We're currently looking at purchasing Casper Suite as a better way to manage our Macs than what we have at the moment.
Before the purchase of a solution can be approved, our organisation needs us to perform "due diligence", in order to establish that the product in question will do at least 80% (and ideally 100%) of what we want to do.
We'll be asking JAMF about these items too, but our due diligence procedure requires us to seek opinions from other users of the product as well as the vendor themselves.
The things we want to be able to do with Casper Suite fall into three main categories:
I won't go into detail on the first category as the functionality that Profile Manager provides is fairly basic and I would not expect any issues with Casper Suite providing those same functions - though if you're from an organisation that has also transitioned from Profile Manager to Casper I'd be interested in hearing about that, as that's the situation we're in.
There are a number of things in the second category. In no particular order:
- Connecting Macs to our 802.1X wireless network. We have a Windows based RADIUS and Certificate Authority. It's supposed to be possible to configure Profile Manager to have the Mac request a certificate from the Windows CA and use this to authenticate the machine (not the user - the connection needs to already be up before the user logs in) to 802.1X, but I have never been able to get this to work, so currently all our Macs that need to use wireless are languishing on a PSK SSID.
- Adding printers (ideally, different ones for different groups of Macs, so that Macs in rooms on C corridor get the C corridor printer, while ones on the first floor of G block get the printer in that corridor, for example). Profile Manager doesn't have that level of granularity (other than by splitting the Macs up into Device Groups) but our expectation was that we could just put all the Mac-compatible printers on there and users would be able to choose which one they wanted to print to. The actual reality was that any Mac which had this profile applied to it got all its printers deleted. Also the printers had to be added on the Profile Manager server before they were selectable in Profile Manager.
- Configuring icons on the Dock. Seems like a trivial thing, but we think it's useful to be able to preconfigure our students' Dock with the applications they are most likely to need. Profile Manager requires us to have all the applications we want to put on the Dock, installed on the Profile Manager server. The actual reality of a Profile Manager Dock profile was that the icons were put onto the Dock in a completely scrambled up order which did not resemble the order we had set them up in.
- Managing local accounts. Due to the size of the video files they work with, students in the Media Department currently use local accounts on Macs so that their work is saved on the local hard drive (which we use Retrospect to back up). Profile Manager doesn't offer us a way to manage these at all, so we're unable to apply restrictions such as preventing users from accessing certain System Preferences panes. Parental Controls on the local Mac does not offer enough functionality - you can use it to deny access to System Preferences entirely, but students need to be able to access some things, such as Accessibility settings or Wacom tablet settings.
- Centrally managed login items. We currently have an AppleScript login script (some of the things it does are to work around brokenness in Profile Manager, but one of the things it does is not Profile Manager's fault at all) but it's on the local hard drive of each Mac, so if we needed to change it for any reason, we would have to update every Mac with a fresh copy. The Login Items functionality in Profile Manager didn't work at all, so I had to use a LaunchAgent (again on the local Mac) to get it to run at login in the proper context (the one thing it does that is not Profile Manager's fault is mounting ~/Documents to an Active Directory user's home folder)
The third category includes (but is not limited to) things such as:
- Email. On our PCs, we have Autodiscover enabled in Outlook, so that when a user logs on they can just open Outlook straight away and it will automatically configure their mailbox settings and get them into their email. I gather that Outlook for Mac doesn't have the same sort of capability (though I may be wrong - I haven't had an opportunity to explore the new 2016 version yet). Profile Manager has an Exchange ActiveSync section, but I couldn't see a way to specify "actually, for the username just use the logged on user, and have them enter their password if you need it". I also suspect this would have set up their email in the native Mac Mail.app client, which is perhaps not what we want. Being able to deliver the same Outlook email experience on the Mac as we do on the PC would be really useful.
- Faster imaging. Currently for Mac imaging we have a Mac Mini server with a copy of Server.app and the NetInstall service enabled. This kind of works okay but is really basic and is not much cop if you want to image a lot of Macs at once (as a Mac Mini only has a single, 1 Gigabit Ethernet port on it). Casper Suite's backend seems like it can be installed on a Windows server; does it do the NetInstall stuff as well? Specifically, can we put it on a Windows server with a 10 Gigabit fibre adapter connected to our backbone and get faster imaging? Or do we still need a Mac server with NetInstall to be able to do imaging at all?
