Posted on 02-19-2020 12:00 PM
Hey Guys and Girls!
I'm an experienced Mac / Linux / AWS Sysadmin. I work for a group of music universities around Europe, just started a new role as Jamf Infrastructure head for our 700 strong Mac fleet, but they are using probably 30% of its functions and potential. I've used Puppet, Chef, Salt, DS, and Munki professionally so I have a deep understanding of deployment technologies. I've built my own open source solutions in the past.
I've used Jamf at Apple HQ 6 years ago, but only for Self Service and minor pushes (no 0 touch DEP etc). I've gone through the Jamf 100 but my knowledge is limited with Jamf. I've done a ton of research but nothing answers my question to follow...
I wanted to ask the infinite knowledge brain that is Jamf Nation for some ideas / guidance please :)
I have sign off for 6 days of Jamf Pro Services onsite Engineer visit to my HQ to modernise and simplify our existing infrastructure any way I see fit (but no extra cost on top).
The thing is a mess. Multiple people before me have done it "their way" resulting in a bloated, convoluted setup that I just can't get my head around. The policies aren't organised, no room groups set up, not using Remote and other features etc.
I have carte blanche to make WHATEVER changes I want. My goals are:
Maintain absolute functionality of the existing setup. It is Edu so we have a 1st Sept deadline, the students have to be able to work if it goes wrong.
Make our new Mac purchase installations updates and patch mgmt as quick and efficient as possible with as little human interaction as possible.
Centralise and unify our music software license management. Ideally have something that holds all our various Mac licenses (Ableton, Logic, Pro Tools, Adobe etc etc) and installs the software via Jamf with the License working ready to go.
At the moment for the students they are using a single local home "Music" with no password (with full admin rights lol) for every student login. Work is stored on a network share. Deepfreeze is used to enforce the desired device state upon restart.
What would everyone suggest for a modern school / college / uni setup? If you had 6 days Engineer time and they could set up whatever you wanted (but no extra spend approved - bye bye Connect lol) what would you get them to do?
I've been flirting with 0 touch with Nomad for initial deployment speed but I really want to know how everyone enforces the machine state for music labs? Deepfreeze is hated by everyone and makes Jamf admin ridiculously slow, planning on site IT time to unfreeze for any update whatsoever.
I see the benefit of Deepfreeze but I know not many people use it so how do you guys approach enforcing machine states? Simply DL'ing all software again if it is modified isn't an option due to HUGE package sizes. We have onsite Dist Points but even so there must be a more modern way...
Hoping to drum up a little discussion from Music Edu Jamf Admins as to how you guys work to save time and maintain your desired feel state please!
Thanks in advance any advice at all would be very welcome :)
Posted on 02-19-2020 02:00 PM
I wasn't at a music school per se, just a regular full spectrum university.
We dropped freezing machines a few years ago and had surprisingly few issues. When users don't have admin rights, macOS does a reasonable job of keeping things isolated if users have separate logins (we were AD bound for labs).
You do have to have some kind of stale user clean up and we also tended to refresh things each semester as well.
Do you have different setups for different areas?
If you have a number of different lab configurations, it's worth trying to get a way for either the machines or JAMF to talk to your asset database so they can automatically work out what they need to have. This means you can send down macOS, click a couple of buttons on setup and leave them overnight (or perhaps, if someone has worked out how to avoid the setup these days, not even do that part).
The one thing we have had the most trouble with was actually Apple's caching servers, we had bespoke security built over a very long time and it really didn't play with Apple's plug and play and don't let the customer have a clue what's happening philosophy, Apple content was by far the biggest issue for us every year, both App Store apps with VPP and the additional content that some apps required, loops etc... I know other universities haven't had issues with this, but for me personally that is the one thing I would want running as smoothly as possible.
Posted on 02-20-2020 08:37 AM
@Look Hey weird. I didn't post that... My name sure ain't Dave.
Edit: Ok... now Jamf Nation doesn't say I posted it. So never mind I guess.