Coded Point
Why Are Organisations Adopting JAMF to Manage Their Remote Apple Fleet?
Provide IT and End Users with the tools they need to work where they want to without putting barriers in their way.
JAMF is an Apple-focussed Mobile Device Management (MDM) solution that helps organisations succeed with Apple. For us, the main selling point of JAMF is going from managing each device individually, one by one, with physical access to the device required, to being able to manage devices centrally from anywhere, whilst also improving the experience for both IT and end users.
Many organisations are adopting Apple devices into their device fleets. There is a shift where end users want to use the devices they are most comfortable with, but which are also powerful enough to do their best work, removing the barriers they face with traditional IT. But bringing Apple devices into your fleet throws up problems for IT, more so for companies that are adopting a remote and hybrid work approach.
How can we manage, deploy and secure these devices easily but also remotely?
JAMF works with whatever work setup you have, whether you work full time in the office, are fully remote or do a little of both with a hybrid approach. JAMF removes the frustrations that IT face, such as requiring physical access to a device to set it up and to deploy patches to users. So before we take a look at how you can adopt JAMF to manage your Apple fleet, or switch to Apple altogether, let's briefly detail the 3 main JAMF products.
JAMF Pro
JAMF Pro allows users to effectively manage their fleet of Apple Devices. Deploy Applications and their patches either automatically or via your own App Store called Self Service, all without requiring physical access to the device. Deploy your devices remotely with a Zero Touch approach to get users working faster.
JAMF Connect
For organisations that want to improve the deployment process, JAMF Connect integrates with your Cloud Identity Provider, such as Azure or Okta. JAMF Connect increases security by having authorised users sign into devices.
JAMF Protect
A Mac Focussed Endpoint Security Solution. JAMF Protect will help organisations of all sizes maintain compliance of endpoints, address your needs for AntiVirus with Malware Protection, control Applications within an Organisation, as well as remediate threats.
Let’s now take a look at how organisations can utilise JAMF:
Linking with a Cloud Identity Provider helps with the scoping of Profiles, Policies and Apps. You complete the details of each user in the Identity Provider and this information can be pulled into JAMF to make the onboarding process easier.
Setting up Policies, Profiles and Apps
For the best approach, we recommend scoping your Policies, Profiles and App Store apps based on Department. Ensure you have added the department of each user in your Cloud Identity Provider so that this can be pulled through into JAMF to help with scoping.
Deploy App Store Applications. Whichever device you are running, you can deploy apps from the Apple App Store, both paid and free. This is great for improving security but also saves time. Simply purchase the app through Apple Business Manager or Apple School Manager and scope it to JAMF Pro. Then in JAMF Pro go to either Computers or Devices > App Store App and create a new App. Then scope it to all users, groups or departments and choose the deployment method you prefer. There is no need to manually get on to the device to install the app.
But what about non App Store Apps? Not every application that your organisation uses is going to be in the App Store. But JAMF has thought about this. You can create an application package to upload to JAMF Pro. Download the application you wish to deploy to your own Mac and ensure that it is in the Applications Folder. Then use an Application from JAMF called Composer. You can drag the Application from your Applications Folder into Composer, apply permissions and then create a PKG or DMG File. This can then be uploaded to JAMF Pro into Packages and then added to a Policy. You can then give the policy a category, decide to deploy Automatically or via Self Service or deploy as the result of a Script. Specify the scope of the policy and press save.
How can I efficiently deploy devices?
We believe that whether your team works in the office, at home or is taking a hybrid approach, that device deployments need to be made easier. All too often we see IT teams manually setting up devices, spending hours applying the correct configurations and security, installing applications to get each device to a base starting point ready for its new user. But could these hours not be put to better use?
JAMF Pro allows you to utilise Zero Touch Technology to deploy devices to users. There is no need for IT to set up the device beforehand. IT can simply ship the device to the user; the user can unbox it, turn it on, sign in and away they go. This saves time for IT, but also gets users working quicker, increasing productivity and providing a great end-user experience.
Use a Prestage within JAMF Pro to configure your setup process. Say which screens in the Apple Setup Assistant you want users to see, say which Configuration Profiles will be applied at this stage and how the user account is created.
For Mac users you can integrate JAMF Connect at this stage. Instead of using the Apple Account Creation Screen, you can use JAMF Connect to have users sign in with their Cloud Identity Provider credentials, for example from Azure or Okta. This increases security, as only users that have credentials in your Cloud Identity Provider can access the device, but it also allows you to control password requirements and reduces the number of passwords for the user to remember. When users change their Cloud Identity Provider password, JAMF Connect will prompt them to change their local Mac password as well.
You can use Enrolment Customisations that allow the user to specify who is using the device. This again can be integrated with your Cloud Identity Provider and the information entered here will be passed back to JAMF which is important for Automatic Device Scoping which we will come onto later.
Once the user has created their account and reached their desktop, their device will only have the applications that are pre-installed by Apple. You can use DEP Notify to download Applications, resources and configurations onto the device. This allows you to install base applications, set the device name, install printers and shows the user the status of the setup so they can see how long is remaining. If you didn’t want to use an Enrolment Customisation above, but you still want to report the user back to JAMF you can use DEP Notify to have the user enter their details and have this reported back to JAMF.
After DEP Notify has finished there may be applications which need to be installed that are user or department specific, or applications that aren’t part of your base configuration that your users may need. But how do you quickly scope these applications and profiles to new devices? IT could go into each Policy, Configuration Profile or App Store app and manually add in the new device, but this will take a lot of time and could hold the user up. You could find the device in the JAMF Inventory and, if JAMF Pro is tied to a Cloud Identity Provider, search for the user under the “User and Location” tab. This could auto-fill the department of the user as discussed above and auto-scope Policies, Profiles and Apps. However, this is still a manual approach and can only be done once the device is enrolled, potentially holding up users. But if you set up an enrolment customisation or a User section in DEP Notify, the user's details will already have been reported back to JAMF Pro. We recommend using the department field to correctly scope Policies, Profiles and Apps. Once the user details have been reported back to JAMF, the Policy, Profile or Apps will then be deployed to users based on the scope set.
JAMF Pro Inventory
Inventory is vital for IT teams to be able to establish all kinds of information about their device fleet: for example, the current OS version, application version numbers, current user, encryption status, applications installed and configurations. You can also get hardware information such as device model, hard drive capacity and memory. All of this information can be used to generate reports or to deploy applications, resources and patches.
How can I Patch and Manage my devices?
Without an MDM, Device Management and Patching can take a lot of time for IT and users and not provide a great experience. Below we will identify a few ways to manage your Devices.
App Store Applications:
The benefit of using App Store Applications is that they can be updated on Devices automatically. IT configures JAMF to deploy App updates automatically and JAMF will check for new updates at a time you choose and then deploy any new updates to devices not running the latest version.
Non App Store Apps:
There is slightly more work to do when it comes to deploying non App Store patches, but overall it takes a lot less time than updating each device individually. You can either use a script inside a packaged PKG file, which will download and install the latest version of an application from a vendor, or you can package the latest version and upload it to JAMF, as when deploying the application originally. JAMF Pro has built-in Patch Management functionality to help. We recommend creating a Smart Group for each application that lists all the devices not running the latest version. You can do this by using the criteria “Application name”, for example “Google Chrome.app”, and “Application Version”, but change the operator to “Is Not” and specify the latest version number. Then every time there is a new patch you can update the Smart Group with the latest version number and you will be given a list of devices that are not running that version.
Then in the Patch Management section you can add a Patch title, for example Chrome, and specify the package (either script or application) against the correct version number. You can then create a Patch Policy that will deploy either the script or the application. You can configure the Patch Policy to deploy automatically when the device next checks in, or via Self Service. We usually go with the Self Service route to avoid disruption to users. You can then configure the notifications and Self Service details, giving a logo for the application, a description and the update deadline, so that if the user doesn’t update before the deadline the update is forced to ensure compliance. You can then specify the scope. We recommend scoping to the Smart Group you just created for the application in question, to ensure only devices not running the latest version are notified of the update.
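The Smart Group criteria described above, modelled as an added example (not code from JAMF or from the original article): it evaluates “Application name is … / Application Version is not …” over a constructed inventory and splits the fleet into the three states a patch policy cares about. Device names, version numbers and function names are assumptions, as is matching both criteria against the same application record.

```python
# Constructed inventory: device name -> list of (application name, version) records.
# Device names and version numbers are made up for this example.
INVENTORY = {
    "mac-finance-01": [("Google Chrome.app", "120.0.1"), ("Slack.app", "4.35.0")],
    "mac-finance-02": [("Google Chrome.app", "121.0.0")],
    "mac-design-01": [("Slack.app", "4.35.0")],            # Chrome not installed
    "mac-design-02": [("Google Chrome.app", "122.0.0")],   # ahead of the target
    "mac-sales-01": [("Google Chrome.app", "119.0.5"),     # stale second copy
                     ("Google Chrome.app", "121.0.0")],
}


def smart_group_members(inventory, app_name, latest_version):
    """Devices with a record where name == app_name and version != latest_version.

    Assumption: both criteria are tested against the same application record.
    """
    members = []
    for device, apps in sorted(inventory.items()):
        if any(name == app_name and version != latest_version
               for name, version in apps):
            members.append(device)
    return members


def patch_report(inventory, app_name, latest_version):
    """Split the fleet into needs-patch, compliant and not-installed."""
    needs_patch = smart_group_members(inventory, app_name, latest_version)
    installed = [device for device, apps in sorted(inventory.items())
                 if any(name == app_name for name, _ in apps)]
    return {
        "needs_patch": needs_patch,
        "compliant": [d for d in installed if d not in needs_patch],
        "not_installed": [d for d in sorted(inventory) if d not in installed],
    }


if __name__ == "__main__":
    report = patch_report(INVENTORY, "Google Chrome.app", "121.0.0")
    for status, devices in report.items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

In this model “Is Not” is plain string inequality, so a device already ahead of the target version and a device with a stale second copy both land in the group, which is worth checking before a forced deadline is set.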
macOS Updates
Installing macOS updates as they become available is vital to ensuring the security of your devices, as it patches any potential vulnerabilities in the operating system. As with application patches, without an MDM solution deploying OS patches can be hard to achieve and you don’t have full visibility of the status of your device fleet. JAMF allows you to manage macOS updates and use the inventory to determine which OS version each device is running. You can use a variety of different methods to achieve the end result, from allowing users to update their devices through Self Service to forcing the updates on each or all devices.
macOS Upgrades:
Similar to macOS Updates, Apple releases new versions of their Operating Systems usually every year. This provides users with a host of new functionality, but also Security Improvements. JAMF gives IT Departments and Users the ability to easily deploy the upgrades, but also restrict them from being installed to allow IT time to test compatibility and the deployment process. This ensures that when the new OS is released to end-users you know that your other tools and systems are going to work with it.
Summary:
When managing a fleet of devices, IT teams need an efficient way to manage them. Many organisations are doing this one by one and require access to the physical device. But this is time consuming and takes IT away from important tasks that are a better use of their time, when an end user could action the same task at the click of a button. This in turn improves the end-user experience. Users don’t have to raise IT ticket requests for new software or updates; they can install applications and resources as and when they need them. They also don’t need to schedule a time with IT to action maintenance; they can action it on their own at the best time for them. IT can then focus on other tasks that improve the IT experience in other areas, increasing productivity further.
Many studies have found that giving employees a choice of which hardware they use for work increases their productivity and makes them more likely to join a company and remain there for longer. To add to this, by implementing JAMF you can give your users the ability to set up their own devices out of the box, to get them up and working quickly.
To sum up, JAMF offers organisations efficiency savings for both end users and IT. Management teams will be able to see the improvement that this has made and know that they can onboard users quicker than they could previously. The end-user IT experience is so important now. Traditionally, when you thought about business IT, the words that would come to mind would be clunky, unreliable, support tickets, unproductive, inefficient and wasted time. But JAMF is a step in the right direction, so that your teams can describe your IT with words such as productive, easy to use, efficient, quick and simple.
With teams now working remotely or with a hybrid approach, JAMF solves the problems of managing and maintaining devices when you don’t have physical access to them. Deploy and manage devices wherever they are.