Mac Labs: Shared Device Methodology Using Jamf Pro

smallchange
New Contributor

Hello Everyone,

 

I've seen a few posts surrounding this topic, but haven't really found an answer that I am satisfied with quite yet. My team manages somewhere around 400 iMac / MacBook devices that are either located in a shared lab setting, or loaned out to users for an allotted period of time. Our user base loves these devices, especially students who are in more creative classes using Adobe products. Currently we are provisioning these devices with automated device enrollment and policies targeting Smart and Static groups. As a quick note, I am fairly new to Jamf, and Mac management in general.

 

I'm sure many admins in Higher Ed have faced this issue in Mac lab settings; how do we handle devices being used by multiple users? What I mean by that is, how can we provide a fresh OS and Mac desktop experience for each user as they sign on to a device? How do we prevent the device from filling up as users store their data there?

 

We currently utilize Deep Freeze, which wipes the iMac of any changes that occurred during a session as soon as a user logs out. However, this software is a logistical nightmare when it comes to updating software, patching macOS, deploying new applications and policies, and re-imaging/deploying devices. My goal is to somehow do away with this software and our current methodology used to keep the Mac lab devices clean for each individual use. The end user experience is currently seamless, they sign in and the desktop appears as an out of box (branded) experience, with all the tools they need at their fingertips. I would love to replicate this end user experience, while also enabling myself and fellow system admins to manage these devices in a more efficient fashion.

 

If anyone has any experience with this I would love to learn about it. I can also provide more information if that would help clarify anything. Thanks in advance for your thoughts!

8 REPLIES 8

arnoldtaw
New Contributor III

I've previously used Deep Freeze to deliver the same type of experience to end users also in a Higher Ed environment.  Maintenance Schedules was one of the features we relied on. At one point, they removed the Maintenance Schedule feature for macOS and it was complete chaotic for us. Later on, they brought back Maintenance Schedules.

 

For software updates, macOS updates, try using Deep Freeze Maintenance Schedule together with Jamf Policy with Client-Side Limitations.

For re-imaging/deploying devices, If your workflow is set to be fully automated (runs all polices and settings without a technician logging in to initiate the deployment process), you can leverage startosinstall with eraseinstall flag. Which will bring the device back to service with one click or one Jamf Remote command. 

PaulHazelden
Valued Contributor

In our Labs we use iMacs and Mac Mini's. For multi user sign in we use NoMAD to authenticate the Users. Each User gets their own account on the Mac. We find that students will tend to use the same Mac in each room, so they do not end up with multiple logins in the same room. They are encouraged to store all of their work in Google Drive.

Filling up space is an issue for us, especially in a few of our Music Labs. I run a Smart group to look for Macs with less than 30Gb remaining. Then I will email the tutors and get them to sort out the issue. I also run a script that pops up a notification at each log in to each user informing them of how much space they are using. I used to run a script every weekend that did a big purge on all accounts on the Mac, leaving some settings alone, but clearing out their files, but it appears Apple has now made that not work, time to hunt a new method out. If between the students and tutors the Mac stays in the critical low space list, I will then give them a week, and remote in and start deleting files based on last use or sign in. They do have Google Drive, so anything left on the Mac is supposed to be backed up.

For us MacBooks are a single user device. And again they have Google Drive to back up into.

 

We have found that totally wiping accounts off the devices all the time, tends to in the end waste time. Each fresh login takes longer to complete, they have to sign in to Drive again, and wait for it to synch etc. Hence my script only removed the generally bulky stuff, leaving the settings for accounts in place. But that doesnt work now, so I rely on the tutors to get it sorted out. Running the purge on the accounts at the weekend meant the students could work freely during the week, and then back up everything by the end of the week. Again purging daily or at log out, also wastes teaching time as they have to spend however long it takes at the end of a session backing up their work.

Out of around 400 Macs, so far since last Autumn we have only had issues on about 10, and that was a big project the students were working on with a lot of 4K video files. Generally they are good at managing their space useage, and are considerate. I am not sure if that is the threat of them loosing everything if they dont.

Basic question, so where do the users come from?

Our users are authenticated on the Mac by NoMAD, which is pointing at our LDAP server to aquire the accounts.

FutureFacinLuke
Contributor II

Our students us a mix of OneDrive, Adobe Cloud and a couple of SANs for mass storage, I have a fairly brutal policy (custom trigger: order66) that runs overnight and deletes all user accounts on Macs with less than a certain amount of free space left. You could go one further and take the Apple Store approach of eraseInstalling each Mac every night.         

mickgrant
Contributor II

We use a guest account. everything gets deleted at every logout.
We use google drive and students are taught that it's their responsibility to save their work in the appropriate place or its gone, no if no and no buts

smallchange
New Contributor

Thank you all for your input on this, I am going to investigate all the solutions you provided and will follow up if I have any success! 

jpeters21
Contributor II

I guess my best recommendation unless you have an example of something you are having problems doing is to watch the Jamf raining videos. We dropped Deep Freeze when faronics started telling us we had to disable SIP (which to me was the equivalent of telling us they really did not support Mac), about the same time altering the default template stopped working.

storage would be easy enough, make a bash script to delete the contents of /Users/.. then there would be quite a few different ways to apply that in a policy to run at startup or shutdown but I would probably point a policy with said script  at  a smart group based on "Boot Driver Percentage Full" or "Boot Drive Available MB" .