JAMF Onboarding First Steps
The following are a series of suggested policies to help transition units into the Jamf management system. These policies include:
- BigFix Agent Removal, if the device still happens to have it
- Trend Agent Installation
- MDM Profile User Approved Status
- FileVault Key Reissue/Redirection (still a work in progress)
Jamf Tips and Considerations
The following are tips and considerations to take into account before executing the policies above.
- For ALL policies, configure the Maintenance payload to Update Inventory after the policy executes. Smart Computer Group membership is recalculated from inventory, so without this step a computer stays in the group (and therefore in the policy's scope) until its next scheduled inventory update, and the policy can run against it again.
- To force a policy to rerun on a computer that has already run it successfully, navigate to Computers > Policies > [Policy Name] > Logs, then click Flush for that computer.
- When creating a new policy, uncheck the Enabled box so it cannot run while it is only partly configured. When you are ready to initiate the policy, enable it again.
- Recurring Check-in is a good trigger for these policies.
MDM Profile User Approved Status
Starting with macOS High Sierra, the MDM profile must be approved by a user sitting at the Mac (User Approved MDM Enrollment); it cannot be approved through screen sharing or by a script. This policy executes a script that opens the Profiles pane in System Preferences and prompts the user to approve the MDM profile, which can be done without admin rights to the machine. Until the profile is approved, Jamf cannot whitelist kernel extensions, so kernel extensions (including Trend's) fail to load. See https://support.apple.com/en-us/HT208019 for more information regarding this issue. Apply this policy first: a Trend deployment to a computer whose MDM profile is not yet approved can break.
- First, create a Policy. Please note there are two methods to creating this policy: using the generic UF policy (Method 1), or cloning and tailoring the policy to meet your department's needs (Method 2).
METHOD 1: Use the generic UF policy
- Under Computers > Content Management > Policies click +New
- Under Options > General, ensure:
  - Display Name is in the proper syntax: <DEPT>-Unapproved MDM Profile
  - Category is set as Script
  - Trigger is set as Recurring Check-in
  - Execution Frequency is set to Once every week (or the interval at which you want users to receive the pop-up notification)
- Under Options > Scripts, add the UF-ApproveMDMProfile script.*
  - *Users will receive the following pop-up message: "Your Mac has now been enrolled in the UF Jamf Solution for management. Please Approve the MDM Profile to continue. After you have approved the profile please restart your machine at your earliest convenience. If you have any issues please contact your Computer Support group."
- Under Options > Maintenance, check Update Inventory, so the computer leaves the Smart Computer Group (and the weekly prompt stops) once the profile has been approved.
- Click Save
-OR- METHOD 2: Create a custom policy based on the UF policy
- Log in to https://uf.jamfcloud.com/?failover as your LGA (i.e. xx-adm-xxx) account and create a customized version of the script. Use https, not http, so the LGA credentials are not sent in the clear.
- Under Computers > Computer Management > Scripts click on UF-ApproveMDMProfile
- Next, click Clone
- For the New Script:
  - On the General tab, ensure:
    - Display Name is in the proper syntax: <DEPT>-ApproveMDMProfile
    - Category is set as Script
    - Information is set to Approve MDM profile for High Sierra
    - Notes is set to User interaction for MDM profile in High Sierra <YOUR NAME>, <CURRENT DATE/TIME> (or as desired)
  - On the Script tab, ensure that line 16, dialog="Your Mac has now been enrolled in the UF Jamf Solution for management. Please Approve the MDM Profile to continue. After you have approved the profile please restart your machine at your earliest convenience. If you have any issues please contact your Computer Support group.", is tailored to meet your users' needs.
  - Click Save
- Next, log in to https://uf.jamfcloud.com/ as your GatorLink account.
- Under Computers > Content Management > Policies click +New
- Under Options > General, ensure:
  - Display Name is in the proper syntax: <DEPT>-Unapproved MDM Profile
  - Category is set as Script
  - Trigger is set as Recurring Check-in
  - Execution Frequency is set to Once every week (or the interval at which you want users to receive the pop-up notification)
- Under Options > Scripts, add the <DEPT>-ApproveMDMProfile script.
- Under Options > Maintenance, check Update Inventory, so the computer leaves the Smart Computer Group once the profile has been approved.
- Click Save
- Next, create a new Smart Computer Group:
  - Under Computers > Groups > Smart Computer Groups click +New
  - Under Computer Group tab, ensure:
    - Display Name is in the proper syntax: <DEPT>-Unapproved MDM Profile Group
  - Under Criteria tab, click +Add, click Show Advanced Criteria and choose User Approved MDM
    - Operator is set to is
    - Value is set to No
  - Click +Add and choose Operating System Version
    - And/Or is set to and
    - Operator is set to greater than or equal
    - Value is set to 10.13.2 (the first release with User Approved MDM Enrollment; older systems report no approval state and would otherwise be prompted needlessly)
  - Click Save
- Finally, link the Smart Computer Group to the Policy:
  - Under Computers > Content Management > Policies, click <DEPT>-Unapproved MDM Profile
  - Under Scope > Targets > Selected Deployment Targets section, click +Add
  - Under Add Deployment Targets section, click Computer Groups
  - Under Group Name column, locate <DEPT>-Unapproved MDM Profile Group and click Add
  - Click Save
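As an added example (this is not the UF-ApproveMDMProfile script, which is not reproduced on this page), the following script shows what a policy script for this step has to do: read the enrollment state, and only when the profile is not yet user-approved, show the dialog in the logged-in user's session and open the Profiles preference pane. It assumes macOS 10.13.4 or later, where `profiles status -type enrollment` reports the approval state, and that Jamf runs it as root, as it does for policy scripts. The function names (`uamdm_approved`, `has_console_user`, `prompt_user`) and the dialog window title are this example's own choices; the dialog text is the one quoted above.

```shell
#!/bin/bash
# Added example for the MDM-approval policy; not the UF-ApproveMDMProfile script.
# Assumes macOS 10.13.4+ (`profiles status -type enrollment`) and that Jamf runs
# the script as root, as it does for policy scripts.

dialog="Your Mac has now been enrolled in the UF Jamf Solution for management. Please Approve the MDM Profile to continue. After you have approved the profile please restart your machine at your earliest convenience. If you have any issues please contact your Computer Support group."

# Returns 0 when the text of `profiles status -type enrollment` ("$1") shows a
# user-approved enrollment, 1 otherwise. A pure function of its input, so the
# check can be exercised without a Mac.
uamdm_approved() {
    printf '%s\n' "$1" | grep -qF 'MDM enrollment: Yes (User Approved)'
}

# Returns 0 when "$1" names a real console user (someone is logged in at the
# GUI), 1 for the placeholder owners of /dev/console when nobody is.
has_console_user() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# Show the dialog and open the Profiles pane inside the console user's session.
# osascript run straight from a root policy may draw nothing, so both commands
# are launched in the user's launchd context with launchctl asuser.
prompt_user() {
    local user uid
    user="$(/usr/bin/stat -f %Su /dev/console)"
    if ! has_console_user "$user"; then
        echo "No user at the console; the policy will prompt again at its next run."
        return 1
    fi
    uid="$(/usr/bin/id -u "$user")"
    /bin/launchctl asuser "$uid" /usr/bin/sudo -u "$user" /usr/bin/osascript \
        -e "display dialog \"$dialog\" buttons {\"OK\"} default button 1 with title \"MDM Profile Approval\""
    # Profiles.prefPane is where the user clicks Approve on 10.13 and 10.14.
    /bin/launchctl asuser "$uid" /usr/bin/sudo -u "$user" /usr/bin/open \
        /System/Library/PreferencePanes/Profiles.prefPane
}

main() {
    local status
    if ! status="$(/usr/bin/profiles status -type enrollment 2>/dev/null)"; then
        echo "profiles status is unavailable: this Mac is older than 10.13.4 or not enrolled."
        return 1
    fi
    if uamdm_approved "$status"; then
        echo "MDM profile is already user-approved; nothing to do."
        return 0
    fi
    prompt_user
}

# Jamf runs this file directly on a Mac. The guard lets the functions be loaded
# on other systems (for review or testing) without calling macOS-only tools.
case "$(uname -s)" in
    Darwin) main "$@" ;;
esac
```

Because the Smart Computer Group already scopes the policy to unapproved computers, the `uamdm_approved` check is a second line of defence for the window between approval and the next inventory update, so a user who has just approved the profile is not prompted again.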
BigFix Agent Removal
This policy removes the BigFix Agent from computers that still have it installed.
- First, create a new Policy:
  - Under Computers > Content Management > Policies click +New
  - Under Options > General, ensure:
    - Display Name is in the proper syntax: <DEPT>-BigFix Uninstall
    - Category is set as Scripts
    - Trigger is set as Recurring Check-in
    - Execution Frequency is set to Once per computer (or as desired)
  - Under Options > Scripts, add the UF-BigFixAgentUninstall script.
  - Under Options > Maintenance, check Update Inventory, so the computer leaves the Smart Computer Group once the agent is gone.
  - Click Save
- Next, create a new Smart Computer Group:
  - Under Computers > Groups > Smart Computer Groups click +New
  - Under Computer Group tab, ensure:
    - Display Name is in the proper syntax: <DEPT>-BigFix Uninstall Group
  - Under Criteria tab, click +Add and choose Running Services
    - Operator is set to has
    - Value is set to com.bigfix.BESAgent
    - Optionally, click the … button, locate com.bigfix.BESAgent and choose that value.
  - Click Save
- Finally, link the Smart Computer Group to the Policy:
  - Under Computers > Content Management > Policies, click <DEPT>-BigFix Uninstall
  - Under Scope > Targets > Selected Deployment Targets section, click +Add
  - Under Add Deployment Targets section, click Computer Groups
  - Under Group Name column, locate <DEPT>-BigFix Uninstall Group and click Add
  - Click Save
-
Trend Agent Installation
This policy installs Trend on computers that do not already have it installed.
- First, create a Policy:
  - Under Computers > Content Management > Policies click +New
  - Under Options > General, ensure:
    - Display Name is in the proper syntax: <DEPT>-Trend Install
    - Category is set as Security
    - Trigger is set as Recurring Check-in
    - Execution Frequency is set to Once per computer (or as desired)
  - Under Options > Packages, add the UF-CampusTMSM3.0.3044 package.
  - Under Options > Maintenance, check Update Inventory, so the computer leaves the Smart Computer Group once Trend is installed.
  - Click Save
- Next, create a new Smart Computer Group:
  - Under Computers > Groups > Smart Computer Groups click +New
  - Under Computer Group tab, ensure:
    - Display Name is in the proper syntax: <DEPT>-Trend Install Group
  - Under Criteria tab, click +Add and choose Running Services
    - Operator is set to does not have
    - Value is set to com.trendmicro.icore.av
    - Optionally, click the … button, locate com.trendmicro.icore.av and choose that value.
  - New recommended criterion: Trend can install its services but fail to install the application, and the first criterion alone misses such computers. To catch them, under the Criteria tab click +Add and choose Application Title
    - And/Or is set to or. With the default, and, a computer would have to be missing both the service and the application to be scoped, so a computer that has the service but not the application would never receive the package, which defeats the purpose of this criterion.
    - Operator is set to does not have
    - Value is set to Trend
  - Click Save
- Finally, link the Smart Computer Group to the Policy:
  - Under Computers > Content Management > Policies, click <DEPT>-Trend Install
  - Under Scope > Targets > Selected Deployment Targets section, click +Add
  - Under Add Deployment Targets section, click Computer Groups
  - Under Group Name column, locate <DEPT>-Trend Install Group and click Add
  - Click Save
FileVault Key Reissue/Redirection - This section is still a work in progress
Jamf can store FileVault personal recovery keys for easy recovery. If a computer was already encrypted before it joined Jamf, Jamf does not hold its key; deploy a reissue-key policy to force the computer to generate a new FileVault recovery key, which is then escrowed in Jamf. UFIT has a top-level policy configured that redirects all keys to Jamf. Please note that issuing a new recovery key does NOT re-encrypt the computer: the existing key is replaced and stops working, and the data on disk is untouched. Once reissued, the recovery key for each computer is available in its inventory record. <This is still a work in progress>
- First, create a Policy:
  - Under Computers > Content Management > Policies click +New
  - Under Options > General, ensure:
    - Display Name is in the proper syntax: <DEPT>-FileVault2 Reissue Keys
    - Category is set as Disk Encryption Configurations
    - Trigger is set as Recurring Check-in
    - Execution Frequency is set to Once per computer (or as desired)
  - Under Options > Disk Encryption, set the action to Issue New Recovery Key with recovery key type Individual.
  - Under Options > Maintenance, check Update Inventory, so the new key is reported to Jamf and the computer leaves the Smart Computer Group.
  - Click Save
- Next, create a new Smart Computer Group:
  - Under Computers > Groups > Smart Computer Groups click +New
  - Under Computer Group tab, ensure:
    - Display Name is in the proper syntax: <DEPT>-No Encryption Key Group
  - Under Criteria tab, click +Add and choose FileVault 2 Individual Key Validation
    - Operator is set to is not
    - Value is set to Valid
    - Note that this criterion also matches computers that are not encrypted at all, since they have no key to validate. If the policy should only be attempted on encrypted computers, add a second criterion on FileVault 2 status (combined with and) that limits the group to encrypted boot volumes.
  - Click Save
- Finally, link the Smart Computer Group to the Policy:
  - Under Computers > Content Management > Policies, click <DEPT>-FileVault2 Reissue Keys
  - Under Scope > Targets > Selected Deployment Targets section, click +Add
  - Under Add Deployment Targets section, click Computer Groups
  - Under Group Name column, locate <DEPT>-No Encryption Key Group and click Add
  - Click Save