Skip to main content

We're a school new to using Jamf Pro and looking for recommendation/best practice. First off, we're mostly a Windows org but our fleet of Apple devices is growing so pardon if we get things confused/not familiar with the ecosystem. It's the primary reason we went with Jamf in the first place, so we can have an easy time managing this fleet.

 

We have essentially 2 types of devices, staff Macbooks and classroom/lab computers (either iMacs or Mac Minis). Currently, these all bind to AD via a Mac Mini Server configured with OpenDirectory. Our staff and students use their AD login.

 

We're moving more and more to the cloud and staff are now using their Azure AD login (firstname.lastname@topdomain.com) while the students use their Google login (studentIDnumber@subdomain.topdomain.com) for most services.

 

What we want to achieve is:

  1. STAFF
    1. Their Macbooks should auto-enroll (in the pre-stage enrollment, we selected Require Authentication)
    2. Their accounts are to be made local (since we have 1:1 assignments of user to device)
    3. We connect their personal folders via SMB:// for the next 6mos (after that they will be moved to OneDrive)
    4. We connect their department shared folders via SMB:// for the next 6mos (after that they will be moved to Sharepoint Online)
    5. The apps/settings to be installed are assigned to users not devices
    6. Printers are currently deployed via GPO but we can switch to using Papercut Print Deploy with Jamf
  2. STUDENTS
    1. The lab devices are configured for multi-user
    2. The accounts are to be made mobile (we can't guarantee that the same student will use the same device in the same classroom every time)
    3. We connect their personal folders via SMB:// for the next 6mos (after that they will be moved to OneDrive)
    4. The apps/settings to be installed are assigned to devices
    5. Printers are currently deployed via GPO but we can switch to using Papercut Print Deploy with Jamf

 

Can we (and should we) configure both Azure AD and Google IDP in Jamf Pro and be able to achieve our requirements? Or should we stick to LDAP (not really a fan of this although we know it works as that was what was initially configured for us) and do AD binding?

 

For classroom computers, should we still stick to AD binding and just using mobile accounts? If yes, can we have Azure AD, Google IDP and AD binding all configured or is it a choose-one-only situation? There was this line in the Admin Guide that seems to indicate that we can't have LDAP and Azure AD both configured.

 

We'd appreciate any recommendations/pointers especially from those who are in the education sector of how you have this configured.

@myu  most Mac Managers today would agree that you should not bind to AD nor should you make mobile accounts.  For the staff 1 on 1's you describe you are on the right track with Require Authentication in PreStage so at least the local account will be the same as their directory account. 
It seems like you have 3 directories: legacy on prem. AD, Azure, Google Identity.  It seems like from your questions you are moving towards Azure and One Drive for most things in very short time frame (~6mo) so I would suggest that you take a look at Jamf Connect which will allow you to setup your users to login with their Azure credentials as a replacement for the legacy AD.   It is possible to setup Jamf Connect to allow login with Google Identity for say your student lab machines but be sure to read about the differences and limitations.  It might be that you should consider authenticating your students with Azure now to avoid a transition.  As for mounting shares it is pretty simple to use the unix "open" command in a policy to do the SMB mount  ( use the Execute command feature inside the Files and Process option.  Something like 

/usr/bin/open smb://server.domain/folder 

should work but test of course.  

Apps and setting will depend on the vendor but if you can use App Store Apps with  VPP purchased licenses from Apple School Manager you will be ahead of the game.  

Printers are rapidly changing in the macOS world.  Going forward devices are going to be required to be able to have a network conversation with the real printer or a modern print server that can pass back configuration information like iPads do now.  The way it looks today we can cheat and use an AirPrint configuration profile if the printer/server will send back auto setup information.  If not for macOS 11.x can still use lpadmin command line unix tool to setup the CUPS printer.  For my Site admins I wrote up a summary you might find useful at go.ncsu.edu/jamfcheat#printers We also use PaperCut and the auto-setup works ok for printers without "features" like scan, staple, 3+ trays, etc.  Beyond that you have to work on the server side to make sure the "driver" installed on the server side is configured to match the actual printer installed options.  

I hope this is helpful.

@myu Also bear in mind that you will need to give Standard Users the ability to add printers since the configuration is not really setup until someone tries to print the first time.   For the smb mounts if you have folks working from home might want to leave those in Self Service since reliability and performance of SMB shares outside of the campus network are hit and miss at best and may require VPN depending on your setup.

@ega Thanks for the reply and also the link. Lots of useful information there that could help us.

@myu  most Mac Managers today would agree that you should not bind to AD nor should you make mobile accounts.  For the staff 1 on 1's you describe you are on the right track with Require Authentication in PreStage so at least the local account will be the same as their directory account. 
It seems like you have 3 directories: legacy on prem. AD, Azure, Google Identity.  It seems like from your questions you are moving towards Azure and One Drive for most things in very short time frame (~6mo) so I would suggest that you take a look at Jamf Connect which will allow you to setup your users to login with their Azure credentials as a replacement for the legacy AD.   It is possible to setup Jamf Connect to allow login with Google Identity for say your student lab machines but be sure to read about the differences and limitations.  It might be that you should consider authenticating your students with Azure now to avoid a transition.  As for mounting shares it is pretty simple to use the unix "open" command in a policy to do the SMB mount  ( use the Execute command feature inside the Files and Process option.  Something like 

/usr/bin/open smb://server.domain/folder 

should work but test of course.  

Apps and setting will depend on the vendor but if you can use App Store Apps with  VPP purchased licenses from Apple School Manager you will be ahead of the game.  

Printers are rapidly changing in the macOS world.  Going forward devices are going to be required to be able to have a network conversation with the real printer or a modern print server that can pass back configuration information like iPads do now.  The way it looks today we can cheat and use an AirPrint configuration profile if the printer/server will send back auto setup information.  If not for macOS 11.x can still use lpadmin command line unix tool to setup the CUPS printer.  For my Site admins I wrote up a summary you might find useful at go.ncsu.edu/jamfcheat#printers We also use PaperCut and the auto-setup works ok for printers without "features" like scan, staple, 3+ trays, etc.  Beyond that you have to work on the server side to make sure the "driver" installed on the server side is configured to match the actual printer installed options.  

I hope this is helpful.


Do you use a virtual queue with Papercut? 

Terms & ConditionsCookie settingsAccessibility statement