Rocketman Tech
Need help with Jamf? Our consultative process can take over from the first meeting and bring your organization through a comprehensive scoping process to ensure we help you get where you need to go
We're giving away our Apple Vision Pro!
2:31
21 days ago
Restriction macOS Sequoia
8:56
21 days ago
LaunchPad - Gold Medal Tips from Jamf Experts
32:13
2 months ago
LaunchPad - WWDC24 Review for Mac Admins
34:18
2 months ago
Simple Searches with Jamf Pro
9:03
3 months ago
Interview with Simon Binder
19:45
4 months ago
Mass Update Devices using Jamf GUI
4:14
4 months ago
Setting up Intune - Part 1: Initial Setup
29:02
4 months ago
Jamf's new LAPS feature in 11.5
16:58
4 months ago
Need S.U.P.E.R.M.A.N. to Save Your Jamf Server?
47:11
5 months ago
LaunchPad Panel of Experts
41:52
7 months ago
The Marriage of Jamf 11 and macOS Sonoma
48:27
10 months ago
WWDC 2023 Updates for Mac Admins
24:29
1 year ago
Comments
@RocketmanTech 3 days ago
Follow Up Resources: www.rocketman.tech/post/jnuc-2024-recap-sequoia-cis-blueprints-and-platform-sso
@jayant6012 11 days ago
Hey Chris. Thanks for sharing this. Just one question: if I want to re-enable users to install Sequoia, then how do I do that?
@smartmammal9926 19 days ago
Would love to "up" my certification
@smartmammal9926 19 days ago
Just tested this, did not work as it is showing in Software Update with only major updates selected. Will have to make sure to add restriction in the sidebar setting to stop the installer app
@smartmammal9926 19 days ago
Nice old school JAMF shirt....I think I still have one
@smartmammal9926 24 days ago
Use Safe Practices! Supply chain attacks have happened to even the most security-conscious organizations. Caution should be exercised when using this app just as with any content sourced from the internet. Be aware that this application incorporates content from a number of Jamf and non-Jamf sources. Initial implementation of a new process in a test environment improves the chances you’ll catch problems before they can affect something important. Always do a careful inspection of any content uploaded to Jamf Pro before scoping it to user devices to make sure you fully understand what it’s doing. Deploy and test new content gradually, initially scoping it to a small number of non-production test devices, then expanding the scope over time to increasingly larger groups of user devices.
@RocketmanTech 21 days ago
Yes - this is good advice and best practices for all of us.
@jeffb9983 25 days ago
Awesome giveaway!
@RocketmanTech 25 days ago
Thanks! Are you going to be at JNUC this year?
@jeffb9983 24 days ago
@RocketmanTech My company decided not to send me this year but I'm trying to swing it personally, looks like it's going to be a good one!
@jeremycejka22 25 days ago
If you already had a profile that does this, I think you have to remove it first, and then reapply. The timer is one time use (according to Jamf) so you have to reset the clock by removing it. It's not perpetual.
@jeremycejka22 25 days ago
In case anyone slips in, I've already observed Sequoia breaks wifi / radius auth via eap-ms-chap
@dnr1223 26 days ago
I had stopped using the Restricted Software record for the past few years because it seemed to stop working. Thankfully, I'm seeing reports on Reddit that it's working for some environments now, so I've added it back. Strangely, we had switched to using a Config Profile with "major updates" deferred for 90 days, but already have about 20 computers that slipped through the cracks. Very frustrating.
@electronvolt3723 26 days ago
We have both the configuration profile and restricted software block in place. For the config profile, our previous engineer set the Defer Updates field to "All software, applications and non-OS updates" for 7 days, with the "Include major software updates" checked with a delay of 90 days. We are less concerned about point updates or other software than we are with macOS upgrades. The only difference I can see between selecting "All software, applications and non-OS updates" vs "Software updates" in the drop-down menu is that the latter lacks the "Set different delay for minor software updates" checkbox. We also include the Software Update payload in the same config profile, enabling everything except macOS beta installs and administrator user only installs. Overall, both the config profile and the restriction block seem to work just fine as-is for us. Even after 90 days, presumably the Restricted Software block should continue to block the Sequoia installer, even though the System Settings app will show the upgrade badge and show the Sequoia entry in Software Update.
@seetendrapanda 26 days ago
Just adding the majorOS block did work for us and as a back up we added the restriction payload as well.
@RocketmanTech 26 days ago
Perfect! Glad it worked!
