Sites and "Imaging"

BCPeteo
Contributor II

We have a bunch of sites for labs in Jamf, but we are finally starting to roll out Jamf to the rest of the campus Macs. We have a site just for these. We used to use MDS for imaging but are moving away from that, using ASM/ADE and Jamf to push down all applications/settings. The question now becomes: how do we image lab computers that are in different sites and assigned to different MDMs in ASM (we have an MDM for each site in ASM)? We would rather not have to maintain our "image" applications and settings in each site. We could initially put lab computers in one site, do the image, and then move them to their lab site, but what happens with ASM when we do this? (Techs do not have access to ASM.) Also, what about iOS/Mac App Store apps, since they are assigned to an MDM in ASM? If a computer is assigned to an MDM in ASM but is now in a different site (with a different MDM token) in Jamf, will it get the apps? Also, will config profiles work even though the ASM location and the Jamf site the computer is in are different?


stevewood
Honored Contributor II

Let's start with how to provision computers in each site without duplicating the policies in each site. For that you would create your policies at the top, or root, level of Jamf Pro. So instead of assigning a Site in the policy, leave it set to None. You can then use a Smart Group at the top level to capture devices that are enrolled via a PreStage and use that as the scope in those policies. The Policies and Smart Groups created at the top level will not be visible in Jamf Pro to the site admins, but they will run on the computers in those sites.

The relationship of ASM to Jamf Pro is loose. The only thing ASM does is tell Jamf Pro which MDM the device is assigned to. Other than that, ASM does not move devices within Jamf Pro. So if you were to provision in one site and move to another, the only time ASM would come into play is when that device was re-provisioned. At that point the device would provision into whatever MDM (Site) ASM had it assigned to.

App Store apps do not get broken into separate Sites when VPP and ASM are connected, technically. The break out happens in the App Store app object in Jamf Pro when you choose which Managed Distribution to use for the license. Then you can use the Site dropdown or use a Scope to split the App Store app out to the proper sites.


And Config Profiles are the same as Policies or App Store apps. If you leave them with Site=None and use Scope, you do not have to duplicate anything, but site-level admins have no visibility to them in the Jamf Pro GUI.

You can create Smart Groups to capture devices that are in the various sites. Set the Site dropdown to the site you want a Group for, and then use Criteria like "UDID is not blank", or better a REGEX that looks for non-blank/non-null characters. 

Thank you, this is very good information. The idea of putting our imaging tasks outside of the site is intriguing and I will look into this. I'm a little confused about the App Store apps, because I do notice that under Volume Purchasing in Jamf the locations (ASM) are assigned to sites. Does this mean that if the device is not assigned to the same location in ASM as the app, it will still be able to receive the app? I.e., the app was purchased and assigned to the Staff location in ASM, the computer is in the Staff site in Jamf (which has the Staff server/VPP token assigned), but the computer is assigned to the "ITS" location in Apple School Manager.

stevewood
Honored Contributor II

Ah, you're right about the VPP tokens/locations. I completely forgot, and didn't double check, that you can assign VPP entries to specific sites. This makes it so the licenses that are "purchased" in ASM are only available for that location/site. So if Site A purchases a licensed app, say Final Cut Pro, and the ASM location in VPP is set to Site A, only Site A can take advantage of that license. Site B, Site C, etc. would not be able to see that license (wouldn't be able to see the VPP entry for Site A). Make sense?

Where a device is in ASM has nothing to do with what it can see or not see in Jamf Pro. That is purely driven by what Site a device is in. So if a computer is in the MDM for Site A in ASM, but once it is enrolled in Jamf Pro it gets moved to Site C, then that device will only see items scoped for Site C or items that are at the root level of Jamf Pro.

We had over 100 sites at my previous employer. We placed policies for all software installers at the top level. These policies only had the installer package, were scoped to All Computers, and had a custom trigger. That way these policies could be used in any site and we would not be duplicating the actual installer package (meaning we only had one policy to maintain when a package was updated). We then maintained a spreadsheet that contained the title of the software and the custom trigger that could be used to install that software. This way site admins could use the custom trigger instead of duplicating an installer policy. Happy to show examples if you want/ need.

That sounds like the solution. We could put the Macs into the correct site but have the master "Image" (Policies/Config profiles) at the root and then scope computers from any of our sites to them that need the "image"

One question about smart groups and static groups. At root I can see all the smart groups and static groups from every site. Does that mean I can assign these groups to my "image" root policies/config profiles? That would give site managers the ability to control which systems get an image by putting them into a smart or static group in their site.


dennisnardi
Contributor

I don't have labs in my environment, but I manage a multi-site (about 15 or so) Jamf Pro. Each distributed IT unit at my organization has its own site. We want automatic enrollment of devices via ADE into Jamf, so we don't want to go into ASM to assign devices to different sites; we want it all automatic. So what I do is have the automated enrollment option in ASM turned on, so all devices land in a specific site designed for new ADE machines. Then I utilize DEPNotify in that site, and have created a drop-down menu that asks people what site the computer should be in, then uses an API call to move the computer to the selected site.

Then we do similarly to what stevewood suggested: we create policies and config profiles in the root/top level/"None" site for content that is centrally consumed across my organization (i.e. the endpoint protection app is made available to all machines without it, same with the backup application, and ubiquitous apps like Chrome, Office, etc.). Then the distributed IT units have additional customizations set that fit their needs. You could likely do a similar model where certain policies and profiles are set at the top level, and then each site has different customizations based on need.


As for Mac App Store apps, there are multiple different permission levels you can assign to people in ASM. You first need to make a "location" in ASM. Each location will have its own individual VPP token. Then you can create/assign a user to that location (our locations match our sites). Then there is a role named "Content Manager" that you can assign, which will allow people to manage/purchase VPP in that location alone. That person, or you, can then import the VPP token for each location/site into Jamf Pro for use. With this approach you can delegate access to ASM, or just have separate VPP environments within Jamf. It is necessary to do this if you don't want to manage VPP content at the top level/root/"None" site.

Thanks

"That person, or you, can then import the VPP token for each location/site into Jamf Pro for use. With this approach you can delegate access to ASM, or just have separate VPP environments within Jamf. It is necessary to do this if you don't want to manage VPP content at a top level/root/"none" site. "

Yes, we already have that set up, but as @stevewood stated above, the issue is that if the computers are assigned to a location in Apple School Manager and the site has a different location's VPP token, those apps will not be available to be assigned. So it looks like we will need to assign the computers to the correct location in ASM and the correct site (the location's VPP token) in order for those to work.

stevewood
Honored Contributor II

Remember that the location of a device in ASM only has correlation to what PreStage/Site a device will show up in Jamf Pro. So, if the device shows up in Site A, for example, because that's where it is in ASM, if you move it to Site B in Jamf Pro it will see everything for Site B (Policies, Smart Groups, etc), including any App Store apps that are tied to that location in ASM and scoped in Jamf Pro.

So your workflow could be, as suggested by @dennisnardi (this is also how we handled sites):

1) Place all devices in one MDM in ASM and mark that as the default MDM where all devices should go as they are added to ASM by your vendors/Apple.

2) In Jamf Pro, in the PreStage for this MDM, check the box "Automatically Assign New Devices". This will ensure that all devices flowing into this PreStage will be enabled.

3) Use a script with DEPNotify's "Registration" screens to capture the site that the device should be assigned to. Let the script move the device into the proper site in Jamf Pro. Or use a script that uses AppleScript to pop a dialog after you've provisioned the device with base software.

4) Scope all "site specific" Policies, Smart Groups, Static Groups, Searches, Configuration Profiles, and App Store apps to the proper sites in Jamf Pro.

You now have a workflow that does not require you to mess around assigning devices in ASM or Jamf Pro, and any device can be moved between sites during provisioning (or afterwards via Jamf Pro). So if you need to ship a device to a different school for break/fix, that school can wipe the machine and re-provision it so that it shows up in their site.
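The step both @dennisnardi's post and step 3 above describe, capturing the site on a DEPNotify registration screen and moving the Mac into that site through the API, looks roughly like the script below. This is an added example, not code from either poster: the Jamf Pro URL, the API account name, the DEPNotify plist path and the "Site" key it reads are placeholders, and it assumes a Jamf Pro version that accepts Jamf Pro API bearer tokens on the Classic API (10.35 and later). The computer record is updated with `PUT /JSSResource/computers/serialnumber/{serial}`, which takes the site by name. Two practical points it handles: site names containing `&`, `<` or `"` (such as "Arts & Sciences") are XML-escaped so the Classic API body stays well-formed, and an empty or "None" selection is refused rather than silently leaving the device in the PreStage site. Give the API account only the Update Computers permission, and supply its password from the policy parameter or a keychain item rather than hard-coding it in the script.

```shell
#!/bin/sh
# Added example: move the enrolling Mac into the Jamf Pro site chosen on a
# DEPNotify registration screen. Not code from the thread; see the lead-in.
# Placeholders (assumptions, adjust for your environment):
JAMF_URL="${JAMF_URL:-https://jamf.example.edu}"          # assumed Jamf Pro URL
API_USER="${API_USER:-siteMover}"                          # assumed API account (Update Computers only)
API_PASS="${API_PASS:-}"                                   # supply out of band, never hard-code
DEPNOTIFY_PLIST="${DEPNOTIFY_PLIST:-/Users/Shared/UserInput.plist}"  # assumed registration plist
SITE_KEY="${SITE_KEY:-Site}"                               # assumed dropdown label in that plist

# XML-escape a site name so that "Arts & Sciences" does not produce a
# malformed Classic API body. '&' is replaced first to avoid double escaping.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Classic API body that assigns a computer record to a site by name.
site_xml() {
  name="$(xml_escape "$1")"
  printf '<computer><general><site><name>%s</name></site></general></computer>' "$name"
}

# Refuse empty or placeholder selections: moving to "None" would strip the
# device of every site-scoped policy, profile and App Store app.
valid_site() {
  case "$1" in
    ""|"None"|"Select a site") return 1 ;;
    *) return 0 ;;
  esac
}

# Serial number of this Mac (macOS only).
serial_number() {
  ioreg -c IOPlatformExpertDevice -d 2 | awk -F'"' '/IOPlatformSerialNumber/ {print $4}'
}

# Jamf Pro API bearer token (POST /api/v1/auth/token) for the API account.
get_token() {
  curl -sf -u "${API_USER}:${API_PASS}" -X POST "${JAMF_URL}/api/v1/auth/token" \
    | sed -n 's/.*"token" *: *"\([^"]*\)".*/\1/p'
}

# Update the computer record's site, then invalidate the token.
move_to_site() {
  site="$1"
  valid_site "$site" || { echo "no site selected; leaving device in the PreStage site" >&2; return 1; }
  serial="$(serial_number)"
  token="$(get_token)"
  [ -n "$token" ] || { echo "could not obtain API token" >&2; return 1; }
  curl -sf -H "Authorization: Bearer ${token}" -H "Content-Type: application/xml" \
    -X PUT "${JAMF_URL}/JSSResource/computers/serialnumber/${serial}" \
    -d "$(site_xml "$site")" >/dev/null || { echo "site update failed" >&2; return 1; }
  curl -s -H "Authorization: Bearer ${token}" -X POST "${JAMF_URL}/api/v1/auth/invalidate-token" >/dev/null
}

# Site name from the first argument (a Jamf policy parameter) or, failing
# that, from the value DEPNotify registration wrote to its plist.
main() {
  site="${1:-}"
  if [ -z "$site" ] && [ -f "$DEPNOTIFY_PLIST" ]; then
    site="$(defaults read "$DEPNOTIFY_PLIST" "$SITE_KEY" 2>/dev/null)"
  fi
  move_to_site "$site"
}

# Only act when invoked as:  sh move_site.sh --run ["Site Name"]
if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

Run it from a policy that fires after DEPNotify's registration step completes; if the policy passes the site name as a parameter, that wins over the plist. The device keeps its ASM location throughout, which, as the posts above explain, only matters again when it is wiped and re-enrolled through a PreStage.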


Thanks, but we have different PreStages, so we can't auto-assign them (we have systems in use out in the wild that we are migrating over to Jamf too). Also, if you do this you will have the VPP issue. Labs do not get new computers or get wiped much, so assigning the computers manually in ASM and the PreStage is not the end of the world.