ISC leverages Jamf Cloud for our Mobile Device Management offering. Jamf is the leading cloud-based endpoint management service for Apple devices, including Macs, iPhones, iPads, and Apple TVs. Jamf provides a unique level of control within the Apple ecosystem, not found in other endpoint management systems. In the tabbed sections below you will find an overview of ISC's Jamf Cloud offering.
If you are interested in using Jamf, please reach out to Client Care at help@isc.upenn.edu to begin the onboarding process.
The Jamf Cloud environment allows for the grouping of devices both organizationally and administratively, while maintaining some items globally. Within ISC's managed Jamf Cloud instance, what Jamf calls "Sites" are used to organize and silo each School and Center within the tenant.
Sites
Each organization that joins ISC's Jamf Cloud will be granted access to a Site. Under this site, you will be able to enroll and manage your devices and users. Individual Site Admin accounts can be created for each IT staff member who will be administering devices or users within the organization.
Items managed and controlled at the Site level include:
- Devices
- Users
- Policies
- Configuration Profiles
- Pre-Stage Imaging and Enrollment
- Patch Management
- App Management and Apple Volume Purchasing Program (VPP) Applications
- Device Groups (Smart and Static)
Global Items
While much of the Jamf environment can be managed at the Site level, some items are exclusively global in nature. Generally, these items, once created, can be applied and managed by Site Admins using Policies, Configuration Profiles, and Device Groups. However, the creation and editing of these items must be done by a Global Admin.
Globally created items include:
- Packages
- Scripts
- Directory Bindings
- LDAP Servers
Since Global access is required to create these, each organization is also provided with a modified Global Admin account that provides access to create and edit these items, without providing access to items such as the ability to edit Admin account permissions. This also allows for simplified sharing of items that may be useful across organizations, without granting anyone the ability to delete anyone else's work. More detailed information about these custom permissions and the expectations among organizations can be discussed during the onboarding process.
Custom Roles Within Sites
Some organizations may wish to have support providers who perform some device management tasks, without giving them full Site Admin access. In these cases, ISC can facilitate the creation of custom roles within a Site.
Jamf Cloud Features
Jamf Cloud provides all of the standard features of a cloud-based endpoint management system, for Apple devices, including:
- User management
- Application deployment and patch management
- Policy enforcement
- A cloud distribution point
- Static and smart device grouping
- etc.
In addition to these basics, Jamf Cloud provides a number of benefits for Apple devices that competitors do not. These include:
- PreStage Imaging, including editing the initial Setup process that the user experiences
- Enforcement of FileVault full-disk encryption
- Kernel extension whitelisting
- Providing of full disk access to applications
- Self Service, allowing organizations to provide a pre-packaged application bucket for their users to download as needed
- Management and distribution of applications via Apple's Volume Purchasing Program (VPP)
- Integration with and enrollment via Apple School Manager
Apple School Manager Integration
Jamf allows for integration with Apple School Manager via the distribution of MDM tokens. As part of an organizations Jamf onboarding process, ISC will create an MDM Server and Token in the University's Apple School Manager instance to link to the organization's Site within Jamf. The primary benefit of this integration is to allow organizations to claim purchases via Order Number or Serial Number, and pre-enroll those devices in their Jamf Site. Those devices can then be placed into groups, have policies applied and enforced, have user accounts created, have the initial setup process customized, etc., before the box is opened. Many have taken advantage of this feature to create a no-touch setup process for their Apple devices, often shipping the devices directly to the user.
Administrators within Jamf Pro are granted access to a number of resources via the Jamf Nation portal. These include:
- Access to Jamf's extensive Knowledge Base
- Direct access to open Support Tickets with Jamf
- Direct access to Penn's Jamf Customer Success Manager
- Access to a shared catalog of Scripts, Extension Attributes, and more, provided by other Jamf admins
- Jamf Pro desktop tools
Additionally, for organizations wishing to transition from another instance of Jamf Pro or Jamf Cloud, Jamf provides a Migration Tool, which can be used to import all of your devices and settings into a new Site within ISC's Jamf Cloud instance.