@markparsons7011 26 days ago
Thanks Chris!
@RocketmanTech 26 days ago
Glad you found it helpful!
@01mememememe 27 days ago
thanks, great guide
@RocketmanTech 27 days ago
Glad you liked it!
@buckmanriver 28 days ago
Graham thank you for keeping this open source!
@MisterBlueSky 1 month ago
When I run the scripts, I end up with 30 failing tests for CIS Level 1. Are they not supposed to fix all of those?
@ooSolarplrexoo 21 days ago
It takes some tinkering, it's not a guaranteed one size fits all solution for all macs
@pederjensen7288 1 month ago
Guess I have not heard anyone choose Intune because it is a good product - they choose Intune because it is "free" and part of their MS license already. Price is of course an important indicator - but in larger Mac environments, Intune would really be a struggle. If you have few Macs then Intune could work I guess
@pederjensen7288 1 month ago
Intune enrollment with Mac is a nightmare. Many prompts and also different behavior depending on default browser used on client. Often devices suddenly are "kicked" off Intune as there is no connection - so conditional access fails, as the device is no longer registered - and then need to delete Intune entry - and do new registration.
@mirkosteinbrecher8787 2 months ago
Hi. Can you share the guidelines link pls?
@RocketmanTech 2 months ago
Yep! It's available here: www.rocketman.tech/post/gold-medal-tips-from-jamf-experts
@basa820 2 months ago
How is Conditional Access a "Legacy feature"?....😖
@RocketmanTech 2 months ago
Sorry, "legacy" was probably the wrong word, I was referring to the Conditional Access Integration with Jamf Pro, which has been deprecated and replaced with the Device Compliance Integration.
@siddheshnarkar2106 2 months ago
How did you create an apple business manager / school account? also how did you verify your business, please guide
@DanielNeto82 2 months ago
Highly biased, natural for a Jamf integrator. :D Intune doesn't have beautiful screens or ready-to-use settings such as Jamf.
@SteveMajor 2 months ago
Is JAMF more Mac-centric, sure. But a few of the noted "can't dos" just aren't true. You CAN: manage the dock. Disable activation lock. If it is enabled, you have recovery passwords auto-generated for each device record. Haven't had a problem with FileVault, but we might just be lucky. We use mostly Intune for the very reasons you list, but are managing several hundred Macs with them. Long before MDM, we used Munki and it definitely takes a lot of Intune's shortcomings away. I doubt we could manage Macs with Intune alone without it.
@fr0d0scious 3 months ago
Hugely biased comparison of not much use sadly
@cmgeorge12 2 months ago
It's biased in exactly the way they intended: those who have considerable investment in a Jamf infrastructure who are considering making a change (for whatever reason) to Intune. If that's not the perspective that you're coming from, the video is still of use in that you can see certain places where Jamf might have an advantage.
@StevenRodriguez-v1k 3 months ago
Graham is a genius! Thank you for making such an amazing tool.
@ShyamSundar-lc2fn 3 months ago
Great info and huge thanks for compiling all this and presenting to the community, well done 🎉🎉
@RocketmanTech 3 months ago
Thanks! I'm glad you enjoyed it
@FunFacts-cg1oh 3 months ago
Any way to get this presentation, maybe only as "read only"? Thank you.
@RocketmanTech 3 months ago
Are you referring to the keynote I used?
@BizzNezz2k 3 months ago
When it comes to Jamf Connect you should have taken a look into Microsoft Platform SSO that is already available. As you've mentioned User Affinity can't be compared to Jamf Connect. Regarding Zero Touch Provisioning: I recommend taking a look into Baseline in combination with Installomator. That's working well for me enrolling devices via Intune.
@tudo1847 3 months ago
Love the channel and info, but do not underestimate the need for quality audio. Don't think AirPods Pro are gonna cut it. A professional mic definitely when making these videos.
@RocketmanTech 3 months ago
I totally agree... but my podcasting mic is in storage, and I was on the road in a hotel room. In a month, I'll have my studio setup back. I did the best with the tools I had on hand, with my crazy travel schedule 😂
@AhmedElHamidi-MSIT 3 months ago
We appreciate your time and efforts to show how Intune is still far behind from Jamf
@AhmedElHamidi-MSIT 3 months ago
Man, if you are coming from Jamf (like me), Intune totally sucks
@RocketmanTech 3 months ago
At 00:28:54 I talk about the Device Check-in Frequency. Since I created this video, I've gotten several people claiming different things about Intune's check-in frequency. Some people say 8 hours, others say 24 hours, and still others say 5 minutes. An Intune SME who worked for Microsoft told me if they made a change to a profile, their standard procedure was to have them check the computer the next day. In my experience, the wait time for a change to happen was often longer than I was willing to wait, so I would plug the computer in and wait a day for the change to apply, or restart the computer which would sometimes work (but not all the time).
