Posted on 02-13-2023 04:07 AM
Hello Everyone,
My company is slowly moving into the Apple ecosystem and I was put in charge of setting up MDM with Jamf. I do already have some good experience with Apple itself from previous days working at the Genius Bar. But not at the enterprise level. I want to set this up right initially so that it makes the lives of everyone else that interacts with it easier.
I've gotten the bare minimum done (set up Apple Business Manager, Jamf 100 cert). And we plan on using Intune for identity management, which at the moment will mainly be used for iOS devices.
As the title says above, what are some best practices that I can follow now? What automations feel like magic? What pitfalls should I expect to run into?
Any tips would be greatly appreciated.
Posted on 02-13-2023 05:04 AM
You are already off to a good start.
You pointed out your first challenge. Your Genius Bar experience will not help much in an administrative capacity. Apple teaches you the consumer side of their products; MDM is a totally different beast. Troubleshooting MDM workflows is totally different than troubleshooting consumer workflows. Look over Apple's Deployment and Management training even if you don't plan on taking the exam.
https://it-training.apple.com/tutorials/apt-deployment
Use Automated Device Enrollment for organization owned devices. This will require you to reprovision your existing iOS and macOS devices because thanks Apple. Do not rely on user enrollments.
I cannot stress this enough. Manage Macs like Macs, not like Windows. If you expect the same workflows and results out of macOS as you do Windows you will have a lot of problems and disappointments. Apple builds a lot of their functions off of Automated Device Enrollment. Apple also does not give two poops about centralized identity management; do not domain bind. If you need some kind of central identity management look into something like JAMF Connect for the most Windows-like experience; if password syncing is all you need look into Apple's SSO Connector, NoMAD, Okta Verify, etc.
As an admin, accept that anyone who does not work daily with Macs and iOS will complain as your data and workflow is not the “Windows way”. Be ready for a lot of pushback because you cannot replicate a given GPO configuration, or collect the same kind of data in the same way.
You mention Intune; just to note, Intune is also an MDM. You cannot use multiple MDMs on one device, it's JAMF or Intune. On macOS there is JAMF+Intune integration for conditional access; it's not worth the effort. Microsoft has no idea how to support it, and JAMF can do conditional access by itself.
02-13-2023 07:56 AM - edited 02-13-2023 12:10 PM
@teach02 I agree 1000% with @AJPinto that you should adopt Automated Device Enrollment (ADE) from the start of your deployment. There are already some management capabilities only available to ADE-enrolled devices, and I expect that list will expand in the future.
If you're looking for a workflow for ADE, the combination of DEPNotify and DEPNotify-Starter has been around for a while and is a good start. For an example of what can be done with DEPNotify see https://www.youtube.com/watch?v=HbKZ66F58qo
Another option is the combination of swiftDialog and @dan-snelson's Setup Your Mac script.
I disagree with @AJPinto that the Jamf & Intune integration isn't worth the effort. For some organizations it may be a requirement. The older Conditional Access integration was definitely a PITA to set up and the compliance check options in Intune were very limited. As of Jamf Pro 10.43 the new Device Compliance integration is supported for Macs, and moves the compliance check process from Intune to Jamf Pro which offers much more flexibility.
Posted on 02-13-2023 08:09 AM
@AJPinto & @sdagley have both given a lot of great advice. Just a few additional comments.
Take advantage of the Jamf Training Catalog. https://trainingcatalog.jamf.com/ You get access with your Jamf subscription. There are some really good getting started video series.
Don't try and do everything at once. Take small steps. Learn how configuration profiles work and deploy a few (I always suggest starting with a FileVault profile. Fairly simple to understand and deploy.) From there, create a policy to install a package. Try setting up the policy to install automatically, then another policy in Self Service.
Jamf Pro is a very powerful tool, but it is only as good as the administrator. There can be a tendency to overmanage the computers; start slow and learn what you need.
Finally, ask lots of questions. One thing I really appreciate about the Mac Admin community is that we are very open and want to help. I think Jamf's tagline of "helping organizations succeed with Apple" applies to the Mac Admin community. It is very likely that any issue or question you have will have already been asked.
Join the MacAdmin Slack community and ask questions. (Start with #jamfnation). https://www.macadmins.org/
Posted on 02-13-2023 12:14 PM
To be fair, the last time I tested Conditional Access was with 10.41. Though what left the bad taste in my mouth was Azure, not JAMF. Though we have a very heavily configured Azure environment which added to the complications and could be skewing my opinion.
10.43 just came out and I have not had my teeth into it yet. I just upgraded our on-prem instance to 10.42.1 two weeks ago. I really should give Intune integration another look.
Posted on 02-13-2023 12:07 PM
There can be a tendency to overmanage the computers; start slow and learn what you need.
@Tribruin This, very well put. Asking "why are we doing this" has become my first question whenever anyone asks to implement some new managed configurations.
Posted on 02-14-2023 01:35 AM
I'm glad you came in now, when we have conditional access rules in Jamf rather than the old Intune integration. I'm on the old integration and there is no plan from Jamf on how to migrate for us yet.
02-14-2023 05:58 AM - edited 02-14-2023 06:00 AM
@piotrr My suspicion is that there will be no simple direct migration mechanism, as that would entail having some way to create a Smart Group in Jamf Pro for the Device Compliance evaluation by extracting the existing Conditional Access configuration from Intune, and I don't believe there's any API to get that info from Intune (or if there's a direct match in criteria). I expect anyone who had invested significant time into setting up the old Conditional Access integration with Intune isn't going to be happy having to migrate to Device Compliance, but they will be much happier with the configuration process because it's much cleaner (with the caveat that we've just started testing the process of setting up DC here, but IMO it looks much better than CA).
02-14-2023 06:04 AM - edited 02-14-2023 06:04 AM
My compliance rules aren't that complicated and if all I have to do is create smart groups for evaluation and compliance in JAMF that correspond to our old Intune rules, I could have that done this afternoon.
I'm more worried about how to properly remove the old connections between Jamf and Intune, the old registrations on all these Macs, without breaking anything... which is why I'm glad teach02 won't have to go through that. :)
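As an added example (not code from this thread, from Jamf, or from any poster), here is the kind of Jamf Pro extension attribute script that ties Tribruin's "start with a FileVault profile" advice to the Smart Group based compliance evaluation discussed above: it turns `fdesetup status` output into a short, stable value a Smart Group criterion can match on, and flags a Mac that is still encrypting so it is not counted as compliant early. The exact `fdesetup` wording handled here and the sample strings are my assumptions; the functions are kept pure so they can be checked with captured text on any system.

```shell
#!/bin/bash
# Jamf Pro extension attribute (example, not from the thread): report a
# stable FileVault state for a Smart Group such as "FileVault Enabled".
# Assumed EA data type: String. Assumed fdesetup phrasing:
#   "FileVault is On." / "FileVault is Off."
#   optional extra line "Encryption in progress: Percent completed = N."

# Map raw 'fdesetup status' text to On / Off / Unknown. Matching on a fixed
# short value keeps the Smart Group criterion independent of any other
# text Apple may add to the command's output.
fv_state() {
    case "$1" in
        *"FileVault is On."*)  printf 'On' ;;
        *"FileVault is Off."*) printf 'Off' ;;
        *)                     printf 'Unknown' ;;
    esac
}

# A disk that is still encrypting (or decrypting) is not yet protected,
# so surface that separately rather than reporting a plain "On".
fv_in_progress() {
    case "$1" in
        *"in progress"*) printf 'yes' ;;
        *)               printf 'no'  ;;
    esac
}

# Compose the value written to the EA, e.g. "On", "Off", "On (in progress)".
ea_value() {
    state="$(fv_state "$1")"
    if [ "$(fv_in_progress "$1")" = "yes" ]; then
        state="${state} (in progress)"
    fi
    printf '%s' "$state"
}

# Only this top-level part talks to macOS; it is skipped elsewhere.
if [ "$(uname)" = "Darwin" ] && command -v fdesetup >/dev/null 2>&1; then
    raw="$(/usr/bin/fdesetup status 2>/dev/null)"
    # Jamf Pro reads the text between the <result> tags.
    printf '<result>%s</result>\n' "$(ea_value "$raw")"
fi
```

A Smart Group with the criterion "FileVault State is On" (EA name assumed) can then be the group the Device Compliance evaluation points at, and "is not On" gives the remediation scope.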