Wanted to share some work I was doing as a proof of concept in preparation for staff working from home and students transitioning to remote learning at my University. This can be adapted to any organisation and I'd love to hear what others are doing to empower their users and help them gain access to software and services.
With Jamf's announcement to provide extra licensing at no cost, you could do this now and not have to worry about seeking financial approval for more licences. Some of us are about to ask 1000s of users to start using their own devices without knowing what kind of state they are in. Self Service is a great tool to help IT and users through this period.
What I wanted to achieve:
- Onboard users quickly with access to software, knowledge and training.
- Address issues relating to unsupported macOS versions and software behind in patching.
- A mechanism to publish updates and notifications to new software as they became available.
- Reduce tickets to my service desk for common software requests and setup.
- Identify personal machines for easy removal from Jamf later on.
The changes I made:
- Made two Sites - University Owned and Personally Owned Macs.
- User-Initiated Enrollment - Defined my Staff LDAP group to choose any Site, and my Student LDAP group to enrol in Personally Owned Macs.
- One Smart Group - Site is Personally Owned Macs, no criteria. All machines enrolled to that option will be used for Scoping policies.
- Policy Exclusions - I reviewed each policy that had a software licence or action not applicable to personal machines, and excluded it using the Smart Group.
Video of enrollment process here.
I haven't communicated this as being available, but I've already had 8 people enrol Personal devices. I interviewed 2 of them today and got some great feedback, here is how it's going so far:
- Our automatic patching updated browsers and other at risk software.
- One user reported that installing software fixed an issue our Helpdesk were having issues troubleshooting.
- One user had to borrow their parents' iMac and found Self Service easy to use and got set up with our working-from-home apps quickly.
- We have already packaged and made available vendor supported extended trials for two software titles and advertised them to Personally Owned Macs.
If you have other workflows, suggestions or things to share to help other admins, please feel free to share. Cheers!
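As an added example (not from the original post, and not Jamf's own code), here is a small Python audit of the policy-exclusion step described above: it takes policy records shaped like the Jamf Pro Classic API's policy JSON (an assumption about that format; the sample records are constructed) and reports which policies still reach the Personally Owned Macs smart group without excluding it, so the review of licensed or intrusive policies can be re-run whenever policies change.

```python
"""Audit Jamf Pro policy scopes against the Personally Owned Macs smart group."""
import json

PERSONAL_GROUP = "Personally Owned Macs"  # smart group name from the post

# Constructed sample records, reduced to the fields this check needs and shaped
# like the Jamf Pro Classic API JSON for GET /JSSResource/policies/id/{id}
# (an assumption about that shape; this is not real API output).
SAMPLE_POLICIES = json.loads("""
[
 {"policy": {"general": {"id": 1, "name": "Install Adobe CC (licensed)"},
   "scope": {"all_computers": true, "computer_groups": [],
             "exclusions": {"computer_groups": []}}}},
 {"policy": {"general": {"id": 2, "name": "Patch browsers"},
   "scope": {"all_computers": true, "computer_groups": [],
             "exclusions": {"computer_groups": []}}}},
 {"policy": {"general": {"id": 3, "name": "Restrict Terminal.app"},
   "scope": {"all_computers": false,
             "computer_groups": [{"id": 10, "name": "All Managed Clients"}],
             "exclusions": {"computer_groups": [{"id": 20, "name": "Personally Owned Macs"}]}}}},
 {"policy": {"general": {"id": 4, "name": "IBM SPSS extended trial"},
   "scope": {"all_computers": false,
             "computer_groups": [{"id": 20, "name": "Personally Owned Macs"}],
             "exclusions": {"computer_groups": []}}}}
]
""")


def classify(policies, group=PERSONAL_GROUP):
    """Bucket policies by how their scope treats `group`:
    targeted - scoped to the group on purpose (e.g. an advertised extended trial);
    excluded - the group is in the exclusions, so personal Macs never receive it;
    review   - the scope can reach personal Macs (all computers, or other groups)
               without excluding them, so confirm each one is meant for BYOD."""
    result = {"targeted": [], "excluded": [], "review": []}
    for record in policies:
        name = record["policy"]["general"]["name"]
        scope = record["policy"]["scope"]
        targeted = {g["name"] for g in scope.get("computer_groups", [])}
        excluded = {g["name"] for g in scope.get("exclusions", {}).get("computer_groups", [])}
        if group in excluded:
            result["excluded"].append(name)
        elif group in targeted and not scope.get("all_computers", False):
            result["targeted"].append(name)
        elif scope.get("all_computers", False) or targeted:
            result["review"].append(name)
        # a policy with an empty scope reaches nobody and is not reported
    return result


REPORT = classify(SAMPLE_POLICIES)  # run the audit over the constructed sample
```

Against a live server the same function works on the JSON returned for each policy id; the "review" bucket is the list to walk through by hand, since a browser-patching policy may be wanted on personal Macs while a licensed installer is not.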
Just an update. We're seeing delays through approved Apple hardware procurement channels for some models, so some staff are getting exemptions and buying from retail. Our deployment techs are also not able to do their normal deployments in some cases now with social distancing.
I'll be modifying our Self Service options to make it easy for regular users to set up new machines using self-enrolment. Staff Pack is a Self Service policy I'll probably turn on for everyone, which deploys our core University apps quickly.
@tcam It's been possible to create policies and do things at the "None" level that can be scoped to any and all sites for a while now. We've been doing this for several years. You just have to be careful not to have site policies that may conflict with things at what I call the root level (None).
Just another benefit I wanted to share that I hadn't considered.
We all know how confusing it must be for users with KEXT and PPPC approvals for various software. Our WFH recommended software would be throwing up popups for things like Box, Zoom, Citrix Workspace, Cisco AnyConnect etc.
Highly recommend Privacy Preferences Policy Control (PPPC) Utility for adding PPPC approval Config Profiles.
Hello @davidhiggs I was curious, the icon you used for your Staff pack, did you find that somewhere or did you create this in house? We are just now exploring a BYOD model for our students. I want a proof of concept and having something like you created with the staff pack would be awesome. This way, enrolled student Macs could get the needed apps all in one install.
@davidhiggs I know you mentioned sites, outside of organizing personal vs college owned devices, is there any other advantage? I attempted to see how I could scope or use smart groups to identify those systems belonging to one site or another. I couldn't find a way to deal with the idea of sites for personal devices. I'm trying to create a model to demo this concept to our leadership over the next month, to explain what could be done.
@mconners It might be that you have different organisation policy for personal vs. business. e.g. You may want to force a software removal/update on a college owned Mac but leave personal devices alone, even if it's in their best interest. Or not allow Terminal.app to be used on college devices, but you don't control that on personal devices.
My staff LDAP group can enrol into any site, University Owned or Personally Owned (you could have more). My student LDAP group are forced into Personally Owned, so they won't see the choice on enrolment. To ensure people outside of these groups can't enrol, I have All LDAP Users set to No.
Once you have your Sites set up, you'll see a new option in Smart Groups. You want to choose your Site that relates to personal computers. This is how I set up a smart group that only includes people enrolled as Personally Owned. Note that not having criteria will include all machines, which is what you want.
@mconners fortunately most of our core software works on an SSO and can be used on personal machines. For everything else, it's a bit of a process to find out if it can be used off campus. Most vendors seem to be offering extended trials, so we found that more suitable to promote and we'll reassess as needed. Some have great options with different licence keys, some offer nothing at all.
Below is a sample of what we added for IBM SPSS, a simple set of instructions with the app packaged ready to go. Policy set to expire 15th June.
Thank you @davidhiggs this is helpful. We have not configured SSO in our case, but we are working on it now. We will be using Azure.
I read your reply above and was thrown off a bit. You mentioned, "...our core software works on an SSO..." What do you mean by works on an SSO? I might be thinking one thing while reading this and was thrown off a bit. If you could explain the context of an SSO, that might clear things up.