After you configure Intune and Jamf Pro integration and deploy conditional access policies, users of devices managed with Jamf Pro receive password prompts when opening Microsoft 365 applications, such as Teams, Outlook, and other apps that require Microsoft Entra authentication.
Something to add: Carbon Black 3.5.1.19 can operate with either kexts or system extensions, and needs special handling to use kext mode in Big Sur (configured in the unattended install script, or via a repcli command after installation). Even if the kext is whitelisted, Big Sur will not start using it until either the user approves it and restarts, or a special MDM restart command is sent to rebuild the kext cache.
In Jamf, if you go to the record of one of the affected Macs, look in the Management tab. Do you see any failed commands? Also, in that same tab, look in the Configuration Profile section: do you see if your Jamf Connect config profile is applied to that Mac? If the correct config profile is applied, then instead of updating Jamf Connect, I would uninstall it, reboot, and reinstall it.
In order to leverage the Application & Custom Settings functionality in Jamf Pro, developers must configure their application to read settings from managed macOS devices. Settings should be stored in a preference domain where they will be accessible using the CFPreferences, NSUserDefaults or UserDefaults APIs.
Jamf also recommends disabling any end-user facing interfaces that are "forced". Settings that are "forced" are being applied via the managed settings and should not be accessible for users to interact with. For example, if your application includes a preference to configure a specific setting, when managed via Application & Custom Settings, users should not be presented with the option to configure this setting as the value is already "forced".
Jamf recommends including the name of the preference domain within the header of the schema. This is a required field when importing the schema into Jamf Pro and also dictates the name of the file that's deployed to the managed device, which your application will be configured to read from.
Create a read-only API user in Jamf for Duo to obtain managed macOS and iOS endpoint information. Determine whether you plan to create a standard (local) account or an account from your LDAP directory before you begin. You must have previously configured LDAP directory services in Jamf in order to create a new LDAP account.
Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately prevents identification of Jamf-managed devices using Duo Desktop. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing Jamf Pro integration from "Trusted Endpoints Configuration".
Once your managed computers start receiving the Duo certificate, you can configure the Trusted Endpoints policy to start checking for the certificate as users authenticate to Duo-protected services and applications.
Instead, the two (2) methods that actually work are either
a) use a Printing configuration profile for the domain com.apple.mcx.printing like the example XML profile from OIT named Template-com.apple.mcxprinting.ncsu.mobileconfig
or
b) set up the printer using the lpadmin Unix command line tool that configures CUPS after installing the additional required software packages for the printer. Starting with macOS 10.15.x, Apple has restricted network printing to the ipp or ipps protocol (direct-attached USB should continue to work, and SMB-based printing still seems to work, but I would not expect it to be there in future versions of macOS).
I'm wondering if we need to send a disable/activate remote desktop command to all of our devices with a mass action, then after waiting a bit for that to cycle through most of them flush our script above to make sure they all stay set to specific users? I know I've read that using the kickstart command is somewhat frowned upon now and the MDM command should be used but we are not wanting it to allow access for all users, which seems to be the default unless set otherwise either by hand or by terminal/script. To clarify, we do have "Allow screenshots and screen recording" and "Allow AirPlay, View Screen by Classroom, and Screen Sharing" checked as enabled in a config profile on all of our Macs.
Correct @igdjamen, the profile is approved. We are using our local administrator account, which happens to be the managed-by account. We have run recon locally and using Jamf Remote and still, the MDM Capable category is listed as no.
@mconners @scottb If the MDM Capability & the User Approved MDM both said no, while the MDM Capable Users is the same, then it is very weird. Try this (it seems the enrollment didn't properly work):
- Go to JSS and Remove MDM Profile from the management tab on the laptop
- Run the user-level MDM command "sudo jamf mdm -userLevelMdm"
- Go to "Profiles" on "System Preferences" and approve the "MDM profile"
- Double click on "verified or unverified" to view the certificate
- Drag the "Bellese JSS Built-in Certificate Authority" to your desktop, in order to add it to your Keychain Access under "System". Make sure to change the trust configuration to "Always trust".
- Run the command "sudo jamf manage". It should work.
So I have been visiting offices and manually installing the enrollment profile on devices that used to be enrolled in our Mac Server MDM instead. While the profile installs fine and it auto-pulls the MDM profile and another, the rest of my Jamf configs in at least 1 case haven't installed after 12 hours and multiple reboots and terminal command sends. Looking in Jamf Pro, the device still shows just basic enrollment but no group memberships or config profiles and policies for the device (but the device HAS been added to several static groups).
Jamf is an Apple device management solution used by system administrators to configure and automate IT administration tasks for macOS, iOS, and tvOS devices. The current project will focus solely on macOS devices. All macOS devices used by GitLab Team Members for the purposes of fulfilling the responsibilities of their role as a GitLab Team Member are required to be enrolled and managed by Jamf.
If you use Fish Shell, Jamf's inventory process may be broken. To remedy this, do not set the default shell to Fish and do not launch Fish in ~/.bash_profile or ~/.profile or any other file which can be loaded by a login shell. As a workaround, have your Terminal program launch Fish. Please verify the Jamf connection after you have finished configuring Fish.
Starting with macOS Ventura 13, Apple introduced a new framework for managing background tasks such as LaunchAgents, LaunchDaemons, and Login Items. BeyondTrust's Jump Client for Privileged Remote Access leverages background tasks to ensure the client is running at all times. Administrators can manage these background tasks using a Managed Login Items payload delivered to managed devices. To ensure proper functionality, deploy a configuration profile targeting the below values:
One of the most challenging processes that an IT administrator will run into with device management is learning the software. However, Jamf breaks down these components so that it's simple to use. The first thing an administrator will see after logging in is a dashboard with a breakdown of Computers, which encompasses macOS devices, Devices, which encompasses iOS, iPadOS and tvOS devices, and Users (Figure 1). This separation gives administrators an organized view of device types, profiles and configurations.
Use the Deep Freeze Configuration Administrator utility to configure a password and a new partition (for example: T:\) with a minimum of 1.5 GB capacity as thawspace. The thawspace holds the files that will be kept after a system is rebooted with Deep Freeze active.