@BizzNezz2k 3 months ago
CheckIn with Intune is worse, I agree. I always reboot the Mac when I made adjustments to my macOS Scripts, because restarting the MDM agent on the system locally just does not speed things up.
@TheRevJuice 3 months ago
This is true. I've had the same experience with Intune, which is quite inconsistent, and frustrating if you're working with a client.
@SteveMajor 2 months ago
I've rarely ever seen a restart AND then a login by the user fail. That combo works for us. Then again, we've been in production with Intune for several years now and our configuration profiles aren't updated very often anymore.
@HareefMuhammed 3 months ago
Very informative 👍
@Cadmium9682 3 months ago
44:53 It still makes sense to read questions or put them on the screen because we can't see them in the recording.
@RocketmanTech 3 months ago
Haha yes, this is the difficulty with trying to post a live recording with limited editing (so we can post the content quickly). We'll try to do better next time!
@huexley 4 months ago
Really hope that macOS SU will be addressed. Running Macs without being able to enforce software updates is a real pain and shame.
@RocketmanTech 4 months ago
Or without having to use a combination of Super/erase-install/nudge/SOFA/custom tools we built
@huexley 4 months ago
@RocketmanTech I use a tool I made myself based with Smart groups but that's soooo painful
@jeffb9983 4 months ago
Love the excel tip, but the real pro tip is the comma separated searching... I'd tried doing space separated searches (ala Apple Business Manager) to no avail and assumed this wasn't possible. Never tried commas! Great tip!
@TeezyThaKidd 3 months ago
Same! I remember the day I learned about comma-separated searches in ASM. I am absolutely elated to know that it is also in Jamf!
@Cadmium9682 4 months ago
17:50 you can scope by macOS latest version, just create a group with subgroup "macOS not up to date"
@RocketmanTech 4 months ago
You can also just scope to "All Computers" and exclude computers that are on the latest version. I do this, and only run it once a week.
@HowieIsaacks 4 months ago
I lost a job because of Kandji. I didn't embrace the company's choice to use it over Jamf Pro but I did try. I took some time to learn how to interact with Kandji through command line but that was largely useless. A simple product is not always better, and Kandji is no exception. I'm a Jamf Now customer. I have my personal Apple devices managed through Jamf Now. I noticed that there are similarities between Kandji and Jamf Now. As a home user, Jamf Now is perfect. I don't need a lot of functionality. Jamf Pro allows me to do much more than I could ever do with Kandji. I'm a bit of a control freak... in a good way. I like to be able to create a great user experience. I can't do that with Kandji. The lack of ability for granularity with Kandji is very limiting (and annoying). With Jamf Pro, I can scope policies and profiles to specific computers and groups of computers with ease. Jamf Now is just as limited as Kandji, but as a non-business user, I don't care. While looking at Kandji before the company I was working for signed onto it, I tried out its blueprints feature and thought of a way that I could create basically the same functionality with Jamf Pro using a combination of policies and configuration profiles. In the end, the company went with Kandji because of these reasons. The first was that Kandji was much more eager for our business and they were willing to make a good deal. Jamf seemed a bit arrogant, and like they had the deal already sewn up. That may have been because Jamf knew I was a huge fan and advocate for Jamf Pro, but they should have tried a lot harder. I was really PO'd at Jamf over that. The second reason was because the owners of the company felt that Kandji would be easier for their techs to work with. If I was one of those techs, I would have been insulted by that. I promised them that I could train everyone on Jamf Pro. They would learn it very quickly. To be fair, I realized that job wasn't working out after about a month of being there. 
It just wasn't a good fit. The decision to go with Kandji was the final blow. I tried to embrace it but the company owners knew full well that I thought Kandji was not good. I can't say in polite conversation what I really think about Kandji. I'm in a much better job now and I work with Jamf Pro daily. I could go on for hours about how great Jamf Pro is but it does have some problems and annoyances. In some ways I'm a bigger fan of Jamf's than Apple's.
