I am hoping that someone here can assist and/or advise.
Some months back we had a demo of JamfPro.
It seemed like it would do everything we wanted in the demo environment, so progressed ahead to purchase.
We get the live environment, do the JumpStart calls that were as useful as a chocolate fireguard and then got thrown in at the deep end so to speak.
We are now 3-4 months in and we are no closer to having a working or reliable system, with bugs big and small not getting addressed by Jamf themselves. For a solution that is seen as the market leader, and sold on its support as being first class, our experience has been abysmal.
Examples of bugs - which to be clear didn't happen in the demo environment, and are majorly intermittent in nature (sometimes works, sometimes don't).
The issue we have with interfacing with Jamf directly is their insistence on relying on nicely worded support mails with a link to a guide - I understand what they are trying to achieve, but after the 100th time of telling them that it still doesn't work, quite why they refuse to pickup the phone for a 5-10min call is beyond me.
If anyone can advise on how we get any of these solved, it would be very much appreciated.
One annoyed and disgruntled customer.
Thanks in advance.
Be annoyed isn't fun and sorry that I can't solve your issues.
However I am 100% sure that Jamf can. I think maybe taking some time and thinking about what must work vs what would be nice to have working would help. An example getting the VPN working is a must, having the custom dock working not so important. I picked the dock example on purpose.. I gave up managing the dock 10 years ago getting the OS and apps updated is way more important.
I would recommend after you have a list and prioritize it. Then you call Jamf. I am sure that they will help you get started on your issues one at a time. Some of the items on your list are simple and are in the Jamf admin guide like standard macOS updates, however others like VPP apps that could be complicated like a network issue and you might need some help from Apple.
Apple has a great tool/script that will check for connectivity to their cloud services like APNS from your network. That said you have to reach out to Apple and get some support from them to get the tool as an example.
There are no quick fixes for some of your issues as the process is different for each environment and each security groups macOS/network rules. Those issues are very hard to resolve and usually takes a lot of time too “change minds”.
Just hang in there and go one step at a time one issue at a time and welcome to a day in the life of a “macOS” admin and I hope you can get your issues straightened out.
PS I assure you that Jamf and Apple want to help you and get it working…
Hi @gachowski - thanks, we have already gone through all of these processes with Jamf, multiple times.
Prioritized work, investigated each bit, etc, but the continued lack of action from them, sending guides that we tell them don't work, pointless email chains back and forth, etc are completely ineffectual.
I do not know why they will not commit to having a phone call or two with us to get the issues looked at, our environment reviewed.
We have posted about it here as a final attempt to get the platform running.
After 3 months Jamf themselves not made any progress due to how they operate. I have no confidence in them to resolve this, so I'm reaching out to the community for assistance on any of these.
Are you yourself able to advise on any aspects of what we are having issues with?
Hey Andrew -
I’m sorry to hear about your experiences so far. While many of these issues are nuanced with several intricacies specific to your environment, I’ll try to shed some light on a few of the more straightforward topics. I understand how frustrating it can be to try and sort these out on your own.
FileVault does not reliably turn on either after the OOBE, or retrospectively.
Two parts to this: Secure tokens and Enforcing FileVault through Jamf.
First off, secure tokens is a whole topic in itself, but the sparknotes is if computers are bound to AD and using directory accounts, you often can’t FileVault the accounts because they don’t have secure tokens.
Secondly, Jamf/Apple has had some recent product issues with enforcing encryption through a configuration profile in Catalina. Because of this, I’ve transitioned to enforcing them through Policies.
MacStore (VPP) Apps either don't deploy, or take 5hours+ to deploy.
Two parts to this as well: The VPP Token and MDM Communication
VPP Token: First off, is your VPP token currently used in more than one server? This will create erratic behavior similar to what you’re describing. Sometimes when companies move over to Jamf they don’t remove their VPP token from their previous MDM before uploading it to Jamf.
MDM Communication: The problems with this can come from the MDM communication with the server or the client, or issues can arise if the Apple ID used to create the push certificate is associated with an Apple Business Manager (or Apple School Manager) account. In which case, you may have to rebuild it.
Packaged apps either don't deploy, or take 5hours+ to deploy
This might take a bit of digging to figure out what’s happening, but some questions I have: Are you on a cloud hosted or on-prem Jamf server? What type of distribution point do you have set up (Jamf Cloud, Custom Cloud, or Local)? When was the last time the client in question checked in? (they will not deploy the packages until they check in)
Wallpaper does not deploy.
If you’re having problems with MDM communication, that would explain this. Also, though, Wallpapers require devices to be supervised, which would prevent this from deploying (and is not clearly documented in Jamf Pro....)
Many of these require some trial and error to get to the bottom of it. If you’re up for it, I’d be happy to set up a call to dig into some of these a bit deeper.
My 2 cents.
Filevault - I have experienced similar problems, both with Config profiles and policies. I am forced to have a smart group that shows machines without FV, so that I can do actions based on that info. Intune Registration - From day one when it was launched I have had problems with it and with the initial launch, the experience was straight on terrible and unreliable. Still have problems with it - random "drops" of machine being compliant today but not tomorrow. MacOS Updates/Upgrades. I really do hope that Jamf would take the burden of us downloading, packaging and deploying the MacOS away from us. I do like the approach how Fleetsmith is doing the OS Updates/upgrades. Would also imagine that it would be beneficial for the Jamf - Compare: Jamf states that they have 20 000 customers. Every one of them would need to package and deploy OS updates. So, one OS updated package - about 5 Gb times 20 000 customers equals to 100 Tb. Then this needs to be done each year at least 6 times, so that adds up to 600 Tb. Other option would be just that one 5 Gb MacOS package packaged by Jamf only once (per region or something) - probably cloud storage is cheap. I also would like to have a flexible GUI for the end user, where we can easily inform user (a text field) and give users the possibility to postpone the update and also for admins to define the interval how often to show the message with our text field for the user that you need to do this and then do the update automatically if the user does not do it. That is my hope for the OS Updates/upgrades.
