Posted on 02-13-2020 08:39 AM
Hi!
As my institution's Jamf admin I'm working on developing procedures to manage our to-this-point large pool of essentially unmanaged iOS devices. Prestage Enrollment isn't new to me, but managing iOS very much is. I'm currently working on bringing management to a pool of loaner iPads, but with an eye towards managing personally assigned iOS devices once I've got the loaners under control. I've been playing around with Jamf Reset, Jamf Setup, and Apple Configurator 2, and I'm still confused on a few points.
1) I think I already know the answer to this (No) but... there's no way to wipe an iOS device via Configurator, Jamf Reset, or any other method that wipes everything EXCEPT a wireless profile, right? Doing so would actually allow us to provide the "over the air" functionality everyone likes to talk about.
2) Activation Lock seems to be a sticking point. I definitely want "Prevent user from enabling Activation Lock" since that's burnt us before, but if I enable "Enable Activation Lock on the device (Apple School Manager, Apple Business Manager)" it seems like I have to share my Apple School Manager password with the students who work the loaner pool desk, which is a no-go. There's no other option than to leave Activation Lock off then, is there? Otherwise whenever they want to set up the device they're going to have to have that password.
3) For Jamf Setup, there's no way to control which devices see what items on the list, is there? As far as I can tell, all devices with Setup see all possibilities, which might allow users to select settings inappropriate for the device they're using.
Thanks for any light anyone can shed - I'm sure I'm not the only person to have these questions.
Posted on 02-13-2020 09:13 AM
1) I think I already know the answer to this (No) but... there's no way to wipe an iOS device via Configurator, Jamf Reset, or any other method that wipes everything EXCEPT a wireless profile, right? Doing so would actually allow us to provide the "over the air" functionality everyone likes to talk about.
2) Activation Lock seems to be a sticking point. I definitely want "Prevent user from enabling Activation Lock" since that's burnt us before, but if I enable "Enable Activation Lock on the device (Apple School Manager, Apple Business Manager)" it seems like I have to share my Apple School Manager password with the students who work the loaner pool desk, which is a no-go. There's no other option than to leave Activation Lock off then, is there? Otherwise whenever they want to set up the device they're going to have to have that password.
3) For Jamf Setup, there's no way to control which devices see what items on the list, is there? As far as I can tell, all devices with Setup see all possibilities, which might allow users to select settings inappropriate for the device they're using.
There is no way to pick and choose what remains on the device as far as I am aware. Everything will be wiped when wiping remotely with your JSS or when the user wipes with the Jamf Reset app.
If we do not want our users to enable activation lock (students for example) we prevent them from signing into iCloud, which in turn prevents activation lock from being enabled. We use the restrictions payload in a configuration profile to accomplish this and make sure that the "Allow modifying account settings (supervised only)" box is NOT checked.
I haven't tried this but in theory it should work - you could create two separate mobile device app entries for the Jamf Setup app, each with a different app configuration (a different list of options would then display in each app entry), and then you would scope each app entry according to which group of devices you want to see the specific lists.
Hope this helps a bit!
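An added example, not part of either post: a small audit that checks whether an exported configuration profile actually carries the setting described in the reply above. It assumes the "Allow modifying account settings (supervised only)" box corresponds to the `allowAccountModification` key in the Restrictions payload (`com.apple.applicationaccess`), and that the profile is an unsigned plist; the sample profiles, identifiers and SSID are constructed placeholders.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload
KEY = "allowAccountModification"  # supervised only; allowed when absent


def build_profile(allow=None, with_restrictions=True):
    """Build a constructed sample profile; every identifier is a placeholder."""
    payloads = [{
        "PayloadType": "com.apple.wifi.managed",
        "PayloadIdentifier": "example.loaner.wifi",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
        "SSID_STR": "EXAMPLE-SSID",
    }]
    if with_restrictions:
        restrictions = {
            "PayloadType": RESTRICTIONS_TYPE,
            "PayloadIdentifier": "example.loaner.restrictions",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            "PayloadVersion": 1,
        }
        if allow is not None:
            restrictions[KEY] = allow
        payloads.append(restrictions)
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.loaner.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000003",
        "PayloadVersion": 1,
        "PayloadContent": payloads,
    })


def audit_account_modification(profile_bytes):
    """Return 'blocked', 'allowed' or 'no-restrictions-payload'."""
    profile = plistlib.loads(profile_bytes)
    found = [p for p in profile.get("PayloadContent", [])
             if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not found:
        return "no-restrictions-payload"
    # Only an explicit boolean false blocks account changes (and so iCloud
    # sign-in); a missing key leaves the default, which is allowed.
    if any(p.get(KEY) is False for p in found):
        return "blocked"
    return "allowed"


if __name__ == "__main__":
    for label, data in [("unchecked", build_profile(False)),
                        ("checked", build_profile(True)),
                        ("key missing", build_profile())]:
        print(label, "->", audit_account_modification(data))
```

Anything other than `blocked` means the profile would still let a user sign in to iCloud on the device.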