I am in the process of enrolling my colleagues into Jamf Pro before my Jumpstart next week.
We're a scale-up that grew really quickly, so I am getting a lot of concerned users who are used to being completely free on their laptops (to be used for private as well as work purposes) writing me about what capabilities I have on their laptops.
How did you guys ease your users into the mindset of going from non-managed to managed machines?
Would love to hear some input on this.
Ultimately, open and honest communication over what you will be doing and what you are unable to do to their machines is going to build trust. Letting them know, for example, that you're not taking inventory of what is in their home folders usually builds trust.
Also, if your company has an end goal in mind, like SOC 2, ISO, SOX, etc., there will be more understanding from your end users so that they can understand the business impact of having a managed machine.
And finally, I wouldn't recommend enrolling machines until you have gone through Jumpstart, just so that you can understand what may happen post enrollment with things that you build with your onboarding person.
@larry_barrett That's not accurate and can be misleading. Running the Jamf agent on macOS pretty much gives you access to manipulate most anything in a user's profile. It is true the tool may not be able to assess most things, but it can certainly access most. This can fast turn into a case where someone wants a technical solution for a procedural or personnel problem. Being open with them about the intent of the tool is important but at the end of the day, the machines are company property and can be handled as such.
@andrew.nicholas You can put unlimited caveats on the ability to manipulate work devices. If you want to drill down to the 0's and 1's, then yes, obviously any managed device cedes control to JAMF. Manipulating the device and manipulating the data are two different things.
That's not what the post is about. JAMF (and Apple) take personal data seriously. If you forget the backend, brute force options you have with JAMF, there is no native way to see browsing history. There is no native way to see folder names or contents. The #1 question I'm asked is about browsing history (from men, no less). "Completely free" almost always means Porn. YMMV.
I'm pretty new to Jamf myself and agree, you should take the Jumpstart before enrolling your company Macs. Key word is company Macs. If they are company owned, there should be no issue or question of the Macs being managed moving forward. Things to communicate to your staff are that you are keeping them up to date, and therefore keeping them safe from a security perspective. Communicate how Jamf can benefit them, like using Self Service. That was a big positive for the staff in my case. However, when people have had free rein on their systems and they feel that's being taken away, there will always be the thoughts of "here comes Big Brother". One thought, you state they use these Macs for private as well as business? That right there scares me. Who knows what your staff could be bringing to work and putting on your company network. Liability now comes into play since this is being allowed. Just my two cents.
@thelaith We are running into the same exact issue. There was no Mac management in place and we are now slowly "re-imaging", enrolling, and deploying new Macs with Jamf. That has included the removal of admin rights, restrictions, and a Self Service focused software deployment. As this is my first official "IT Job" (though I am a seasoned Apple admin IMO), I really had trouble approaching this at first but I am slowly getting through it. Our leadership has been extremely patient with me.
I realize that 100% of our users are never going to be happy, but I think the open dialogue and being upfront is what has helped me most. Our goal with Jamf is not to be malicious; it is to make things easier and the end user experience better. I express to them how easy it is to get printers and software -- something that used to take days now takes minutes.
Our number one goal is the security of the end users' data and the device itself.