- More intelligent imaging. Currently there is a bunch of stuff that we have to do to Macs after imaging them to make them ready for use, including assigning them their proper name. I gather with Casper there is this "thin imaging" concept, where your base image is just a basic OS X installation, and you just select what software goes on top of that. Does Casper keep track of things like "the Mac with this serial number should have this name"? So for example, our ideal situation would be if we could just boot a Mac off the network and it is automatically imaged, installed with appropriate software and configured the way we want it, based on us already having input its serial number into Casper somewhere and telling it "this Mac is called this, it's for use in such and such a department, so install and configure it appropriately" according to configurations we've already defined.
- Default programs. For the aforementioned local accounts it's kind of okay, because we could just set these up while creating our big monolithic image, but currently we don't have a way to specify, for example, that Chrome should be the default browser for Active Directory users, or that VLC should be the default program for opening .mpg and .mp4 files. Is this something that Casper could help us do?
- Deployment of complex software. In theory Apple Remote Desktop is capable of installing packages on Mac clients. In practice it's pretty rubbish at that, partly because it tries to do all the target Macs at once and thus slows everything to a crawl, eventually ending in failure. And for big suites like Office or Adobe products, it's out of the question. I gather that this sort of thing should be possible with Casper, but how well does it work in practice? For example, our big monolithic image currently contains Office for Mac 2011, but as you may be aware, this doesn't look a great deal like its PC counterpart, and we are planning to move to Office 2013 on the PC side anyway within the next year or two (or Office 2016 for PC if it's out by then) so it would be useful to be able to say "remove Office 2011 and install Office 2016" and have Casper intelligently do this, staggering installs so that not all the Macs are trying to install it all at the same time (ensuring that on the majority of Macs at any given time during the whole deployment, there will still be a working version of Office). We're also looking to move from CS6 to Adobe Creative Cloud next year, so deploying packages created by the Creative Cloud Packager is also something we'll need to be able to do.
If you've successfully done any of the things I've mentioned using Casper, it would be great to hear from you.
Dan Jackson (Lead ITServices Technician)
Long Road SIxth Form College
Here's my opinion on each of the points. We're a JAMF integrator so have worked with all of the topics you've raised over the past few years.
This is just my opinion though!
For the first point you're right, Casper has an MDM built-in that provides the same service as Profile Manager. Its worth noting that depending on the issues you are seeing with Profile Manager, Casper may not solve them. The underlying MDM system and config profile delivery mechanism isn't 100% reliable. It does work but requires a bit of hand holding sometimes.
Hope this helps.
We're in the UK (Amsys) BTW if you want to talk more about it 😉
On point 3, while the Casper JSS server can run on Windows, Casper Imaging which orchestrates the imaging process needs to be run from a Mac.
You'll discover that a lot of what you're doing isn't bound by what Casper Suite allows but what the operating system or the software vendor's PKG allows.
Be sure to sign up for their free trial, before the clock starts ticking on the trial work out what you want to test: enrollment of current Macs, deploying new Macs, deploying software, etc so you can get to work quickly. However it sounds like you have a lot of this figured out already.
You've got a very solid list of wants/needs, and I'm quite happy to say that most everything should be doable:
I think that hits most of your points. Please feel free to ask follow-up questions or any other kind of request!
I'll give you a short answer re-enforcing Adam's .....
"You'll discover that a lot of what you're doing isn't bound by what Casper Suite allows but what the operating system or the software vendor's PKG allows." 100% True!!!! The other big thing is the internal policies you have to follow.
There are other options beside Casper, but usually given all the tradeoffs Casper usually comes out on top. The one thing that is usually missed in the tool comparisons is the support. My support experience has been outstanding, in fact I would say Jamf is more Apple than Apple when it comes to support. When I have questions or issues the support team has always went above and beyond.
I would also point out that none of the other options has the track record of delivering updates when Apple does.. Jamf has been ready day of releases for every Mac OS upgrade when Apple since X.6 and maybe before that ( I can't remember).. I have talked to vendors that said they would guarantee compatibly with in six months. (no thank you)... Many vendors think the world revolves around themselves, Jamf knows their world revolves around their customers and Apple.
Hope this helps!!!
PS Dan, if you you have any other question, I am more than will to chat about Jamf anytime : )