.
Set Up Compliance in Intune – To ensure the Company Portal app works correctly, create a compliance policy in Intune. This will allow conditional access policies to function properly and keep devices compliant with security requirements. Without this, users may experience issues accessing corporate resources.
Use SCEP for Certificate Deployment – For a seamless certificate distribution process, leverage SCEP (Simple Certificate Enrollment Protocol) with Jamf Proxy. This ensures devices get the necessary certificates securely, reducing manual work and potential security risks.
Enable Firewall via Configuration Profile – It’s crucial to enable the macOS firewall via a configuration profile and restrict two-way communication to only the necessary apps. This improves security while allowing essential services to function correctly without exposing the device to unnecessary risks.
These steps will help create a more secure, automated, and user-friendly macOS deployment. Let me know if you need further details!
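For the firewall step in the list above, here is an added example (not code from the poster, Jamf or Apple) that writes a minimal `com.apple.security.firewall` configuration profile ready for upload to Jamf Pro and checks its contents. The payload keys (`EnableFirewall`, `BlockAllIncoming`, `EnableStealthMode`, `Applications` with `BundleID`/`Allowed`) are Apple's; the identifiers, UUIDs and the allowed bundle ID `com.example.allowed-agent` are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example: generate a macOS firewall profile that turns the firewall on,
# enables stealth mode, and explicitly allows only the listed bundle IDs.
# Identifiers and UUIDs below are placeholders, not real values.

write_firewall_profile() {   # $1 = output path; prints the path
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.firewall</string>
      <key>PayloadIdentifier</key><string>com.example.firewall.payload</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>EnableFirewall</key><true/>
      <key>BlockAllIncoming</key><false/>
      <key>EnableStealthMode</key><true/>
      <key>Applications</key>
      <array>
        <dict>
          <key>BundleID</key><string>com.example.allowed-agent</string>
          <key>Allowed</key><true/>
        </dict>
      </array>
    </dict>
  </array>
  <key>PayloadDisplayName</key><string>macOS Firewall (example)</string>
  <key>PayloadIdentifier</key><string>com.example.firewall</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000000</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
EOF
    echo "$1"
}

# yes/no: does the profile enable the firewall?
firewall_enabled() {
    if grep -q '<key>EnableFirewall</key><true/>' "$1"; then echo yes; else echo no; fi
}

# Number of application entries the profile marks as Allowed.
allowed_app_count() {
    grep -c '<key>Allowed</key><true/>' "$1"
}

PROFILE=$(write_firewall_profile "${TMPDIR:-/tmp}/firewall-example.mobileconfig")
printf 'wrote %s: firewall=%s allowed apps=%s\n' \
    "$PROFILE" "$(firewall_enabled "$PROFILE")" "$(allowed_app_count "$PROFILE")"

# On a Mac, compare the desired state with what the system actually reports.
if [ -x /usr/libexec/ApplicationFirewall/socketfilterfw ]; then
    /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
    /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode
fi
```

Keep `BlockAllIncoming` false unless you have confirmed nothing on the Mac needs to listen; the `Applications` list is what scopes incoming connections to the agents you actually run, which is the "only the necessary apps" point in the list above.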