Your perfect JSS setup

rodders
New Contributor III

I searched for a similar title but didn't come up with what I wanted to ask, so apologies if this has already been spoken about elsewhere.

Q: If you had a clean slate, retrospective knowledge and no budget/red tape limitations: How would you set up your JSS, DP, NB and whatever else you consider essential?

I've had a suggestion already of DEP & VPP & AWS DP & EC2 Instance
but wanted to maybe get a wider range of opinions and where possible, a little snippet of why you chose your answer - presumably they've been shaped by a big 'con' or 'gotcha' that you didn't know about before you started with your current setups.

Feed me!

10 REPLIES

davidacland
Honored Contributor II

Depends on the environment, but we definitely like to go for the Apple route on VPP and DEP.

Hosting the JSS is less of a worry, either in-house virtual server, or hosted with JAMF. We've used Microsoft Azure as well which works fine.

We're making less and less use of Netboot and Casper imaging these days and given a clean slate, tend to do most of that work with either VPP or policy deployments.

The big thing for me now is how we get applications out to users. Doing all we can to use the vendors packages as they come, supplementing with config profiles and scripts where required, and really avoiding blindly snapshot repackaging everything in sight.

mvu
Valued Contributor

What @davidacland said.

rodders
New Contributor III

@davidacland Are your rebuilds all Internet Recovery orientated then?

daniel_behan
Contributor III

@rodders For rebuilds, I typically use JAMF's NetBoot SUS and leave an AutoDMG'ed OS X dmg on the Desktop of the Root User account. Support techs can NetBoot the machine and use Disk Utility to format the drive, block copy the OS, then reboot to let DEP do its job.

davidacland
Honored Contributor II

We're an MSP so work in lots of different types of environment. In most business environments, we really don't have much of a need for full OS rebuilds. It does come up very occasionally and Internet recovery works fine for those cases, but for most users, they start with the OS that ships with the device and in-place upgrade over the device's 3-5 year life.

For our edu customers NetBoot still gets used now and again, although even that is becoming less of a thing. Casper's ability to manipulate the configuration of a device, combined with tools like createosxinstallpkg mean that NetBoot and traditional OS replacements aren't needed in our case, even for lab machines.

jduvalmtb
Contributor

How do places that just deploy laptops out of the box handle transferring GBs worth of data? Our image has one textbook package alone that's 7 GB. We don't have a good wired infrastructure and wireless doesn't work well enough at sizes that large. I'd love to just use a clean AutoDMG OS with DEP & VPP & a JSS policy, eliminating the need to create my monolithic (terrible, I know) image, but I'm not sure how to do that leveraging just WiFi.

chendricks
New Contributor

@davidacland "The big thing for me now is how we get applications out to users. Doing all we can to use the vendors packages as they come, supplementing with config profiles and scripts where required, and really avoiding blindly snapshot repackaging everything in sight."

Where are you finding "vendors packages"?

owen_hael
New Contributor III

JAMFcloud or hosted on AWS EC2 (Ubuntu or RHEL). Even a t2.micro on AWS will perform quite well with a good number of devices, but you can get as fancy as you like to make it extra secure and fault-tolerant. But preferably JAMFcloud - that way I administer the product, and not the server.

Cloud distribution points only if you can do it. No netboot, and no SUS if at all possible. On-site Apple caching server still can provide a good amount of value however.

DEP & VPP an absolute requirement in any environment to manage devices in the way Apple approves - not to mention they're actually useful.

davidacland
Honored Contributor II

@chendricks By "vendor packages" I'm talking about the vanilla package you get from the Office365 portal or the ones created by the Adobe CC packaging tool. The key thing is to not "take snapshot in composer > install software package from vendor > make a load of changes > take second snapshot > create package > deploy to users". This method is the root cause of a lot of issues.

@jduvalmtb You can save some network traffic by leveraging DEP and not deploying the OS. When you're left with packages or content that needs to be on the MacBooks, you have to transfer it somehow, whether that's over the network or via external HDDs. If the network doesn't support what you're trying to achieve, there's really only two options:

  • Work out a different way to deploy the packages that bypasses the network (i.e. external drives)
  • Have the network upgraded to be able to support the deployment

matthewbodaly
New Contributor

Clean slate... or if I get to nuke / pave....

JSS hosted offsite (Jamfcloud or EC2 or Cloud Compute) ... number of clients and needs will likely dictate the final location.
Apple VPP / DEP hooked to the JSS. Absolute need.
Apple Caching server on site. This is a nice to have and definitely helps speed up roll out of new software and recovery.
DP in S3 and maybe a DP onsite if there are enough clients.