How Do You Deploy Specific Apps To Specific Computers During Enrollment?

We use LDAP to populate the department and building fields for JAMF, we then scope policies based on those departments or buildings. We run in an education environment so we also utilise the telephone field from AD with year level or staff tags, then we use smart groups by setting the criteria "phone number is 'STAFF'" we can then scope to certain year levels or just staff members.

Thanks for the replay, @James.Shaw ! If I understand you correctly (and let me know if this isn't right) it sounds like you deploy certain apps to every member of a department. I think what we're trying to do is deploy apps on a more granular basis. For instance, we have a database somewhere that says team member X gets Slack, Evernote, and Sketch. And somehow Jamf communicates with that source of truth and installs those specific apps on the specific team member's computer automatically after enrollment.

We use Prestage Enrollments to segregate our users (staff, students, cart devices, support staff) and scope apps based on their pre-stage enrollment. Some things we force on everybody in a group (e.g. wifi configs), others we let them use Self Service so they have the choice (e.g. Microsoft Office). For more specific groups (e.g. Students in the App Development class), we'll just use a static group to make sure those students get Xcode.

Thanks for the response, @larry_barrett! So does that mean you're manually assigning each Mac to the appropriate Prestage Enrollment before that first boot?

@john.sherrod kinda. When we get a new shipment of devices in we can assign them to the appropriate prestage. This is more of a factor at the end of the school year when the graduating class leaves and the devices are wiped and put into the appropriate prestage for the next class (e.g. Prestage Enrollment 2020 gets put into Prestage Enrollment 2024) and wiped. For staff, as an example, they get put into the Staff Prestage and wouldn't necessarily wipe until replacement.

My prestages look like this:
Staff
Student Macbooks 2017
Student Macbooks 2018
Student Macbooks 2019
iMacs
School Board
Mobile Carts

I use some Smart groups that pull in the Prestages (e.g. Student Macbooks Smart group is populated by Prestage Enrollment 2017-2019). This will let me target things on the wider scope, like every student gets Google Chrome or Adobe Flash. For me its a way to keep each grade level seperated. Some apps (e.g. Chegg Flashcards) go to all the 7th & 8th graders, but not 9-12.

Thanks again, @larry_barrett! Really helpful for me to see what methods others are employing to do this. Would love to hear from as many people as possible to get as many ideas as possible!

Hey John, we also support a K-12 environment. I started off in a similar manner using multiple prestages for each section of our district. Down the road it started to get annoying managing prestages and moving devices around if I needed them in a different PreStage for some reason. What we did to simplify things, was create a single prestige enrollment called "District DEP". All of our groups are made with smart groups based off of the user inventory fields which are populated by out Active Directory. We even have a "graduating year" field which is how we separate our scopes by grade level. Either way, it works. I just got tired of checking boxes or changing the prestage groups with the MUT tool.

and on the iOS side, we use the same workflow but we add the JAMF Reset App workflow as well. This gives some of our less technical users the ability to help restore devices as well.

Thanks for the reply, @Jalves! That's really helpful. Yeah, we currently use a single PreStage enrollment. We're starting to build out Active Directory groups where our Procurement and Identity and Access teams add users once they've been approved to have a specific app. So like an Evernote AD group for instance. I'm currently thinking of basing my app installs around that. So maybe have a post-enrollment policy for each of our common apps that's scoped to all computers enrolled in the last week but limited to the appropriate AD group. Just curious how others do similar things. I know many organizations just make things available in Self Service for the end user to install or not install later which is also a valid way to do it.