We're looking at enhancing our new Mac deployment process so that the proper apps get installed on the proper Macs automatically after enrollment. Does anyone utilize a process like this, and if so, what is the process you employ for accomplishing this? Do you have a script that retrieves data from some source outside of Jamf? Or do you scope apps to LDAP groups and drop users into the proper groups? Would love to know how others are accomplishing this.
We use LDAP to populate the department and building fields for JAMF, we then scope policies based on those departments or buildings. We run in an education environment so we also utilise the telephone field from AD with year level or staff tags, then we use smart groups by setting the criteria "phone number is 'STAFF'" we can then scope to certain year levels or just staff members.
Thanks for the replay, @James.Shaw ! If I understand you correctly (and let me know if this isn't right) it sounds like you deploy certain apps to every member of a department. I think what we're trying to do is deploy apps on a more granular basis. For instance, we have a database somewhere that says team member X gets Slack, Evernote, and Sketch. And somehow Jamf communicates with that source of truth and installs those specific apps on the specific team member's computer automatically after enrollment.
We use Prestage Enrollments to segregate our users (staff, students, cart devices, support staff) and scope apps based on their pre-stage enrollment. Some things we force on everybody in a group (e.g. wifi configs), others we let them use Self Service so they have the choice (e.g. Microsoft Office). For more specific groups (e.g. Students in the App Development class), we'll just use a static group to make sure those students get Xcode.
@john.sherrod kinda. When we get a new shipment of devices in we can assign them to the appropriate prestage. This is more of a factor at the end of the school year when the graduating class leaves and the devices are wiped and put into the appropriate prestage for the next class (e.g. Prestage Enrollment 2020 gets put into Prestage Enrollment 2024) and wiped. For staff, as an example, they get put into the Staff Prestage and wouldn't necessarily wipe until replacement.
My prestages look like this:
Student Macbooks 2017
Student Macbooks 2018
Student Macbooks 2019
I use some Smart groups that pull in the Prestages (e.g. Student Macbooks Smart group is populated by Prestage Enrollment 2017-2019). This will let me target things on the wider scope, like every student gets Google Chrome or Adobe Flash. For me its a way to keep each grade level seperated. Some apps (e.g. Chegg Flashcards) go to all the 7th & 8th graders, but not 9-12.
Hey John, we also support a K-12 environment. I started off in a similar manner using multiple prestages for each section of our district. Down the road it started to get annoying managing prestages and moving devices around if I needed them in a different PreStage for some reason. What we did to simplify things, was create a single prestige enrollment called "District DEP". All of our groups are made with smart groups based off of the user inventory fields which are populated by out Active Directory. We even have a "graduating year" field which is how we separate our scopes by grade level. Either way, it works. I just got tired of checking boxes or changing the prestage groups with the MUT tool.
and on the iOS side, we use the same workflow but we add the JAMF Reset App workflow as well. This gives some of our less technical users the ability to help restore devices as well.
Thanks for the reply, @Jalves! That's really helpful. Yeah, we currently use a single PreStage enrollment. We're starting to build out Active Directory groups where our Procurement and Identity and Access teams add users once they've been approved to have a specific app. So like an Evernote AD group for instance. I'm currently thinking of basing my app installs around that. So maybe have a post-enrollment policy for each of our common apps that's scoped to all computers enrolled in the last week but limited to the appropriate AD group. Just curious how others do similar things. I know many organizations just make things available in Self Service for the end user to install or not install later which is also a valid way to do it.