Posted on 04-01-2022 06:13 AM
Hi y'all,
So at the moment, every user at our organisation can enroll their Mac and gets managed. Even BYOD Macs.
Can we make a selection which user may enroll their privately owned Macs (BYOD)?
Can we also make a selection only corporately owned devices can be enrolled to Jamf Pro?
I've seen some options, but I'm not grasping all of the information.
04-01-2022 05:57 PM - edited 04-01-2022 06:04 PM
Real BYOD support for macOS isn’t in Jamf yet. I believe it was announced at JNUC 2021 and is currently just rolling out for iOS at the moment with macOS to come at a later date.
There are a lot of things to consider with this, like how you are going to control corporate data on a BYOD Mac while not impacting your user’s personal files. Then, when they unenroll, how will you verify all of that data and your licensed applications are fully removed from the device without making them wipe it completely (unless they understand that’s the exit strategy when they accept your corporate BYOD EULA prior to enrollment)? Those two questions around data security and application license compliance are just the tip of the iceberg. If they don’t need direct access to install corporate licensed applications and connect to file shares over VPN, then there are probably better solutions than managing BYOD.
However if you have a solid plan for personal privacy as well as corporate data and license governance then these would probably be the easiest ways to pull a separation of the devices at time of enrollment as of Jamf 10.37.0…
1. Sign up for Apple Business Manager and begin leveraging DEP enrollment exclusively for corporate owned systems. That leaves devices that come in through user-based enrollment/the enrollment website as your BYOD devices.
2. If for some reason you can’t leverage Apple Business Manager and DEP enrollment, you could set up your enrollmentComplete triggered policy to run a modified version of DEPNotify that allows the user to identify the device as either corporate owned or BYOD using some attribute of your choosing in Jamf.
Note: DEPNotify linked below is fairly easy to implement and can be leveraged by Macs regardless of enrollment method. There’s no requirement to have DEP in order to use it in your environment. It also comes in handy as a base framework to use if you need to take over the screen during other installs or would like to create something that prompts the users to ask a question, gather their responses, and immediately perform actions in Jamf against that data in the future.
https://marketplace.jamf.com/details/depnotify/
Unfortunately the user enrollment webpage can’t be restricted or redirected to different workflows based upon the user or device it’s being accessed from using just Jamf itself immediately. You can try to do this by policy, but it would be username/security group based via multiple enrollmentComplete policies, inflexible, and likely flaky to maintain long term. Any attempt to restrict or disable the page in our environment has disabled enrollment completely, including automated enrollment via DEP, so I would suggest avoiding that route.
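As an added example (not code from this thread, DEPNotify or Jamf), one way to automate the split from option 1 above: an enrollmentComplete policy script that records whether the Mac arrived through Automated Device Enrollment (DEP) or user-initiated enrollment, plus an extension attribute body that surfaces that tag so smart groups can scope corporate-only policies. The marker path /Library/ExampleOrg/ownership is a hypothetical placeholder, and the script assumes the `Enrolled via DEP:` line that `profiles status -type enrollment` prints on macOS.

```shell
#!/bin/bash
# Added example: classify a Mac as corporate (DEP-enrolled) or BYOD
# (user-initiated enrollment) and persist the result for Jamf.
# Assumptions: runs as root from an enrollmentComplete policy; marker
# path below is hypothetical and should be replaced with your own.

MARKER_FILE="${MARKER_FILE:-/Library/ExampleOrg/ownership}"

# Map the text of `profiles status -type enrollment` to an ownership class.
# A device can only be DEP-enrolled if it was added to Apple Business
# Manager, so "Enrolled via DEP: Yes" is treated as corporate owned.
classify_ownership() {
    local status_text="$1"
    if printf '%s\n' "$status_text" | grep -q '^Enrolled via DEP: Yes'; then
        echo "corporate"
    else
        echo "byod"
    fi
}

# Policy body: read the live enrollment status (macOS only) and write
# the classification to the marker file, world-readable but root-owned.
record_ownership() {
    local status_text
    status_text="$(profiles status -type enrollment 2>/dev/null || true)"
    mkdir -p "$(dirname "$MARKER_FILE")"
    classify_ownership "$status_text" > "$MARKER_FILE"
    chmod 644 "$MARKER_FILE"
}

# Extension attribute body: emit the stored tag in Jamf's <result> format
# so a smart group can match "corporate" or "byod" (or "unknown").
report_ownership() {
    local value="unknown"
    [ -r "$MARKER_FILE" ] && value="$(cat "$MARKER_FILE")"
    printf '<result>%s</result>\n' "$value"
}

# Jamf passes script parameters starting at $4; pass "record" from the
# policy to run the recording step, or "report" from the extension attribute.
case "${4:-}" in
    record) record_ownership ;;
    report) report_ownership ;;
esac
```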
Posted on 04-12-2022 03:52 AM
@rudrasete In our Windows® domain we use Jamf Pro®. We can allow LDAP users to enroll clients. We can specify who will be allowed to enroll a client, and we are able to exclude who is not. Maybe it could be a way for you to create some Active Directory® groups that are allowed to register a client and set them to the "User-initiated Enrollment".