Most Common Config profiles & restrictions

khey
Contributor

Hi guys,

We are a medium-sized company and at the moment we have about 100 OS X devices and growing. Most of the users are in IT (developers) and Marketing (visual designers).

We have just implemented Casper and finished enrolling devices and are wondering what the most common (standard) config profiles and restrictions are?

At the moment we are thinking of enabling FileVault, locking down USB and disabling Sharing in system pref so users can't modify the computer name and disable remote management.

Please share pros and cons of the profiles as well if you have any.

Looking forward to any feedback.

Thank you.

5 REPLIES

talkingmoose
Moderator

What's important for your environment? Asking what most folks are doing isn't really a recipe for what you need to do.

Is data security important to your company (e.g. company secrets) or is data transient and unimportant (e.g. kiosk computers)?

Is network security important to your company (e.g. restricted access to file shares and Internet) or is Internet access open for everyone (e.g. guest network)?

Is software management important to your company (e.g. you allow only properly licensed software) or do you allow users to install their own software (e.g. from the Mac App Store)?

Are users admins or standard users on their own computers? Admins can do pretty much anything they want regardless of management you apply. Standard users rely on you for everything they can't do themselves.

Your use of configuration profiles and restrictions should reflect your company's policies. Don't apply any more than the absolute minimum necessary for what you discover you need. Manage with a firm hand but a light touch.

So, what do you need to accomplish?

davidacland
Honored Contributor II

Personally I would go for a light touch and only add restrictions if there is a real need (like complying with a certification the company has).

The main reasons being:

  • Each config profile you add will need to be tested each time you upgrade the OS, so the more you have, the bigger the job you are creating for yourself
  • If the devices are too locked down, you may get a steady increase in resistance

This is even more important given that most of the users are developers, as they are likely to just circumvent systems you put in place if they are too heavy-handed.

I'd recommend checking out the security presentation from Facebook at the recent Penn State Macadmin conference. The first 15 mins was about their approach to locking devices down as most of their users are developers: https://www.youtube.com/watch?v=arOO3UUedeA&index=19&list=PLRUboZUQxbyVydhdMcxGGfEaZc2sFdQk8

khey
Contributor

Hi guys,

Thank you for your responses.

Data security is definitely important for us and hence the need of encrypting the disk.

Network security not as much, as we use a proxy server, Zscaler, that requires AD authentication to get access to the internet.

Software management is also important to us as we really want to lock down the 3rd party software updates such as Microsoft Office and only make the updates available, preferably on Self Service, after we have tested the update. At the moment, all users have admin access and do updates when they get the notifications. Many times Helpdesk gets a call from users saying that their Outlook doesn't work after the update and we really want to avoid this. I was told that there is no way to manage 3rd party software through Casper. Is that the case?

I will definitely watch the video!

Thank you.

davidacland
Honored Contributor II

You can patch third party software with Casper, it can just be a bit manual in some cases.

You can use AutoPkg and JSSImporter to automate a lot of the process.

RobertHammen
Valued Contributor II

You can manage third-party software through Casper, there's just currently no automatic way to do so. Going to require you to learn about how to manage preference files and deploy update packages, etc.