So… your NC State Mac has Jamf on it. Great! But what does that mean? In this blog entry, we’re going to deep dive exactly what Jamf is configuring for the Mathematics environment, how it does it, and why it does it for 1-to-1 assigned devices. For a larger overview of Jamf’s purpose and effects, check out the Device Management page.
Configuration Profiles
Configuration profiles are Apple’s method of enforcing system preferences on iOS and macOS devices. These profiles prohibit conflicting settings from being set, even by IT staff themselves. Let’s go over each profile and what they do:
- Allow All Apps and Escrow FileVault Keys
- Enables Gatekeeper to permit apps from third party sources
- Configures FileVault to escrow recovery keys for device encryption to secure NC State servers
- Connect to NCSU WiFi
- Automatically sets your device to connect to the ncsu WiFi network
- Enable Automatic Office Updates
- Configures Office’s built-in updater (MAU) to periodically check for updates and apply them in the background
- Enable Multiuser and Lock Screen
- Enables macOS “multiuser”, which allows another user to sign in at the lock screen and not interrupt another session
- Disables Apple ID and Siri prompts when setting up new account
- Disables macOS’ “Guest User”
- Enforces screen saver after 15 minutes (not device sleep)
- Mathematics Approved KEXTs
- Whitelists approved Kernel Extensions to prevent issues and prompts for common apps like Cisco VPN and Google Drive
- Mathematics NoMAD Configuration
- Configures NoMAD to connect to NC State servers and allow network authentication post-login as well as Unity password syncing, while utilizing local accounts for no network dependency
- Mathematics NoMAD Login Configuration
- Configures NoMAD Login to connect to NC State servers and allow Unity logins at the login screen, while utilizing local accounts for no network dependency
- Temporary Admin Permissions
- Configures the Privileges app that allows users to escalate themselves to administrator status
Policies
Policies are Jamf’s action-based solution. Each policy has a scope and a run interval. Jamf checks-in securely over the internet every 15 minutes for policy execution, and updates computer records after a successful policy, or once per day. The agent on a macOS device checks in with the JSS at computer start up and every 15 minutes thereafter, consuming 2KB of network traffic, 4MB Real Memory, and 0.10% CPU. On average the once-per-day inventory process takes 30 seconds to complete. Let’s go over each policy and what they do:
- App Policies
- These policies are scoped to all devices running a supported OS that do not have the respected app installed. The following Apps are enforced:
- NoMAD – helper app that allows Unity authentication and keychain access for network resources, as well as user prompts to synchronize password on Unity password changes
- NoMAD Login – helper app that allows NC State Unity sign ins at the login screen, while utilizing local accounts for no network dependency
- Privileges – helper app that allows users to escalate themselves to administrator status
- Spirion Identity Finder – according to NC State standards is required for scanning for sensitive data
- DockUtil – helper app that is used to add things to user docks, such as the Privileges and Self Service apps, as well as your home directory
- DetectX Swift – according to NC State standards is required for antivirus and anti-malware scanning.
- These policies are scoped to all devices running a supported OS that do not have the respected app installed. The following Apps are enforced:
- Compliance Policies
- These polices are scoped to all devices running a supported OS and have various run intervals
- AuditAdminLogins – executed on login to log whenever a service account is used on your device, and is verified by the Mathematics System Administrator in real time
- ChangeFVRecoveryKey – executed weekly to rotate FileVault enabled devices’ recovery key so that the same recovery key is not used indefinitely
- EnableChromeUpdates – executed daily for Google Chrome to phone home and check for any available updates directly from Google
- InventoryUserOnLogin – executed on login to report device status, installed apps, and configuration changes back to Jamf to keep track of who is using the device and to ensure duplicate policy execution does not occur
- LocalAdminAccount – executed at enrollment to create a service account for Mathematics IT access in the event of service, troubleshooting or other IT problems
- EnableFirefoxUpdates – executed daily for Mozilla Firefox to phone home and check for any available updates directly from Mozilla
- EnableFlashUpdates – executed daily for Flash to phone home and check for any available updates directly from Adobe
- Rename – executed on devices that do not maintain departmental naming standards (MA-SERIALNUMBER)
- Wallpapers – executed once per user to install and set a NC State branded wallpaper on first login
- PrintManagement – executed once per user to configure the Mac to allow all users to modify printer settings without requiring administrator privileges
- RotateMathadminPW – executed weekly to rotate individual service account passwords to ensure device security
- EnableMojaveAutoupdate – executed on devices that have Apple’s new autoupdate disabled on macOS 10.14.
- EOLNotice-app – executed once per day to notify macOS devices that have software that is End-Of-Life that the respected software needs to be removed
- These polices are scoped to all devices running a supported OS and have various run intervals
As of publishing this blog entry, these are all of the moving parts of the Jamf management system, excluding what is available via Self Service. If you have questions, suggestions, or any comment on the matter, we’d love to hear your feedback in the comments below.
One Comment