School of Medicine JAMF deployment

Proposed By
Glenn Peacock
Number of Attendees
34
Summary
As of 12/1/20, TDS is actively installing Jamf, and using it to install CrowdStrike (uninstalling ESET), and to provide Full Disk Access to Code42. How's it going?
Notes

Apple's security posture changes over the years mean we need to grant additional permissions to apps like Code42 (Full Disk Access) and others. BigFix can no longer do this with the new Apple security features. A tool like JAMF is necessary in today's Apple environment to apply security settings on Macs.

Jonathan Morton & Chad Morales - CPE, TDS (SoM). 

JAMF is currently being deployed in SoM.

What is SoM doing with JAMF?

- Deploy Digital Guardian to high-risk users (USB encryption protection)

- Enabling Code42 Full Disk Access

- Deploying CrowdStrike! (new ISO AV tool)

Challenges?

- macOS 10.13+ deployment can't be fully automated because of FDA and kernel extensions. SoM has 13k Macs; we can't rely on users to do this. Jamf can take care of this automatically, but the JAMF MDM profile needs to be manually approved by the user.

- Every macOS version that Apple supports (macOS n-2) needs to use JAMF.

- Cyber attacks targeting hospitals. JAMF requires the user to approve the MDM profile, but we have been training users not to click on malicious links.

Chad does a demo of how to enroll a device in JAMF and approve MDM.

For current macOS users, SoM is using BigFix to push out JAMF to the endpoint with instructions on how to approve the JAMF MDM profile. 4 clicks is all it takes to enroll in JAMF with the appropriate profiles. That will then kick off other actions such as the CrowdStrike install or Code42 Full Disk Access.

SoM started deployment Dec 1. Currently 5200 are in JAMF in various states. 

Chad is sharing daily progress slides. I'll ask for them to share their presentation and include it here. 

Targeting macOS 10.13+. Big Sur is still the outlier. Currently about 1,000 Big Sur machines in SoM. 

If we get JAMF on a mac before it upgrades to Big Sur, that is not an issue. 

Started deploying JAMF to Stanford owned machines and very recently started adding personal devices as well. They will continue to add devices over winter break. 

Jeff Barkow's team is leading this JAMF effort for SU. 

If a user enrolls in MDM manually, the user can remove the profile. If the device is supervised (pre-enrolled through DEP), then the user cannot remove the JAMF profile. We cannot 'supervise' personally owned machines.
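The distinction above (not enrolled, enrolled but not yet user-approved, user-approved and removable, DEP-supervised) can be read off a Mac locally. The following is an added example, not from the session or from Jamf: it classifies the output of the built-in `profiles status -type enrollment` command (macOS 10.13.4 and later, run as root for the DEP line). The sample outputs are constructed to match the two lines that command prints; the state names are this example's own.

```shell
#!/bin/sh
# Classify a Mac's MDM enrollment state from the output of
#   profiles status -type enrollment
# States (names chosen for this example):
#   not-enrolled         no MDM profile installed
#   enrolled-unapproved  MDM profile present but not user-approved, so FDA and
#                        kernel-extension payloads do not apply yet
#   user-approved        user approved the profile by hand; the user can remove it
#   supervised           enrolled through DEP/ASM; the user cannot remove it

classify_enrollment() {
  # $1: captured output of `profiles status -type enrollment`
  dep=$(printf '%s\n' "$1" | sed -n 's/^Enrolled via DEP: *//p')
  mdm=$(printf '%s\n' "$1" | sed -n 's/^MDM enrollment: *//p')
  case "$mdm" in
    No*) echo "not-enrolled" ;;
    *"User Approved"*)
      if [ "$dep" = "Yes" ]; then echo "supervised"; else echo "user-approved"; fi ;;
    Yes*) echo "enrolled-unapproved" ;;
    *) echo "unknown" ;;
  esac
}

# Constructed sample outputs in the format `profiles status -type enrollment` prints.
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'
SAMPLE_UNAPPROVED='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_APPROVED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'

# Live check on a Mac (uncomment); root is needed for the DEP line:
# classify_enrollment "$(sudo profiles status -type enrollment)"

# Walk the constructed samples so the script shows all four states when run.
for s in "$SAMPLE_NONE" "$SAMPLE_UNAPPROVED" "$SAMPLE_APPROVED" "$SAMPLE_DEP"; do
  classify_enrollment "$s"
done
```

Pushed out as a BigFix or Jamf inventory script, the returned state tells you which machines still need the user's approval click and which are only user-approved rather than supervised, i.e. the ones where the profile can still be removed by the user.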

In SoM, 75% of Stanford-owned Macs are purchased through SmartMart or Apple and can be locked in supervised mode.

Jeff's team will be building out sites (for different admin groups) when scaling JAMF. They are still trying to figure out what the attributes need to be (by org code, etc.).

Jonathan: LDAP connection is still needed for a no-touch deployment. A user can receive a brand new laptop, enter their SUNet ID, and provision the machine based on that. This is the power of JAMF and Apple management.

In the future, anything purchased through Apple or the book store will automatically funnel into our MDM server. Currently, it's not pointed to our JAMF server, and it requires us to input a serial number. In the future, the serial number will not be required.

JAMF would have been nice before Covid so we could send machines directly to users instead of having a technician set them up before shipping them to the user.

How will sub-admin teams be set up, and will there be training? Jeff: JAMF offers training courses; the JAMF 100 course is self-paced, and JAMF 200 and 300 can lead to certification. Jeff is hoping to work with Techtraining to create a JAMF training program (hopefully with certification training). Site administrators might need to have a PAW to access the JAMF console (starting today you can use Cardinal Protect). They are still trying to figure out the security model.

If any admins are interested in learning about JAMF or getting their feet wet sooner or later, reach out to Jeff Barkow and he will be happy to give you a quick demo and explain what they are planning on doing. There is also an endpoint management session tomorrow at the IT Unconference.

One thing we can start doing today is to make sure that any computer purchased today goes through SmartMart or the book store so it can be included in ASM.

Can we manually enroll a device into ASM? If it's not purchased through SmartMart or the book store, then probably not, for example if it was purchased at the Stanford mall Apple store. It is possible on iPhones and iPads. Hopefully we can do this on Apple silicon devices, but we don't know yet. There could be a rework of how this works. More to come.


File Attachments
Year
2020