Jamfpro for developers

questionibble
New Contributor

Hi,
My company wants to start using Jamfpro because of high standards of data compliance required by our clients (healthcare, EU).
So far so fair enough.
I have some concerns though about how much this change will impact upon our development since we are a small company without dedicated devops or sysadmins and a small back-end team.
I work in data, R and python, and am the only person working with these at the company.
My concern is how much Jamf will impact on my working life, that it will prevent me building packages from CRAN/Anaconda or restrict my use of packages from github etc..., or any time a package has a missing dependency..
Rather than some kind of "Jamf is good" answer, which would be par for the course for the Jamf community, could someone point me to the relevant aspects of the kit? In particular, restrictions placed on repositories, whitelists, blacklists. It's a lot of documentation, I am not a sysadmin so any kind of head start would be a help.
Also, links to anecdotes about how teams overcame such issues would be very helpful.

More generally, we are not going to be getting a sysadmin or devops to help us with the transition. Does this make sense to people (salespeople excluded)? Is Jamfpro really good enough for a CTO to set up and manage alongside a thousand other tasks? It's not coming along for another few months, but I think it's kind of part of my job to already start worrying about how it might become an infrastructural death march if not done properly. (I've seen that happen with a top-down rushed AWS--->Azure migration at a previous gig, it was not pretty and we still carry the emotional scars..)
Thanks!

5 REPLIES 5

sdamiano
Contributor

The jamf binary itself isn't going to prevent you from doing anything on your machine.

Any restrictions put in place on your computer would be done by the administrator. The jamf binary itself cannot do anything without being told to execute commands that are set by the administrator. Anything that can be set as a bash script can be done by an administrator. You would have to have a conversation with whomever is doing the setup.

nelsoni
Contributor II

Jamf does not funtion like anti-virus if that is what you are getting at. It applies config profiles that are scoped based on how the admin decides to scope it. This includes things like KEXT approvals, PPPCs and other various mac settings that need an MDM to be set. This is directed by Apple with the direction they are taking MacOS. Any interference with your day to day opperations will have to be discussed with your Admin.

mm2270
Legendary Contributor II

Like @sdamiano mentioned, the jamf framework, which consists of a few binaries (/usr/local/bin/jamf being the main one) and some LaunchDaemons and LaunchAgents primarily, won't do much on their own. The Launchd jobs do run periodically, but only to check if something the administrator has set up should execute, or to capture some inventory data for reports. The agents/daemons will have a negligible impact on your computer usage. There are already dozens of daemons and agents running on your Mac and they don't impact anything.

The main thing I would discuss with whoever your Jamf admin will be is keeping your admin rights. If there's anything I can say that will have a detrimental impact on you as a developer, it would be losing admin privileges on your account. It's not uncommon for IT admins to think that now that they have some control over devices, they can remove local admin rights from users (there is Self Service they will argue), but unfortunately some of the tools you likely use will require you to enter admin credentials to complete their tasks. Those aren't things that are easy to accomplish when running as a standard account, especially if your company doesn't have someone that has a lot of experience putting those restrictions in place. I don't know if that's the case or not, but I would definitely bring this up in a discussion with them.

rseeley
New Contributor III

Things such as placing restrictions on repositories, white/black list is going to be done by whatever handles your network policies, ie: the firewall or a service like Cisco Umbrella. This is not the roll of JAMF.

JAMF's job is to provide a central interface to give visibility and management to all the Macs on the network. For example installing software and making sure it stays up to date. Also configurations on the Mac such as power settings, encrypting the hard drive, printers, wifi profiles.

Out of the box Jamf wont prevent you from doing anything you're able to do now. However an admin could implement policies which can lock down the machine. If those policies affect you being able to do your job, thats a conversation youll need to have with the admin.

Errick_Pfuhl
New Contributor II

In addition to what everyone else is saying, I strongly recommend having a sysadmin with knowledge of server operation, installation, and maintenance - otherwise you might have a difficult time maintaining the back end if you run into any issues (unless someone at your company happens to have this knowledge). Personal preference, spin it up on a Windows or CentOS server (ubuntu works too, but my experience is in RHEL and CentOS).

But like everyone else has stated, jamf will not block any of your work.

To your question regarding "manage along with a thousand other tasks" - depends on how well the individual can function with software/infrastructure they may or may not be familiar with and how good your incident response is. We can't really make that determination for your org.