JSS Granular Privileges

aburrow
Contributor

We're looking to move multiple VPP accounts into JSS and would like to allow those staff responsible for their sections access to JSS so they can manage the entire process from purchasing in Apple VPP through to deployment to their iPads.

Can this be done?
I'm not sure which privileges I should be giving to allow this without allowing access to everything. Is there a spreadsheet or something similar available that would help with this?

1 ACCEPTED SOLUTION

bburdeaux
Contributor II

As a baseline you'll need the following:

  • Read access to Mobile Devices
  • Full access to Mobile Device Apps
  • Create* and Read access to VPP Admin Accounts

Aside from those, I'd recommend giving access to User and Mobile Device groups, at your discretion, depending on how you intend to scope your apps.

* I know that Create access is needed on Jamf Pro 10.1.1 in order to use the "Update Purchased Content" tool to pull new licenses into the JSS, but this feels like a bug to me so I don't know if it's needed in other versions.


3 REPLIES 3

aburrow
Contributor

Thanks for that, I'll give those settings a go.

m_donovan
Contributor III

I would recommend a more centralized approach. Depending on how many people have the ability to add apps to the JSS it can get out of control fast. In our situation we have applications duplicated 20 times because 20 different campuses want to use it. With multiple people adding applications the vetting process is not easily enforced. We are currently at 5539 apps in the JSS with a huge number of duplicates.