Separate Staff and Computer lab policies

pandrum
New Contributor III

I work at a university with a fleet of about 400 Macs.

We have around 300 MacBooks that staff uses, and around 100 iMacs in labs that students uses.

For the staff I want to go with the Self Service approach for software and point users to it, and with the labs I want the silent approach with no Self Service interaction from students.

How do I separate policies in a nifty way regarding staff computers and lab computers?

I was thinking of this approach: Have a smart group for staff and static for labs.

Example: Smart group for staff thats called "All Staff Computers" with criteria COMPUTER GROUP not member of "Computer Lab". Then I can scope software policies thats available in Self Service for staff to the "All Staff Computers" group.

Does this makes sense? Or can I utilise another approach?

8 REPLIES 8

lrabotteau
New Contributor III

Hello ,

Yes the best way is to separate the Staff MacBook and iMacs labs with the Smart Group or Static Group.

After that , you can create your policy with the Scope for Lab or Staff with Self service or not

You can use the "Model" type for create your Smart Group

=> Show Advanced Options when settings the smart group.

francktournant
New Contributor II

Hello,
Another possibility could be to have different sites for different usage. One for staff and another one for students.
In that way you can have policies that apply to all sites and policies which apply only to one site or another.

blackholemac
Valued Contributor III

Do you use DEP with different prestages for your different populations? If so, two smart groups are easy to make by prestage. If not consider dumping a dummy, blank package onto your lab machines during deployment and build your smart groups from that. One group would have the receipt and another not so much. In our case I don’t need to even go that far because one title in our labs is only present in our labs ever. I check for the presence of that title.

pandrum
New Contributor III

@francktournant Hey!

I've seen this approach for other Jamf colleagues...would you care to elaborate more on it? I haven't fully understood it yet.

pandrum
New Contributor III

@blackholemac Unfortunately only for staff machines, not lab machines.

Interesting approach. I first thought of creating static groups for lab machines, (like lab1, lab2, lab3 and so forth) and just divide lab machines into the static groups.

But when you reinstall a lab machine the static groups membership is purged from Jamf Pro, and the machine gets policies it shouldnt...

francktournant
New Contributor II

Hi @pandrum,
In my company we differentiate computers by Geo. We got three (Asia-Pacific, Americas and Europe). For each Geo, we got a site. And computers are enrolled in the Geo (site) the user belongs to.
This permits us to have worldwide policies (mainly for updating software) and policies related to Geo configuration (Wi-Fi configuration, what software to install or not).
With that way we also have better split in the role. Worldwide admin takes care or worldwide updates and local admins can create adapted local tools (to configure printers for example).

pandrum
New Contributor III

@francktournant Well explained, thank you!

Look
Valued Contributor III

We have an asset database and the machines pull down their details (Name, Owner, Department, Location, Purpose) from there and populate various extension attributes based on the information, this is then used to create smart groups according to requirements.
It's a fair amount of work to setup but it's very handy for sorting things out.