Jamf Pro is a comprehensive Enterprise Mobility Management (EMM) solution specifically designed for managing Apple devices within organizations. It allows IT administrators to deploy, secure, and manage Mac computers, iPhones, iPads, and Apple TV devices, from initial setup through their entire lifecycle.
Jamf Pro provides a unified platform to automate device enrollment, configure settings, deploy software, enforce security policies, manage inventory, and provide a self-service app store for users.
Understanding the core components and concepts is crucial for effective Jamf Pro administration.
Before managing devices, you need to set up your Jamf Pro instance and enroll devices.
How devices get managed by Jamf Pro.
# Configuration Steps in Jamf Pro (GUI) for Automated Device Enrollment:
1. Settings (gear icon) > Global Management > Automated Device Enrollment.
2. Click "New" and follow prompts to connect to your Apple Business/School Manager account.
3. Define a "PreStage Enrollment" for device groups (e.g., "Corporate Macs").
4. Configure setup assistant options (e.g., skip Apple ID, Touch ID setup).
# Configuration Steps in Jamf Pro (GUI) for User-Initiated Enrollment:
1. Settings (gear icon) > Computer Management > Enrollment Methods > User-Initiated Enrollment.
2. Configure options like authentication, categories, and custom messages.
3. Direct users to the enrollment URL.
Jamf Pro automatically collects detailed information about all enrolled devices, providing a powerful inventory system.
# Steps to create a Custom Extension Attribute (macOS example):
1. Settings (gear icon) > Computer Management > Extension Attributes.
2. Click "New" > Choose "Script" input type.
3. Provide a display name (e.g., "Custom App Version").
4. Paste a shell script that outputs the desired value to stdout.
Example Script (to get a custom app's version):
<pre><code class="language-bash">#!/bin/bash
# Extension Attribute: report the installed version of MyCustomApp.
plist="/Applications/MyCustomApp.app/Contents/Info.plist"

if [ -f "$plist" ]; then
    # Fall back to "Unknown" if the key is missing or the plist is unreadable
    version=$(defaults read "$plist" CFBundleShortVersionString 2>/dev/null) || version="Unknown"
    echo "<result>$version</result>"
else
    echo "<result>Not Installed</result>"
fi</code></pre>
5. Save the Extension Attribute. It will be collected during the next inventory update.
Policies are the primary method for performing automated tasks on managed computers. They can deploy software, run scripts, apply settings, and more.
# Navigation: Computers > Policies > New (+)
# Key sections when creating a policy:
1. General:
   - Display Name (e.g., "Install Microsoft Office")
   - Category (e.g., "Software Deployment")
   - Trigger:
     - **Recurring Check-in:** Runs every 15 minutes, once a day, etc.
     - **Enrollment Complete:** Runs immediately after a device enrolls.
     - **Login/Logout:** Runs when a user logs in/out.
     - **Network State Change:** Runs when network status changes.
     - **Custom Trigger:** Triggered by `sudo jamf policy -event <custom_trigger_name>` (useful for scripts).
   - Execution Frequency: Once per computer, Once per user, Every time, Once every X days/weeks/months.
2. Packages: Add pre-uploaded software packages (.pkg, .dmg).
   - Action: Install.
   - Options: Restart required, fill user templates.
3. Scripts: Add custom shell scripts to run on devices.
   - Priority: Before/After/At Reboot.
   - Parameters: Pass variables to your scripts.
Example Script (in Jamf Policy):
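<pre><code class="language-bash">#!/bin/bash
# Jamf Pro reserves parameters 1-3 (mount point, computer name, username);
# custom policy parameters start at $4.
# Parameter 4: Custom message from Jamf Pro policy
MESSAGE="$4"
# The path contains a space, so it must be quoted for the redirect to work
LOG_FILE="/Library/Application Support/Jamf/Logs/policy_log.log"
echo "Policy triggered at $(date) with message: $MESSAGE" >> "$LOG_FILE"
/usr/bin/osascript -e 'display notification "Hello from Jamf Policy!" with title "Jamf Alert"'
</code></pre>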
4. Printers: Add/remove printers.
5. Disk Encryption: Manage FileVault.
6. Maintenance: Perform disk repairs, update inventory.
7. User Interaction: Display messages or restart prompts.
8. Files and Processes: Manage files, run commands, control processes.
9. Restrictions: Enforce various macOS restrictions (e.g., disable camera).
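Policy scripts run as root, so a value passed through parameter 4 in the "Scripts" step above should be cleaned before it reaches a log file or a notification. The following is an added example, not code from the original page: the function names and the `LOG_FILE` environment override are assumptions made for illustration, and the log path is the one used in the example script above.

```shell
#!/bin/bash
# Added example (not from the original page): hardened handling of policy parameter $4.
# LOG_FILE may be overridden from the environment (assumption, for testing).
LOG_FILE="${LOG_FILE:-/Library/Application Support/Jamf/Logs/policy_log.log}"

# Remove control characters (newlines, ESC sequences) so a parameter cannot
# forge extra log lines, then cap the length at 200 characters.
sanitize_param() {
    cleaned=$(printf '%s' "$1" | tr -d '[:cntrl:]')
    printf '%.200s' "$cleaned"
}

# Append one timestamped line; refuse to follow a symlink planted at the log path.
log_event() {
    if [ -L "$LOG_FILE" ]; then
        echo "refusing to write: $LOG_FILE is a symlink" >&2
        return 1
    fi
    mkdir -p "$(dirname "$LOG_FILE")" || return 1
    printf '%s message: %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$1" >> "$LOG_FILE"
}

# Pass the text to AppleScript as an argument (argv) instead of splicing it
# into the script source, so quotes in the message cannot change the script.
notify_user() {
    command -v osascript >/dev/null 2>&1 || return 0   # not on macOS: skip
    osascript -e 'on run argv' \
              -e 'display notification (item 1 of argv) with title "Jamf Alert"' \
              -e 'end run' -- "$1"
}

main() {
    # $1-$3 are filled in by Jamf Pro; $4 is the first custom parameter
    message=$(sanitize_param "$4")
    if [ -z "$message" ]; then
        echo "parameter 4 is empty after sanitizing" >&2
        return 1
    fi
    log_event "$message" && notify_user "$message"
}

# Jamf Pro always supplies at least $1-$3, so only run when $4 is present.
if [ "$#" -ge 4 ]; then
    main "$@"
fi
```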
# Navigation: Settings (gear) > Server Infrastructure > Distribution Points > Your DP > Packages > Upload.
# Navigation: Computers > Policies > New (+)
- Display Name: Install Google Chrome
- Category: Software Deployment
- Trigger: Recurring Check-in (e.g., every day)
- Execution Frequency: Once per computer
- Packages: Add the uploaded "Google Chrome.pkg"
- Scope: (See "Scoping" section) Add your "All Managed Macs" Smart Group.
- Self Service: (Optional) Make it available in Self Service.
Configuration Profiles are XML files (or payloads) that enforce settings on macOS, iOS, iPadOS, and tvOS devices. They are ideal for persistent, required settings.
# Navigation: Computers > Configuration Profiles > New (+) (for macOS)
# OR Mobile Devices > Configuration Profiles > New (+) (for iOS/iPadOS)
# Key payloads (settings) when creating a profile:
1. General:
   - Name (e.g., "Wi-Fi Settings - Corporate Network")
   - Category
   - Level: User Level (applies to user session) or Computer/Device Level (applies to device itself, even without user login).
2. Wi-Fi: Configure Wi-Fi networks (SSID, security type, password).
3. Restrictions: Disable cameras, force passcode, restrict app installation.
4. Passcode: Enforce passcode requirements (length, complexity, age).
5. Web Clips: Create shortcuts to websites on the home screen.
6. Email: Configure email accounts.
7. Certificates: Deploy certificates for network access or VPN.
8. Privacy Preferences Policy Control (PPPC): Grant permissions to apps (e.g., screen recording, full disk access).
9. Custom Settings: Deploy custom plist files.
# Navigation: Mobile Devices > Configuration Profiles > New (+)
- Name: Corporate Wi-Fi
- Category: Network
- Level: Device Level (applies to the device)
- Payloads: Add "Wi-Fi" payload
  - SSID: Your_Corporate_WiFi_SSID
  - Security Type: WPA/WPA2 Enterprise (or appropriate)
  - Protocol: EAP-TLS (or appropriate, often requires certificates)
  - Auto Join: Checked
Keeping macOS and third-party software updated is critical for security and stability.
# Example Policy for macOS Update:
# Navigation: Computers > Policies > New (+)
- Display Name: Upgrade to macOS Sonoma
- Category: OS Updates
- Trigger: Manual (User-initiated via Self Service) or Recurring Check-in (for forced updates)
- Execution Frequency: Once per computer
- Payloads: Add "Operating System"
  - Action: Install an update
  - macOS Version: Latest (or specific version)
  - Options: Restart if needed, deferrals, force installs.
- Scope: Smart Group of devices eligible for Sonoma upgrade.
- Self Service: Make available (with icon and description).
# Example using App Installers (Jamf Pro GUI):
1. Computers > App Installers.
2. Click "New" or browse available titles.
3. Select an app (e.g., Google Chrome).
4. Configure:
   - Deployment Type: "Install automatically" (for forced updates) or "Make available in Self Service".
   - Scope: Apply to relevant Smart Groups.
5. Jamf Pro will automatically download, deploy, and update the app when new versions are available.
Deploying and managing applications is a core function.
# Steps for VPP App Deployment:
1. Settings (gear) > Global Management > VPP Accounts > Add your VPP token.
2. Apps > New (+) > App Store app or VPP App.
3. Search for the app, select it.
4. Configure:
   - Distribution Method: "Install Automatically" or "Make Available in Self Service".
   - App Configuration (Managed App Config): Pass specific settings to the app.
   - Scope: Assign to devices/users.
   - VPP Assignment: Choose "Assign to device" or "Assign to user".
Jamf Self Service empowers end-users to install applications, run scripts, and access resources without requiring direct IT intervention.
# Navigation: Settings (gear) > Self Service (for Computers or Mobile Devices)
- Branding: Customize icons, banner, colors.
- Layout: Organize categories, featured items.
- Notifications: Configure push notifications for new content.
Groups are fundamental for organizing devices and users, and for scoping policies and profiles.
# Navigation: Computers > Static Computer Groups > New (+)
# Or Mobile Devices > Static Mobile Device Groups > New (+)
# Navigation: Computers > Smart Computer Groups > New (+)
# Or Mobile Devices > Smart Mobile Device Groups > New (+)
# Example Smart Group Criteria (for "Macs with macOS 10.15 Catalina"):
- Criteria: Operating System Version
- Operator: is
- Value: 10.15.x
# Example Smart Group for "Devices with App X Installed":
- Criteria: Application Title
- Operator: is
- Value: Microsoft Word.app
# Example Smart Group for "Devices without FileVault Enabled":
- Criteria: FileVault 2 Status
- Operator: is not
- Value: Encrypted
Scoping defines which devices or users a policy, profile, or application applies to. It is done by assigning the item to groups.
# Example Scope Configuration for a Policy:
- Targets:
  - Choose "All Computers" initially for broad reach, then refine.
  - Or choose "Specific Computer Groups" and add your "All Faculty Macs" Smart Group.
- Limitations: (Optional, e.g., only apply in a specific building, or to specific users).
  - Network Segments
  - Users
  - Buildings
  - Departments
- Exclusions: (Optional, e.g., exclude "IT Department Macs" from a general policy).
  - Computer Groups (Static or Smart)
  - Individual Computers
  - Users
  - Network Segments
  - Buildings
  - Departments
These are the primary methods for getting devices under Jamf Pro management.
Jamf Pro helps enforce security best practices and meet compliance requirements.
# Example Remote Commands (from a device's inventory record or group action):
- Lock Device
- Wipe Device
- Clear Passcode
- Restart Device
- Update Inventory
<pre><code class="language-bash">tail -f /Library/Application\ Support/Jamf/Jamf.log
sudo jamf policy                           # Runs all applicable policies
sudo jamf policy -event <custom_trigger>   # Triggers a specific custom policy
sudo jamf policy -id <policy_id>           # Runs a policy by its ID</code></pre>
Jamf Pro is a robust platform that simplifies Apple device management in complex environments. By understanding its core concepts, mastering policy and profile creation, and applying best practices, you can efficiently deploy, secure, and manage your organization's Apple fleet, providing a seamless experience for both IT and end-users.