@RocketmanTech 5 months ago
A client asked me about this feature shortly after making this video, and I had a couple more notes I didn't mention in the video that I wanted to call out:
- The password is randomized for each computer, a static password that's the same cannot be set
- The password is a random, 29 character alpha-numeric string that cannot be customized in any way to be more readable
- Once the password is retrieved, it MUST be cycled
- The password must be changed by specific intervals (aka 90 days) and can't be done at specific times (like at the end of the year) so each computer not only has a unique password, but a unique password change interval.
- All the settings for this are global, meaning you can't have different configurations for different computers. Every computer gets the same configuration.
- Biggest of all, this account is not FileVault enabled, meaning you can't log in to it on a FileVault enabled computer. Worst off, because of the way the password is cycled, it's basically impossible to set up a script that will make the account FileVault enabled.
I'm not trying to push users away from this tool, there's a lot of organizations that this tool is perfect for, but when we're talking to Universities and School Districts that have specific needs for their backdoor admin account, this may not be the best solution.
@JonathanGonzalez-cy3fd 5 months ago
Can you share the GitHub for the scripts you utilize?
@AlphaSphere 7 months ago
Great overview, What types of custom attributes is everyone using out there? In the video you mentioned the country the device is in based on IP. What else? I've seen battery charge cycles as well, but what else?
@tomanderson789 9 months ago
Great job with the overview!
@Doomdog4 10 months ago
Great video. Thank you!!
@RocketmanTech 10 months ago
Glad you liked it!
@kennethbarquira3179 11 months ago
How long will the deployment be installed if I purchase the application using JAMF Catalog?
@RaghavSood19 11 months ago
Great! Let's see how @Apple is going to smoothen the workflow of its macOS upgrade and update process for Mac admins.
@SirCruxr 11 months ago
Want to say thank you for this video. I was able to figure out how to call a webhook from a Power Automate flow. I'm going to start playing with Azure Functions.
@RocketmanTech 11 months ago
Glad you found it helpful!
@fytubevw 1 year ago
Found the demo to be very useful. Getting more hands on with Jamf. Bash scripting already quite familiar. The background explanations are fascinating, since it is the real world stuff :)
@RocketmanTech 1 year ago
Glad you liked it! Make sure to check out our GitHub for the latest versions of our scripts: github.com/Rocketman-Tech
@VeXeBB 1 year ago
Hey sir, I switched from Jamf Pro to Kandji after using Jamf for 2 years. While I do think Kandji is "stripped" of more settings and basically looks like a typical "web app", we need to keep in mind that Jamf Pro (aka Casper) they were founded almost 20 years(?) ago. I do think that Kandji is a "worse" version of Jamf but I would recommend Kandji over Jamf for companies or startups up to 300/500 devices. Great video tho!
@RocketmanTech 1 year ago
The number of the devices isn't really the concern, it's the complexity of the workflows. I often find that companies over 100 devices start to get more complexity in their environments, but there's certainly new companies that are around the 300-500 range where I'm sure Kandji would still be a good option. I think some better criteria would be for going with Jamf:
- Do you have many different workflows for devices?
- Do you deploy enterprise level software (Cisco AnyConnect, McAfee Web Proxy, Crowdstrike, Palo Alto, etc.)?
- Are you highly security focused?
- Do you have unique workflows that don't fit into Kandji's box?
- Do you require advanced level support for your users?
For us, we would never manage any client using Kandji, no matter how small or how simple, because we already have a high understanding of Jamf, so it's actually easier and much better for us to manage a server using Jamf. And if a company is looking for Tier 3 support from a service provider (like ourselves) providing a high level of Mac expertise, more often than not they won't support a product like Kandji, since they would already have the expertise in a more robust platform and would prefer to use that. So if I am to simplify this, if you can get by without a Mac expert on your IT team, you're probably fine. If you need to have a Mac expert on your team, you're probably going to want Jamf, because that's the tool they will prefer.
@craverst 1 year ago
Thanks for the great review. We did the same, challenged Jamf against Kandji and we came to the same conclusion. Our fleet are currently more than 400 devices and it is almost impossible to manage devices in the same way you do with Jamf. If you focus on automation, APIs or options like "Smart Groups" there is no better MDM for Apple than Jamf.
@RocketmanTech 1 year ago
Simplicity and customization don't go hand in hand, and I often find that when I go for the "simple" solution when I actually needed something more customizable, it ends up becoming more complex than if I had just started with the right solution.