Posted on 03-23-2020 10:21 PM
Wanted to share some work I was doing as a proof of concept in preparation for staff working from home and students transitioning to remote learning at my University. This can be adapted to any organisation and I'd love to hear what others are doing to empower their users and help them gain access to software and services.
With Jamf's announcement to provide extra licensing at no cost, you could do this now and not have to worry about seeking financial approval for more licences. Some of us are about to ask 1000s of users to start using their own devices without knowing what kind of state they are in. Self Service is a great tool to help IT and users through this period.
What I wanted to achieve:
- Onboard users quickly with access to software, knowledge and training.
- Address issues relating to unsupported macOS versions and software behind in patching.
- A mechanism to publish updates and notifications for new software as they became available.
- Reduce tickets to my service desk for common software requests and setup.
- Identify personal machines for easy removal from Jamf later on.
The changes I made:
- Made two Sites - University Owned and Personally Owned Macs
- User-Initiated Enrollment - Defined my Staff LDAP group to be able to choose any Site, and my Student LDAP group to enrol in Personally Owned Macs.
- One Smart Group - Site is Personally Owned Macs, no criteria. All machines enrolled to that option will be used for Scoping policies.
- Policy Exclusions - I reviewed each policy that had a software licence or action not applicable to personal machines, and excluded it using the Smart Group.
Video of enrollment process here.
I haven't communicated this as being available, but I've already had 8 people enrol personal devices. I interviewed 2 of them today and got some great feedback; here is how it's going so far:
- Our automatic patching updated browsers and other at-risk software.
- One user reported that installing software fixed an issue our Helpdesk was having trouble troubleshooting.
- One user had to borrow their parents' iMac and found Self Service easy to use and got set up with our working-from-home apps quickly.
- We have already packaged and made available vendor supported extended trials for two software titles and advertised them to Personally Owned Macs.
If you have other workflows, suggestions or things to share to help other admins, please feel free to share. Cheers!
Posted on 03-24-2020 06:23 AM
This is great! Out of curiosity how did you brand the enrolment pages? Do you have an on-premise instance?
EDIT: no worries I've discovered how to change the settings.
Posted on 03-24-2020 02:55 PM
@jamtay and others who wanted to customise their enrolment pages: you just need to edit in Markdown. I used this reference, which has simple examples.
Posted on 03-24-2020 04:55 PM
Keep in mind that if you choose to have two sites, that means for VPP apps, you'll have to buy them twice, deploy them twice, etc.
Posted on 03-24-2020 04:57 PM
Just an update. We're seeing delays through approved Apple hardware procurement channels for some models, so some staff are getting exemptions and buying from retail. Our deployment techs are also not able to do their normal deployments in some cases now with social distancing.
I'll be modifying our Self Service options to make it easy for regular users to set up new machines using self-enrolment. Staff Pack is a Self Service policy I'll probably turn on for everyone, which deploys our core University apps quickly.
Posted on 03-24-2020 05:10 PM
@tcam Good point. I checked my setup and it looks like I had all the apps (free) set to None, so I believe both Sites will get it, I think!
Posted on 03-24-2020 05:16 PM
Did they change that? Back in the day, having two sites was like having two JAMF instances. Like everything: policy, VPP account, VPP app, had to be in one site or the other.
Posted on 03-24-2020 06:31 PM
@tcam It's been possible to create policies and do things at the "None" level that can be scoped to any and all sites for a while now. We've been doing this for several years. You just have to be careful not to have site policies that may conflict with things at what I call the root level (None).
Posted on 03-25-2020 04:47 PM
Just another benefit I wanted to share that I hadn't considered.
We all know how confusing it must be for users with KEXT and PPPC approvals for various software. Our WFH recommended software would be throwing up popups for things like Box, Zoom, Citrix Workspace, Cisco AnyConnect etc.
Highly recommend the Privacy Preferences Policy Control (PPPC) Utility for creating PPPC approval Config Profiles.
Posted on 04-28-2020 10:38 AM
Hello @davidhiggs I was curious, the icon you used for your Staff pack, did you find that somewhere or did you create this in house? We are just now exploring a BYOD model for our students. I want a proof of concept and having something like you created with the staff pack would be awesome. This way, enrolled student Macs could get the needed apps all in one install.
Posted on 04-28-2020 06:30 PM
Just rolled my own using the https://pixlr.com/x/ online editor; it was easy enough to layer a few icons on top of each other!
For the policy, I ended up using a script to call my software policies using custom triggers. That way I didn't have to duplicate work to maintain them later on.
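The kind of "Staff Pack" script described above, written here as an added example (not @davidhiggs' own script): one Self Service policy that fires the custom triggers of the individual software policies, so each app keeps a single policy to maintain. It assumes the jamf binary at /usr/local/bin/jamf; the trigger names are hypothetical placeholders.

```bash
#!/bin/bash
# Self Service "Staff Pack": install the core app set by firing the custom
# triggers of the existing per-app policies, so each app's package, version
# and scope stay maintained in exactly one place.
# The trigger names below are hypothetical placeholders, not real policy names.

JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"
STAFF_PACK_TRIGGERS="install_zoom install_box install_citrix_workspace install_anyconnect"

# Fire one custom trigger; returns the jamf binary's exit status
# (127 if the binary is missing, so the failure is visible in the policy log).
run_trigger() {
    trigger="$1"
    if [ ! -x "$JAMF_BIN" ]; then
        echo "Staff Pack: jamf binary not found at $JAMF_BIN" >&2
        return 127
    fi
    "$JAMF_BIN" policy -event "$trigger"
}

# Fire every trigger, continuing past failures so one broken package does not
# block the rest. Returns the number of failed triggers (0 = all succeeded),
# which becomes the policy's exit status and shows in Jamf as a failed run.
run_staff_pack() {
    failed=0
    failed_list=""
    for trigger in $STAFF_PACK_TRIGGERS; do
        echo "Staff Pack: running custom trigger '$trigger'"
        run_trigger "$trigger"
        rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "Staff Pack: '$trigger' completed"
        else
            echo "Staff Pack: '$trigger' failed (exit $rc)" >&2
            failed=$((failed + 1))
            failed_list="$failed_list $trigger"
        fi
    done
    if [ "$failed" -gt 0 ]; then
        echo "Staff Pack: $failed trigger(s) failed:$failed_list" >&2
    else
        echo "Staff Pack: all triggers completed"
    fi
    return "$failed"
}

# The last command's status becomes the script's exit status for Jamf's policy log.
run_staff_pack
```

Each software policy needs its custom trigger enabled and the same Site/scope as the Staff Pack policy, otherwise `jamf policy -event` finds nothing to run and reports success for that trigger.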
Posted on 04-30-2020 09:49 AM
@davidhiggs I know you mentioned sites, outside of organizing personal vs college owned devices, is there any other advantage? I attempted to see how I could scope or use smart groups to identify those systems belonging to one site or another. I couldn't find a way to deal with the idea of sites for personal devices. I'm trying to create a model to demo this concept to our leadership over the next month, to explain what could be done.
Posted on 04-30-2020 07:25 PM
@mconners It might be that you have different organisation policy for personal vs. business. E.g. you may want to force a software removal/update on a college-owned Mac but leave personal devices alone, even if it's in their best interest. Or not allow Terminal.app to be used on college devices, but you don't control that on personal devices.
My staff LDAP group can enrol into any site, University Owned or Personally Owned (you could have more). My student LDAP group are forced into Personally Owned, so they won't see the choice on enrolment. To ensure people outside of these groups can't enrol, I have All LDAP Users set to No.
Once you have your Sites set up, you'll see a new option in Smart Groups. You want to choose your Site that relates to personal computers. This is how I set up a smart group that only includes people enrolled as Personally Owned. Note that not having criteria will include all machines, which is what you want.
Posted on 05-05-2020 11:30 AM
@davidhiggs what have you folks done to support licensing issues? For instance, when you license a piece of software, typically that license is for college-owned equipment. Do you have new arrangements in place to allow those with BYOD to acquire and use the software via Self Service?
Posted on 05-05-2020 07:19 PM
@mconners fortunately most of our core software works on an SSO and can be used on personal machines. For everything else, it's a bit of a process to find out if it can be used off campus. Most vendors seem to be offering extended trials, so we found that more suitable to promote and we'll reassess as needed. Some have great options with different licence keys, some offer nothing at all.
Below is a sample of what we added for IBM SPSS, a simple set of instructions with the app packaged ready to go. Policy set to expire 15th June.
Posted on 05-06-2020 06:48 AM
Thank you @davidhiggs this is helpful. We have not configured SSO in our case, but we are working on it now. We will be using Azure.
I read your reply above and was thrown off a bit. You mentioned, "...our core software works on an SSO..." What do you mean by works on an SSO? I might be thinking one thing while reading this and was thrown off a bit. If you could explain the context of an SSO, that might clear things up.
Posted on 05-06-2020 06:55 AM
@mconners to clarify, for our core software and services we usually have a site licence and it can be accessed by signing in with their University identity. As such, there’s no risk with software licences on personal machines if the identity ceases to exist at any point in time.
Posted on 05-06-2020 07:01 AM
Posted on 05-11-2020 07:29 AM
Sorry @davidhiggs, one other question. This is all new to me and I'm trying to get my head around it. For your user-initiated enrollment settings, what do you have set up for the General tab?
Posted on 05-13-2020 06:47 PM
@mconners I only have "Skip certificate installation during enrollment" ticked as I have Jamf Cloud, but I also had this ticked when on-prem and had an SSL certificate signed by a third-party vendor.