Does anyone have any sample emails or letters that were given to staff when they implemented JAMF? I work at a University and the Apple ecosystem has been like the wild, wild west. Now that we're going to be managing Macs the way we manage PCs we want the transition to be fairly smooth. Has anyone got any tips to help with buy in without using the "m" word (manage)?
Actually MDM as originally designed was for this very reason. It basically takes a "carrot and stick" approach. If they choose to go and enroll, you can provide seamless Wi-Fi connectivity, keep a handle on budget spent on apps and be more available to your end users while not being bogged down by troubleshooting the inevitable crazy issues that show up in a wild-west environment. If they choose not to opt in...well things may not work quite as seamlessly.
In short, now I don't have a letter per se, but in my communications with staff, I try very heavily to play up the Self Service angle and our department's ability to get things done quickly on things that we know about.
One final thought...managing Macs is NOT the same as managing Windows endpoints. It isn't. For one, block copy imaging is actually on its way out of the Mac ecosystem. In a managed Windows ecosystem, it's less likely end users have any choice in any matters. You don't want to go that far....just far enough to get a handle on your devices and meaningfully serve your users. Going to a totally locked down world is what makes us Apple users want to become dissidents anyway.
Microsoft has a lot of great products for managing their own stuff. If you are a Windows 10 shop don't forget to compare how different tools handle servicing Windows 10 updates. Some products will only do an in-place upgrade where it has to copy the entire new W10 iso to the machine to upgrade (if you have 1000+ endpoints it can be very bothersome to copy that large of a file to so many machines) and others will let you use Windows Updates for Business which makes servicing W10 a lot easier.
Just my two cents.
I don't have any letters, but I do have a few talking points:
1) Self Service. Self Service is THE selling point of the whole thing. Users may lament being in a locked down world, but if you give them the power to install apps or run scripts to fix common problems, they will be very happy... especially when you look at the dearth of such tools in the Windows world. It may be difficult to sell it if you don't have a fully fleshed out Self Service yet, so put your most common apps and some helpful scripts with non-generic icons in there before Day 1. Think like Apple (in the old days) and make it inviting so the user WANTS to go in there often.
2) Generally, the only users who put up any resistance are those non-IT users who love their admin privileges. You have to convince those users that taming the wild wild west is absolutely crucial to maintaining stability and security with limited staff & budget. You may not need the blessing of these users, but it would be nice to get them on board with it. And if they still refuse, maybe your IT management can put their foot down and say "Suck it up, Buttercup. This is happening whether you want it or not. Kiss your admin privileges goodbye and say hello to Self Service."
3) I've found that a group chat system that works in parallel helps a lot. We use RocketChat, but Slack and Hipchat are also good. I established a #mac_support chat room where I can help users and make announcements like "the new OS updates are in Self Service, please install before the end of the week." or "remember that problem many of you reported yesterday with xxxxx.app? There's a script in Self Service that can fix it." As users use Self Service and learn their way within the locked down Mac environment, they can help each other if you aren't available. I also find that the chat room acts as a direct 2-way communication so users can suggest new apps or scripts to put in Self Service. It all goes toward making the users feel empowered. They can contribute to the conversation. Of course I am the only Mac person in IT and I manage over 100 Macs by myself, so it may not be practical for you to have a chatroom with 1000+ users.
4) When I got here at my current job, the Casper 8 system was being migrated to Casper 9 by Windows guys who had no idea how Macs worked. In a management sense it was the wild wild west. Macs were being managed with a Windows thought process - it doesn't work that way. I dug in and fixed the problems and expanded on parts that were almost right. I've made the entire Mac environment so much better than it was and a much better experience than what the 700 Windows users get with dozens of server engineers and support personnel. Word has spread that productivity on the Macs is so much better now that I've had a lot of Windows users switch to Mac when their PCs are due for a refresh. The only thing preventing the Mac population from growing exponentially is the initial cost of Macs and a very tight budget. My point is, you may not need to get the staff to buy in on Day 1. It may take time. As the Mac management spreads and more users learn that it not only isn't bad, it's very good, the staff buy in will take care of itself.
I have stood up Jamf systems at 2 different higher-ed institutions, where the Macs and iOS devices were previously unmanaged. My main message point is always that my team is going to take over the details of keeping the computers and devices updated and secure. I explain that we are doing that so that the users can focus on using the computer/device as a tool to do their job. Explaining it this way in person, I have never gotten pushback.
It helps if there are institutional policies requiring that the devices be kept updated and secure. That way, you're not taking away the user's privileges, you're taking away their responsibility to manage the computer or device in a way that complies with those policies.
As mentioned above a good Self Service portal will sell it very easily. To get those devices enrolled you can deploy a quick-add to the devices via ARD if you have a local account on them, which I assume you do. That's what I did for the cleanup of users who didn't come forward on their own (tinfoil hat).
Also, as mentioned above, don't try to parallel manage Windows and Macs the same way. They are different animals. The base security products/settings should be the same but other than that run them to the strengths of each OS/MDM.
Try talking instead about Services.
anyone got any tips to help with buy in without using the "m" word (manage)?
In some ways, it is just semantics. I try to avoid the m word, and instead talk about the s word. We provide Mac "Services."
It is a natural lead-in to Self Service, as everyone has mentioned here.
People don't want to be managed, but they do like receiving services.