Can Google's MDM and Jamf Pro Coexist?

nvandam
Contributor II

I've recently started as an Apple Admin and we use the Google Suite as much as we can. Gmail, Docs, Sheets, Drive, etc. We also manage our iOS devices with JAMF Pro, but we use Google's MDM for BYOD devices (access to Drive and Gmail on personal devices). The problem with this is that if someone wanted to access any of those things on a company owned device (one managed by JAMF Pro) they couldn't, because 2 MDMs can't control the same device.

I'm wondering if anyone else out there has this same setup and what they are doing to get the best of both worlds; security for BYOD devices if someone "goes rogue" and we need to remove access to everything as well as all the great features JAMF Pro can offer for our company owned devices.

Thanks!


PAC
Contributor

@nvandam This might not be an option for you, but I was discussing this with another admin the other day.
We were discussing maybe using JAMF just for OSX and then using an MDM like Airwatch for all mobile devices.
We are primarily an Apple devices school and only have JAMF Pro, so we don't manage non-Apple devices (we only allow Windows / OSX laptops for higher year levels).
I know Airwatch can do some stuff with Google devices, but I cannot remember exactly how much.

swapple
Contributor III

We are looking into using Jamf and Google MDM for our G Suite install: Jamf to manage our corp-owned iPads and Google MDM for the BYOD. One challenge we face is that the GMDM works off of a user, so put GMDM in basic mode for Billy, then his iPad connects through Jamf and Billy can then map his iPhone to GMDM directly. We would rather that the iPhone be in Advanced management on the GMDM while their iPad is also being managed by Jamf.

bentoms
Release Candidate Programs Tester

@swhps No. MDM has the "highlander rule". As in, there can be only one.

kowsar_ahmed
Contributor

If your company devices are all on GMDM and you want to now get them managed using JAMF, is there a way to migrate, or do I need to manually remove all current profiles?

JustDeWon
Contributor III

lol @bentoms "highlander rule"

joeyk
New Contributor II

If you have access to the G Suite Feature Idea submission forum, please upvote this post so we can see Management (basic vs. advanced) determined based on ownership (Company vs. user): https://www.cloudconnectcommunity.com/ccc/ls/community/g-suite-chrome-feature-ideas/post/5839401249800192

omarluna
New Contributor III

Hey @nvandam,
When we implemented Jamf, we had the exact same issue. The answer is no, 2 MDMs can't coexist on the same device. However, you can create OUs inside G Suite and enable and disable services as you need.

For BYOD, we enabled Google MDM but disabled it for corporate-owned devices. We have a script that organizes users daily on G Suite.

We have our users sign into Google through the Safari app on their iPad and not use Google Chrome on their iPad.

We have Jamf and Google MDM active.

rafaelnr
New Contributor II

@omarluna I'm in the same boat; would you mind outlining your solution? thanks!

Heavy_D
Contributor III

We are currently in a migration from O365 to G Suite and we use JAMF as our main MDM. We now have an issue where the company that acquired us uses GMDM for mobile devices. Has anyone come up with a solution where we would be able to run Google's policy and have it coexist with JAMF's?

joeyk
New Contributor II

@omarluna That doesn't fix the issue of a user who is issued a Company-Owned Device also having a personally-owned device with full G Suite data on it, since their OU doesn't require Advanced Management.

Again, the division should really be made on G Suite's side, they should allow us to choose whether the mobile device receives Basic or Advanced Management, not the User/OU.

For computers for example, we already feed G Suite data of which computers are company-owned, so all of the underlying information is already there. We use this for Context-Aware Access, so that G Suite apps can only be accessed from company-owned machines.

For mobile devices, ours currently all have a value of "User Owned" in the G Suite Admin Devices page, but there is not an option to import company-owned iOS devices. Even if we somehow marked them as company-owned, there is not an option to discriminate by this value when determining if the device is to receive Basic or Advanced Management.

Please upvote the feature request on Google's Cloud Connect Community so Google can fix this. https://www.cloudconnectcommunity.com/ccc/ls/community/g-suite-chrome-feature-ideas/post/5839401249800192

@JarvisUno In your situation, it would probably be best for them to set "Basic Management" for your subsidiary's OU in G Suite - this would allow you to keep using Jamf for that company.
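Added example (my code, not omarluna's script, which the post above doesn't show): the OU-sorting logic a daily job like that could run, plus a check for the gap joeyk raises, i.e. a user moved to the corporate OU whose personal device then sits outside Advanced Management. Assumptions: the OU paths, the field names on the Jamf Pro classic `/JSSResource/mobiledevices` listing and on the Directory API `users` and `mobiledevices` resources, and all sample records are constructed for this example. It is a dry run that returns the planned `orgUnitPath` changes instead of calling either API.

```python
# Added example: sort G Suite users into OUs by whether they hold a Jamf-managed
# iOS device, and report users whose personal devices would lose Google
# management as a result. Dry run: no Jamf Pro or Directory API calls are made.
from dataclasses import dataclass, field

# Assumed OU paths (placeholders for this example, not from the thread).
CORP_OU = "/Corporate"  # Google mobile management disabled; Jamf is the MDM
BYOD_OU = "/BYOD"       # Google advanced mobile management enabled


@dataclass
class SyncPlan:
    moves: dict = field(default_factory=dict)  # email -> orgUnitPath to set
    mixed: dict = field(default_factory=dict)  # email -> personal serials not in Jamf


def corporate_holders(jamf_inventory):
    """Map username -> set of serials for managed devices in a Jamf Pro listing.

    jamf_inventory follows the shape of the classic API's
    /JSSResource/mobiledevices response (assumption: 'username' and 'managed'
    are populated). Unmanaged records (a wiped or retired device whose record
    lingers) do not count, otherwise a stale record would exempt a user from
    Google management indefinitely.
    """
    holders = {}
    for dev in jamf_inventory.get("mobile_devices", []):
        if dev.get("managed") and dev.get("username"):
            holders.setdefault(dev["username"].lower(), set()).add(dev["serial_number"])
    return holders


def plan_sync(jamf_inventory, google_users, google_devices):
    """Decide which users move between OUs and who has an unmanaged personal device.

    google_users mirrors Directory API users.list ('primaryEmail', 'orgUnitPath');
    google_devices mirrors mobiledevices.list ('email' list, 'serialNumber').
    """
    holders = corporate_holders(jamf_inventory)
    plan = SyncPlan()
    for user in google_users.get("users", []):
        email = user["primaryEmail"].lower()
        target = CORP_OU if email in holders else BYOD_OU
        if user.get("orgUnitPath") != target:  # only touch users who are in the wrong OU
            plan.moves[email] = target
    # Devices Google knows about that Jamf does not manage: for a corporate
    # holder these are personal devices that will sit in the corp OU without
    # Google management. Surface them rather than silently losing coverage.
    for dev in google_devices.get("mobiledevices", []):
        serial = dev.get("serialNumber")
        for email in dev.get("email", []):
            email = email.lower()
            if email in holders and serial not in holders[email]:
                plan.mixed.setdefault(email, []).append(serial)
    return plan


def patch_bodies(plan):
    """Request bodies for Directory API users.patch, one per planned move,
    e.g. service.users().patch(userKey=email, body=body).execute()."""
    return [(email, {"orgUnitPath": ou}) for email, ou in sorted(plan.moves.items())]


# Constructed sample inventories (not real data).
SAMPLE_JAMF = {"mobile_devices": [
    {"id": 1, "serial_number": "CORP0001", "managed": True, "username": "billy@example.com"},
    {"id": 2, "serial_number": "CORP0002", "managed": True, "username": "ann@example.com"},
    {"id": 3, "serial_number": "CORP0003", "managed": False, "username": "old@example.com"},
]}
SAMPLE_USERS = {"users": [
    {"primaryEmail": "billy@example.com", "orgUnitPath": "/BYOD"},
    {"primaryEmail": "ann@example.com", "orgUnitPath": "/Corporate"},
    {"primaryEmail": "old@example.com", "orgUnitPath": "/Corporate"},
    {"primaryEmail": "cara@example.com", "orgUnitPath": "/BYOD"},
]}
SAMPLE_GOOGLE_DEVICES = {"mobiledevices": [
    {"email": ["billy@example.com"], "serialNumber": "CORP0001"},
    {"email": ["billy@example.com"], "serialNumber": "PERS0009"},  # Billy's own iPhone
    {"email": ["cara@example.com"], "serialNumber": "PERS0010"},
]}

if __name__ == "__main__":
    p = plan_sync(SAMPLE_JAMF, SAMPLE_USERS, SAMPLE_GOOGLE_DEVICES)
    for email, body in patch_bodies(p):
        print(f"move {email} -> {body['orgUnitPath']}")
    for email, serials in p.mixed.items():
        print(f"warning: {email} holds a corporate device but also {serials}, unmanaged in {CORP_OU}")
```

On the sample data Billy moves to the corporate OU and the stale "old" record sends that user back to BYOD; the `mixed` report is the part worth acting on, since those personal devices are exactly the ones the OU-based split cannot cover until Google offers per-device Basic/Advanced assignment.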

russell_garriso
New Contributor III

Can anyone confirm that it is possible to buy iPhones under DEP and then leave them unassigned so they behave just like any customer-purchased iPhone? My company is looking to purchase a bunch of company-owned iPhones in the near future. We are running into similar coexistence and feature gap issues with G Suite Advanced MDM and would like to consider Jamf. A key decision point is the device approvals and the lack of per-device instead of per-account management with Google. The idea would be to go ahead and get the phones under DEP, but then manually enroll them in G Suite (just like our current BYOD) while we transition to either Jamf or G Suite Enterprise via DEP.

joeyk
New Contributor II
Can anyone confirm that it is possible to buy iPhones under DEP and then leave them unassigned so they behave just like any customer-purchased iPhone? My company is looking to purchase a bunch of company-owned iPhones in the near future. We are running into similar coexistence and feature gap issues with G Suite Advanced MDM and would like to consider Jamf. A key decision point is the device approvals and the lack of per-device instead of per-account management with Google. The idea would be to go ahead and get the phones under DEP, but then manually enroll them in G Suite (just like our current BYOD) while we transition to either Jamf or G Suite Enterprise via DEP.

I have actually been looking at this for the last hour or so. It appears possible! Actually, even better, in the last few weeks Google has rolled out full Apple Business Manager-integratable MDM features assuming you have G Suite Enterprise. You wouldn't need to manually enroll them in G Suite. I just added our G Suite environment as an "MDM Server" in Apple Business Manager. This means you can assign devices to it for management. There are definitely loads of missing key features in the G Suite MDM, but they do now have some of the features only available to Supervised devices. You can set default MDM assignment based on device type. i.e. Macs go to Jamf and iPhones go to G Suite (still Supervised). That's a nice option to have. Within Apple Business manager you can also feed it an order number or list of serials and reassign those devices to a different server (like from Jamf to G Suite), or unassign the device from any server, or release the device from ABM entirely.

Again, lots of missing features...force app deployments, for example, with Advanced Mobile management we can always do it at the OU...but....I only want to force apps on company-owned devices, not user-owned...

Basically, the line of thinking I'm exploring is to have mirrored settings from Jamf to G Suite, which sucks royally, since G Suite is missing management features, but at least we could leave Advanced Mobile Management on, for approvals, since most users are BYOD, and assign some company-owned devices to have G Suite as their MDM.

A key decision point is the device approvals and the lack of per-device instead of per account management with Google.

With G Suite you can do the approvals when you have Advanced Mobile Management turned on, but yes, that latter part is the pain point here.

...Ok, I just re-read your post and realize you already see the MDM functionality of G Suite Enterprise, but I'm going to leave everything on this post as it may be helpful to others. Long story short, yes it appears you can unassign. I assume the device will experience normal OOBE.

[Screenshot: how you can control the assignment of devices from ABM]

russell_garriso
New Contributor III

Thanks for taking a look @joeyk, as it has helped sketch out the decision for us. We are currently G Suite Business customers, so we get the Advanced Management but with reduced features, which means we can't have company-owned iOS devices. The company phone decision has to precede the budget discussion on doubling our G Suite bill with Enterprise or ditching approvals and going with Jamf for less money. It is good for anyone else discovering this issue to know that they can decide to buy the phones today and have them unassigned in Business Manager, then save the discussion of how to automatically enroll them for a later date. I don't know of any way to add the iPhones to ABM for DEP after purchase, so I wanted to make sure we had this right. There are several Macs we bought the "wrong" way that will never be in ABM. Thanks again for all your help.

timbyler1890
New Contributor III

One thing to remember in this discussion is that assigning a device to a different MDM in ABM will require an "Erase All Content and Settings" on each device. DEP settings are only pulled into a device on a full wipe and restart.

Also, unlike OSX devices, iOS devices can be added to ABM through Apple Configurator 2. SimpleMDM has a fairly good how-to on this.

Heavy_D
Contributor III

I am curious, with Jamf and Google announcing the conditional access partnership preview, whether it has fixed or improved upon this issue?

Does anyone have any developments on the matter?