Posted on 02-19-2018 02:17 AM
I work at a university with a fleet of about 400 Macs.
We have around 300 MacBooks that staff use, and around 100 iMacs in labs that students use.
For the staff I want to go with the Self Service approach for software and point users to it, and with the labs I want the silent approach with no Self Service interaction from students.
How do I separate policies in a nifty way regarding staff computers and lab computers?
I was thinking of this approach: Have a smart group for staff and static for labs.
Example: Smart group for staff that's called "All Staff Computers" with criteria COMPUTER GROUP not member of "Computer Lab". Then I can scope software policies that are available in Self Service for staff to the "All Staff Computers" group.
Does this make sense? Or can I utilise another approach?
Posted on 02-19-2018 02:26 AM
Hello,
Yes, the best way is to separate the Staff MacBooks and iMac labs with a Smart Group or Static Group.
After that, you can create your policy with the Scope for Lab or Staff, with Self Service or not.
You can use the "Model" type to create your Smart Group.
=> Show Advanced Options when setting up the smart group.
Posted on 02-19-2018 06:34 AM
Hello,
Another possibility could be to have different sites for different usage. One for staff and another one for students.
In that way you can have policies that apply to all sites and policies which apply only to one site or another.
Posted on 02-19-2018 08:27 AM
Do you use DEP with different prestages for your different populations? If so, two smart groups are easy to make by prestage. If not, consider dumping a dummy, blank package onto your lab machines during deployment and build your smart groups from that. One group would have the receipt and another not so much. In our case I don’t need to even go that far because one title in our labs is only present in our labs ever. I check for the presence of that title.
Posted on 02-20-2018 02:06 AM
@francktournant Hey!
I've seen this approach for other Jamf colleagues...would you care to elaborate more on it? I haven't fully understood it yet.
Posted on 02-20-2018 02:11 AM
@blackholemac Unfortunately only for staff machines, not lab machines.
Interesting approach. I first thought of creating static groups for lab machines (like lab1, lab2, lab3 and so forth) and just dividing lab machines into the static groups.
But when you reinstall a lab machine the static group membership is purged from Jamf Pro, and the machine gets policies it shouldn't...
Posted on 02-20-2018 02:17 AM
Hi @pandrum,
In my company we differentiate computers by Geo. We got three (Asia-Pacific, Americas and Europe). For each Geo, we got a site. And computers are enrolled in the Geo (site) the user belongs to.
This permits us to have worldwide policies (mainly for updating software) and policies related to Geo configuration (Wi-Fi configuration, what software to install or not).
That way we also have a better split in the roles. The worldwide admin takes care of worldwide updates and local admins can create adapted local tools (to configure printers, for example).
Posted on 02-20-2018 03:04 AM
@francktournant Well explained, thank you!
Posted on 02-20-2018 12:25 PM
We have an asset database and the machines pull down their details (Name, Owner, Department, Location, Purpose) from there and populate various extension attributes based on the information. This is then used to create smart groups according to requirements.
It's a fair amount of work to set up but it's very handy for sorting things out.