First why would you want to use AirWatch over Jamf Pro ( as a former AirWatch customer) the product suites are Night and Day. Even if you chose to use AirWatch only for IOS the feature set for Jamf Pro vs AirWatch is superior. Either way its your call but why negate the power of the JSS to use MDM command from another MDM. You can be enrolled in as many MDMs as you want BUT you can only do DEP/ASM from one of those MDM's. Which means in all versions of Mac OS After 10.13.5 you will have to Approve the additional MDM Profiles for which ever MDM is not Registered in DEP/ASM. If you need more clarification email me Alvin.firstname.lastname@example.org
this type of setup is only going to get more difficult given Apple’s ever increasing macOS security.
It used to be that there was a healthy way to be able to use both, but given the demise of imaging, T2 security chips, heavy emphasis on DEP, it may be that one day we get to the point where app installation and settings management becomes the exclusive purview of an MDM InstallApplication command or mobile config profile. With App Store apps, we almost are there.
Essentially it becomes hard to decouple MDM management functions from your package and policy repo. We aren’t there totally yet, but we get closer with each os version release.
I 100% agree with Alvin. We are using JAMF and now some execs want us to test out using AirWatch/Workspace One. Not to get rid of Jamf (yet), just to add to the long list of security/management agents running on our stuff.
After doing this POC for 3-4 weeks, I can say that JAMF is in a whole different league that Workspace One. No competition. There are some additional features in Workspace One for collecting data on the users and what they are doing. There isn't a reasonable business case for us doing that. Jamf is a great balance of function and security without becoming a jealous spouse stalker type of app.
I have also seen that the two MDM profiles do not work well or even install together on a device. So yes, they do need to pick one.
I appreciate the input.land I agree 100% with the arguments of using JAMFs MDM. In this situation we can’t change it over so we are looking to see if the option is available with JAMF to work without the MDM profile. Would this be the same as an unmanaged client or a bring your own device config?
The Jamf binary will work without MDM commands but the combination of the two is what makes the JSS So powerful. No matter what the reason is you can't remove Airwatch from the devices you can install the jamf binary and have that level of control of the devices but to truly manage them your going to have to choose one MDM over the other. Something of note Airwatch has 0 security features that Jamf does not already implement. Jamf is the MDM Apple uses to manage the Macs in their own enterprise. No product has more integration with IOS & Mac OS from a security perspective from then Jamf. You should have your security folks ( who I am assuming are the ones making the mandate do a demo and ask all their questions.). If you can do it in airwatch you can do it in Jamf easier and faster.