But in general, I do feel that Jamf should put more effort on the existing features to make them work flawlessly and reliably rather than generating new features. Updates, enforcing security like Fv are mandatory stuff that should just work and making those happen should be an easy task for the admins and clear thing for the end users also. Today there are as many scripts and ways to do OS updates as they are admins for the Jamf.
@rocketman - we finally got someone on the phone and found that an obscure setting that flushes the cache for known devices seems to have resolved many, but not all, of our issues. We are no longer seeing things be intermittent.
From what was described, without the setting, a rebuilt computer would not receive policies unless manually pushed due to how Jamf works, a little silly to say the least.
We still face issues with FV however.
We've found that making a user an admin through the AAD manifest method lets them encrypt fine, but Jamf does not recognize that they are encrypted until we manually force a jamf recon on the device itself.
Checking what we have policy wise, we have 2x FileVault policies set, at the recommendation of the guy who did the JumpStart -
I'm not sure of the point of no.2 as if its already encrypted, why do we need to rotate the key?
Our re-enrollment policy flush settings wern't turned on in our Jamf Pro server. So every time my test student lab machine went through device re-enrollment I was manually flushing the program policies I wanted to deploy during testing. It wasn't until I started going through each of the global settings icons and started reading the pages of the Admin guide for each one that I found the re-enrollment settings and saw they hadn't been properly configured.
I'm afriad it's a case of you have to go through the Jamf 100 course videos, then you have to start watching all the videos in the training catalogue, then you have to start going through each icon in the settings control panel and read its coresponding admin guide documentation.
I'm finding the more I learn, the better Jamf works for me and the more I find the settings that haven't been configured properly by the previous employee who didn't configure the Jamf server properly in the past 6 years.
They also didn't turn on Automated Device Assignment in our Apple School Manager and were manually assigning devices to the MDM servers because....why? O_o? They also never set up prestage enrollments or smart groups for those enrollments.
Jamf is not without it's flaws but as a product I think it is improving with each version.
There is a best practice article for deploying a wallpaper to computers and an example video in the training catalogue
I've followed this and my custom wallpaper deployed to all our student lab machines last week without any issues.
There were some issues of some large apps not downloading properly leaving a ? on the dock. We're using Jamf Pro 10.21 which can only do run-once for policies but 10.23 can do run-once 'until successful' which should fix that issue once we upgrade.
Going into the policy log, finding the machine that failed and flushing the policy fixes the problem.
My packaged apps deploy as soon as the client checks-in with a randomness of 300 seconds so they dont all kick off at the same time. Check your computer management/check-in settings in the Jamf control panel to see how often your cleints are checking in? Make sure it's not set to some crazy number. Ours is set to every 15 - 20 minutes.
@mainelysteve unfortunately for us, the guy we had, whilst he seemed quite nice, was clearly going through a list of motions he'd gone through 1000x. Understandable, but we're finding that more and more of the 'recommended settings' that we rushed through were in actual fact awful for any live environment.
@bibandym Have you considered signing up for the Jamf online training courses, specifically the 100, 200, and 300 classes? (I wouldn't recommend the 400 until you have some in-depth experience with Jamf Pro). To follow your deep end analogy, a Jump Start is kind of like a life preserver, and the 100 through 300 classes are swimming lessons that will make your time in the pool much more enjoyable, or at least bearable. The 100 is free, and your best deal for doing both the 200 and 300 is a Training Pass as it's less than paying for the classes separately.
I'm curious about the two FileVault related policies you mentioned. Both questions revolve more around the scope.
1. Enable Disk Encryption, Individual File Vault - ongoing - check-in & enrollment.
For the first one that is set to ongoing frequency and triggered by the check-in, is that at least scoped to a smart group of unencrypted computers? I used to do a lot of ongoing policies scoped to smart groups, but after a few issues with failing policies, I've started using more 'once per computer' policies that get flushed on re-enrollment instead to avoid possible loops.
2. Generate New File Vault Key - Once per user, per computer, - check-in.
Similarly, is the second one just aimed at computers that were encrypted prior to enrollment in Jamf? If so I completely understand, but if if it's set to all computers, I would also be confused.
I feel like you are so close with those if they are scoped properly. FWIW, let me point you to the following technical paper from Jamf:
This is the paper I keep in my back pocket when I work with clients on FileVault.
I agree with @snowfox and @sdagley that the JumpStarts are great for getting the ground under your feet, but the only real way to learn Jamf is to use Jamf. And beyond that, to use it beyond your current comfort zone. I've been taking the 400 class every year for the last four years because it's the one class that is different and pushes me every time. But to get started, the 100 class is free (except the certification exam) and online and self-paced.
Let us know how else we can help.
And @mainelysteve, I read your comment:
My jumpstart was wildly different and while the guy was very hyper and talkative...
And had to make sure it wasn't me. 🙂
but Jamf does not recognize that they are encrypted until we manually force a jamf recon on the device itself.
Is there any way you could run the jamf recon command after your encryption policy in order to automate it?
I name my lab computers using a script and the name doesn't update on the Jamf record until I run a Jamf recon command using the files and processes payload in a policy. You could also run the command in a script: